This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2022. It was last updated on February 28, 2022.

January

• We terminated 3 YouTube channels as part of our investigation into coordinated influence operations. The campaign uploaded content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d’état. Our findings are similar to findings reported by Meta.
• We terminated 1 AdSense account and 1 Play developer as part of our investigation into coordinated influence operations linked to Turkey. The campaign was sharing content in Arabic that was about news and current events in Libya. Our findings are similar to findings reported by Meta.
• We terminated 42 YouTube channels and 2 Ads accounts as part of our investigation into coordinated influence operations linked to Iraq. The campaign uploaded content in Arabic that was in support of the Iraqi Harakat Hoquq party. We received leads from Mandiant that supported us in this investigation.
• We terminated 4 YouTube channels, 2 AdSense accounts, and 1 Blogger blog and blocked 6 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into reported coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign was sharing content in English that was about a variety of topics including US and European current events. We believe this operation was financially motivated.
• We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports

Google TAG actively monitors threat actors and the evolution of their tactics and techniques. We use our research to continuously improve the safety and security of our products and share this intelligence with the community to benefit the internet as a whole.

As announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba's operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil and Southeast Asia.

The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.

While analyzing Glupteba binaries, our team identified a few containing a git repository URL: “git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

This past year, TAG has been collaborating with Google’s CyberCrime Investigation Group to disrupt Glupteba activity involving Google services. We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings.

In the last few days, our team partnered with Internet infrastructure providers and hosting providers, including CloudFlare, to disrupt Glupteba’s operation by taking down servers and placing warning interstitial pages in front of the malicious domain names. During this time, an additional 130 Google accounts associated with this operation were terminated.

Parallel to the analysis, tracking, and technical disruption of this botnet, Google has filed a lawsuit against two individuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes. Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious interference of business relationships, and unjust enrichment.

While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations.

Glupteba’s C2 Backup Mechanism

The command and control (C2) communication for this botnet uses HTTPS to communicate commands and binary updates between the control servers and infected systems. To add resilience to their infrastructure, the operators have also implemented a backup mechanism using the Bitcoin blockchain. In the event that the main C2 servers do not respond, the infected systems can retrieve backup domains encrypted in the latest transaction from the following bitcoin wallet addresses:

• '1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1' [1]
• '15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6’ [2]
• '1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97' [3]

The following 32 byte AES keys for decryption are hard coded in the binaries:

• 'd8727a0e9da3e98b2e4e14ce5a6cf33ef26c6231562a3393ca465629d66503cf'
• ‘1bd83f6ed9bb578502bfbb70dd150d286716e38f7eb293152a554460e9223536’

The blockchain transaction’s OP_RETURN data can be decrypted using AES-256 GCM to provide a backup command and control domain name. The first 12 bytes of the OP_RETURN contains the IV, the last 16 bytes the GCM tag, while the middle section is the AES-256 GCM encrypted domain. Full details of Glupteba’s network protocol can be found in this report from 2020, the following Python script illustrates how one can decrypt an encrypted domain name:

IOCs

Recent domains used for command and control:

• nisdably[.]com
• runmodes[.]com
• yturu[.]com
• retoti[.]com
• trumops[.]com
• evocterm[.]com
• iceanedy[.]com
• ninhaine[.]com
• anuanage[.]info

Recent sha256 hashes of malware samples:

• df84d3e83b4105f9178e518ca69e1a2ec3116d3223003857d892b8a6f64b05ba
• eae4968682064af4ae6caa7fff78954755537a348dce77998e52434ccf9258a2
• a2fd759ee5c470da57d8348985dc34348ccaff3a8b1f5fa4a87e549970eeb406
• d8a54d4b9035c95b8178d25df0c8012cf0eedc118089001ac21b8803bb8311f4
• c3f257224049584bd80a37c5c22994e2f6facace7f7fb5c848a86be03b578ee8
• 8632d2ac6e01b6e47f8168b8774a2c9b5fafaa2470d4e780f46b20422bc13047
• 03d2771d83c50cc5cdcbf530f81cffc918b71111b1492ccfdcefb355fb62e025
• e673ce1112ee159960f1b7fed124c108b218d6e5aacbcb76f93d29d61bd820ed
• 8ef882a44344497ef5b784965b36272a27f8eabbcbcea90274518870b13007a0
• 79616f9be5b583cefc8a48142f11ae8caf737be07306e196a83bb0c3537ccb3e
• db84d13d7dbba245736c9a74fc41a64e6bd66a16c1b44055bd0447d2ae30b614

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2021. It was last updated on December 2, 2021.

