|From Cylance Report|
If you are wondering how Cylance knows about the attacks' origin, well, the answer is right in the code. If you reverse the Cleaver malware (BTW, you may want to download it from here) you'll see: Persian names, most of the IPs and DNS names hard-coded into the binaries belong to Iranians, ASNs belonging to Iranian companies, the entire infrastructure hosted at Netafraz.com, an Iranian provider, and so on.
The initial compromise techniques, according to Cylance, were simple and well known, even if putting them all together into a single piece of malware makes this attack "spectacular"! Quoting the report:
- “Initial compromise techniques include SQL injection, web attacks, and creative deception-based attacks – all of which have been implemented in the past by Chinese and Russian hacking teams.
- Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms.
- Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.”
One of the hardest questions to answer is "which is the most attacked country?" Looking only at the raw numbers it would be easy to answer, but considering opportunities and the economy, almost all of the top countries (economy-wise) in the world have been targeted.
|Targeted Countries, taken from Cylance Report|
|Piece of Shell Creator from Cylance Report|
“Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, have mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver. In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research; however, the phone number listed under the registrant contact information has yet to be completely validated.”
It is a pretty nice piece of malware which, in my personal opinion, shows how easy it can be to mount a worldwide targeted attack given good development skills and sound "underground knowledge". "Underground knowledge" is useful to re-use pieces of malware, shellcode generators, encryptors, proxies, spreading techniques, infection vectors, multi-stage infections, etc. in order to avoid writing new code or designing new infection processes; development skills are useful to fit all the re-used software together and make it work.