Darknet Diaries - 89: Cybereason - Molerats in the Cloud
Episode Date: April 6, 2021

The threat research team at Cybereason uncovered an interesting piece of malware. Studied it and tracked it. Which led them to believe they were dealing with a threat actor known as Molerats....

Sponsors
This episode is sponsored by Cybereason. Cybereason reverses the attacker's advantage and puts the power back in your hands. Their future-ready attack platform gives defenders the wisdom to uncover, understand, and piece together multiple threats. And the precision focus to end cyberattacks instantly, on computers, mobile devices, servers, and the cloud. They do all this through a variety of tools they've developed such as antivirus software, endpoint monitoring, and mobile threat detection tools. They can give you the power to do it yourself, or they can do all the monitoring and respond to threats in your environment for you. Or you can call them after an incident to get help cleaning up. If you want to monitor your network for threats, check out what Cybereason can do for you. Cybereason. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

Sources
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://malpedia.caad.fkie.fraunhofer.de/actor/molerats
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
Transcript
Hey there! Did I surprise you? I release episodes of this show every other week. That's two episodes a month, right?
So why do we have an episode here, in the off week?
Well, there's this company called Cybereason, who are big fans of this show, and they wanted to bring you an extra episode.
So a deal was made, which means this entire episode is brought to you by Cybereason.
I've never done anything like this before, and so I want to be clear.
This episode is only here because Cybereason sponsored it.
But I'm excited because it's a fantastic story
that links back to one of my most popular episodes.
You're going to hear from their CEO,
who has quite the backstory.
And later in the episode,
we're going to hear a story from their threat research team,
who investigates and uncovers malicious activity.
And they'll tell us about a time when they found a threat actor lurking in someone's emails.
They spent months tracking that threat actor, which they called Molerats in the Cloud.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries. This episode is brought to you by DeleteMe.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of DeleteMe.
DeleteMe is a subscription service that finds and removes personal information from hundreds
of data brokers' websites and continuously works to keep it off. Data brokers hate them because
DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting
things. It was great to have someone on my team when it comes to my privacy. Take control of your
data and keep your private life private by signing up for DeleteMe. Now at a special discount for
Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like
penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's blackhillsinfosec.com.
Blackhillsinfosec.com.
Okay, so let's get started.
Can you just tell us your name and who are you?
Hi, I'm Lior Div, CEO and co-founder of Cybereason.
Yeah, I got the CEO of Cybereason on for this. I'm not messing around here, going right to the top.
But the reason why I wanted to talk with Lior is not so much to hear about his company, but I'm fascinated with what he did before that.
Basically, my story starts at the age of 16.
I, you know, for years I really wanted to be a combat pilot.
And so here's the thing.
Lior grew up in Israel and it's mandatory for everyone in Israel to serve in the military.
So he knew he was going in and was hoping he would be picked to fly jets.
So basically there is a very rigorous kind of list of tests that you need to go through.
So at the beginning, we were, I think, probably 1,000 people doing the first test.
I did not know back then kind of the test is for which unit or for what occupation specifically.
After that, they cut it by half and it was 500 people.
Then from the 500, they cut it again to 100 people.
From the 100 people, they choose 20 people.
And out of the 20, they choose kind of four.
He did not get assigned to become a combat pilot, though.
Lior was assigned to work in Unit 8200.
So at the beginning, I was very disappointed
because, you know, I had a very clear vision of what I want to do.
Hindsight 20/20, I'm super happy that I was chosen to go to the 8200 unit
and not to do other things.
I think that, in a sense, they knew better than I did what I'm better at
and directed me in this direction.
I think that after all the tests that they did, they know you very well.
I'm joking sometimes when I'm saying probably they know you better than you know yourself.
So no matter what you're assigned to do in the Israeli military, you must first do basic training. You have to wear the
military gear, do your push-ups and running and learn how to use a weapon and that sort of thing.
But once all that's done, he reported for duty with Unit 8200, which is sort of like Israel's
version of the NSA.
Back then, you know, I did not know that we're talking about the 8200 unit.
It was super classified.
This is before the days that you could read all about this unit on Wikipedia.
I think that only a month after I joined the army, I realized that we're talking about
this unit and kind of starting to understand what the unit is
all about. This unit is basically focusing on the field of signals intelligence.
So he joined Unit 8200 back in the late 90s. And yeah, it was a very secret organization back then. Not only did the
world not know about it, but even people who worked in 8200 could not even tell their family
what unit they were working in.
And as a kid, Lior was fascinated with wireless technology and especially how cell phones worked.
And for me, it was fascinating because it's like all those things that I was fascinated as a kid to really understand how things work and try to manipulate them.
Suddenly, there is kind of a full unit that's focusing on this field and very smart
people and very creative.
But the story is not ending there.
It's just starting there.
The unit have a very unique way to take people right out of high school and basically teach
them all the things that they need to do in order to be an
expert in something. And at the beginning, you're not an expert, but you gain your knowledge. So
in my case, it basically was six months of very, very rigorous training that every week we were
learning something different. And in the end of this week, you need to have a test.
If you pass the test, you can go home.
If not, you stay and you need to pass the test.
