CyberWire Daily - PoetRAT: a complete lack of operational security. [Research Saturday]

Episode Date: November 7, 2020

Cisco Talos discovered PoetRAT earlier this year. Since then, they have observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence that this actor continues to use spear-phishing attacks to lure a user into downloading a malicious document from temporary hosting providers. They currently believe the malware arrives via malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sights on a particular victim. As geopolitical tensions grow between Azerbaijan and neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbaijani government departments. Joining us on this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams. The research can be found here: PoetRAT: Malware targeting public and private sector in Azerbaijan evolves

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We have a data set that's probably unmatched in the industry, and so we look through it constantly trying to find new samples doing strange and interesting things. And while doing that one day, we stumbled across PoetRAT. That's Craig Williams. He's the head of Talos Outreach at
Starting point is 00:02:06 Cisco. The research we're discussing today is titled PoetRAT, Malware Targeting Public and Private Sector in Azerbaijan Evolves. So the reason it stood out to us initially
Starting point is 00:03:44 was that it doesn't really share that many similarities with known samples. We believe it's a new APT group, one that we haven't seen before, or perhaps a new actor. It depends on how you want to define APT, right? But we believe this actor, we hadn't seen them before, that they came into the space, that they had the initial version of PoetRAT that we talked about in April, and then have kind of evolved it since then along the lines of what you'd see with other nation states, right? Moving towards more evasive protocols, a little bit more careful OPSEC, and just doing what you would expect as
Starting point is 00:04:23 someone with an initial swing into the APT world and then over the next period of months would do. So honing their craft, if you will. Unfortunately so, yes. Yeah. Well, I mean, let's go back to the original version. What was going on under the hood there that caught your eye? So the reason this one stood out was the complete lack of operational security. Okay. So that can tell you a couple things about the actor, right?
Starting point is 00:04:53 The most obvious of which is often the actor is not concerned about being caught. Now, that can mean a couple of different things, right? For crimeware, it can tell you, well, perhaps they're from a region where they're not worried about it. Maybe in certain countries, cybercrime is not something that's heavily punished or even something that's against the law. And when it comes to more espionage malware, when you see malware going after government targets
Starting point is 00:05:19 or people associated with government targets and they are not practicing operational security, generally gives you an idea that they're probably from a less mature organization, that they don't really care if you detect it, and that they're probably being a little bit more, let's call it liberal with the malware, than you would see with other more mature APT groups.
Starting point is 00:05:45 Huh. Is this an indicator that this could be, for example, the folks who are in power? Like, you know, what are you going to do if you find out that it's me? You know, it certainly could be. And I think that's probably the other more interesting thing about this, right? When we look at common geopolitical interactions these days, and when we see tensions rise in a region, we are seeing more and more often a rise in cyber activity against those countries involved, right? And so I think that that's something that needs to be expected now,
Starting point is 00:06:22 that it's something that we will continue to see. And I would say it's something that if we're not seeing it, then someone found something clever because it's there. And so I think this is really an extension of geopolitical tension right now. If two countries are threatening each other or there's tensions in a region, you can expect all countries with interest in those regions
Starting point is 00:06:44 to be trying to gain intelligence on one another and try and collect different types of intelligence just for standard purposes. And this is what we're seeing here. So I think it's something that's really interesting. And I think it's something that we're going to see as part of the political and geopolitical processes now. Well, let's dig into some of the specifics here together. In this round of Poet Rat, what's going on? Well, so this time they changed a little bit of it up, right? In the first one, one of the reasons it stood out was that they were doing a lot of the
Starting point is 00:07:18 phoning home, well, all of the phoning home over FTP, which, you know, it works. It's like a classic car, right? You can count on it. Not a lot of computer involved. And so FTP, while it is one of the more stable, easy to use protocols, it does kind of stand out a little bit now. I don't know the last time you FTP'd a file on a network.
Starting point is 00:07:41 I don't either. Yeah, it's been years. So obviously that was on their list of things to change. The other problem with FTP is that not only does it stand out, but all the data is passed in the clear. And if there's anything in that data that you don't want someone in between to see, or maybe there's something in there that could be detected, it's a little bit more risky.
