Crime or Espionage?



ZeuS is a well-known crimeware toolkit that is readily available online. The tool allows even the most unskilled to operate a botnet. Typically, ZeuS has been associated with banking fraud. Recently, there have been a series of attacks using the ZeuS malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the emails — often sent out to .mil and .gov email addresses — focus on intelligence and government issues. After the user receives such an email and downloads the file referenced in it, his or her computer will likely (due to the low AV coverage) become compromised by the ZeuS malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer”, which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers. Is this series of attacks connected? Do these events indicate a blurring of the boundaries between online crime and espionage? Or are government and military personnel just another target for online criminal activity?

This post was inspired by a recent post at contagio.blogspot.com. What appears to be a one-off attack using ZeuS, I believe, is actually another round in a series of ZeuS attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be general rather than narrowly focused.

Round 1

On February 6th, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” The command and control server used in the attacks was updatekernel.com.

Round 2

Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as a lure in further spear phishing attacks. Sophos Labs analyzed the sample that used Krebs's post. A post on Intelfusion.com by Jeff Carr regarding the spear phishing attack was also used in another attack. I documented these attacks in “The ‘Kneber’ Botnet, Spear Phishing Attacks and Crimeware”. The key command and control server in this case was also updatekernel.com.

Round 3

In early March 2010, more emails began circulating, one of which encouraged users to download malware from dhsorg.org (222.122.60.186). This malware used greylogic.org (222.122.60.186) as a command and control server. In addition to sharing an IP address, both domains were registered by hilarykneber@yahoo.com. The attack continued using the domain names dhsinfo.info, greylogic.info, and intelfusion.info (abuseemaildhcp@gmail.com), which were hosted on 218.240.28.34. The domain names used in these attacks were variations of domain names owned by Jeff Carr, who has aptly characterized these attacks as a “Poisoning The Well” attack.

Round 4

In June 2010 another campaign began. The lure of the attack emphasizes Jeff Carr’s book “Inside Cyber Warfare: Mapping the Cyber Underworld” with the text copied from http://www.stratcom.mil/reading_list/. The command and control server in this case was from-us-with-love.com.

Round 5

Mila Parkour recently posted details of an interesting attack on contagiodump.blogspot.com. The email used in the attack appeared to be from “ifc@ifc.nato.int” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a ZeuS binary.

File name: EuropeanUnion_MilitaryOperations_EN.pdf
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
VT: 11/41 (26.8%)

File name: exe.exe
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
VT: 3/41 (7.3%)

File name: ntos.exe
MD5: 28c4648f05f46a3ec37d664cee0d84a8
VT: 4/39 (10.3%)

First, the ZeuS malware connects to from-us-with-love.info (91.216.141.171) to receive the Zeus config file. Second, the malware connects to vittles.mobi (174.132.255.10) to download an infostealer. Finally, the infostealer connects to nicupdate.com (85.31.97.194).

File name: logic.exe
MD5: 4f47b495caae1db79987b34afc971eaa
VT: 3/42 (7.1%)

The domain name from-us-with-love.info was registered by “Maria Laguer” with the email address admin@from-us-with-love.info, which was also used to register from-us-with-love.com (the name is also associated with other ZeuS domains, see MDL). The decrypted ZeuS config file from from-us-with-love.info contains two additional domain names: enigmazones.eu and askkairatik.net. These domain names were used as part of a previous ZeuS campaign that used from-us-with-love.com as a command and control server. In addition, the location of the malware, quimeras.com.mx, was also used in a previous campaign that had from-us-with-love.com as the command and control server.

One of the email addresses (www-data@nighthunter.ath.cx) that was used to propagate the malware associated with enigmazones.eu also delivered the emails containing malware hosted on dhsorg.org, which was registered by the infamous hilarykneber@yahoo.com and used in attacks in May. The domain dhsorg.org was hosted on 222.122.60.186 along with greylogic.org which was used as a command and control server.
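The pivoting described in the two paragraphs above can be written down as a small graph search over shared indicators. This is an added example, not part of the original post: the domains, addresses and IP are the ones given in the text, while the relation labels and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Links transcribed from the post as (indicator, relation, indicator).
# The relation labels are this example's own wording.
LINKS = [
    ("dhsorg.org", "hosted on", "222.122.60.186"),
    ("greylogic.org", "hosted on", "222.122.60.186"),
    ("dhsorg.org", "registered by", "hilarykneber@yahoo.com"),
    ("greylogic.org", "registered by", "hilarykneber@yahoo.com"),
    ("from-us-with-love.com", "registered by", "admin@from-us-with-love.info"),
    ("from-us-with-love.info", "registered by", "admin@from-us-with-love.info"),
    ("from-us-with-love.info", "config lists", "enigmazones.eu"),
    ("from-us-with-love.info", "config lists", "askkairatik.net"),
    ("enigmazones.eu", "malware mailed by", "www-data@nighthunter.ath.cx"),
    ("dhsorg.org", "malware mailed by", "www-data@nighthunter.ath.cx"),
]

def build_graph(links):
    """Undirected adjacency list: indicator -> [(neighbour, relation), ...]."""
    graph = defaultdict(list)
    for left, relation, right in links:
        graph[left].append((right, relation))
        graph[right].append((left, relation))
    return graph

def evidence_path(graph, start, goal):
    """Breadth-first search for the shortest chain of links, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while parents[node] is not None:
                previous, relation = parents[node]
                chain.append((previous, relation, node))
                node = previous
            return chain[::-1]
        for neighbour, relation in graph.get(node, []):
            if neighbour not in parents:
                parents[neighbour] = (node, relation)
                queue.append(neighbour)
    return None

if __name__ == "__main__":
    graph = build_graph(LINKS)
    # Walk from the Round 4 C2 domain to the Round 3 malware host.
    for left, relation, right in evidence_path(graph, "from-us-with-love.com", "dhsorg.org"):
        print(f"{left} --[{relation}]-- {right}")
```

Each hop in the printed chain is one shared indicator, so the output shows exactly which pieces of evidence the link between the two rounds rests on.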

The boundaries between online crime and espionage appear to be blurring, making issues of attribution increasingly complex. Are online criminals simply targeting those interested in intelligence issues as well as members of the government and military for fraud? Have they determined that they can exploit such persons for fraud in addition to selling any sensitive data acquired to those who would be in the market for such information? Or is the campaign more specifically oriented toward espionage, using ZeuS and the malware ecosystem as convenient cover? While these questions are unlikely ever to be definitively answered, we can begin to assess qualitative changes in attacks by tracking them over time and carefully linking together seemingly disparate pieces of data. This post was made possible by a wide variety of sources that each posted components of these attacks. While there is a need to protect certain sources as well as operational security so that the “bad guys” are not tipped off and continued research into their malicious activities remains possible, information sharing remains a key component of malware research.
