tr1adx Intelligence Bulletin (TIB) 00002: The "Digital Plagiarist" Campaign: TelePorting the Carbanak Crew to a New Dimension
[January 1, 2017]
Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".
At this time, we are able to disclose that we have seen activity associated with the "Digital Plagiarist" campaign in the following countries:
Focused Industries for the "Digital Plagiarist" campaign include:
Activity attributed to the "Digital Plagiarist" campaign first came on tr1adx's radar in the fall of 2016, when the TelePort Crew threat actor was seen registering a number of domain names which raised flags due to the suspicious nature of the domain names, attributes associated with the domain registration, and content served on these domains. Further research indicates that the "Digital Plagiarist" campaign has been active since at least July 2016, and possibly earlier, with very rapid turnaround times between the provisioning of attack/C2 infrastructure and execution of the actual attacks.
Based on our observations, we believe the TelePort Crew threat actor has performed considerable research on their targets, including mapping out business/customer relationships between the targets as well as understanding other geographic and target "trust" specific attributes often seen in cases of watering hole attacks.
Overview of Attack Methodology and TTPs
The TelePort Crew would start off by registering domain names which closely resemble those of legitimate web sites. These web sites would be designed to mimic either the group's intended target or a third party trusted by the intended target. The majority of these domain registrations appear to use a single registrar, "PDR Ltd. d/b/a PublicDomainRegistry.com", and in some cases the Threat Actor would recycle the same Registrant Information. We also noted a number of specific differentiators when comparing the Registrant Information with the types of malicious websites that were used.
The following table summarizes some of the more interesting domains we have seen the TelePort Crew threat actor register as part of the "Digital Plagiarist" campaign. While some of these domains are used for malware delivery, others are used for email domain spoofing, and C2 communications. A full list of (disclosable) domains suspected to be associated with the TelePort Crew's "Digital Plagiarist" campaign is provided in the Indicators of Compromise section:
(*) Legitimate organization reclaimed the mimicked/spoofed domain.
Once the malicious domain had been registered, the group would point it to one of the following IP addresses:
The Threat Actor would then use the TelePort Pro or TelePort Ultra software to mirror the content of the legitimate organization's web site to the newly registered domain. While in the majority of cases the TelePort Pro software would "flawlessly" mirror the web sites, if the web page contains links to external pages which are outside the scope of the TelePort site mirroring configuration, the software will rewrite some of the links in the mirrored HTML files as follows:
Traces of TelePort Pro seen on prsnewwire[.]com domain:
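The following is an added example, not code from the bulletin or from tr1adx, for checking whether a page carries the kind of mirroring traces described above. It relies on a documented behaviour of Teleport Pro that the bulletin does not spell out: the tool preserves the original absolute URL of each rewritten link in a `tppabs` attribute. The sample HTML and the host names `lookalike-newswire.test` and `legit-newswire.test` are constructed for the example; a page whose `tppabs` attributes point at a host other than the one serving it is the pattern to look for.

```python
"""Flag HTML pages that carry Teleport Pro mirroring artefacts.

Teleport Pro keeps the original absolute URL of every link it rewrites in a
``tppabs`` attribute (known tool behaviour, not taken from the bulletin). A page
served from one host whose tppabs attributes point at a different host is a
strong sign of a cloned site.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class TeleportTraceParser(HTMLParser):
    """Collect every tppabs attribute value found in a document."""

    def __init__(self):
        super().__init__()
        self.tppabs_urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None.
        for name, value in attrs:
            if name == "tppabs" and value:
                self.tppabs_urls.append(value)


def extract_tppabs(html):
    parser = TeleportTraceParser()
    parser.feed(html)
    return parser.tppabs_urls


def registrable_host(url):
    """Host of a URL with a leading 'www.' removed, lower-cased."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def assess_mirror(html, serving_host):
    """Summarise Teleport traces and which host the mirrored links came from.

    teleport_traces  - any tppabs attribute present at all
    likely_origin    - most common tppabs host that differs from serving_host
    """
    urls = extract_tppabs(html)
    origins = Counter(h for h in (registrable_host(u) for u in urls) if h)
    serving = registrable_host("http://" + serving_host)
    foreign = {h: n for h, n in origins.items() if h != serving}
    likely_origin = max(foreign, key=foreign.get) if foreign else None
    return {
        "tppabs_count": len(urls),
        "teleport_traces": bool(urls),
        "likely_origin": likely_origin,
        "cloned_from_other_host": likely_origin is not None,
    }


# Constructed sample: a page served from a lookalike host, mirrored from a
# legitimate site (both host names are placeholders, not from the bulletin).
SAMPLE_HTML = """<html><head><title>Press Releases</title></head>
<body>
<a href="about.htm" tppabs="http://www.legit-newswire.test/about/">About</a>
<img src="img/logo.png" tppabs="http://www.legit-newswire.test/img/logo.png">
<a href="http://www.legit-newswire.test/login" tppabs="http://www.legit-newswire.test/login">Login</a>
<a href="docs/order.docx">Catering order</a>
</body></html>"""

if __name__ == "__main__":
    print(assess_mirror(SAMPLE_HTML, "www.lookalike-newswire.test"))
```

A site that mirrors itself (same host in `tppabs` and in the serving name) still reports `teleport_traces` but no `likely_origin`, so the two fields should be read together rather than alerting on either alone.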
We were able to identify and confirm at least two separate instances where the above domains were used to serve up malicious Office documents:
The malware document "order.docx" is a stage 1 binary which, when opened by the end user, will download a stage 2 binary through the macros embedded in the malicious Office document. TrustWave recently did a great write-up entitled "New Carbanak / Anunak Attack Methodology", which provides additional details regarding the malware used in that campaign, as well as an overview of C2 communications and actor TTPs. Based on correlation of TTPs and infrastructure, we are fairly confident that the TelePort Crew is closely affiliated with, or is in fact, the Carbanak Threat Actor. We also believe the "Digital Plagiarist" campaign is associated with, or an evolution of, the campaign described in the recent TrustWave report.
Once the domains were properly mirrored and outfitted with malware, the TelePort Crew would craft spearphishing emails to their targets in order to lure them to download and open malicious Office documents hosted on one of the above domains. We have been able to observe at least one reported instance of such a spearphishing email related to the "Digital Plagiarist" campaign.
email@example.com -> "mailto:firstname.lastname@example.org"
From: email@example.com
Sent: Wednesday, December 14, 2016 10:33 AM
To: R_bgt, Briargate 0186
Subject: catering

Hello,

My name is George Thon and I'm an Project Manager with Sizzier Ltd. We have composed a list of services we require and interested in. Enclosed link contains all catering informatiom - http://www.sizzier.com/docs/order.docx

Click on edit anyway at the top of the page and than double click to unlock content

Sincerely,
George Thon
Sizzier Ltd.
Campaign and Infrastructure Clean Up
At the time of this writing, at least one of the malicious documents is still being served on one of the above listed domains. While all of the above listed domains are still active, only a few are still serving up mirrored content. When we started investigating this threat actor a few months ago, we were able to observe that almost all of the above listed domains were, at one time, serving up mirrored page content.
Based on all elements of our research, we believe the TelePort Crew threat actor will remove malicious and non-malicious content once successful execution of the malware on the target has been achieved. At the same time, our analysis leads us to suggest that the TelePort Crew may also delete or rename malicious content when the Threat Actor believes their operation has been compromised.
Targeted Industry / Organizations Interrelations
As we started investigating the TelePort Crew threat actor and the "Digital Plagiarist" campaign, it became apparent fairly quickly that the group has spent considerable effort in understanding and mapping out affinities and business/customer relationships between their targets and the domains they would register.
Another, less obvious, example is that of the "relationship" between Perrigo (TelePort Crew registered "perrigointernational[.]com") and Syngenta (TelePort Crew registered "syngenta-usa[.]com"):
In a potentially more sinister, and entirely speculative twist, there may be a relationship between TrustWave and iris Worldwide Marketing (TelePort Crew registered "iris-woridwide[.]com"):
The tr1adx team initially started tracking this Threat Actor under the codename "TelePort Crew" as a result of some of their TTPs. As we delved deeper into the group's activities, we saw increasing overlap with TTPs and infrastructure associated with the Carbanak / Anunak threat actor, which was confirmed as we compared notes with the information in the TrustWave article, entitled "New Carbanak / Anunak Attack Methodology", published in November 2016.
Several elements strongly suggest TelePort Crew and Carbanak/Anunak may be one and the same threat actor:
The tr1adx team believes it is important to note that while we have seen this threat actor register domains similar in nature to domains belonging to legitimate organizations, we are in no way suggesting that these legitimate organizations or their customers were a direct target for the TelePort Crew threat actor. We do believe the group has leveraged the reputation and legitimacy of these organizations to lend more credibility to the "Digital Plagiarist" campaign, in turn potentially yielding a higher rate of success in compromising the group's victims.
Indicators of Compromise
Indicators of Compromise (IOCs): Domains (25+) - Summary Table
Indicators of Compromise (IOCs): IP Addresses - Summary Table
Indicators of Compromise (IOCs): File Hashes - Summary Table
Indicators of Compromise (IOCs) [Downloadable Files]:
If a log search for any of these Indicators of Compromise returns positive hits, we recommend you initiate appropriate cyber investigative processes immediately and engage Law Enforcement where appropriate.
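The following is an added example, not code from the bulletin or from tr1adx, of the log search recommended above. It serves two passages: the exact-match IoC search described here, and the lookalike-domain registration pattern described in the attack methodology section (names such as "prsnewwire", "iris-woridwide", "syngenta-usa" and "perrigointernational" mimicking a legitimate brand). The indicator list uses the defanged domains named in the bulletin; the IP address `203.0.113.5` is a constructed placeholder standing in for the bulletin's IP table, the log lines are constructed, and the brand domains in `PROTECTED_BRANDS` are assumed legitimate names for the organizations the bulletin mentions, not taken from the page. The lookalike check goes beyond the bulletin's specific domains by flagging any second-level label within edit distance 2 of a protected brand, or any label that embeds a brand name.

```python
"""Search proxy/DNS log lines for "Digital Plagiarist" indicators and for
lookalike domains that imitate a protected brand.

Indicators are kept in the defanged form the bulletin uses ("[.]") and refanged
only at match time, so a pasted IoC list never becomes a live link.
"""
import re

# Domains named in the bulletin, defanged.
IOC_DOMAINS_DEFANGED = [
    "prsnewwire[.]com",
    "sizzier[.]com",
    "perrigointernational[.]com",
    "syngenta-usa[.]com",
    "iris-woridwide[.]com",
]
# Constructed placeholder (TEST-NET-3) standing in for the bulletin's IP table.
IOC_IPS = {"203.0.113.5"}
# Assumed legitimate domains of the organizations the bulletin says were mimicked.
PROTECTED_BRANDS = ["prnewswire.com", "perrigo.com", "syngenta.com", "iris-worldwide.com"]

_HOST_RE = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")
_IP_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")


def refang(indicator):
    """Turn 'evil[.]com' back into 'evil.com' for matching."""
    return indicator.replace("[.]", ".").lower()


def levenshtein(a, b):
    """Plain edit distance; fine for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(host):
    """Second-level label: 'www.syngenta-usa.com' -> 'syngenta-usa'."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def ioc_domain_match(host, ioc_domains):
    """Exact or subdomain match against refanged IoC domains."""
    host = host.lower()
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def lookalike_of(host, brands, max_distance=2):
    """Brand a host imitates: label within max_distance edits of the brand
    label, or a brand label of 6+ chars embedded in a longer label."""
    host = host.lower()
    label = base_label(host)
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return None  # the genuine domain, never a lookalike
        blabel = base_label(brand)
        embedded = len(blabel) >= 6 and blabel in label
        if embedded or 0 < levenshtein(label, blabel) <= max_distance:
            return brand
    return None


def scan_logs(lines, ioc_domains_defanged=IOC_DOMAINS_DEFANGED,
              ioc_ips=IOC_IPS, brands=PROTECTED_BRANDS):
    """Return one finding per matching line: IoC IP, IoC domain, or lookalike."""
    iocs = [refang(d) for d in ioc_domains_defanged]
    findings = []
    for n, line in enumerate(lines, 1):
        m = _HOST_RE.search(line)
        host = m.group(1) if m else None
        ip_m = _IP_RE.search(line)
        if ip_m and ip_m.group(1) in ioc_ips:
            findings.append({"line": n, "host": host, "reason": "ioc_ip", "match": ip_m.group(1)})
            continue
        if host is None:
            continue
        hit = ioc_domain_match(host, iocs)
        if hit:
            findings.append({"line": n, "host": host, "reason": "ioc_domain", "match": hit})
            continue
        brand = lookalike_of(host, brands)
        if brand:
            findings.append({"line": n, "host": host, "reason": "lookalike", "match": brand})
    return findings


# Constructed proxy/DNS log lines (hosts other than the bulletin's IoCs are placeholders).
SAMPLE_LOG = [
    "2016-12-14T10:41:02Z proxy src=10.1.2.3 dst=198.51.100.9 host=www.sizzier.com path=/docs/order.docx status=200",
    "2016-12-14T10:41:05Z dns src=10.1.2.3 query=prsnewwire.com type=A",
    "2016-12-14T10:42:10Z proxy src=10.1.2.7 dst=198.51.100.20 host=www.example.test path=/ status=200",
    "2016-12-14T10:43:00Z dns src=10.1.2.9 query=syngenta-usa.com type=A",
    "2016-12-14T10:44:00Z dns src=10.1.2.9 query=perrigo-suppliers.test type=A",
    "2016-12-14T10:45:30Z proxy src=10.1.2.11 dst=203.0.113.5 host=cdn.unrelated.test path=/a.js status=200",
    "2016-12-14T10:46:00Z dns src=10.1.2.12 query=www.syngenta.com type=A",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG):
        print(f)
```

Exact IoC hits are the ones to act on immediately; lookalike hits (line 5 above is not in the bulletin's list) are a triage queue for newly registered domains in the same pattern, and the edit-distance threshold should be tuned against your own traffic to keep false positives on short labels manageable.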