There is no option not to pass it.
You end up having a very, very large understanding and knowledge
when it comes to technology.
Everything from, you know, how cellular network works, how the internet works, you know, how
computer works and what do you need to know in order to write the Python script, write
code and so on and so forth.
He can't go into specifics about what he did there.
But what's public knowledge about Unit 8200 is that they're the signals intelligence branch of the Israeli military.
So they're code makers and code breakers.
And in the modern era, they're using computers and technology to collect intelligence, which sometimes means hacking into the adversary.
Lior was part of an advanced persistent threat or nation state actor.
And from the inside, he was learning a lot about how cyber attacks work.
He spent six years in Unit 8200.
The requirement is only to stay like a year or two,
but Lior was really into it, so he stayed longer.
He was promoted to officer and even captain before leaving.
The 8200, that was kind of the beginning of my career.
So after six years in the army, I went to the university.
And over there, it's kind of in the reverse order.
You're getting your knowledge or the theoretical knowledge that you need,
but probably you already know the majority of it because of your hands-on experience.
From there, he got a job at a tech startup, which got bought out by a larger company.
And then basically I established my own company.
This company eventually was a company that focused in the field of hacking,
cracking, reverse engineering, you name it.
And eventually this company was providing services to different government agencies.
This company would provide services for intelligence agencies in Israel.
And so Lior got to work with some pretty secret and classified missions there,
learning advanced ways to hack, crack, reverse engineer, and more,
and providing these services to intelligence agencies.
So the work that we used to do is, sometimes I'm joking about it, is take
things that by definition that they're impossible and make them possible. Usually what's happening,
you have a mission that you need to get information or you need to manipulate information
or you need to gain access to a specific type of knowledge.
And in order to get it, first you have to understand
where these knowledges exist.
But then once you understand that thing,
you have to plan and execute an operation,
basically soup to nuts.
For example, you will have a team that focuses on deception, meaning that if you
want to go into an asset and collect information, you know that they are going to protect
themselves very well.
Okay, I find this interesting. Here's how hackers use deception as part of their
methods. Say Lior's team had a mission to get into someone's computer. But if he just launches an
attack from his office, that can easily be traced back to him. So he doesn't want to do that. The target can't know
who he is. So he has to be tricky. And one way to be deceptive is to get his team to distract
the target.
Let's say that they're doing a massive DDoS attack on them. They will think
that this is what's happening. But on the back end of this DDoS attack, actually there is the real hacking going on.
And somebody has managed to install, let's say, a piece of software on one of their machines and have the initial access.
Ah, that's an interesting way to do it.
When you're breaking into an adversary's computer, you want to be as quiet and sneaky as possible, right?
Well, Lior here decided to do the opposite. He wanted to ring alarms, but he wanted to ring so many alarms that when he did
break into the computer, he would just be able to hide in the noise, which is one way to get in
undetected.
But usually most of the stories are stopping when we're talking about the initial
access. But in reality, the penetration,
the first act of going in and had a foothold in an environment,
this is just the beginning of an operation.
That's not the end.
Usually from that point,
there is a very lengthy process that you have to do
in order to first understand where did you land,
what asset do you have,
and then to the ability to move from
one machine to another machine in order to keep mapping the environment. And the most important piece
is to really locate the data that you need and start to collect it. Even once you find the data
and you manage to collect it, the operation is not ended because then you have to exfiltrate the data outside of organization.
And that by itself can be a separate operation to do.
Because just to get the data, this is one thing, but the ability to take it out, it's another thing.
But this is another kind of false notion that people think that operation is starting and ending
and then hackers go out
and that's it. But in reality, when you talk about government against government,
once you manage to go in, you want to stay in. You don't want to go out and you want to have
the ability to keep collecting information and you want the ability to keep doing it.
And even if somebody finds you
and you need to clear the environment and go out,
you want to make sure that you have a backdoor
to go in every time again and again.
According to Lior's bio,
it says he's an expert in hacking operations,
forensics, reverse engineering, malware analysis,
cryptography, and evasion.
Yeah, evasion.
That's the practice of not being caught or stopped.
Like evading antivirus detections and hiding your tracks
and being unseen in the network.
But yeah, looking back at the experience he got from being in Unit 8200
and then formal studies of computer science at a university
and then working with intelligence agencies to conduct secret missions,
yeah, I'd say Lior is an expert hacker.
As part of my time in those different, you know, units, I received the Medal of Honor
for kind of one of, it was a very strategic operation that we needed to plan and execute.
Needless to say that we cannot go to the details of it.
Maybe one day we will be. But for me, it was
fascinating to understand that with enough
creativity and ingenuity,
you can manipulate almost any network that exists out there
and almost kind of bend physics to your benefits.
And for me, to be part of this type of capabilities,
it's kind of proving to yourself,
but it's not just about me,
it's about the team that we were working together,
that if you really want to achieve something
and you have the time and
resources and creativity, you can almost bend physics to your benefit. And I think that in
that situation, we managed to do that. I was super proud of the team and the execution of
the mission back then.
Now, what's interesting is Lior was helping the Israeli intelligence units
when Stuxnet was going on.
If you're not familiar with Stuxnet, check out episode 29.
