As the curtain has fallen on yet another
eventful year in cybersecurity, let’s look back on some of the finest malware
analysis by ESET researchers in 2018
If you never got the chance to read this
year’s investigations by ESET researchers into some of the most dangerous
hacker shenanigans in recent years, or if you just want to refresh your memory,
now is the time. Let’s cut to the chase and recall just a handful of ESET’s
delvings into the murky depths of 2018’s malware, including malicious code targeting
Linux servers.
The
evil twin
On one occasion, it wasn’t only fellow
cybersecurity professionals who sat up and took notice, as ESET researchers uncovered a rootkit that goes to especially
great lengths – and, indeed, depths – in order to open a backdoor to the
targeted machine. While extremely rare, rootkits that burrow all the way into
the computer’s Unified Extensible Firmware Interface (UEFI) aren’t entirely
unheard of, and proof-of-concept samples thereof have been seen before.
However, this was the first time that such a rootkit was detected in active
use.
Unsurprisingly, LoJax – as we named the
rootkit – is the work of an Advanced Persistent Threat (APT) group. In this
case, our research uncovered solid evidence to tie the rootkit to a
particularly nefarious hacking collective nicknamed Sednit (and also called
APT28, Sofacy, Strontium, and Fancy Bear). This group has made a name for
itself by possessing a diverse set of insidious tools that – as previously documented, on
many occasions, by ESET researchers among others – it has deployed
against a range of geopolitical targets.
To implant LoJax deep inside a system’s
innards, Sednit has repurposed legitimate anti-theft software for laptops,
which is known as LoJack (hence the rootkit’s name). LoJax co-opts the LoJack
agent in order to maintain usermode persistence, after Sednit’s operators use
legitimate utilities to overwrite parts of the victim machine’s SPI flash
memory, where the LoJack UEFI module resides.
LoJax is both extremely difficult to detect –
particularly for security software that doesn’t incorporate UEFI protection –
and exceptionally persistent. Withstanding a reinstallation of the operating
system and even a replacement of the hard drive is required by legitimate
anti-theft software if it is to enable its owner to track down their lost or
stolen computer. After all, a hard drive replacement or an operating system
reinstallation could very well be the first thing a thief will do, and it is
this ability to resist removal that LoJax co-opts from LoJack.
At any rate, there is a remedy when a system
is compromised with LoJax. Its owner has essentially two ways to clean up:
re-program the machine’s SPI flash memory or replace the motherboard outright.
Neither option is simple, however, and both go far beyond the usual process of
malware removal. This, again, helps illustrate just how intrusive, persistent
and ultimately dangerous of a threat LoJax is.
Does LoJax portend an explosion in malware
targeting computer firmware? Hardly, given that this is not your
run-of-the-mill sort of malware. However, attackers do have the habit of
borrowing from the devious playbooks of their predecessors, with LoJax aiding
and abetting malware writers to expand the frontiers of computer intrusions.
And this only highlights the importance of effective UEFI scanning and threat
blocking.
Rumor
has it … no longer
In another major discovery of 2018, ESET researchers unearthed enough evidence to assert that
malware known as Industroyer, which caused the hour-long blackout in and around
Ukraine’s capital, Kiev, in late 2016, was the work of the same threat actor
that would unleash the NotPetya (DiskCoder.C) wiper disguised as ransomware
six months later.
The culprit – a prolific APT collective
called TeleBots – is descended from a group called BlackEnergy, whose
eponymously named malware was responsible for another breakthrough incident: a
power outage that affected a quarter of a million homes in Ukraine and lasted
several hours in December 2015.
The above effectively ties three of the most
impactful malware-induced incidents in memory to the same threat actors.
Speculation that TeleBots hatched Industroyer
was rife after ESET researchers released their findings about this most
powerful modern malware that targeted industrial control systems. Incriminating
evidence was missing, however – until the same ESET researchers picked apart a
piece of malware that they code-named Win32/Exaramel
and that shared significant code similarities with the main Industroyer
backdoor.
At its simplest, Win32/Exaramel is an upgrade
of the backdoor that was at the heart of Industroyer. And although the attack
deploying the improved version was prevented thanks to ESET’s timely alert to
Ukraine’s authorities, “the discovery of Exaramel shows that the TeleBots group
is still active in 2018”. That’s reason aplenty to worry as 2018 draws to a
close.
More shades
of malice
TeleBots isn‘t the only heir apparent to
BlackEnergy, which seems to have gone dark after the December 2015 blackout.
Another nefarious collective, called GreyEnergy, has been operating in
parallel, and probably in close liaison, with TeleBots. That said, the turf and
modus operandi of each of the two groups differ substantially.
As revealed by another landmark piece of ESET research – the first to shine a
light on GreyEnergy globally – this hacking group doesn’t court attention for
its malice. Instead, it engages in reconnaissance and espionage, ostensibly in
order to prepare the ground for future attacks of its own making or to grease
the wheels of operations to be run by other groups. All the while, GreyEnergy
aims to lie low and vanish ‘into the fog’ once it has done its job.
GreyEnergy’s malware toolkit shares a number
of similarities with that of its predecessor, although GreyEnergy was actually
found to be an enhancement of BlackEnergy and “with an even greater focus on
stealth”. At any rate, both groups share a keenly malicious interest in the
energy sector and critical infrastructure in Ukraine and Poland.
Ties between GreyEnergy and TeleBots, for
their part, are evidenced by the former’s use in December 2016 of a worm,
called ‘Moonraker Petya’, that turned out to be a precursor to the NotPetya
worm, unleashed by TeleBots six months later. At the risk of repeating
ourselves: GreyEnergy is yet another extremely dangerous threat actor that is
worth watching closely.
Turning
tables
First off, bear with us while we recall a few
quick facts from history prior to 2018. More than five years ago, ESET researchers analyzed and helped disrupt Operation Windigo,
a malicious campaign that created a botnet comprising tens of thousands of
Linux-powered servers. Windigo stood out for many things, but let’s settle for
just two of them:
First, at its heart was a highly advanced
backdoor and credential-stealer called Linux/Ebury that abused a widely used suite of remote
connectivity tools known as OpenSSH. Second, before installing itself,
Linux/Ebury would check if other OpenSSH backdoors were present on the system.
Lo oking at the code allowed ESET researchers
to discover other in-the-wild SSH backdoors, some previously unknown to the AV
community. Fast forward to 2018 and ESET unveils new research that describes this effort, offering
unique insights into the state of affairs in Linux server-side malware.
Having tracked down in-the-wild backdoors in
OpenSSH servers, the researchers have documented no fewer than 21 malware
families, including 12 that had not been ‘on file’ before. They include both
simple (off-the-shelf) and advanced (bespoke) malware, variously operated by
crimeware and APT groups.
Eighteen out of the 21 strains are fitted
with credential-stealing features, while 17 contain a backdoor mode. The
associated white paper provides a comprehensive view of the malware
strains and their inner workings, representing a significant contribution to
the body of research into Linux-specific malware.
All told, this research effort is also a
reminder that, while Linux may, for whatever reasons, be hit with less malware than Windows,
the security of Linux-based systems, including internet-facing servers, may not
be as bulletproof as some may (want to) believe.
Conclusion
To be sure, the research sketched out above
draws on only a sample of the deliberate and purposeful methods used by some of
the world’s most resourceful cybercriminals. And yet, that sample is more than
enough to illustrate the magnitude of the threat represented by miscreants as
the curtain is set to open on 2019.
More findings from the ESET research
community are available in a dedicated section on our website.