October

• We terminated 9 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Vietnam. The campaign uploaded conspiracy theory content in English and Korean. We believe this operation was financially motivated
• We terminated 4 AdSense accounts and blocked 22 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into a reported coordinated influence operation linked to India. The campaign uploaded a variety of news content in English to domains that were designed to look as if they were independent news outlets in various US states and European countries. We believe this operation was financially motivated. We received leads from the FBI that supported us in this investigation.
• We terminated 37 YouTube channels and 4 blogs as part of our investigation into coordinated influence operations linked to Sudan. The campaign uploaded content in Arabic that was supportive of the Sudanese military. Our findings are similar to findings reported by Facebook.
• We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to Uganda. The campaign uploaded content in English that was critical of Ugandan opposition political parties. Our findings are similar to findings reported by Twitter.
• We terminated 3,311 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.

As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.

Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.

In this blog we analyze the technical details of the exploit chain and share IOCs to help teams defend against similar style attacks.

Watering Hole

The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server—one for iOS and the other for macOS.

iOS Exploits

The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim's browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.

macOS Exploits

The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.

The parameter rid is a global counter which records the number of exploitation attempts. This number was in the 200s when we obtained the exploit chain.

While the javascript starting the exploit chain checks whether visitors were running macOS Mojave (10.14) or Catalina (10.15) before proceeding to run the exploits, we only observed remnants of an exploit when visiting the site with Mojave but received the full non-encrypted exploit chain when browsing the site with Catalina.

The exploit chain combined an RCE in WebKit exploiting CVE-2021-1789 which was patched on Jan 5, 2021 before discovery of this campaign and a 0-day local privilege escalation in XNU (CVE-2021-30869) patched on Sept 23, 2021.

Remote Code Execution (RCE)

Loading a page with the WebKit RCE on the latest version of Safari (14.1), we learned the RCE was an n-day since it did not successfully trigger the exploit. To verify this hypothesis, we ran git bisect and determined it was fixed in this commit.

Sandbox Escape and Local Privilege Escalation (LPE)

Capstone.js

It was interesting to see the use of Capstone.js, a port of the Capstone disassembly framework, in an exploit chain as Capstone is typically used for binary analysis. The exploit authors primarily used it to search for the addresses of dlopen and dlsym in memory. Once the embedded Mach-O is loaded, the dlopen and dlsym addresses found using Capstone.js are used to patch the Mach-O loaded in memory.

With the Capstone.js configured for X86-64 and not ARM, we can also derive the target hardware is Intel-based Macs.

Embedded Mach-O

After the WebKit RCE succeeds, an embedded Mach-O binary is loaded into memory, patched, and run. Upon analysis, we realized this binary contained code which could escape the Safari sandbox, elevate privileges, and download a second stage from the C2.

Analyzing the Mach-O was reminiscent of a CTF reverse engineering challenge. It had to be extracted and converted into binary from a Uint32Array.

Then the extracted binary was heavily obfuscated with a relatively tedious encoding mechanism--each string is XOR encoded with a different key. Fully decoding the Mach-O was necessary to obtain all the strings representing the dynamically loaded functions used in the binary. There were a lot of strings and decoding them manually would have taken a long time so we wrote a short Python script to make quick work of the obfuscation. The script parsed the Mach-O at each section where the strings were located, then decoded the strings with their respective XOR keys, and patched the binary with the resulting strings.

Once we had all of the strings decoded, it was time to figure out what capabilities the binary had. There was code to download a file from a C2 but we did not come across any URL strings in the Mach-O so we checked the javascript and saw there were two arguments passed when the binary is run–the url for the payload and its size.

After downloading the payload, it removes the quarantine attribute of the file to bypass Gatekeeper. It then elevated privileges to install the payload.

N-day or 0-day?