But this was an attack on an Iranian nuclear enrichment facility in order to thwart their enrichment process.
And this virus literally made its way into the centrifuges to degrade them.
Which is just phenomenal because nothing in the enrichment facility was connected to the internet.
So how could hackers get all the way into the centrifuges
and then have this malware run all by itself without any remote control?
That's just incredible.
Now, of course, Stuxnet is classified super tight,
but the circumstantial evidence shows that the US and Israel were behind this attack.
So I just wonder if Lior had anything to do with that.
But of course, I can't ask him.
But he does think that Stuxnet changed the world.
I think that Stuxnet was the first time that people got a real demonstration of how you can leverage software and code in order to achieve military or government goals. That was the first time that people managed to see
kind of in a large scale,
the ability to leverage it
in order to create a link between the cyber world
into the physical world
and actually to achieve results in the physical world
while you're leveraging software.
Till that point, it was like no real big demonstration
of this capability.
It was a lot of theoretical one.
We're talking about an isolated network,
air-gapped, that has no connection to the internet.
Then it's become almost like a magic.
The fascinating thing was that this virus or worm was not manually operated,
meaning it was dormant. And once it's understood that it's on the target machine, it started to
run automatically and do whatever it's need to do. Zero communication to the outside world.
So the combination of all those things together kind of created, I believe, sparked the imagination of people.
And for me and my two co-founders, we just knew that from that moment, people will understand that there is a different type of problem out there.
That we're not talking about IT security anymore, that when there are attackers
that are really determined to go after a target, they will be able to do that.
And we knew from our kind of personal background that this is a reality and it's not a mystery.
So for us, we decided that this is time to basically do something because we knew that till that moment,
the adversary has an advantage. And we said to ourselves, we have to reverse the adversary
advantage. We have to give back the power to the defenders in order to do something.
And in order to do that, we said, look, we're going to take all the massive amount of years that we have
and really understand how hackers work, like really, you know, by viewing it from the first
row seat and take all the knowledge that we have and to be able to create something new, a new
mindset.
And what he determined is defenders don't have enough indicators to detect attacks.
I mean, if Lior was able to bypass antivirus, evade intrusion detection tools,
and then plant himself in a system for a long period of time without being detected,
then yeah, he knows defenders are unable to detect him.
And what's more, he knows exactly where to look to be detected.
So while traditionally defending teams look for indicators of compromise,
which could be a known bad IP address or malicious packets or malware present,
Lior and his team started looking for malicious indicators of behavior,
which are signs that a malicious actor is conducting their operation.
So basically we invented a new method and the method is operation centric.
We call it the Malop, the malicious operation approach.
The Malop approach basically assumes that hackers
have many steps to do in an environment.
This is not just the act of penetrating into the environment.
And we're going to meet the hackers whenever they are.
So every step that they're going to do,
we're going to anticipate the step
and we're going to be there and collect information before they're doing anything.
So in a sense, think about it that you just put a camera in every room, every door, and you record everything.
And you know that if you're starting to see a behavior that is bad, you can say, hey, right now there is a malicious operation going on here.
So it's not about the malware.
It's about the Malop that you want to find.
It's not about the gun.
It's about the people that's using the gun.
I like this.
This sounds like user behavior analytics to me.
And this is where you watch to see what users typically do
and then alert when they do something
that's out of their typical activity.
Like if Charles from accounting
typically accesses the same six systems
every day to do his work and then suddenly starts trying to connect to some other people's computers that he's never connected to before ever.
This behavior is abnormal and worth looking into.
And then analyze the data as the data is coming through the system and to make quick decisions that can rely on a lot of data that we collected from the past.
But this technology does not exist.
So basically, between 2012 and mid-2015, we invested heavily in building a new technology.
This is an in-memory graph processing technology.
This is kind of the secret sauce behind Cybereason.
Many people think that we are just an endpoint company,
but in reality, if you look behind the curtain,
we're a big data analytic company
that can really analyze massive amounts of data in real time
and to find malicious operation in organization
and not just the malware.
And so Cybereason was born.
Lior and his co-founders developed this method
for collection and analysis.
In order for this to work effectively,
he needs to install a little tool on every computer
in a company to collect data and send it to Cybereason.
This is called endpoint detection.
Actually, I think they call it endpoint protection
because the tool doesn't just detect,
but also stops attacks.
And they got this thing up and running.
Cybereason was officially ready
and they started telling people about their solution.
It was a big cellular network that approached us
and said, look, we think that we are under attack.
We're not sure.
We see artifacts.
We have every technology that exists out there,
but we cannot point the finger of what's really going on.
Okay, their first customer.
They're seeing some weird activity
and they think a hacker was in the network,
but they couldn't find him.
So it was go time for Cybereason.
This was the first real test.
Time to get in the network,
install this software on every computer in the whole company
and see if this method of detection actually works.
But this was a big company.
It took us a few days to deploy 50,000 sensors
on every, basically, machine that they have,
on-premise, in the cloud, you know, everything that they own.
The system's starting to run,
and for us that was kind of the first demonstration to see it's live.
They got everything installed and were collecting tons of data from this company and analyzing it.
But all was quiet.
