Fishing phishers in Azerbaijan


January 15th, 2020

During January 6 – January 11, a number of phishing attempts targeting political activists and journalists in Azerbaijan were carried out. The phishing attempts used fake email addresses of prominent human rights defenders, journalists and members of the Council of Europe. The mails included download links to the file transfer service wetransfer.com, where malicious files had been uploaded.

Qurium has reverse engineered two of the phishing mails. Our research reveals the capabilities of the malware and documents the process of reverse engineering the code. Among the malware we analyzed, one was capable of collecting keystrokes, screenshots, and Wifi credentials from the victim’s computer, while the other malware could obtain remote access to the victim’s machine and hence, gain full control and access to its content.

On of the phishing mails lead to the online user man474019, a persona using the name and avatar of Alibay Mammadov. However, at this point we have no reason to believe that Mammadov is the person behind the attacks.

Thanks to open source threat intelligence and several leaked databases we have managed to link man474019 to the IP address 85{.}132.24.77 and the Ministry of Internal Affairs of Azerbaijan.

Case 1: Mail from Rasul Jafarov (invoice.zip)

On January 6, a phishing mail was sent from a fake email account in the name of Rasul Jafarov, a lawyer and prominent human rights defender in Azerbaijan. The mail was sent to colleagues, social and political activists. The phishing mail asked the recipient to download “Invoice for the EU” from the file transfer service wetransfer.com.

Reverse engineering of malware

The ZIP file was protected by a simple password that was included in the e-mail. After uncompressing the file we obtained the PE32 windows binary. We downloaded the file “Invoice.zip” and proceeded to reverse engineer the malware sample.

d19ed7112ba85b981fd3aa1ac3c87bdf  attachments-invoice.exe

A quick review of the file revealed that it was built with Python 3.6

We proceeded to unpack the binary using python-exe-unpacker that provided a first glimpse of what the malware was capable of doing.

Using the python de-compiler uncompyle6 we obtained parts of the source code of the malware.

The malware was built using the Technowlogger github project. After installation, the malware will try to disable the antivirus and collect keystrokes, screenshots, wifi credentials and periodically send them out by e-mail.

The malware creates an entry in the Windows Registry to remain persistent after reboots.

To our surprise many antivirus did not detect the sample as malicious despite its obvious signature.

Finding the e-mail address

The next step of our research, was to find to which email account the keylogger was sending the stolen data.

The e-mail address and password where the data was sent, were obfuscated in the malware code. We decided to run the malware sample in a sandbox and we could confirm that the malware was contacting Gmail (smtp.gmail.com).

We performed a man-in-the-middle attack and tricked the malware to connect to our own self-signed version of Gmail. In that way, we managed to collect the e-mail account and password used by the attacker.

After a few seconds and key strokes, the malware connected to our mail server using the account man474019 [ @ ] gmail.com and password daldanXXXXX. Judging by the password, we are dealing with a young man with Azeri background.

adverb Frequency (Azeri)
daldanfrom behind, behind, from the rear

Who is man474019?

We started to search for account with the nick man474019 in various online forums. We found accounts in antichat and rdot hacking forums using the nick man474019. The account is used by a Russian speaker interested in pen testing tools, penetration testing and other forms of attacks. In the post below, he is asking how to do a SQL injection attack to the website 3dsecure.az.

“man474019” asking for advice on how to compromise the site 3dsecure.az.

In another forum we found the same nick “man47019”, using the same avatar, reporting his location as Azerbaijan.

“man474019” asking for advice on how to compromise the independent and regime critical news site Contact.az.

Who is the person in the avatar of man474019?

The avatar of the account man474019 corresponds to Alibay Mammadov, President and Representative Director of Azepro Co., Ltd., specializing in business with the former Soviet Union countries such as Azerbaijan in Japan. The picture comes from a TEDx video of Alibay in Japan.

We have our doubts that Alibay Mammadov is the person behind the nick man474019. We have reached out to Alibay via trusted sources in Azerbaijan to ask who might be interested to steal his identity.

Case 2: Mail from Council Of Europe (HTA attack)

On January 11, Qurium was notified about another phishing attempt against Azerbaijani activists. This time, a malicious email was sent from Roberto Fasino, Head of the Secretariat, PACE Committee on Culture, Science, Education, and Media at the Council of Europe. The mail included a download link to the same file sharing service as in Rasul’s case, namely WeTransfer. This time, requesting the recipient to download the document “Report-2019.docx.hta”.

Malicious file to be shared via WeTransfer.

The document contained a HTML obfuscated webpage using “HTML Guardian” from ProtWare.

We started to analyze the code sing jsdetox, an analysis tool for Javascript based malware.

Using Chrome’s developer tools and a Microsoft Windows machine we analyzed the obfuscated code.

The main function of the malware contained a UTF16 encoded payload that once converted to Hexadecimal revealed a “Powershell exploit”.

By decoding the base64 powershell script, which could retrieve a shellcode:

In order to find out what the shell code did, we used “x64 dbg”. Following advises from the Disassemble Blog we decided to analyze the Shellcode with the help of Windows Calc.exe application. First, we opened Calc.exe in the debugger.