Starting point is 00:08:04 And so in this version they moved over to HTTP, which is a nice evolution. They are growing. They are taking steps. It's using similar victimology. If you look at the blog post we have, we found them targeting diplomatic passports for people in that region.
Starting point is 00:08:25 When we wrote the intro to the blog, I was discussing with Paul and Warren, at some point, where does cyber espionage end and just regular espionage over the internet begin? Do you know what I mean? People overload the term cyber espionage to be any espionage over the internet. But really, to me, cyber espionage is becoming more and more of a term to say intellectual property theft, right? One country to another or one commercial entity to another. And what we're seeing here with the theft of diplomatic credentials
Starting point is 00:09:07 and things along those lines, it's really more of just the pure espionage angle. Yeah, shifting, I suppose, with the shift of where these things are handled, that more and more of these documents, as a regular course of business, are being handled electronically and online. That's just where this stuff is. Right, and if you look at the way that they're crafting the Word documents that they use as the vector for this,
Starting point is 00:09:36 they're impersonating official government documentations for the local government. And we see that a lot. We saw that with campaigns in North Korea, a couple in Russia. So it's a common technique, but it is a way that they can target a specific country because if they want intelligence on officials in those regions, they're going to use the right letterhead, they're going to use the right context. And so that can give you a much more involved picture of who they're targeting, which then can
Starting point is 00:10:08 give you some insight into why they're targeting those people. And in this particular case, of course, once we found the intel that was attempting to be collected, it was very obvious. And to be clear here, who are they targeting? Well, I think we call it VIP folks, right? Folks with diplomatic passports. And this is in Azerbaijan. Yes. Thank you for saying it. I see.
Starting point is 00:10:35 I was wondering why you were putting it off there, Craig. But I have your back, my friend. I could stumble through it for everyone. No, I think you would not be alone in that. You know, there's a couple of things that caught my eye here when I was reading through your research that maybe you could clarify for me. You point out that looking at some of the code here, there's a macro that they're using in a Word document, and it contains literature references. In this case, text from the novel The Brothers Karamazov.
Starting point is 00:11:11 Is this just style points, or is there some sort of obfuscation tactic here? A little bit of both. I think it's more style points. Okay. So, it will allow them to change the file checksums for very, very simplistic malware detection by including or modifying quotes. But I think it's more of a calling card, right? And we see this relatively commonly. If you read the section below that, it gets even funnier.
Starting point is 00:11:43 Yeah, go on. While we were doing our investigation, we found the script basically trying to pull down additional payloads and basically enhance the malware with plugin-type activity. A lot of times when you have malware, it'll be a loader for different stages down the path. Well, instead of the next stage,
Starting point is 00:12:04 we got a file named after an expletive filled with thousands and thousands of lines of additional expletives. So I think they were on to us at that point. I see. Interesting. Interesting. Now, there were some other changes that they made here along the way. What are some of the adjustments
Starting point is 00:12:23 that you all are tracking? Well, so the major one was the shift towards a little bit more covert of a phone home system, right? They moved from Python to Lua, which is a little bit more rare. And they also, you know, they shifted the TTPs. You know, it's, like I said at the beginning, it's basic advances and techniques that will make them slightly harder to detect. Now there is still the very real fact that they're using a Microsoft Word document with a macro embedded in it, which unfortunately is still remarkably successful. This has been around for decades.
Starting point is 00:13:04 It's something everyone should know and everyone should have, you know, mitigation strategies in place for. But unfortunately, what we can see here is at least this actor believes that his potential targets do not have those strategies in place. And they're taking advantage of, I suppose, social engineering techniques, you know, using some of the political unrest that's going on in Azerbaijan as the hook to the people they're targeting. Absolutely. And if you look at the pictures of the word document that we included, they even have the official seals in the corners of it. And again, this is something that we've seen other actors do, right? So we've looked at some that were impersonating South Korean government officials, and they even went a step further than this, and they would take the localized information classification headers and embed those into the document. So actors are really good at this.