The first days after we installed the system, we did not see anything. And we asked them,
did you guys install it on every machine that you have?
And it took them a while to admit that they did not install it everywhere.
Ah, right. I get a kick out of this because some companies only focus their security on certain systems in the network.
This reminds me of a personal story.
For a while, I was a security engineer and I was collecting logs and analyzing them for malicious activity.
And I found this one system was showing signs of infection,
and I reported it to the IT team.
And you know what they said?
That's impossible, because that IP doesn't exist on our network.
And so I traced the packets all the way back to where the system was,
and I showed them where it was, and they still didn't believe me.
They didn't take any action on fixing this infected system,
because they were sure there was no such computer in their network with that IP.
But after a few weeks of insisting that it does exist, they finally took a look and found it.
It was a computer that was not authorized to be plugged into the network, and it wasn't using the
IP scheme the company uses. And that's a big problem that some companies face. They have no
idea what computers are even in their network. So anyway, Lior was able to
convince this company they needed to install the endpoint software on all the computers.
Once they decided to deploy it everywhere, immediately we're starting to see those
artifacts of hacking operation or malicious operation going on. For us, it was massive
excitement because that was the first time that we saw
a large-scale attack on a massive network. Think about it. It's 50,000 endpoints connected.
It's a cellular network, so it's very big. We were ecstatic because we knew that this is not
just a proof that the system works. This is a proof that the method of finding malicious operation
is better than just to try to find this tool or that tool.
Because they saw the tools that the hackers used,
but they could not tailor it to a story
in order to be able to say,
hey, this is the story of what's going on right now.
So in a sense, the malicious operation for us
is the ability to tell a story of what hackers are doing inside your environment.
And the most important thing is to prevent them of doing it.
Were you on that call when you called to tell them,
okay, we found a hacker in your network?
Yeah, it's...
Well, how'd that go?
The call with them, it was a very interesting call
because we basically told them,
look, we know that there is adversarial activity right now.
By then, we managed to prove that this is a group from China that's doing it.
It reached to the point that we knew who is the person that writes the code.
The people that wrote the code, they made a major mistake.
And in one of the files that they compiled, they leave the debugs, basically comments.
And we managed to reverse engineer and see all their comments. And that enabled us to tie it
back to a company in China, and later on that enabled us to tie it back to a
specific individual that was the owner of it. And then we managed to prove that it was the Chinese
government behind this attack. For us, it was fascinating. On the call, we kind of came,
you know, with the full presentation of, hey, this is the group that attacking you. This is
what they are doing. This is how they are doing it. And they kind of, at the beginning, did not really believe this.
I think that the turning point in the conversation was when Jonathan, my co-founder, said to them,
look, we know that they stole the key to the castle. Basically, they have the password, the admin password for every system that you have.
And they started to laugh and they said, look, we replaced the admin password two days ago.
It can't be.
And basically, he gave them the password.
And then I think that it was like almost three minutes of quiet in the call. And then they realized that it's not just that we managed to find this group of hackers.
We really managed to identify every step of the thing that they did
all the way to, you know, to understand which password they're using.
And this is kind of the hackers use.
And they, in that point of time, they just understood that they are owned.
This was a success. Their first customer. And not only did they find this adversary,
but they were also able to figure out who, why, and what data was touched in the network.
Cybereason had spent three years getting to this point. And now they knew their product worked
and started building all kinds of extra tools and services on top of that.
Like not only do they have a tool to detect what malicious activity is happening in the network,
but they also have a full response team to go in and fix those issues too. And then on top of that,
they have a threat intelligence team to do research on emerging threats.
We not only know what's going on out there, meaning what's going on with each and every one
of the attack groups. What we're trying to do in a very aggressive way is to find how they're hacking, to find
their tactics and techniques, and to expose them to the world.
Because once you do something like this, you basically throw the attackers back, sometimes
half a year, sometimes a year, depends what you manage to find. So don't be surprised
that it's like every once in a while, Cybereason is releasing kind of a
major research that basically
killed the ability of this group to operate now for another year.
We're a big believer that that makes our customers
base safer,
but it makes the world a safer world.
So this is kind of part of the mission of Cybereason,
is to reverse the adversary advantage.
We'll take a quick break here, but stay with us,
because after the break, we'll hear a story from their threat research team and how they discovered a new piece of malware that's really interesting.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks
making the news daily,
taking action on your company's exposure
is more important than ever.
I recently visited spycloud.com
to check my darknet exposure
and was surprised by just how much
stolen identity data criminals have at their disposal.
From credentials to cookies to PII, knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a
mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection, you're never in the dark about
your company's exposure from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Now it's always fascinating to me when a security company exposes a certain threat actor in the
world because it's always a good story. There's some shady activity group going on, a security
company finds it, researches it, figures out what happens, and then lets the world know about it.
Cybereason has so many of these stories where they faced off against adversaries.
And so I asked Asaf to come on to tell us one of these stories.
So my name is Asaf Dahan. I am heading the Nocturnus Threat Research Team at Cybereason.
