Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

OpISIS C2’s and Malware?


I was bored again and let my fingers do the walking on ThreatCrowd with some interesting results. Did you all know that you could put words into that search engine and come up with malware hits? So, in the case of my word searches I decided to look for Arabic words that have meaning to Da’esh and the jihadi set, with some interesting results. In the case of the word “jihad” I came up with the following hits:

The hits there show you the attendant hashes of malware alleged to be connected to those domains as C2 (Command and Control) systems. When you click on them you get the Maltego maps and all of the data concerning them, so you can see where everything pivots to and what other servers may be involved with it. Using this method I ran into a set of results for Bladabindi, which is the same malware as seen in the recent attack on the Amaq Da’esh site that was hacked and served malware out to about 600 people (claimed) by stats from the link shortener used to propagate it.


Bladabindi, though, is all sourcing from one domain address: isisisiisisiisis.ddns.net

Bladabindi malware set and variants

MSI pivot on Bladabindi

The searches that I ran showed that there were concerted efforts with Bladabindi using dynDNS sites (jihad101.no-ip.biz and others) as command and control for the Bladabindi variants used against jihadists in the past, and they continue today. There is even a Minecraft server (jihad.serveminecraft.net) that may also be involved. Of course it is funny ha ha to name these servers jihadihacker and other names to poke at the jihobbyists, but it is kinda bad OPSEC really in my book. So either these are OpISIS or someone is having a bit of a joke, but the malware in the case of jihad100.no-ip.biz is just “server.exe” and, basically like the rest of the samples I was seeing, was a RAT, so I can see how these are just being used to pwn these jihadis and harvest their real data, that is if they are stupid enough to run “server.exe” on their box.

Malware from jihadi100.no-ip.biz

Malware from jihadi100.no-ip.biz VT of same malware sample

Generally I am seeing the same kinds of attacks with older off the shelf malware that may get past some old AV or work on people who have no AV at all, but nothing so far has stood out as exotic, so I am thinking this is the Anons doing their thing, or trying to… At the least it was interesting to find the function on ThreatCrowd and leverage it. I think I will plink away at it some more using Russian words next for shits and giggles.. Or.. OOOH maybe Korean huh?

I guess the last thing I would say on all of this is that the Anons may have had some success with these attacks and maybe passed on some info to the right people, but generally I am not impressed with the ops against Da’esh as a whole. Taking down the jihobbyist sites may be splashy for the tabloids, but the reality of it is that these sites like Amaq are just for the lowest of fruit users online wanking off to jihad. Sure, some could maybe go full “lone wolf nutbag” and try something, but generally the real players got off the boards years ago because they were just for skidz and wannabes. Most of the real shit happens in closed sites that are below the radar and of course on chat systems like Telegram and others where they can talk with some crypto and not be hassled by some poor PHP site that gets popped every other day and taken offline.

Meh.

IOCs:

https://www.threatcrowd.org/domain.php?domain=al-aren.com
https://www.threatcrowd.org/email.php?email=janeverno@gmail.com
https://www.threatcrowd.org/ip.php?ip=167.114.156.214

Threatcrowd for word jihad: https://www.threatcrowd.org/searchTwo.php?data=jihad
jihadhack1.no-ip.biz
jihadhacker.no-ip.biz
jihadijohn.no-ip.org
jihad1.ddns.net
jihad0812929.ddns.net
jihadhacker711.no-ip.biz
jihad059.ddns.net
jihad.serveminecraft.net
MD5=9d69109e7ceff7fa05966ba7e08e4d6d

Threatcrowd for word ISIS: https://www.threatcrowd.org/searchTwo.php?data=ISIS
isisisiisisiisis.ddns.net
MD5=22e2fa976906b4aac9509828e124c734
MD5=cf084279a857462e2cf96b053a7175af
https://www.threatcrowd.org/listMalware.php?antivirus=Password.Stealer
https://www.threatcrowd.org/listMalware.php?antivirus=Worm*Win32/Rebhip.A
https://www.threatcrowd.org/listMalware.php?page=716&antivirus=Back
https://www.threatcrowd.org/listMalware.php?page=949&antivirus=Back
https://www.threatcrowd.org/listMalware.php?page=1138&antivirus=W3

isisis12.no-ip.biz
Reference=Houdini/Dinihu/Jenxcus/H-worm
Reference=http://cybertracker.malwarehunterteam.com/c2/
Reference=https://bartblaze.blogspot.com/2014/02/remediate-vbs-malware.html
Reference=https://otx.alienvault.com/pulse/56e2dab5aef921042823dbca/

isis.ocn.ne.jp
MD5=2ecde55cc501d71803f0c57d668fa546

isis-paris.fr
MD5=797df4f92d18573ae98db61d4f8b0c89

isis-immo.com
MD5=797df4f92d18573ae98db61d4f8b0c89

isis.ie
MD5=797df4f92d18573ae98db61d4f8b0c89

isislove.zapto.org
MD5=764ecc97921c87de344bf98157e76e49
MD5=910dd000e8d8675348d94649c1ad9273

isishacker.ddns.net
MD5=be425683065595828801d5fe304826d1

isis94.no-ip.biz
MD5=fce1ef3b926f54a257896bd0adc09ecd

jihad100.no-ip.biz
MD5=11b45bfbbbd944ca9bf1f5f69628d055
MD5=1eb1a366dae694202235656f2f42aa9a
MD5=7f209fa351a6792484fcc4d786a17ffd
MD5=cd685e040b584909bd208e8fcad0c846

jihad1001.ddns.net
MD5=b31ac43984d38772f11a2ad1970e8e95
MD5=dc86dc3747a43f6bdda6abf36fa657d1

jihad101.no-ip.biz
MD5=2b2f4d554c493c7dfb9700baf50c9559

https://www.threatcrowd.org/domain.php?domain=jihad100.no-ip.biz
https://www.threatminer.org/domain.php?q=jihad100.no-ip.biz
https://www.threatcrowd.org/listMalware.php?page=95&antivirus=Backdoor.Bladabindi
https://www.threatcrowd.org/listMalware.php?antivirus=MSI
Hashes:
00271eee4b2cc6c591b31d0267bd3e1d
0258fb82ea0fad355826f9685a722fdd
00204b5cd771f38cdb12f77296f0e822
0128958f21527ed62fb8ebe1163b02a5
00bb0e9497e75a264d2160c8eb00620f
020d22addc989600255c92f0f63272dc
026c17ab578370253c9f798e23a365cb
0147b1139992081a6d5a0a6dfb12745a
02fc1b4f2314f5d011f76d757ddbf993
007bba0dd36ab190f8b594b9104dcc3e
005fad4aeaecb924553112e314f5a823
02d903c651cd7d284bd946a56123f508
01cf03c1da3b09d4d6b91430a5172bb9
00c18e20f7900e54aeff98c4ebb30191
00c9a4b108671d4bd4b67e5caf971f10
03b29a401511611a3bc61b39b1b147b5
043f38cd210d3abfea4fb124ffd016ec
0388edac9178997a41b0278ffcf8e042
01a240dafb6367a590a754c5e6a16de2
01a9e9a5ec760c0d0bd41a4bd4a3e10e
03ab0f14df1e1f648369914947ff530f
003776fd5668294fb56b8d15b9d48d00
0431311b5f024d6e66b90d59491f2563
03c7b3a07ad9806a20e949ddfa3f978e
0110bd2e29655e68cc51fca34e08b6fe
021118d45187f43dbe4d5ce848d29b0e
023144e95a77434be50c627fb9dd9407
028d360f8315a1f4203897d45715b207
039735d34e9b0dd5c9a2d38f58376a79

https://malwareconfig.com/config/7f209fa351a6792484fcc4d786a17ffd/

https://www.threatcrowd.org/domain.php?domain=jihad.serveminecraft.net
https://malwr.com/analysis/MzM2OTBkOGJmZjA4NDQ2YzkxODY0NGVkMWFiMDU1NjA/

https://www.threatcrowd.org/domain.php?domain=irhabi.no-ip.org
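The IOC dump above is written as loose notes (a domain, then one or more MD5= tokens on the next line), which is awkward to feed into a blocklist or a resolver-log search. The following is an added example, not code from this post: it parses a small constructed excerpt of that note format into a domain-to-hash map, lets you pivot from an AV hit's MD5 back to the C2 domain it was tied to, and then runs the domains over a few constructed resolver log lines (the log format, the client IPs and the timestamps are all made up). Because every listed C2 sits under a free dynamic-DNS zone (no-ip.biz, ddns.net, zapto.org, serveminecraft.net), the hunt also surfaces queries to other names in those zones as a lower-confidence signal worth a second look.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same loose note format as the IOC dump above
# (domain on one line, one or more MD5=... tokens on the next). Only a
# handful of the page's indicators are embedded so the example runs offline.
IOC_NOTES = """\
isisisiisisiisis.ddns.net
MD5=22e2fa976906b4aac9509828e124c734 MD5=cf084279a857462e2cf96b053a7175af

isislove.zapto.org
MD5=764ecc97921c87de344bf98157e76e49 MD5=910dd000e8d8675348d94649c1ad9273

jihad100.no-ip.biz
MD5=11b45bfbbbd944ca9bf1f5f69628d055 MD5=1eb1a366dae694202235656f2f42aa9a

jihad101.no-ip.biz
MD5=2b2f4d554c493c7dfb9700baf50c9559

jihad.serveminecraft.net
"""

# Constructed resolver log lines in a hypothetical format:
#   <time> <client> query <type> <qname>
DNS_LOG = [
    "2017-04-10T20:01:02Z 10.0.0.14 query A jihad101.no-ip.biz",
    "2017-04-10T20:01:05Z 10.0.0.14 query A www.example.com",
    "2017-04-10T20:02:11Z 10.0.0.27 query A isisisiisisiisis.ddns.net",
    "2017-04-10T20:02:45Z 10.0.0.27 query A homecam.zapto.org",
    "2017-04-10T20:03:40Z 10.0.0.31 query A jihad.serveminecraft.net",
]

# Free dynamic-DNS zones the listed C2 hostnames were registered under.
DYNDNS_ZONES = ("no-ip.biz", "no-ip.org", "ddns.net", "zapto.org", "serveminecraft.net")

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
MD5_RE = re.compile(r"MD5=([0-9a-f]{32})", re.I)


def parse_ioc_notes(text):
    """Turn the domain / MD5= note format into {domain: set(md5)}."""
    indicators = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("MD5="):
            if current is not None:
                indicators[current].update(h.lower() for h in MD5_RE.findall(line))
        elif DOMAIN_RE.match(line):
            current = line.lower()
            indicators.setdefault(current, set())  # keep domains with no hashes
    return dict(indicators)


def domains_for_hash(md5, indicators):
    """Pivot the other way: which listed C2 domain(s) a sample hash was tied to."""
    md5 = md5.lower()
    return sorted(d for d, hashes in indicators.items() if md5 in hashes)


def in_dyndns_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in DYNDNS_ZONES)


def hunt_dns_log(lines, indicators):
    """Return (exact_hits, dyndns_hits) as lists of (time, client, qname).

    exact_hits are queries for a listed C2 domain; dyndns_hits are queries for
    other names in the same free dynamic-DNS zones, worth a second look."""
    exact, dyn = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        ts, client, qname = parts[0], parts[1], parts[4].lower().rstrip(".")
        if qname in indicators:
            exact.append((ts, client, qname))
        elif in_dyndns_zone(qname):
            dyn.append((ts, client, qname))
    return exact, dyn


if __name__ == "__main__":
    iocs = parse_ioc_notes(IOC_NOTES)
    exact, dyn = hunt_dns_log(DNS_LOG, iocs)
    for hit in exact:
        print("C2 match:", *hit, sorted(iocs[hit[2]]))
    for hit in dyn:
        print("dyn-DNS zone, review:", *hit)
```

The exact-match list is what you would act on; the dynamic-DNS zone list is only a prioritisation aid, since plenty of legitimate home cameras and hobby servers live under the same providers.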

Written by Krypt3ia

2017/04/10 at 20:34

Posted in OpISIS

Trump Hotels Dot Com: Malware C2 In 2014


Credit CNN

TURNIP HACKED!

Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data had been stolen? Well, there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains, but a couple jumped out on the searches due to there being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen, including the one by CNN above, where not much is said by Trump nor the FBI or USSS because they were looking into it and because Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs, I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding, was it Rescator? Some other Eastern Bloc group? If it was Russian then, well, you know how they like to dual use these hacks, right?

Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to be used as a C2, or perhaps it was just garbage traffic as has been seen in the past with some malware creators. The real kicker is that this malware was doing its thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did, piggybacking on the other hacking going on.

Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.

(scroll down but don’t be drinking anything hot FAIR WARNING)

Maltego of psmtp server at Turnip Hotels


Trumphotels.com Domain ThreatCrowd

Trumphotels.com.s9a1.psmtp.com ThreatCrowd

Money shot of the malware that has trumphotels in the C2 list

Oh, and Turnip loves him some GoDaddy, the Mos Eisley of domain registries and server farms.

The Malware:

So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE

BAAAAAAAAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAAH!

SHEMALE_MOVIE_83.MPEG.EXE

I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were actually mailing this shit out from Turnip central, as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?


As I write I have this grin on my face…

Enjoy the schadenfreude kids!

K.

IOCs

https://www.threatcrowd.org/searchTwo.php?data=trump

https://www.threatcrowd.org/domain.php?domain=trumphotels.com.s9a1.psmtp.com

https://www.threatcrowd.org/malware.php?md5=833009a54c295a72ad64ab0941f482fe

https://virustotal.com/en/file/e11f563e084bf435ba59ab74bf13aba88f382fa1cadc6186ddca2b63209c9b3b/analysis/

https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/

4/25/2014

https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498

https://www.threatcrowd.org/ip.php?ip=202.71.129.187

https://www.threatcrowd.org/domain.php?domain=email.cz

https://www.threatcrowd.org/ip.php?ip=72.29.227.205

https://www.threatcrowd.org/domain.php?domain=trumphotels.com

Written by Krypt3ia

2017/04/06 at 19:12

You See What Happens When I Get Bored? china.org.cn –> media.president.ir –> rodong.rep.kp —> TURLA?


So yeah, I was bored earlier and when I am bored my brain likes to take a walk down the darker hallways of the intertubes. Today I was plinking around with ThreatCrowd as is my wont, and I decided to start messing about with .gov.kp addresses. So I did a search for just .gov.kp which netted me nada. So I went back to the drawing board and looked up all the .kp addresses out there. I messed around a bit and hit rodong.rep.kp which had the nugget of the day I was looking for.

See that big purple thing? Yeaaaaaahhhh, that is malware activity and it has all the hallmarks of nation state malware, kids! Upon looking closer at this you can see that this piece of malware is talking to other interesting places like Iran and China! This really piqued my interest because just look at those addresses, huh? Iranian mil sites, the president’s site, their news service (FARS) and China! Now what could be happening here, kids? Was this malware or something else? Is the anticipation killing you yet?

Right! So I then started to circle out to the other sites on TC and of course clicked on the malware hash itself to see what the deal was here and when this all came about. To my surprise this malware and the activity happened last year in June. The malware was run privately on Hybrid on June 22nd 2016, but if you look closely at the image at the top of this piece, you see that the post is listed as December 3rd 2016? How does that work, one wonders? Is this a post to the site after the original piece was uploaded? Was there something going on here that made the dates all messed up? In any case, the fact that this was posted privately to Hybrid in June shows that someone was either testing their malware or someone just found this and decided to post it privately so as not to tip off anyone that they had found it.

The sample itself is the php on the site (http://forum.china.org.cn/viewthread.php?tid=175697), which is not around at the moment, so I could not gather a sample directly. I also checked the Wayback Machine and alas they did not have the site cached on the date or after where I would need to get the sample. At the time of testing this malware injected an exe (FP_AX_CAB_INSTALLER64.3×3) in temp and began the work of pwning the system. It drops some files on the system and within the process is an IP address (210.72.21.87) which is in China.

Ok, so I pivot over to the malware 866fd7c29b0b6082c9295897d5db9e67 and whoa, look at all the malware traffic! It’s a festival out there, man! Looks like someone is using a flash update to pwn all the things in Iran, China, and DPRK, maybe, huh? When you look at the malware C2 call outs it makes in the Hybrid analysis you can see them all. But when I start looking at the sites in the binary, it is then I start to see where the other sites have bad histories and the files that seem to have been a part of the arcology.

Pattern match: “http://forum.china.org.cn/archiver/”
Pattern match: “http://www.china.org.cn/node_7077424.htm”
Pattern match: “http://forum.china.org.cn/main.php”
Pattern match: “http://210.72.21.87/uc/en_uc_admin/avatar.php?uid=248308&size=middle”
Pattern match: “http://forum.china.org.cn/viewthread.php?tid=175697&page=1#pid261371”
Pattern match: “http://www.b14643.de/Spacerockets_1/Rest_World/Simorgh-IRILV/Gallery/Simorgh.htm”
Pattern match: “http://www.jajusibo.com/imgdata/jajuilbo_com/201505/2015051137439063.jpg”
Pattern match: “http://www.jajusibo.com/serial_read.html?uid=20376&section=sc38”
Pattern match: “http://media.president.ir/uploads/org/144022966897383700.jpg”
Pattern match: “http://media.farsnews.com/media/Uploaded/Files/Images/1394/05/31/13940531000590_PhotoI.jpg”
Pattern match: “http://static2.bornanews.ir/thumbnail/ttNMJfA47E4M/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/SQ8qder1eiAx/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/WoR50ZKvbOvU/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://www.president.ir/en/88795”
Pattern match: “http://i.imgur.com/0ayxQnW.png?1”

Other hits for the hash:

Threat Miner: https://www.threatminer.org/sample.php?q=866fd7c29b0b6082c9295897d5db9e67

Hybrid: https://www.hybrid-analysis.com/sample/940aefe52f2f5d95535cbb536c53655971d803336a208d4066683c3ddbb9959d?environmentId=100

Threat Miner: https://www.threatminer.org/host.php?q=178.22.79.3

Threat Miner: https://www.threatminer.org/host.php?q=203.130.61.92

It gets stranger with the sites that this thing attempts to connect with as well. All of the connections are GETs on port 80, so is this just polling sites or are some of these carriers of malware second stage? I have yet to go through all of them but one stood out already in the odd department (in red): this site came up dirty on more than one occasion and also the site resides in the US but has a guy from Iran ostensibly as owner who has a Yahoo account for an email. When you look at the site it seems to be a pro Iran mil site that kind of mirrors many of the others in Iran (think Geoshitties from hell), but why is an official site like this being hosted in the US, huh?

Host                         IP               Country
media.president.ir           80.191.69.176    Iran (ISLAMIC Republic Of)
media.farsnews.com           178.22.79.3      Iran (ISLAMIC Republic Of)
i.imgur.com                  185.31.19.193    European Union
weather.china.org.cn         210.72.21.12     China
www.military.ir              63.141.224.83    United States
fpdownload2.macromedia.com   2.16.106.177     European Union
r18.imgfast.net              87.98.180.46     France
images.china.cn              106.48.12.36     China
ipic.su                      104.28.23.43     United States
imgs.xici.net                203.130.61.92    China
static2.bornanews.ir         46.209.99.141    Iran (ISLAMIC Republic Of)
news.xinhuanet.com           106.48.12.33     China
gallery.military.ir          63.141.224.83    United States
rodong.rep.kp                175.45.176.78    Korea Democratic People’s Republic of
fpdownload.macromedia.com    72.246.168.194   United States
my.china.org.cn              210.72.21.87     China
www.jajusibo.com             121.78.144.175   Korea Republic of
www.china.org.cn             106.48.12.35     China

An address in memory, though, there was this little hit: bzip.org. When looking at this site, it has been rather naughty over time and has a high hit ratio for malware. This site also seems to be tied to APT activity.

This site has a lot of trojan activity over time so this may be the hit we are looking for. When I dug into this site I located the key piece of information that I believe nails this as Turla activity. When you look up the domain for bzip.org you get an email address attached; donna@kestrel.ws which then turns up in the ThreatMiner report as being a C2 for Turla. So, it looks like my boredom has maybe led me to RU APT activities against CN/IR/DPRK in June of last year.

Whaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaat?

Is this in fact the case? Has anyone else seen this? I will keep plinking along but do take a look you malware mavens and see what you think.

K.

Written by Krypt3ia

2017/04/04 at 18:23

Posted in Malware

Amaq News Malware Attempt Using Old Malware


Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda, so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though, the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 RAT that everyone sees to pwn an alleged 600 click-happy jihadis?

REALLY?

Right, so as the Vice article says, the malware was easily seen by a multitude of AV products, so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different, but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.

Domains:

After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of alibenmohaed216@gmail.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.

Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit, it seems. One of the domains is still live and serving out the malware:

Now this address would match up with the attempts at trying to get Amaq users to go to a bad squatted address, and this is where I got the malware I mentioned above (details below). The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya”, but others like ad13.de have nothing to do with all that and in fact ad13 is a much, much older domain. Ad13 was originally created in around 2013 and was decommissioned around October 2016 with changes made to the domain in July 2016.

When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.

Here you go!

IOCs:

Malware:

https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
http://urlquery.net/report.php?id=1490856486148
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ –> Malware
https://malwr.com/analysis/ZDgyOWFkYTIwNjdlNGJjOWE2MTMwYjQwYmJmNmRiN2M/

Domains:
https://virustotal.com/en/domain/saitamasinse.com/information/
https://www.threatcrowd.org/domain.php?domain=amqqq.xyz
https://virustotal.com/en/domain/saitamasinsefesa1forall.com/information/
https://virustotal.com/en/domain/saitamasinsefesa1formelol.com/information/
https://virustotal.com/en/domain/fgssaitamasinsefesabgformelol.com/information/
https://www.threatcrowd.org/domain.php?domain=saitamasinse.com
https://www.threatcrowd.org/domain.php?domain=ad13.de
https://www.threatcrowd.org/ip.php?ip=66.85.157.86

Malware:

The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the URL. Once run, it attempts to contact several domains and IP addresses for the second stage.
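Both this sample (a Windows executable handed out under an .apk "Flash update" name) and the Turnip Hotels one above (SHEMALE_MOVIE_83.MPEG.EXE, a double extension that looks like a video) rely on the file name lying about the content. The following is an added example, not code from this post or from any of the analysis services linked here: it checks a file's leading bytes against what its extension promises and flags media-looking double extensions. The byte strings are constructed stand-ins for each file type (only the first few bytes matter), the magic-to-extension tables are deliberately short, and the file names are taken from the posts, not from real samples.

```python
# Leading-byte signatures for the few file types this example cares about.
MAGIC = [
    (b"MZ", "pe"),                  # Windows PE executable
    (b"PK\x03\x04", "zip"),         # zip container: .apk, .jar, .docx ...
    (b"\x00\x00\x01\xba", "mpeg"),  # MPEG program stream pack header
    (b"\x00\x00\x01\xb3", "mpeg"),  # MPEG video sequence header
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF", "pdf"),
]

# What content a given trailing extension is supposed to carry.
EXPECTED = {
    ".exe": "pe", ".scr": "pe", ".dll": "pe",
    ".apk": "zip", ".jar": "zip",
    ".mpeg": "mpeg", ".mpg": "mpeg",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
}
# Extensions a user reads as "just a document/video" and ones Windows will execute.
CONTENT_EXTS = {".mpeg", ".mpg", ".mp4", ".avi", ".jpg", ".jpeg", ".png",
                ".pdf", ".doc", ".docx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def sniff(data):
    """Classify content by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name):
    """All dotted suffixes of the basename, lower-cased, e.g. ['.mpeg', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def assess(name, data):
    """Return a list of findings for a file name plus its leading bytes."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    expected = EXPECTED.get(last)

    # 1. Extension promises one thing, bytes say another (the .apk "Flash update").
    if expected and kind != "unknown" and kind != expected:
        findings.append(f"extension {last} claims {expected} but content is {kind}")

    # 2. Double extension: media-looking name that Windows will run (MPEG.EXE).
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in CONTENT_EXTS:
        findings.append(f"double extension: looks like {exts[-2]} but runs as {last}")

    # 3. PE bytes under an extension we have no expectation for, or no extension.
    if kind == "pe" and expected is None and last not in EXEC_EXTS:
        findings.append(f"PE executable with extension '{last or 'none'}'")
    return findings


# Constructed samples: names from the posts, bytes made up to mimic each type.
SAMPLES = {
    "SHEMALE_MOVIE_83.MPEG.EXE": b"MZ\x90\x00\x03\x00\x00\x00",
    "flash_update.apk": b"MZ\x90\x00\x03\x00\x00\x00",
    "FlashPlayer8x86_x64.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "server": b"MZ\x90\x00\x03\x00\x00\x00",
}


def assess_samples(samples=SAMPLES):
    """Run assess() over every sample and return {name: findings}."""
    return {name: assess(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in assess_samples().items():
        print(f"{name}: {findings or 'no name/content mismatch'}")
```

Note what this does not catch: FlashPlayer8x86_x64.exe with genuine PE bytes produces no finding, because the name is honest about being an executable. Name-versus-content checks stop the disguise; deciding whether an honestly named executable is a RAT is what the AV detections and sample hashes in the IOC lists are for.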

These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old, so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it being either semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further, but then I have to be that interested in who may be fucking with Amaq.

The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys have been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style, so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?

I am still deciding…

K.

Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad

RULEAKS: Russian Media and Disinformation in Ukraine by the DNR-ONLINE


INTRODUCTION:

Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all of it comes from Russian-backed Ukraine sources. RUH8 dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOCs, but once I harvested the email spool itself and began to get things translated, things got even more interesting.

Once I mirrored the site I got some help from <REDACTED> and set to work translating emails and document attachments. The bulk of the dump is average emails concerning daily business, but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (the Russian separatist area of Ukraine) and those outside it, including other countries outside of Ukraine.

Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.

THE LEAK:

The leak by RUH8 in the darknet consists of more than a few entities’ email spools as well as individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dir-online.ru. This is a media org in Ukraine that is Russian backed and, as I said before, caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day, but five documents stood out amongst them all (frankly there are more to be analyzed and one needs Russian speakers to translate them all) as being all things shady.

RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.

THE PROPAGANDA PLAN:

Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.

DOC1

From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad, and also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, website hosting, web administrators, editors, and advertising. The amounts, which are, for some reason, in US Dollars, are $9,250 for initial set-up expenses and $38,280 ongoing costs. Those could be monthly costs: the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month. The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month!

DOC2

From Translator: This one is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misinformation from Kiev. Sounds totally legit.

Oh, and I figured out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia, something like 20 years ago, when the Soviet Union had just collapsed, inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit”, which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It’s particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.

Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.

So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.

Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).  

They’re expecting 100,000 unique visitors a day on weekdays.

It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.

So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.

Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expenses. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.

This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).

They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.

That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…

DOC3

From Translator: This is super evil. I’m really impressed! The idea is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.

DOC4

From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.

DOC5

From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.

DOC6

From translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.

So here is the context from these documents from the translator for you…

From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wrestling federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.

Bryusov then forwarded them on to Surkov.

So, how likely is this?

Well, I spent some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)

Russia also paid the operating costs for the Abkhazian press center, where I spent many a happy day. All international phone calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgians and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)

Anyway, the bottom line is that I do have personal experience of the Russians spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.

As you can see from the commentary above, and you too can read the documents as well, the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a Free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through ThreatCrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough, the site itself is not a C2, but it does have connectivity to other IP addresses and domains that are.

dnr-online.ru

WHOIS for dnr-online.ru

5.101.152.66

The archaeology of malware that talks to 5.101.152.66 is rather interesting. There’s a bit of everything bad attached to that one to be sure, including that MrSweet address that is ransomware central. 5.101.152.66 is owned/created by beget.ru, which has quite a few dirty connections as well.

beget.ru WHOIS

beget.ru

Of course beget could be innocent enough but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site, right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or domain names and that will be another post I am sure. What all of this tells you though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine as well as what they did to us in the election of 2016. This is not a one-time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until its demise.

… and likely past it.

THE MALWARE & GROUNDBAIT:

Right! Now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware. All the Word docs, Excel sheets, PowerPoints etc. The docs all checked out but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe, i.e. “Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe”) came from an email coming in from a Russian source to the head of dnr-online. I am unable to source the headers of the email at this time, but the question becomes: was this malware sent to the DNR by RUH8, or was this malware sent to DNR to send to others in some other campaign? I cannot say either way but, the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine, it stands to reason that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text and to me it seems to imply that it is a fix for things inside dnr. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.

An interesting notion…

I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOC’s for this file for you all to look for.

IOC’s

Filename: Recovery Control Center Help DNR-Report for October 13, 2015
Filetype:.exe
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip

https://www.hybrid-analysis.com/sample/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e?environmentId=100
https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/

Dropped executables
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”

Writes directory archive.rar (exfil)

C2 connected:185.68.16.35
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1

https://www.threatcrowd.org/ip.php?ip=185.68.16.35
https://www.threatcrowd.org/malware.php?md5=7accb6fed266a2023659f438ad1b3546
domain:      wallejob.in.ua
descr:       Domain registered for customer of Ukraine.com.ua
admin-c:     UKRAINE-UANIC
tech-c:      UKRAINE-UANIC
status:      OK-UNTIL 20170619000000
nserver:     ns114.inhostedns.com
nserver:     ns214.inhostedns.net
nserver:     ns314.inhostedns.org
mnt-by:      UKRAINE-MNT-INUA
mnt-lower:   UKRAINE-MNT-INUA
changed:     hostmaster@ukraine.com.ua 20160907200219
source:      INUA

Found malicious artifacts related to “185.68.16.35” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
https://www.threatcrowd.org/domain.php?domain=wood-house.com.ua

URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
https://www.threatcrowd.org/domain.php?domain=wallejob.in.ua
https://www.hybrid-analysis.com/sample/319e9dc36678c4d774ba0765ec93d3160bd476ab0f98bac1b7e5b92e7994a88a/?environmentId=1

URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
https://www.threatcrowd.org/domain.php?domain=zarabatak.ru

URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
https://www.threatcrowd.org/domain.php?domain=psh.co.ua

URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
https://www.threatcrowd.org/domain.php?domain=sem-dev.co.ua

wood-house.com.ua
domain:           wood-house.com.ua
dom-public:       NO
registrant:       xdkjv649
mnt-by:           ua.intermedia
nserver:          ns311.inhostedns.org
nserver:          ns211.inhostedns.net
nserver:          ns111.inhostedns.com
status:           ok
created:          2014-11-07 13:31:27+02
modified:         2016-11-03 16:37:39+02
expires:          2017-11-07 13:31:27+02
source:           UAEPP

registrar:        ua.intermedia
organization:     SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
url:              http://names.com.ua
city:             Melitopol
country:          UA
source:           UAEPP

contact-id:       xdkjv649
person:           Vladimir V Rabotnov
person-loc:       Работнов Владимир Владимирович
e-mail:           not published
address:          not published
address-loc:      not published
phone:            not published
mnt-by:           ua.intermedia
status:           ok
status:           linked
created:          2013-04-05 15:01:02+03
modified:         2014-01-08 23:42:17+02
source:           UAEPP
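As an added example (not code from the original post, from ESET, or from any of the sandbox services linked above), here is a small Python sweep that applies the indicators listed in the IOC section to a constructed proxy log and a constructed file-hash list. The IPs, domains, SHA256 values, dropped-file names and the wd.php query shape are taken from the IOC section as written; the log line format, the client addresses and the sample log lines are assumptions made for the example. The beacon-shape match is reported separately from known-bad hosts because the query shape alone is weaker evidence.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Network and file indicators copied from the IOC section of the post.
IOC_IPS = {"185.68.16.35"}
IOC_DOMAINS = {
    "wallejob.in.ua",      # GROUNDBAIT second-stage host
    "wood-house.com.ua",
    "zarabatak.ru",
    "psh.co.ua",
    "sem-dev.co.ua",
}
IOC_SHA256 = {
    "f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62",
    "4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e",
}
IOC_DROPPED = {"helpldr.dll", "samlib.dll", "rbcon.ini", "archive.rar"}

# Shape of the second-stage request in the sandbox run: /wd.php with exactly
# the query keys sn, rb, ob and bt. Reported as its own (weaker) reason.
BEACON_PATH = re.compile(r"/wd\.php$", re.IGNORECASE)
BEACON_KEYS = {"sn", "rb", "ob", "bt"}


def classify_url(url):
    """Return the reasons a URL matches the IOC set (empty list if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain:" + host)
    if host in IOC_IPS:
        reasons.append("ioc-ip:" + host)
    if BEACON_PATH.search(parts.path) and set(parse_qs(parts.query)) == BEACON_KEYS:
        reasons.append("groundbait-beacon-shape")
    return reasons


# Hypothetical proxy log format (an assumption, not from the post):
#   <timestamp> <client-ip> <dest-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(lines):
    """Return [(line_number, client_ip, reasons)] for every line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _, client, dest, _, url = m.groups()
        reasons = classify_url(url)
        # The destination IP can match even when the URL host is a hostname.
        if dest in IOC_IPS and not any(r.startswith("ioc-ip:") for r in reasons):
            reasons.append("ioc-ip:" + dest)
        if reasons:
            hits.append((n, client, reasons))
    return hits


def match_file_hashes(observed):
    """observed: {filename: sha256}. Return {filename: how-it-matched}."""
    out = {}
    for name, digest in observed.items():
        if digest.lower() in IOC_SHA256:
            out[name] = "sha256"
        elif name.lower() in IOC_DROPPED:
            out[name] = "dropped-filename"
    return out


# Constructed sample log: one beacon to the known C2, one benign request,
# one request to another IOC domain, and one beacon-shaped URL on an
# unlisted host (shape-only hit, to be triaged rather than blocked outright).
SAMPLE_LOG = [
    "2017-01-17T13:30:11Z 10.0.0.15 185.68.16.35 GET "
    "http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0",
    "2017-01-17T13:31:02Z 10.0.0.22 93.184.216.34 GET http://example.com/index.html",
    "2017-01-17T13:35:44Z 10.0.0.15 185.68.16.35 GET http://wood-house.com.ua/",
    "2017-01-17T13:40:00Z 10.0.0.31 198.51.100.7 GET http://benign.example/wd.php?sn=1&rb=2&ob=x&bt=0",
]

if __name__ == "__main__":
    for line_no, client, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: client {client} -> {', '.join(reasons)}")
```

Running it flags lines 1, 3 and 4 of the constructed log; line 1 carries all three reasons (known domain, known IP, beacon shape), line 4 only the shape. In practice the shape-only hit is the one worth a second look, since the sandbox run shows the sn/rb/ob/bt parameters are part of the malware's own check-in, not something a site would normally expose.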


TYING IT ALL TOGETHER:

So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic, put together a media service(s) and planned to use them as a framework of Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within its mail spool, being passed around to at least two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet, or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.

I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest to you all that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here,” which is interesting to me. I mean, malware that no one has really seen and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spend the cycles on looking deeper into the data. I actually did, with the help of others, as well as checked the forensics on the metadata to ensure the stuff was real.

…but that’s just me… I am not a churnalist.

Oh well..

More when I have it.

K.

UPDATE!: One day after this report one IP address involved as a nexus of malware has changed its domain name! Coincidence? Hmmmm?

Screenshot from 2017-03-29 06-14-33

Written by Krypt3ia

2017/03/28 at 13:00

Cyber-Berkut Joining The Manafort Fray


Cyber-Berkut, a Russian-leaning alleged hacker collective in Ukraine, decided to weigh in on the whole Manafort debacle with a data dump. The dump unsurprisingly is pro-Russian and attempts to paint the US as trying to manipulate things and make it look like Manafort is guilty. Berkut does this by dropping a Word doc and a couple of PDFs that they claim make a case for the State Department trying to discredit Manafort’s efforts in Ukraine on Russia’s behalf. It is rather amusing and ineffectual really, but I had to take a closer look because they claimed to have hacked these documents. The documents look legit but there is no source on these as to where they were hacked from, if hacked at all, as well as no other dump to confirm a hack of any merit.

They try to link Leshenko to all of this. Leshenko too was alleged to have been the hacker in the Manafort cell phone hack and extortion. Same actor?

Now Berkut doing this is not new really, but most of the time they spend their time attacking the Ukrainian factions who reside outside of Donetsk who want to have a free country, not those who want Russian rule. In the past this group has hacked and DDoS’d sites, but this one, weak as it is, caught my attention just because Manafort is now in the hot seat over Russian ties to oligarchs who are close to Putin while running the Trump campaign, so one tends to want to dig. In looking at Berkut and their history, others have claimed that they are part of the Fancy Bear group and attempts have even been made to link them to the cutout Gucci-fer (Gucci, like Gianni and Fur, like… Fur.. Not GOOSIFUR) and DNCLeaks as well. These are somewhat tenuous reports though from what I saw in looking out there at them, but it made me want to dig a little more into them.

Berkut showed up in or around July 2014 with sites being created on numerous domains since. Most of these sites had been registered privately, masking personal information, but several of them from the time of first creation have one name attached to them: Aleksandr Panchenko. An Aleksandr Panchenko does live in Ukraine and does in fact work in tech, and may fit the bill as the originator of the sites. The email address used for each of these, alex_panchenko@mail.com, does not really exist and the addresses used are bogus as well, so there is not much to go on other than a name, but let’s get back to those pesky and numerous domains, eh?

CYBER-BERKUT.SU
CYBER-BERKUT.TK
CYBER-BERKUT.RU
CYBER-BERKUT.COM
CYBER-BERKUT.INFO
CYBER-BERKUT.BIZ
CYBER-BERKUT.CENTER
CYBER-BERKUT.ORG
CYBER-BERKUT.US
CYBER-BERKUT.ME
CYBER-BERKUT.CZ
CYBER-BERKUT.IM

It seems that whoever created these sites (including a defunct darknet site) really wanted to get information penetration maxed out. Many of the sites still work and others have been decommissioned and the domains are up for sale. In each case though, they all have been created anonymously with domain registrations all over the world, except for the six or seven I located with early creation dates going back to 2014. Is this because this Aleksandr created them without figuring out what he was doing with them? Or were these created with that name as a means to an end to mislead people? If in fact Berkut is just an anonymous hacker-group wannabe aligned with the Russian state, then maybe this guy just figured that historical whois costs money and, if long enough goes by, no one pays attention? If it is the other case where someone is using his name, why be so consistent with it? Does someone hold a grudge, or is this a famous person whose name they are just using? I started looking around to see and here’s what I came up with.

Aleksandr Panchenko 1: Mathematician currently studying in Germany for a PhD

Aleksandr Panchenko 2: Chessmaster (deceased)

Aleksandr Panchenko 3: 32-year-old living in Kyiv, Ukraine, whose profession is in computers (Oracle Dev, Unix Admin etc)

Aleksandr Panchenko 4: Wedding Photographer in Kyiv Ukraine

There were others, but you get the sense that the name Aleksandr Panchenko in the Baltics is kinda like John Lee in China, if you catch my drift. Though, that one guy, the one with all the technical experience, does kinda stand out, right? That is someone who has the technical chops to do some hacking and dumping as well as run sites, right? It is all way circumstantial, but I for one, if I were the FBI say, might go look this guy up and ask ’em a few questions. After all, the Berkut has been naughty and attacked us as well as others in the wider internet world.

The Manafort intersection though still interests me. I wonder if they will continue on trying to muddy the waters now that Manny has decided he will testify in front of Congress. As the shoes of the millipede keep dropping I am sure that the RU factions will try to drop chaff on things to confuse everyone. I will keep an eye on the site(s) to see if they dump anything else of interest but for now just take a gander at these files and the results of the searches…

Doc 1

Doc 2

Doc 3

K.

Written by Krypt3ia

2017/03/24 at 18:24

Posted in Disinformation

Fabricator


I have been ruminating lately on our situation regarding aspects of Russian interference (active measures) and the new President of the United States. In previous posts I have delved into the Wilderness of Mirrors of counterintelligence that we find ourselves in today, as well as some other musings on motives that the Russians and the President (and his minions) may have in relation to their actions. Today though, on the morning of the big Comey hearing in Congress, I would like to cover the fabricator. By fabricator I mean the intelligence term and not the guy who makes something on the line at the local plant. A fabricator, in the parlance of spies, means someone who lies, creates stories and half truths in order to deceive and mislead intelligence operations. More to the point, I would like to submit that in the goings on today you will have to ponder whether or not the President and his minions are all fabricators acting in whatever interest they have against us all.

Fabricators have motives just like any other liar but here are the defined reasons in the intelligence definition:

  • Fanaticism or ideology is often cited as the key reason behind fabricator activity. When fanaticism is involved or ideology becomes stronger than morals, fabrication may then be seen as a reasonable means to an end. The fabricator may invent the fake intelligence to help bring about a specific outcome to a situation.[7][9]
  • Mental illness, such as confabulation, often combined with alcoholism, causes some individuals to fabricate intelligence, most often done as part of a fantasy of being a secret agent or to gain official attention.[10][11]
  • Money is a strong incentive for some fabricators. Often, a reliable intelligence source agent will become a fabricator because of financial problems or greed. When the agent no longer has valid intelligence to sell to the conducting intelligence officer, the agent may decide to sell fabricated intelligence in order to satisfy need or greed. (Source: Wikipedia)

As you can see these are not so different from any other liar; however, in the context of the intelligence world and what we see playing out today, all of them could also easily fit the President’s and the White House’s machinations of late. Many have speculated already on all of these with regard to Trump and his coterie of minions in the White House today. I would put it to you here that all of these are likely, but money and fanaticism are two of the key players here, with a healthy helping of political expediency. While Trump seems to be in his own reality much of the time, his outright lying and cognitive dissonance have multiple purposes. I would say that he has all of these factors: the mental illness (narcissism), the desire for money and power (money), and a fanaticism that he wears like a cloak to keep him in the seat of power by using a base that he may not in fact truly believe in, but needs their support to win. I would say that this was a thumbnail of his campaign and what we are seeing now as he is running the country.

Looking back, I would say the one biggest tell has been his claims of the Obama admin “tapping his wires” at Trump Tower during the election. Trump used this, as he does many other outrageous claims by Tweet, to distract everyone. He is specifically distracting the media from looking at the real problem at hand (e.g. Russian ties between himself and his coterie and the monies involved) in what I am calling a WMD attack (Weapon of Mass Distraction) vis-à-vis early-a.m. Tweet storms. As we have seen with the claim of wiretapping, there is no evidence, but he uses spin and word salad to confabulate and bamboozle the media and the populace to look the other direction. I put it to you now that you can expect some other outbursts today or tomorrow, post the Comey hearing, in an attempt to spin things away from the connections that he and his people have with Russia.

Trump is a fabricator.

See through it.

K.

Written by Krypt3ia

2017/03/20 at 12:26

Posted in HUMINT