Starting point is 00:13:55 These types of techniques are very publicly known. Now, there is a lot of next-level stuff that you can do, and creativity is the limit. We're seeing a little bit of that, but not a lot. I think, again, this is one of those situations where it's very likely that these attackers will continue to evolve and will continue to improve their tradecraft as they need to, but it's very possible that right now they're not meeting enough resistance to need to improve that tradecraft. So if your current techniques work, there's not going to be a need to evolve.
Starting point is 00:14:30 Is this a case where you and your team are kind of witnessing a nation or a threat actor, you know, spin up their capabilities in real time, or you're sort of watching them grow up? I think that's very possible. How often does something like that happen? I guess what I'm getting at is, is this sort of thing taking a natural spread around the world as, as you mentioned earlier, this sort of thing becomes more routine as more of the information is online? Is this just part of every nation's toolkit? Let me answer that question in parts. I think right now cyber capabilities are part of most established nations' toolkit.
Starting point is 00:15:16 I think where you see things like this, where you can literally watch an actor figure out what works better and what doesn't, are either due to one of two things. One, like you said, it could be a country exploring new capabilities for the first time, or two, it could be a new operator hired by a government who, I don't want to say they fudged the resume a little bit, but perhaps. Right, right. Yeah. My cousin Bob is good with computers. Right. Let's hire him. Now, you know, in this actor's defense, I hate that I have to defend him. Right, yeah.
Starting point is 00:15:54 But the reality is it doesn't need to be complex, right? These techniques, even though most of them are well-known and have been seen before, are working, right? And so that's the thing, right? You're only going to see malware as advanced as it needs to be. And this is kind of why it's hilarious when so many people are worried about zero day and you see people tweeting about it and concerned about it. And meanwhile, they're six months behind on patching.
Starting point is 00:16:16 So you've got to realize that this is the type of thing, Word macros, that are probably the largest threat to most organizations. Simplistic, well-known, functional attacks that, you know, yeah, they target the system a little bit, but mostly they target the people. Right? And I would guess that probably right behind this is an email saying, hey, click on this. Right. Yeah.
Starting point is 00:16:41 Yeah. So what are your recommendations here in terms of best practices to defend against this sort of thing? As old school as it is, can you take us through some of your recommendations? Absolutely. So the right way to defend against Word macros is, number one, keep your software up to date. Modern versions of Office don't allow this by default. That's step one. Step two is to have a layered defense.
Starting point is 00:17:08 There are multiple opportunities to detect something like this. The first one is at the network perimeter. Your network security devices should be looking for things like Word documents with macros embedded in them from outside sites, and they should probably convict them. And they should especially convict them if they match a known malware sample. Next is obviously, let's say it gets to your endpoint.
Starting point is 00:17:30 Somebody checks email at home, maybe it comes through the network because you don't have network security devices. So you've got to have something on that endpoint besides the person to help them make smart decisions. And that's where you can get into malware protection products, antivirus, that type of thing. And even after that, there are a couple of things you can do. And so after that, I would say DNS security is an
Starting point is 00:17:55 easy one. Have all of your office's computers look up to a DNS server that provides security so that if the malware author is trying to have you connect to a command and control server that doesn't have a known good reputation, there's a good chance you won't allow that lookup to continue and will block it. And all those things can give you slightly more chances and overlapping chances to block this type of activity.
Starting point is 00:18:21 Yeah, and of course, your blog post here on PoetRAT includes some indicators of compromise. So folks can look up those and see where we stand there. But are you expecting further evolution here? I think there's a good chance. As long as there's going to be increased tension in that region, and as long as those countries seem to be investing in cyber capabilities, we're going to continue to see it. So I expect in another couple of months, we're probably going to see some more evolution. And we may even see more groups, more samples pop up.
Starting point is 00:18:59 So we'll have to keep our eyes on it. Our thanks to Craig Williams from Cisco Talos for joining us. The research is titled PoetRAT, Malware Targeting Public and Private Sector in Azerbaijan Evolves. We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland
Starting point is 00:20:05 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Starting point is 00:20:19 Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