So there's this team inside Cybereason, which is called Nocturnus. And the Nocturnus team are
security researchers who hunt through the massive data they've collected to try to find new threats nobody's ever seen before. So for instance,
suppose some computer is demonstrating indicators of malicious behavior, but an antivirus scan can't
find any vulnerabilities. So they narrow down what app or process of that system is doing bad stuff,
and that might lead them to discover an unknown piece of malware. Malware that was just created by an adversary recently that has never been seen before in the security community.
And this is what the Nocturnus team lives for.
Now they'll reverse engineer that and dissect every part of the malware to try to figure out everything about it.
Who made it? Where did it come from? What does it do?
So this is where Asaf enters the scene and begins to investigate.
And just, I'm curious, how many languages do you speak?
It's a, um, okay, uh, I speak 10 languages, not all on the same level or the same level of fluency,
but yeah, I speak 10 languages.
10! And how does that fit into doing threat research?
Actually, it fits in quite well. I think one of the most important things to keep
in mind when working in the field of threat intelligence or threat research is that beyond
the technical aspect of like how a certain malware works or uncovering an infrastructure, you have
to tie it to a global context or a geopolitical context, for instance, in that matter, or other
research papers that we published. So the ability to have firsthand, almost unmediated
linguistic capabilities is quite helpful. In our team, I think if we combine all the languages,
so we speak like 15 languages, I'm accounting for 10 of those.
So it helps.
Yeah, it really helps, especially if you go on the darknet,
there are different hacking forums.
There's some slang that is unique for hackers
or just like reading documents,
whether it's phishing lure content and others.
So it really gives you some understanding
or better grasp of what is actually going on
beyond the technical aspects of how, you know,
the bits and bytes of how a certain malware works.
So Asaf has been with Cybereason for five years now.
And back in early 2020 is when he saw something interesting,
a loose thread worth tugging at.
Back then, we started noticing some interesting looking phishing lures
that were quite politically charged, targeting Middle Eastern entities.
Let's call it that way.
And they were very much focused on targeting Arabic speakers.
The phishing emails were written in Arabic.
And they were from a group called the Popular Front for the Liberation of Palestine.
Now, I don't understand Middle Eastern culture or politics all that much.
But from Wikipedia, it looks like this is a group that's fighting to take Palestine back. So this group sent out phishing emails with malicious software
attached. Or did they? Upon closer analysis, it looks like the emails didn't actually come from
that group, but it was made to look like it was coming from them in order to get their targets
to read the emails and open the
attachment. We believe, it's our assessment, that they targeted political figures within the
Palestinian Authority that are associated with Fatah, with the Fatah movement, as well as other
political entities in the Middle East. So that was back in February 2020. And that's when we
discovered the Spark backdoor. Hold on, I'm reading more on Wikipedia here. And I'm finding
this fascinating. Palestine is a sovereign state that controls the Gaza Strip and West Bank,
which both border Israel. And yes, there are many land disputes between Israel and Palestine.
But there's also internal disputes just within Palestine itself. I mean, look at what
happened in 2007 at the Battle of Gaza. At the time, the Gaza Strip was controlled by Fatah. But
Hamas, another faction within Palestine, waged a military-style attack against Palestine itself
in an attempt to take over the state. So you had Fatah and Hamas fighting to the death over who would be in control of the Gaza Strip.
It was bloody and Hamas took over.
So you see the geopolitical aspect of all this is complicated.
But Asaf grew up in Israel with multicultural parents and speaks 10 languages.
So he understands this pretty well.
So again, he said, they targeted political figures within the Palestinian Authority that are associated with the Fatah movement,
as well as other political entities in the Middle East.
And the emails say things like,
For instance, it shows details, crown prince held secret meeting with Israeli prime minister,
or details of the crown prince meeting with the
U.S. secretary of state. So just from looking at the contents of these emails alone, we can already
see that having a strong geopolitical understanding has a role in doing this threat research.
But anyway, they examine these emails and the emails have an attachment, which is an executable file, but the file name
ends in .doc.exe, and it has an icon which looks like a regular Microsoft Word document.
But when you double-click on that, it actually installs the backdoor, or malware. And then it
actually opens a Word doc, a decoy document, as they say. So this wasn't really using any advanced vulnerability
to get the malware installed on the system,
but the Cybereason endpoint monitoring tools
spotted this backdoor, which they called Spark.
So it's a malware.
It's a fully-fledged application
that runs on the victim's endpoints.
Usually it could be laptops or desktops,
and it gives the attacker pretty much full access to the computer or the endpoint.
They can run different commands.
They can use it to steal information, to control in a way, if they choose to, they can also control the machine.
They can download additional payloads, secondary payloads, which we see often, and basically harvest any information.
So this is, it's actually more of a, when you think about it, it's more of a spyware, actually.
It's a tool that enables the attackers to carry out espionage attacks on their target.
Now, when they discover malware like this,
they first check to see if this has been documented before.
One popular malware repository is virustotal.com.
So you could send it there, and they'll tell you if they've ever seen it before.
But that doesn't work very well for Arabic-written malware.
So they checked other sources,
and they determined they were dealing with a brand new piece of malware.
So that happened in February 2020.
Around, let's say, October, November 2020, we started noticing new activity.
We've been monitoring them since the discovery of Spark.