Then cut and paste the shellcode into the debugger at the program entry point:

fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c2…

Our mysterious shell code was now waiting to be executed (code in Red). 🙂

We added breakpoints in all the function calls and at some point the Shellcode called to “ws2_32.connect”.

And finally using the memory dump function of the debugger we could extract the IP and port number that the malware was trying to connect to (sockaddr structure passed to the Connect function). The Hex values 41 F5 and F5 03 11 CA 81 translated to IP address 3{.}17.202.129 and port number 16885.

What is running on that IP address?

It turns out that the attacker is using the ngrok.com service as command and control. The victim connects to the IP address and port of the ngrok.com service and the attacker hides behind this IP waiting for the victims to connect.

When the victims connect to the attacker machine, the attacker performs the second stage of the attack uploading new malicious code.

We connected to the IP address and immediately the attacker pushed a new payload to our machine.

4d 5a e8 00  00 00 00 5b 52 45 55 

If we look into the first bytes of the payload sent by the attacker, we can see that the bytes do not correspond to a standard PE header. This header (ASM stub) matches the signature of a reflective DLL injection technique. The attacker uploads the second stage of the infection into memory, injecting the code into memory to avoid antivirus detection.

The second stage contains “meterpreter”. Meterpreter is a Metasploit attack payload that provides an interactive shell to the attacker from which to explore the target machine and execute code.

In summary, the “HTA” attack provides the attacker direct access to the victim’s machine. The attacker followed the following steps:

  • Prepared the “powershell” attack using Metasploit framework
  • Obfuscated the code using HTML Guardian (HTA file)
  • Uploaded the file to We-transfer server and mailed to several victims
  • The attacker created an account in ngrok.com service to hide his computer.
  • Once he infected the victims, they connect to the ngrok.com address 3.17.202.129 and port number 16885.
  • The attacker continues his attack by performing a “Reflective DLL” injection into the victim’s computer and uploads the “Merterpreter” code.
  • The attacker has full access to the victim’s computer and has a session to run commands remotely.

Case 3: Attacker keeps phishing using Facebook

On January 6th 2020, the attacker gains access to the Facebook account of an editor at azadliq.info. Via the editor’s Facebook account, the attacker sends personal messages to different editors of the Azadliq newspaper.

The message sent by the attacker reads:

Salam Fizzə, xəstəkiklə bağlı müraciət edəcəyik təşkilatlara. Bu sənəddi zəhmət olmasa yüklə, formu doldur, cəmi 3 sualdı, sənəd şifrə istəsə 1 yazarsan. Mümkün qədər tez etsən kömək olarsan, çox sağol dəstək üçün. https://wetransfer.com/downloads/cf9da3e6505e9e6e3b7873da666bf68620200106110756/0435d1368b2174d257e2a721aa4f899c20200106110756/244e2d

The attacker asks the editors to help him look for financial support for a family member that is ill. The attacker instructs the victims to download a form to their computers, and explicitly asks them not to download the file to their phones.

Facebook chat between attacker and victim.

The attacker “man474019” is found

In May 2016, the cracking community website Nulled was compromised and 599K user accounts were leaked. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.

During our search for man474019, we found his email in a 1.37GB dump https://archive.org/details/nulled.io_database_dump_06052016

In the database we found the record:

(524997,'mehran1234',3,'man474019@gmail.com',1455534388,'85.132.24.77',0,NULL,1,'4',20,NULL,0,1,NULL,'0',1,1,0,0,0,1,2,0,1,NULL,1455534389,1455534430,0,0,'0','0','0','0&1','a:0:{}','','','eb638c97e75747e9f5c53554f8ebf3e6',1456139189,NULL,NULL,0,1,'mehran1234','mehran1234',0,NULL,0,'mehran1234','mehran1234','',0,1,'dc5e5f4952d6981ee54dd8085f5337c8','~HOB[',0,'default',0,0,'',0,'0,0',NULL,'','','',0,0,'',NULL,NULL,NULL,0,NULL,0,NULL,0,0,0,0,'',0,0,0,NULL,NULL,0,0,0,1,NULL,1,NULL,'','',NULL,0,'',0),

The dump from May 2016 shows that man474019@gmail.com connected to the forum from 85.132.24.77. In Qurium’s forensics report News media websites attacked from Governmental Infrastructure in Azerbaijan released in March 2017, this specific IP address was traced to the government of Azerbaijan.

In this network, several Ministries of the government can be found including the presence of several firewalls with digital certificates signed by the national cert (cert.az).

What is hosted in this network?

While looking into the “Hacking Team” files leaked by Wikileaks in 2015, we found this entry:

The mail headers reveal that the IP 85.132.24.75 was allocated to the Ministry of Internal Affairs (MIA) of Azerbaijan.

Received: from cybercrimePC (unknown [85.132.24.75])

Hence, we can conclude that the person behind the phishing attacks, using the email account man474019@gmail.com, is linked to the Ministry of Internal Affairs (MIA), Azerbaijan.