A Trend Micro Research Paper Operation Pawn Storm Using Decoys to Evade Detection Loucif Kharouni Feike Hacquebord Numaan Huq Jim Gogolinski Fernando Mercês Alfred Remorin Douglas Otis Forward-Looking Threat Research Team Trend Micro | Operation Pawn Storm CONTENTS Introduction ....................................................................................................................................1 Ties That Bind the Operation Pawn Storm Attacks Together .........................................................2 SEDNIT....................................................................................................................................2 Attack Timeline ........................................................................................................................2 Attack Details ...........................................................................................................................4 Attack Evolution .......................................................................................................................5 Next-Level Phishing Targets ..................................................................................................11 Case 1: Ministry of Defense, Hungary .............................................................................11 Case 2: OSCE, Austria ....................................................................................................13 Case 3: SAIC, United States ...........................................................................................13 Case 4: Academi ..............................................................................................................13 Other Webmail Services ........................................................................................................14 Conclusion ...................................................................................................................................16 References ..................................................................................................................................17 TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. Trend Micro | Operation Pawn Storm INTRODUCTION Operation Pawn Storm refers to economic particularly dangerous to any organization and political espionage attacks instigated by that allows employees to use OWA. a group of threat actors primarily targeting military, embassy, and defense contractor An in-depth look at six multistage attacks personnel from the United States and its revealed one thing in common―the use of allies. Opposing factions to and dissidents SEDNIT/Sofacy malware [1], [2]. The use of the Russian government, international of such multistage downloaders provided media, and even the national security attackers additional protection against department of a U.S. ally were also targeted. detection. We believe the threat actors aimed The threat actors used three attack vectors― to confuse their targets’ IT administrators spear-phishing emails with malicious by making it hard for them to string attack attachments, an advanced network of components together, thus evading detection. phishing websites, and exploits injected into legitimate conference and media websites. This research paper details when certain They used a nonmalicious JavaScript to attacks occurred, what tools were used in victimize Microsoft™ Outlook® Web Access attempts to get in to target networks, and (OWA) users from carefully selected target target profiles to form a general picture of organizations. The OWA phishing attacks Operation Pawn Storm. proved extremely effective and could be 1 Trend Micro | Operation Pawn Storm TIES THAT BIND THE OPERATION PAWN STORM ATTACKS TOGETHER SEDNIT Attack Timeline SEDNIT malware are mostly backdoors [3], [4] The investigation focused on a group of and information stealers [5] that log affected attacks that has been dubbed “Operation users’ keystrokes, steal system information, Pawn Storm” [6] due to the attackers’ use of and send stolen information to remote two or more connected tools/tactics to attack command-and-control (C&C) servers. a specific target similar to the chess strategy it was named after. This paper illustrates how Analyses of the SEDNIT infectors that arrived the Pawn Storm attacks were carried out with as email attachments in the attacks featured the aid of five spear-phishing emails, which in this paper revealed six distinct chains [see used contextually relevant subjects to get diagram on page 3]. specific targets from different countries to open weaponized attachments designed to compromise their systems. Timeline of spear-phishing emails sent to specific targets The attackers sent emails to potential victims, “International Military.rtf.” Trend Micro including military, embassy, and defense received a sample of this on October contractor personnel. The following emails 17, 2011 and has been detecting it as were among those that were found related to TROJ_ARTIEF.AP [8] since then. this operation: • An email sent to a potential victim • An email sent to a potential victim working from the Vatican Embassy from the Ministry of Defense in France in Iraq used reports of a bombing had an exploit for CVE-2010-3333 incident [9] that occurred on January [7] disguised as a document named 9, 2012 as social engineering lure. 2 Trend Micro | Operation Pawn Storm SEDNIT infectors attached to targeted attack campaign emails Sent a day after the incident, the email had a Microsoft Word® file attachment named “IDF_Spokesperson_Terror_ Attack_011012.doc,” which exploited CVE-2012-0158 [10]. Exploit for CVE-2012-0158 disguised as a Word (.DOC) file Sample email sent to recipients from the Vatican Embassy in Iraq 3 Trend Micro | Operation Pawn Storm • An email sent on September 20, doc,” which exploited CVE-2012- 2013 to military officials from several 0158. countries used the then-upcoming “Asia-Pacific Economic Cooperation (APEC) Indonesia 2013” conference as bait. The email had two Microsoft Excel® file attachments named “APEC Media list 2013 Part1.xls,” which exploited CVE-2012-0158, and “APEC Media list 2013 Part2.xls,” which was nonmalicious. Sample email sent to military officials from Pakistan using the “Homeland Security Summit Middle East” conference as bait • An email sent to Polish government employees [12] on August 11, 2014 had a MIME HTML (.MHT) file attachment named “MH17.doc,” which exploited CVE-2012-0158. Sample email sent to military officials across countries using the “APEC Indonesia 2013” conference as bait Exploit for CVE-2012-0158 disguised as a MIME HTML (.MHT) file Attack Details All of the observed Operation Pawn Storm attacks comprised several stages. Each attack had at least two phases: Exploit for CVE-2012-0158 disguised as an Excel • In phase 1, opening the email (.XLS) file(APEC Media list 2013 Part1.xls) attachment displays a decoy document while the exploit runs in • An email sent to Pakistani military the background. The exploit drops officials on January 23, 2014 used the a downloader component (.DLL file) “Homeland Security Summit Middle named “netids.dll,” “netidt.dll,” or East” [11] conference as bait. It had a “coreshell.dll.” Word file attachment named “Details. 4 Trend Micro | Operation Pawn Storm • In phase 2, the downloader capturing information from infected component communicates with a C&C systems, the keylogger sends data server and downloads a dropper that back to the C&C server. ultimately installs a keylogger. After Phases 1 and 2 in an Operation Pawn Storm attack We only managed to collect latter- Although some of the C&C servers were still stage payloads for two out of the six