Before further analyzing how the exploit elevated privileges, we needed to figure out if we were dealing with an N-day or a 0-day vulnerability. An N-day is a known vulnerability with a publicly available patch. Threat actors have used N-days shortly after a patch is released to capitalize on the patching delay of their targets. In contrast, a 0-day is a vulnerability with no available patch which makes it harder to defend against.

Despite the exploit being an executable instead of shellcode, it was not a standalone binary we could run in our virtual environment. It needed the address of dlopen and dlsym patched after the binary was loaded into memory. These two functions are used in conjunction to dynamically load a shared object into memory and retrieve the address of a symbol from it. They are the equivalent of LoadLibrary and GetProcAddress in Windows.

To run the exploit in our virtual environment, we decided to write a loader in Python which did the following:

• load the Mach-O in memory
• find the address of dlopen and dlsym
• patch the loaded Mach-O in memory with the address of dlopen and dlsym
• pass our payload url as a parameter when running the Mach-O

For our payload, we wrote a simple bash script which runs id and pipes the result to a file in /tmp. The result of the id command would tell us whether our script was run as a regular user or as root.

Having a loader and a payload ready, we set out to test the exploit on a fresh install of Catalina (10.15) since it was the version in which we were served the full exploit chain. The exploit worked and ran our bash script as root. We updated our operating system with the latest patch at the time (2021-004) and tried the exploit again. It still worked. We then decided to try it on Big Sur (11.4) where it crashed and gave us the following exception.

The exception indicates that Apple added generic protections in Big Sur which rendered this exploit useless. Since Apple still supports Catalina and pushes security updates for it, we decided to take a deeper look into this exploit.

Elevating Privileges to Root

The Mach-O was calling a lot of undocumented functions as well as XPC calls to mach_msg with a MACH_SEND_SYNC_OVERRIDE flag. This looked similar to an earlier in-the-wild iOS vulnerability analyzed by Ian Beer of Google Project Zero. Beer was able to quickly recognize this exploit as a variant of an earlier port type confusion vulnerability he analyzed in the XNU kernel (CVE-2020-27932). Furthermore, it seems this exact exploit was presented by Pangu Lab in a public talk at zer0con21 in April 2021 and Mobile Security Conference (MOSEC) in July 2021.

In exploiting this port type confusion vulnerability, the exploit authors were able to change the mach port type from IKOT_NAMED_ENTRY to a more privileged port type like IKOT_HOST_SECURITY allowing them to forge their own sec_token and audit_token, and IKOT_HOST_PRIV enabling them to spoof messages to kuncd.

MACMA Payload

After gaining root, the downloaded payload is loaded and run in the background on the victim's machine via launchtl. The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules. For example, the payload we obtained contained a kernel module for capturing keystrokes. There are also other functionalities built-in to the components which were not directly accessed from the binaries included in the payload but may be used by additional stages which can be downloaded onto the victim's machine.

Notable features for this backdoor include:

• victim device fingerprinting
• screen capture
• file download/upload
• executing terminal commands
• audio recording
• keylogging

Conclusion

Our team is constantly working to secure our users and keep them safe from targeted attacks like this one. We continue to collaborate with internal teams like Google Safe Browsing to block domains and IPs used for exploit delivery and industry partners like Apple to mitigate vulnerabilities. We are appreciative of Apple’s quick response and patching of this critical vulnerability.

For those interested in following our in-the-wild work, we will soon publish details surrounding another, unrelated campaign we discovered using two Chrome 0-days (CVE-2021-37973 and CVE-2021-37976). That campaign is not connected to the one described in today’s post.

Related IOCs

Delivery URLs

• http://103[.]255[.]44[.]56:8372/6nE5dJzUM2wV.html
• http://103[.]255[.]44[.]56:8371/00AnW8Lt0NEM.html
• http://103[.]255[.]44[.]56:8371/SxYm5vpo2mGJ?rid=<redacted>
• http://103[.]255[.]44[.]56:8371/iWBveXrdvQYQ?rid=?rid=<redacted>
• https://appleid-server[.]com/EvgSOu39KPfT.html
• https://www[.]apple-webservice[.]com/7pvWM74VUSn2.html
• https://appleid-server[.]com/server.enc
• https://amnestyhk[.]org/ss/defaultaa.html
• https://amnestyhk[.]org/ss/4ba29d5b72266b28.html
• https://amnestyhk[.]org/ss/mac.js

Javascript

• cbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c (capstone.js)
• bc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9 (mac.js)
• 9d9695f5bb10a11056bf143ab79b496b1a138fbeb56db30f14636eed62e766f8

Sandbox escape / LPE

• 8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f
• df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144

Backdoor

• cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
• f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)

C2

• 123.1.170.152
• 207.148.102.208

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.