They've had like different campaigns going on at the same time.
But around October, November, we also noticed new tools that were never used or seen before
being used in this specific campaign. What drew our attention was actually the geopolitical context. We started seeing different phishing lure documents pertaining to the Israeli peace process or normalization between Israel and the Saudis, the Emirates, and other content that is more related to internal Palestinian domestic affairs.
When doing threat research, you sometimes pull on a string and a whole fishing net comes up with it.
The Cybereason Nocturnus team was uncovering a whole bunch of this threat actor's infrastructure.
It wasn't just phishing emails and the Spark malware,
but now they're seeing different kinds of malware and more email addresses of interest and watching how the hackers were communicating with this malware
and so many more things to look into. Basically, we started following a trail of evidence.
So we know that operators sent a phishing PDF to their victims. That PDF contained a simple link to either a Dropbox or a Google Drive
archive file that was stored on either of those platforms. And that archive file,
whether it's a ZIP or a RAR, it doesn't matter, contained the backdoors. So one backdoor was
Spark. The other backdoor was SharpStage, which I'm going to talk about later.
And the third one was DropBook.
Okay, interesting.
Whoever these hackers were, they were not using the same malware for every target.
They had three different backdoors that they were trying to get installed on their victims' computers.
Spark, SharpStage, and DropBook.
And these would all allow hackers to take full control over their victims' computers.
And this gave them even more stuff to reverse engineer and to look for clues
and what other tools the hackers might be using and who they were.
Now, these viruses were interesting.
Let's first look at SharpStage.
Basically, once it's installed on the victim's machine, they can control the machine.
They can run arbitrary commands, fetch information.
But what's interesting about it is the exfiltration method is using a Dropbox client.
So the code itself, in the code itself, we found an implementation of a Dropbox client.
So once the hacker gets the information they needed from that
computer they're in, they need to download that data. And you want to do that secretly, so nobody
notices you're doing it. So how do you hide in the shadows of the wires? Well, they use Dropbox,
and sometimes Google Drive. Because so many people use Dropbox, it would look like normal traffic and
blend right in without detection. Pretty clever.
Another interesting thing that we saw is that the backdoor itself was targeting Arabic-speaking users.
So one of the first things that the malware does was to check whether the Arabic language was installed on the infected machine.
If it wasn't installed, the malware wouldn't work.
So it's also a clever way to avoid most sandboxes.
So if you uploaded it to VirusTotal or like other online sandboxes,
it simply wouldn't run because the default language is English,
something that I think people need to be more aware of, because sometimes files may seem benign or they may seem like they're not doing much.
But once you dive into the code, you can see, you know, the reason behind it.
So that was SharpStage.
The second backdoor that we discovered was DropBook.
And I think this is by far, I think, the most interesting one.
Okay, so this malware called DropBook was very similar.
Once it's installed, it gives the hacker remote backdoor access into that computer and it exfiltrates that data through Dropbox.
But what's interesting with this one is how the hackers were able to control it remotely.
See, every piece of malware must get instructions
on what it should do once it's installed.
Sometimes it's hard-coded in the malware itself.
But other times, malware reaches out to another system
to get those commands, asking, what should I do?
And that remote system will then tell them what to do.
And you might think these remote systems
issuing commands to backdoor viruses
are some secret and elaborate server somewhere, right?
Well, as it turned out with DropBook, it was just using Facebook to send commands to the malware.
They actually used Facebook fake accounts.
So they created fake accounts on Facebook. Facebook, literally, when you look at the account, as you can see in our blog, there are, I mean, like these accounts don't have any friends, interests, like almost like zero details.
But what they do have is like, they have posts that contain very obscure content. Some of it is, let's say, it could be like encryption keys or it could be a Dropbox API key.
But we also found like Windows commands to run, like for creating persistence and other things like that.
So that was, I think, one of the most, I guess, striking or shocking pieces that we uncovered during this investigation.
Not only were they abusing, let's say, Dropbox or Google Drive to hide in plain sight, if you will,
but a lot of bad actors do that.
But they actually implemented a C2 communication channel using Facebook fake accounts,
which I think is pretty cool.
He calls it pretty cool.
It's weird how defenders have a certain respect for the attackers
and how they work,
because there really are so many similarities between the two, you know?
Both the hackers and defenders love technology.
They're both computer geeks.
They love learning about ways to exploit systems.
The only thing that's different is their motive on what to use computers for.
And to be able to hunt for bad guys all day and to try to unravel quite interesting because as an Israeli, I mean, you can't be you can't stay indifferent, I guess, to what was going on at the same time where Israel, with the help of the U.S.,
were signing peace accords or normalizations agreements with Arab countries
like the Emirates.
There were talks with the Saudis and so on.
So, you know, you read about it in the news,
which is, you know, exciting on its own coming from my part of the world.
But once you see an actual
attack that abuses this, and you see that there are political entities, let's call it that
way, that are trying to get intelligence, you know, using those backdoors as spyware, you know, to carry out espionage campaigns about that topic, made it
super interesting. I mean, when we find something that is that exciting, we pull all-nighters,
we sometimes work weekends, not because I'm a slave driver or I make anyone, you know,
put in extra hours. It's just, it's so
exciting and we're on it. I mean, like, as I said before, I've been in this business for over 15
years now. I still, like, when I wake up in the morning, I have this, I guess, curiosity. It's
like, I think that's the main drive. It's like to solve problems, to solve mysteries. To me,
really uncovering new activity is very exciting.
