Now that another eventful year in cybersecurity is in the rearview mirror, let’s look back on some of the finest malware analysis by ESET researchers in 2018.
Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here. This article was originally posted to the ESET site We Live Security by Tomáš Foltýn.
If you never got the chance to read last year’s investigations by ESET researchers into some of the most dangerous hacker shenanigans in recent years, or if you just want to refresh your memory, now is the time. Let’s cut to the chase and recall just a handful of ESET’s delvings into the murky depths of 2018’s malware, including malicious code targeting Linux servers.
The evil twin
On one occasion, it wasn’t only fellow cybersecurity professionals who sat up and took notice, as ESET researchers uncovered a rootkit that goes to especially great lengths – and, indeed, depths – in order to open a backdoor to the targeted machine. While extremely rare, rootkits that burrow all the way into the computer’s Unified Extensible Firmware Interface (UEFI) aren’t entirely unheard of, and proof-of-concept samples thereof have been seen before. However, this was the first time that such a rootkit was detected in active use.
Unsurprisingly, LoJax – as we named the rootkit – is the work of an Advanced Persistent Threat (APT) group. In this case, our research uncovered solid evidence to tie the rootkit to a particularly nefarious hacking collective nicknamed Sednit (and also called APT28, Sofacy, Strontium, and Fancy Bear). This group has made a name for itself by possessing a diverse set of insidious tools that – as previously documented, on many occasions, by ESET researchers among others – it has deployed against a range of geopolitical targets.
To implant LoJax deep inside a system’s innards, Sednit has repurposed legitimate anti-theft software for laptops, which is known as LoJack (hence the rootkit’s name). LoJax co-opts the LoJack agent in order to maintain usermode persistence, after Sednit’s operators use legitimate utilities to overwrite parts of the victim machine’s SPI flash memory, where the LoJack UEFI module resides.
LoJax is both extremely difficult to detect – particularly for security software that doesn’t incorporate UEFI protection – and exceptionally persistent. Withstanding a reinstallation of the operating system and even a replacement of the hard drive is required by legitimate anti-theft software if it is to enable its owner to track down their lost or stolen computer. After all, a hard drive replacement or an operating system reinstallation could very well be the first thing a thief will do, and it is this ability to resist removal that LoJax co-opts from LoJack.
At any rate, there is a remedy when a system is compromised with LoJax. Its owner has essentially two ways to clean up: re-program the machine’s SPI flash memory or replace the motherboard outright. Neither option is simple, however, and both go far beyond the usual process of malware removal. This, again, helps illustrate just how intrusive, persistent and ultimately dangerous of a threat LoJax is.
Does LoJax portend an explosion in malware targeting computer firmware? Hardly, given that this is not your run-of-the-mill sort of malware. However, attackers do have the habit of borrowing from the devious playbooks of their predecessors, with LoJax aiding and abetting malware writers to expand the frontiers of computer intrusions. And this only highlights the importance of effective UEFI scanning and threat blocking.
Rumor has it … no longer
In another major discovery of 2018, ESET researchers unearthed enough evidence to assert that malware known as Industroyer, which caused the hour-long blackout in and around Ukraine’s capital, Kiev, in late 2016, was the work of the same threat actor that would unleash the NotPetya (DiskCoder.C) wiper disguised as ransomwaresix months later.
The culprit – a prolific APT collective called TeleBots – is descended from a group called BlackEnergy, whose eponymously named malware was responsible for another breakthrough incident: a power outage that affected a quarter of a million homes in Ukraine and lasted several hours in December 2015.
The above effectively ties three of the most impactful malware-induced incidents in memory to the same threat actors.
Speculation that TeleBots hatched Industroyer was rife after ESET researchers released their findings about this most powerful modern malware that targeted industrial control systems. Incriminating evidence was missing, however – until the same ESET researchers picked apart a piece of malware that they code-named Win32/Exaramel and that shared significant code similarities with the main Industroyer backdoor.
At its simplest, Win32/Exaramel is an upgrade of the backdoor that was at the heart of Industroyer. And although the attack deploying the improved version was prevented thanks to ESET’s timely alert to Ukraine’s authorities, “the discovery of Exaramel shows that the TeleBots group is still active in 2018”. That’s reason aplenty to worry as 2018 draws to a close.
More shades of malice
TeleBots isn‘t the only heir apparent to BlackEnergy, which seems to have gone dark after the December 2015 blackout. Another nefarious collective, called GreyEnergy, has been operating in parallel, and probably in close liaison, with TeleBots. That said, the turf and modus operandi of each of the two groups differ substantially.
As revealed by another landmark piece of ESET research – the first to shine a light on GreyEnergy globally – this hacking group doesn’t court attention for its malice. Instead, it engages in reconnaissance and espionage, ostensibly in order to prepare the ground for future attacks of its own making or to grease the wheels of operations to be run by other groups. All the while, GreyEnergy aims to lie low and vanish ‘into the fog’ once it has done its job.
GreyEnergy’s malware toolkit shares a number of similarities with that of its predecessor, although GreyEnergy was actually found to be an enhancement of BlackEnergy and “with an even greater focus on stealth”. At any rate, both groups share a keenly malicious interest in the energy sector and critical infrastructure in Ukraine and Poland.
Ties between GreyEnergy and TeleBots, for their part, are evidenced by the former’s use in December 2016 of a worm, called ‘Moonraker Petya’, that turned out to be a precursor to the NotPetya worm, unleashed by TeleBots six months later. At the risk of repeating ourselves: GreyEnergy is yet another extremely dangerous threat actor that is worth watching closely.
Turning tables
First off, bear with us while we recall a few quick facts from history prior to 2018. More than five years ago, ESET researchers analyzed and helped disrupt Operation Windigo, a malicious campaign that created a botnet comprising tens of thousands of Linux-powered servers. Windigo stood out for many things, but let’s settle for just two of them:
First, at its heart was a highly advanced backdoor and credential-stealer called Linux/Ebury that abused a widely used suite of remote connectivity tools known as OpenSSH. Second, before installing itself, Linux/Ebury would check if other OpenSSH backdoors were present on the system.
Looking at the code allowed ESET researchers to discover other in-the-wild SSH backdoors, some previously unknown to the AV community. Fast forward to 2018 and ESET unveils new research that describes this effort, offering unique insights into the state of affairs in Linux server-side malware.
Having tracked down in-the-wild backdoors in OpenSSH servers, the researchers have documented no fewer than 21 malware families, including 12 that had not been ‘on file’ before. They include both simple (off-the-shelf) and advanced (bespoke) malware, variously operated by crimeware and APT groups.
Eighteen out of the 21 strains are fitted with credential-stealing features, while 17 contain a backdoor mode. The associated white paper provides a comprehensive view of the malware strains and their inner workings, representing a significant contribution to the body of research into Linux-specific malware.
All told, this research effort is also a reminder that, while Linux may, for whatever reasons, be hit with less malware than Windows, the security of Linux-based systems, including internet-facing servers, may not be as bulletproof as some may (want to) believe.
Conclusion
To be sure, the research sketched out above draws on only a sample of the deliberate and purposeful methods used by some of the world’s most resourceful cybercriminals. And yet, that sample is more than enough to illustrate the magnitude of the threat represented by miscreants as the curtain is set to open on 2019.