The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation.

In this blog, we share examples of the specific tactics, techniques and procedures (TTPs) used to lure victims, as well as some guidance on how users can further protect themselves.

Tactics, techniques and procedures

Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.

Social engineering YouTubers with advertisement offer

Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration.

The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

Fake software landing pages and social media accounts

The attackers registered various domains associated with forged companies and built multiple websites for malware delivery. To date, we’ve identified at least 1,011 domains created solely for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates. During the pandemic, we also uncovered attackers posing as news providers with a “Covid19 news software.”

In one case, we observed a fake social media page copying content from an existing software company. The following screenshot is an example of a fake page where the original URL is replaced with one leading to a cookie theft malware download.

Because Google actively detects and disrupts phishing links sent via Gmail, the actors were observed driving targets to messaging apps like WhatsApp, Telegram or Discord.

Delivering cookie theft malware

Once the target runs the fake software, a cookie stealing malware executes, taking browser cookies from the victim’s machine and uploading them to the actor's command & control servers. Although this type of malware can be configured to be persistent on the victim's machine, these actors are running all malware in non-persistent mode as a smash-and-grab technique. This is because if the malicious file is not detected when executed, there are less artifacts on an infected host and therefore security products fail to notify the user of a past compromise.

We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github. Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed.Related hashes are listed in the Technical Details section, at the end of this report.

Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.

Cryptocurrency scams and channel selling

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

On account-trading markets, hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers.

Hack-for-Hire attackers

These campaigns were carried out by a number of hack-for-hire actors recruited on Russian-speaking forums via the following job description, offering two types of work:

This recruitment model explains the highly customized social engineering, as well as the varied malware types given each actor's choice of preferred malware.

Protecting our users from attacks

We are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. Some of these improvements include:

• Additional heuristic rules to detect and block phishing & social engineering emails, cookie theft hijacking and crypto-scam livestreams.
• Safe Browsing is further detecting and blocking malware landing pages and downloads.
• YouTube has hardened channel transfer workflows, detected and auto-recovered over 99% of hijacked channels.
• Account Security has hardened authentication workflows to block and notify the user on potential sensitive actions.

It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves. Our recommendations:

• Take Safe Browsing warnings seriously. To avoid malware triggering antivirus detections, threat actors social engineer users into turning off or ignoring warnings.
• Before running software, perform virus scanning using an antivirus or online virus scanning tool like VirusTotal to verify file legitimacy.
• Enable the “Enhanced Safe Browsing Protection” mode in your Chrome browser, a feature that increases warnings on potentially suspicious web pages & files.
• Be aware of encrypted archives which are often bypassing antivirus detection scans, increasing the risk of running malicious files.
• Protect your account with 2-Step-verification (multi-factor authentication) which provides an extra layer of security to your account in case your password is stolen. Starting November 1, monetizing YouTube creators must turn on 2-Step Verification on the Google Account used for their YouTube channel to access YouTube Studio or YouTube Studio Content Manager.

Additional resources: Avoid & Report Phishing Emails.