So they've spent about 10 months at this point tracking this threat actor, connecting dots,
watching activity, and they have a fairly good understanding of what this group is doing,
what their motivation is, and what tools they use. So once Asaf and his team get to this stage,
they can use the research they just did to enrich the Cybereason
tools to make it so their endpoint detection tools can spot the activity much quicker and
more effectively. Of course, they consult with the customer too, to let them know that they found
this activity and this is what was going on. But the Nocturnus team doesn't just stop there.
They're a curious bunch of people. And so the question on everyone's mind is,
who would do such a thing? Who exactly is
behind this targeted hacking campaign? Now, the victims appear to be highly targeted. This is not
the result of some massive spam campaign. No, specific individuals were sent these phishing
emails to lure them into opening the attachment. One way to try to figure out who's behind an
attack is to take
everyone who could possibly have done this and put them all together on a spreadsheet or something,
like eliminate all the ones that seem unlikely. So for instance, you might get a list of the
usual suspects here. Cyber criminals, hacktivists, governments around the world, mercenaries for hire,
and other APT groups. But now what? Well, the hacks didn't seem to be financially motivated. And cyber criminals typically are in it to make money.
So you can sort of rule out that whole group.
Next, you're starting to look at who would have interest in these Arabic-speaking political figures.
Well, there's probably a bunch of nations around the world who simply don't have any interest with Palestine.
So you can probably rule them out.
So now you're left looking for who would have the motivation and the ability to hack into these people, and it narrows down the list even further. Now again, you see why it's so important to have
geopolitical awareness to sort through all this. I can't imagine the mental calculus that must go
into figuring this out. Like just asking the question, who would want to attack Palestine?
Well, a lot of people,
including people in Palestine themselves.
I mean, just in 2007,
they had a coup where Hamas used force
to take over part of Palestine.
And I'm sure that left a lot of unhappy residents there.
So this gets pretty sticky to figure out.
But there were some clues that led Cyber Reason to believe
they were dealing with a threat actor called Molerats.
So we knew that there is an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.
They mostly targeted the Middle East and North Africa region.
But we've seen them also target parliaments, for instance, in the U.S.
and Europe. But most of their agenda seems around government entities, political activists,
politicians, diplomats. Because the team at Cybereason understood the threat actors in this
geopolitical space, they started looking more into what this Molerats group does.
Molerats is quite a well-defined activity group, or some would call it adversary, right?
So the profile that there have been reports on them for years, okay? So there's a lot of
information about their modus operandi, like how they work, what malware do they use, who are their targets.
OK, so let's look at some of those reports.
FireEye calls this group Molerats, but Kaspersky calls this same group the Gaza Cybergang.
According to FireEye, their first attack was against the Israeli government, where they were able to take down the internet for the Israeli police force. And that campaign looked a lot like this one. A
highly interesting email was sent to a specific target with the attachment that looked like a
Word doc, and when you opened it, it installed the backdoor. It was a different backdoor they
used back then, but still their tactics, techniques, and procedures were the same.
But looking from there, I count 51 different threat intelligence reports
by various security companies who have investigated Molerats in the last nine years.
And when you have a bunch of reports that lists a lot of different targets,
and you can see who the threat actors were trying to hack into,
it starts to paint a picture as to who they might be.
They have mostly targeted people in Palestine and Israel.
But they've also targeted the U.S. and U.K. and a few other countries.
But I did my best to look through these reports.
Never once do I see them list members of Hamas as their targets.
But they do target Fatah.
Hamas is the current acting government party of the Gaza Strip, a part of Palestine.
Fatah controls the West Bank, the other part of Palestine.
Hamas and Fatah both struggle for power in Palestine.
So from my research, my conclusion is that Molerats is somehow allied with Hamas.
Now, Hamas doesn't have many allies.
I think only Qatar and Turkey have showed public support for them. But this activity doesn't lend way for me to believe that Molerats is from
Qatar or Turkey. Cybereason didn't want to get into the specifics of who Molerats are exactly,
or who they might even be, because nobody knows for sure. And they don't want to suggest something that's incorrect.
So I'm not sure to what degree Molerats might be connected with Hamas, if at all.
But the evidence does suggest they have aligned adversaries.
So once we looked at the evidence of this new campaign and we correlated to our previous discoveries and we correlated to other intelligence reports that were published in the threat intel community.
And you look at the victims and you look at, you consider geopolitical events.
You can say that with, I don't know, moderate to high confidence that it's likely
Molerats who's behind it.
But again, I'll state that
it's very rare to have
100% attribution if you're not
in intelligence agencies. That's why
we always leave a margin for errors. But that's true for almost any intelligence report that you read that comes out of a vendor.