Technical Details

Related Malware hashes:

• RedLine (commodity)
  • c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
  • 501fe2509581d43288664f0d2825a6a47102cd614f676bf39f0f80ab2fd43f2c
  • c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
• Vidar (commodity)
  • 9afc029ac5aa525e6fdcedf1e93a64980751eeeae3cf073fcbd1d223ab5c96d6
• Kantal (share code similarity with Vidar)
  • F59534e6d9e0559d99d2b3a630672a514dbd105b0d6fc9447d573ebd0053caba (zip archive)
  • Edea528804e505d202351eda0c186d7c200c854c41049d7b06d1971591142358 (unpacked sample)
• Predator The Thief (commodity)
  • 0d8cfa02515d504ca34273d8cfbe9d1d0f223e5d2cece00533c48a990fd8ce72 (zip archive)
• Sorano (open source)
  • c7c8466a66187f78d953c64cbbd2be916328085aa3c5e48fde6767bc9890516b
• Nexus stealer (commodity)
  • ed8b2af133b4144bef2b89dbec1526bf80cc06fe053ece1fa873f6bd1e99f0be
  • efc88a933a8baa6e7521c8d0cf78c52b0e3feb22985de3d35316a8b00c5073b3
• Azorult (commodity)
  • 8cafd480ac2a6018a4e716a4f9fd1254c4e93501a84ee1731ed7b98b67ab15dd
• Raccoon (commodity)
  • 85066962ba1e8a0a8d6989fffe38ff564a6cf6f8a07782b3fbc0dcb19d2497cb
• Grand Stealer (commodity)
  • 6359d5fa7437164b300abc69c8366f9481cb91b7558d68c9e3b0c2a535ddc243
• Vikro Stealer (commodity)
  • 04deb8d8aee87b24c7ba0db55610bb12f7d8ec1e75765650e5b2b4f933b18f6d
• Masad (commodity)
  • 6235573d8d178341dbfbead7c18a2f419808dc8c7c302ac61e4f9645d024ed85
• AdamantiumThief (open source)
  • Db45bb99c44a96118bc5673a7ad65dc2a451ea70d4066715006107f65d906715

Top Phishing Domains:

• pro-swapper[.]com
• downloadnature[.]space
• downloadnature[.]com
• fast-redirect[.]host
• bragi-studio[.]com
• plplme[.]site
• fenzor[.]com
• universe-photo[.]com
• rainway-gaming[.]com
• awaken1337[.]xyz
• pixelka[.]fun
• vortex-cloudgaming[.]com
• vontex[.]tech
• user52406.majorcore[.]space
• voneditor[.]tech
• spaceditor[.]space
• roudar[.]com
• peoplep[.]site
• anypon[.]online
• zeneditor[.]tech
• yourworld[.]site
• playerupbo[.]xyz
• dizzify[.]me

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.

We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies. On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.

In this blog, we explore some of the most notable campaigns we’ve disrupted this year from a different government-backed attacker: APT35, an Iranian group, which regularly conducts phishing campaigns targeting high risk users. This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.

Hijacked websites used for credential phishing attacks

In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit. Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices.

APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to detect this kind of attack.

Utilization of Spyware Apps

In May 2020, we discovered that APT35 attempted to upload spyware to the Google Play Store. The app was disguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from devices. Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021.

Conference-themed phishing emails

One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence.

Targets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files. We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.

Telegram for threat actor notifications

One of APT35’s novel techniques involves using Telegram for operator notifications. The attackers embed javascript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it.

How we keep users safe from these threats

We warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked. If you receive a warning it does not mean your account has been compromised, it means you have been identified as a target.

Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven't already.

We also block malicious domains using Google Safe Browsing – a service that Google's security team built to identify unsafe websites across the web and notify users and website owners of potential harm. When a user of a Safe Browsing-enabled browser or app attempts to access unsafe content on the web, they’ll see a warning page explaining that the content they’re trying to access may be harmful. When a site identified by Safe Browsing as harmful appears in Google Search results, we show a warning next to it in the results.

Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.

Technical Details

Indicators from APT28 phishing campaign:

service-reset-password-moderate-digital.rf[.]gd

reset-service-identity-mail.42web[.]io

digital-email-software.great-site[.]net

Indicators from APT35 campaigns:

Abused Google Properties:

https://sites.google[.]com/view/ty85yt8tg8-download-rtih4ithr/

https://sites.google[.]com/view/user-id-568245/

https://sites.google[.]com/view/hhbejfdwdhwuhscbsb-xscvhdvbc/

Abused Dropbox Properties:

https://www.dropbox[.]com/s/68y4vpfu8pc3imf/Iraq&Jewish.pdf

Phishing Domains:

nco2[.]live

summit-files[.]com

filetransfer[.]club

continuetogo[.]me

accessverification[.]online

customers-verification-identifier[.]site

service-activity-session[.]online

identifier-service-review[.]site

recovery-activity-identification[.]site

review-session-confirmation[.]site

recovery-service-activity[.]site

verify-service-activity[.]site

service-manager-notifications[.]info

Android App:

https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection

Android App C2:

communication-shield[.]site

cdsa[.]xyz

Introduction

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Understanding the techniques used by attackers helps us counter these threats effectively. This blog post is intended to highlight a new evasion technique we identified, which is currently being used by a financially motivated threat actor to avoid detection.

Attackers often rely on varying behaviors between different systems to gain access. For instance, attacker’s may bypass filtering by convincing a mail gateway that a document is benign so the computer treats it as an executable program. In the case of the attack outlined below, we see that attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products. We believe this is a technique the attacker is using to evade detection rules.

Technical Details

Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.

OpenSUpdater, a known family of unwanted software which violates our policies and is harmful to the user experience, is used to download and install other suspicious programs.The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software.

Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the 'parameters' element of the SignatureAlgorithm signing the leaf X.509 certificate.

EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13). 

Bytes: 30 0D 06 09 2A 86 48 86  F7 0D 01 01 0B 00 00 

Decodes to the following elements:

SEQUENCE (2 elem)

OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)

EOC

Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files. 

As shown in the following screenshot, the signature is considered to be valid by the Windows operating system. This issue has been reported to Microsoft.

Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection.

The following are samples using this evasion:

https://www.virustotal.com/gui/file/5094028a0afb4d4a3d8fa82b613c0e59d31450d6c75ed96ded02be1e9db8104f/detection

New variant:

https://www.virustotal.com/gui/file/5c0ff7b23457078c9d0cbe186f1d05bfd573eb555baa1bf4a45e1b79c8c575db/detection

Our team is working in collaboration with Google Safe Browsing to protect users from downloading and executing this family of unwanted software. Users are encouraged to only download and install software from reputable and trustworthy sources.

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2021. It was last updated on August 31, 2021.

July 

• We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian and Russian that was supportive of Russia’s government and critical of the Ukrainian military. We received leads from FireEye that supported us in this investigation.

• We blocked 10 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine’s government and supportive of Russia.

• We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Iraq. This campaign uploaded content in Arabic that was supportive of Iran-backed militias and critical of the U.S. and its allies. Our findings are similar to findings reported by Facebook.

• We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Jordan. This campaign uploaded content in Arabic that was supportive of the Jordanian government and critical of its opposition. Our findings are similar to findings reported by Facebook.

• We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Algeria. This campaign uploaded content in Arabic that was supportive of the Algerian government and its military. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.

• We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was critical of certain local politicians in Campeche, Mexico. Our findings are similar to findings reported by Facebook.

• We terminated 4 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a member of the National Action Party). Our findings are similar to findings reported by Facebook.

• We terminated 16 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Sudan. This campaign uploaded content in Arabic that was supportive of the Muslim Brotherhood and critical of the current Sudanese government. Our findings are similar to findings reported by Facebook.

• We terminated 850 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2021. It was last updated on August 31, 2021.

July 

• We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian and Russian that was supportive of Russia’s government and critical of the Ukrainian military. We received leads from FireEye that supported us in this investigation.

• We blocked 10 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine’s government and supportive of Russia.

• We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Iraq. This campaign uploaded content in Arabic that was supportive of Iran-backed militias and critical of the U.S. and its allies. Our findings are similar to findings reported by Facebook.

• We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Jordan. This campaign uploaded content in Arabic that was supportive of the Jordanian government and critical of its opposition. Our findings are similar to findings reported by Facebook.

• We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Algeria. This campaign uploaded content in Arabic that was supportive of the Algerian government and its military. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.

• We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was critical of certain local politicians in Campeche, Mexico. Our findings are similar to findings reported by Facebook.

• We terminated 4 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a member of the National Action Party). Our findings are similar to findings reported by Facebook.

• We terminated 16 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Sudan. This campaign uploaded content in Arabic that was supportive of the Muslim Brotherhood and critical of the current Sudanese government. Our findings are similar to findings reported by Facebook.

• We terminated 850 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.