And so it's fascinating to me that Molerats were targeting high-up Fatah officials and stealing and collecting information from them. In this context, the intelligence may give them leverage in certain negotiations or let's
say if you're not invited to the table, right, to take part of the discussion, you want to
know what's going on on that, you know, on that table, you know, what was said there. I mean, there could be many reasons why a certain entity
would want to carry out an espionage operation.
It could be to, but definitely to give them the advantage
of knowing what they shouldn't know.
And then they can do different things with that knowledge.
That's some shady, underhand, bad guy behavior for sure,
to hack into political opponents' computers just to spy on them.
But that's what so many governments around the world are doing now.
It's common knowledge that the NSA hacks into foreign governments all the time. So I guess the point is, don't trust anyone online, friends or enemies. So it's fascinating to see how Cybereason
is able to track these groups and publish reports on them. And this helps make the world
more secure because in their report, they show tons of different indicators and signs that you
might have Molerats in your network. So antivirus companies all over can create new signatures in their products and security
companies can detect their presence much quicker. But on top of that, all this research makes
the Cybereason detection tools more enriched and robust at detecting bad behavior in the network.
Our product is first and foremost, well, don't kill me for the buzzwords, right? But like is AI-based using machine learning algorithms
and mostly is based on behavioral detection.
So there are teams in Cybereason that are,
I mean, that's their daily job to write detection rules based off behavior.
The Nocturnus team, my team, as an intelligence team,
we pinpoint or we flag certain techniques as, let's say,
more relevant or more interesting than others.
But there are a lot of teams that work together in Cybereason
to make sure that we're able to detect things behaviorally,
regardless of whether it's a known or unknown threat.
This is not just a big data analytic platform.
This is Lior again, the CEO of Cybereason.
Today, Cybereason is operating in the EPP world, EDR, XDR, and MDR. Basically, everything that's related to detection and response
anywhere in a big enterprise environment,
we know how to find and understand
if there is a hacking activity over there
and then basically prevent it.
So today, Cybereason has, we call it the defense platform.
It's the most comprehensive platform that exists,
really covering enterprises.
We call it from endpoint to everywhere.
Really the ability to see everything
that hackers can do in an environment,
monitor it 24 by 7,
and finding those malicious operations
with the operation-centric approach.
We found out that the organization that is implementing and using this approach,
basically they're not just safer,
they're basically future ready to deal with any attack.
Okay, yeah. Tell me about the products you have
and what solutions you have.
Today we have a full protection on the endpoint.
The way that Cybereason thinks about
protecting an organization,
we call it from endpoint to everywhere.
So it started by deploying a sensor
on every endpoint that the company has.
And over there we have everything
from antivirus, next-gen antivirus,
anti-ransomware, anti-fileless attack, really the ability to prevent everything that is malicious
on those endpoints. But we're not stopping there. This is just the beginning. Then we know how to
collect data from each and every one of those systems in real time. We collect all the data unfiltered, send this
data into our cloud architecture.
And over there, we're running the graph processing in real time.
Basically, we collect data from every endpoint that the organization
has, and then we're analyzing all the data in parallel.
Basically, what we're doing, we're creating, building the network of relationship between everything to everything.
So every process of communicating with another process, every connection that's going in and out of the environment.
Think about it as a big graph that we're basically painting while kind of the data is flowing.
So this has really enabled us to really understand the interaction of every process,
every machine, every user with the world and within the inner groups.
So every deviation from normality, we know how to identify and we call it the evidence.
So let's say that the process usually
communicated with X amount of processes and suddenly it's deviating from the normality.
We'll mark it as evidence. Let's say that there is a connection between two computers that usually
don't communicate. Suddenly they start communicating. We're going to mark it as
evidence as well. So the system is collecting an endless amount of evidence as the data flows through the system and then tries to evolve the evidence into suspicions, basically to correlate multiple pieces of evidence together into a suspicion.
And once there are enough suspicions, then we collect them and correlate them to a malicious operation. So when Cybereason is triggering,
hey, there is a malicious operation right now and we stopped it,
we can tell you the full story of what's happened.
So this has really enabled us to go back and show you all the points
and everything that the hackers did
in order to be able to really understand what they did.
Then we show how we blocked it.
And then you can basically improve your capability
in order to do better in the future.
So are you still disappointed
you didn't get to fly fighter jets?
Running Cybereason every day.
It's like flying a jet every day.
So you don't need to do it in reality.
You can do it in the cyber world.
A big thank you to Cybereason
for sponsoring this episode.
They obviously have a very sharp
and skilled team over there,
which is doing a great job
at making their customers more secure.
Remember their first customer they had
where they found a whole bunch of malicious activity
in the network? Yeah, well, all these years later, they're still a customer of Cybereason.
Cybereason doesn't just operate in the Middle East. They have offices all over the world.
Boston, Tokyo, London, Tel Aviv, and France. If you're interested in learning more or even want
a demo of their products, visit cybereason.com. The show is made by me, the Pizza Rat, Jack Rhysider.
Sound design this episode by the memory intensive
Andrew Merriweather.
Editing help this episode by the backlit Damien.
And our theme music is by the perpetual machine
known as Breakmaster Cylinder.
And even though when I was a little kid,
I used to watch cartoons where bears lived up in the clouds,
but the reality is mole rats live in the clouds.
This is Darknet Diaries.