The Russian ICC (X): the intelligence ecosystem

We cannot conceive of the Russian intelligence community, described in this series, merely as a set of services dependent on political or military power. The degree of penetration of these services throughout Russian society is very high, both officially and unofficially. It is no secret that former KGB or FSB officials occupy positions of responsibility in politics or in the country's big companies. As a curiosity, in 2006 it was reported that 78% of the country's top 1,000 politicians had worked for the Russian secret services [1]. So much so that these profiles have a name of their own: siloviki, a term that roughly means people in power. And it is no secret who the best known of the siloviki is: Vladimir Putin, President of the Russian Federation, a KGB agent in the Soviet era and later Director of the FSB.

To understand this degree of penetration of Russian intelligence into certain organs of power it is necessary to go back, above all, to the 1990s. The dismemberment of the Soviet Union left Russia in a chaotic situation, with high unemployment and poverty rates. Many people had lost their jobs – among them, it is estimated, 40% of the KGB [2] – and the easy way out for these citizens was, obviously, illegality. Many former members of the security forces, the army or the intelligence services ended up swelling the ranks of organized crime groups or working in the legal or illegal protection of oligarchs or mafia leaders. This transfer of specialized personnel to organized crime groups was not only a way for these people to survive, but also a considerable reinforcement of the groups themselves, both in volume and in quality: thanks to these new signings, many of them went from small, unspecialized gangs using basic intimidation techniques to perfectly organized mafia groups with better human and material resources and highly specialized tactics. And, above all, with better relations with the Russian security, defense and intelligence services, the cradle of a good part of the mafia groups' new personnel.

In this convulsive situation, it seemed that the most stable business was organized crime; for example, the number of homicides in 1995 had tripled compared to the 1988 figures. When the Russian Government began to privatize state enterprises and services, organized crime groups, with a lot of money and power, saw the opportunity to position themselves in these, which automatically not only increased their economic power but also placed the mafias in the front line of political power.

Let us recapitulate: organized crime maintained a close relationship with the security and intelligence services, since many of its members came from them, and also with the large privatized companies and therefore with national politics. A perfect combination for becoming a key piece of the country. The Russian Government was aware that, in order to return the country to a situation of relative normality, organized crime was something it had to reckon with. So much so that in 1994 Boris Yeltsin went as far as to call Russia "the greatest mafia state in the world".

But Vladimir Putin's arrival in government in 1999 tried to change this situation, with two objectives: to return control of strategic assets to the state, and to let the world know that the state controlled these assets again – and, therefore, that Russia was a world power, as the USSR had been. He took the main companies and command posts away from oligarchs and criminals and placed in them former officers of the KGB or of its successor, the FSB, in the assurance that they all identified with the same Mother Russia we have already spoken about in this series.

With a dose of heavy-handedness, Vladimir Putin met his challenge and largely removed organized crime from positions of strategic importance for the country; but the power acquired by the mafia groups during the 1990s was too great, and trying to eliminate their activities altogether could even have destabilized Russia [2], so Putin had to content himself with removing them from these strategic positions while tacitly allowing them to continue their illegal business.

Let's look at the big spider web: Russian intelligence maintains connections with organized crime, gained in the 1990s, and widespread penetration of the country's political (government) and economic (strategic enterprises) circles of power, gained in the first decade of this century. With this degree of infiltration into the circles of power, Russian intelligence achieves two clear objectives: cover and control (or collaboration, depending on the degree required in each case). This has been the case since the Soviet era and it is – coincidentally or not – in the Russian. In fact, until recently a high percentage of senior Russian government officials were siloviki; with Medvedev this percentage has been reduced and the siloviki have lost some of their power in politics, although they still constitute a relevant lobbying group (or several, as there are several "families" of siloviki). With the election of Medvedev as Russian Prime Minister, Putin strengthened the liberals (economists and lawyers, many of them from St. Petersburg) against the siloviki, headed by Sergei Ivanov, who was given the headship of the Presidential Executive Office; an interesting move between two opposing clans that from that moment on have had practically a single point of union: President Putin himself.

In addition to these circles of power, the Russian services are closely related to citizen movements and even to the Russian Orthodox Church; although we are not going to describe this last relationship – we are focusing, or trying to, on the cyber environment – it is a good indication of how broad the social penetration of intelligence in Russian society is. And we will see that this penetration is not restricted to classical intelligence, but is automatically extrapolated to the cyber domain.

The relations of the Russian services with some of these actors are generally protected by law and can at most raise ethical objections; in "unofficial" relationships, however, legality is more than doubtful, not only with organized crime (in our case, organized cybercrime) but also with movements like the patriotic hackers, which have launched real offensive campaigns against the Russian homeland, perhaps covered by the country's own services…

In the next entries we will review the relations of the Russian intelligence community, described previously, with the different actors relevant to it, which allow it to increase its control and its capacity to act, especially unofficially.

References
[1] Alexander Klimburg, Heli Tirmaa-Klaar. Cybersecurity and cyberpower: concepts, conditions and capabilities for cooperation for action within the EU. Directorate-General for External Policies of the Union. Directorate B. Policy Department. European Parliament, 2011.

[2] Fred Burton, Scott Stewart. Russia and the Return of the FSB. Stratfor Security Weekly. April, 2008.

Miners, miners everywhere!

It is evident that cryptocurrencies are in fashion. The price increase of, for example, Bitcoin with respect to last year is exponential, as can be seen in the following Coinbase graph:

Everyone, including cybercriminals, wants to take advantage of this hype, and we have detected that, just as the price of Bitcoin or Monero (widely used in cybercrime) has risen exponentially, so has the activity of attacks that distribute miners intended to compromise computers and mine at the expense of our electricity.

So far this year we have detected an increasing tendency to distribute miners. Through one specific technique, attackers exploit vulnerabilities in insecure "deserialization" of Java objects and, after exploiting them, download and execute the miner on the compromised server or computer. These vulnerabilities, although not new, are being targeted by numerous criminal groups. [Read more…]

Templates with bad intentions

A few days ago, while analyzing several emails, I came across one that contained a suspicious attachment. It was a .docx document that at first glance had nothing inside, yet it took up 10 kB.

The mail had passed all the barriers: SPF, the two antivirus engines on the gateways, and also the anti-spam filter.

A .docx file can be treated as a compressed (zip) archive. Once its contents were extracted, I began to analyze all the files in the directory in search of domains or IP addresses that could be seen in clear text:

And I managed to find something interesting inside the path word/_rels/document.xml.rels where the following appears:
[Read more…]
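The triage step described above (unzip the .docx, look through its XML parts for domains or URLs, and inspect the `_rels/*.rels` relationship files) can be scripted. The following Python is an example added here for illustration; it is not the author's code. It builds a minimal, constructed .docx-like container in memory (with `http://example.invalid/template.dotm` as a placeholder external target, not an indicator from the post) and then flags any relationship declared with `TargetMode="External"` plus any URL that is not just an OOXML schema/namespace URI.

```python
import re
import zipfile
from io import BytesIO
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Hosts that appear in every OOXML part as XML namespace / schema URIs.
# They are not network targets, so they are excluded from the URL report.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com",
                "www.w3.org", "purl.org")
URL_RE = re.compile(r"\b(?:https?|ftp|file)://[^\s\"'<>]+", re.IGNORECASE)


def is_schema_url(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SCHEMA_HOSTS)


def scan_docx(data: bytes) -> dict:
    """Walk the zip container of a .docx and report
    (a) relationships with TargetMode="External" in any _rels/*.rels part and
    (b) URLs found in any XML part that are not plain schema/namespace URIs."""
    findings = {"external_relationships": [], "urls": {}}
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # binaries (images, OLE blobs) need a different pass
            text = zf.read(name).decode("utf-8", errors="replace")
            hits = sorted({u for u in URL_RE.findall(text) if not is_schema_url(u)})
            if hits:
                findings["urls"][name] = hits
            if name.endswith(".rels"):
                root = ET.fromstring(text)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode", "Internal").lower() == "external":
                        findings["external_relationships"].append({
                            "part": name,
                            "id": rel.get("Id"),
                            # keep only the last path element of the Type URI
                            "type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": rel.get("Target"),
                        })
    return findings


def is_suspicious(findings: dict) -> bool:
    """An otherwise empty document that reaches out to an external target
    is worth a closer look regardless of what the AV engines said."""
    return bool(findings["external_relationships"] or findings["urls"])


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx container with an empty body
    and one relationship pointing at an external (placeholder) URL."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels":
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p/></w:body></w:document>',
        "word/_rels/document.xml.rels":
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
            '</Relationships>',
    }
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_docx(build_sample_docx())
    for rel in result["external_relationships"]:
        print(f"[!] {rel['part']}: {rel['id']} ({rel['type']}) -> {rel['target']}")
    for part, urls in result["urls"].items():
        print(f"[*] URLs in {part}: {', '.join(urls)}")
    print("suspicious:", is_suspicious(result))
```

To use it on a real attachment, replace `build_sample_docx()` with the bytes of the file under analysis; the same logic applies to .xlsx and .pptx, since they share the same package layout, and a remote-template indicator would typically surface in `word/_rels/settings.xml.rels` rather than `document.xml.rels`, which is why every `.rels` part is walked.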

Droppers from Locky Ransomware with extra anti-Sandboxing

Recently an old acquaintance has returned to its old ways. This is the "Locky" ransomware, which about a year ago was very active in #Malspam campaigns (spam mail whose purpose is to install malware on the victim's system), mostly using script files such as ".js", ".wsf" or ".vbe". Since then it has kept up its activity, although to a lesser extent.
Recently a new campaign has started in which .doc (MS Office Word) files with macros are used, like the following:


[Read more…]

Phishing: improving our campaigns

One of the most important things when carrying out a phishing campaign [obviously, always within legal bounds. Ed.] is to ensure that our mail manages to evade the anti-spam filters and thus reaches the victim's inbox.

In this post we are not going to explain how Gophish works, which we have already mentioned in a previous post; we will simply describe a series of steps to follow to make our emails more credible. It is worth adding that following these steps does not guarantee 100% success, since each mail provider has its own filtering rules.

We start from the basis that Gophish is already installed, so the next step would be to obtain a domain and make a series of changes in DNS administration.
[Read more…]

Analysis of Linux.Helios

For several weeks we have been detecting a new variant of malware for Linux and IoT architectures from the malware laboratory of S2 Grupo, registered for the first time on the VirusTotal platform on October 18, which we have called Linux.Helios, due to the name of certain functions present in the sample.

We emphasize that the main antivirus signatures do not unanimously classify this sample: they range from ELF.DDoS to Tsunami, through Gafgyt or Mirai.
[Read more…]

JAFF Ransomware via PDF attachment with Doc

We continuously receive phishing emails coming from a variety of sources, often containing attachments with malicious payloads. In this case the attachment was a bit more interesting because it embedded a .docm file inside a .pdf file.

The email that arrived at our servers had "Order" as its subject and no visible content, only a p (paragraph) HTML element containing an empty symbol; the fun was in the attachment.

Attack stages

The attachment was a proper PDF file with a .docm file embedded inside. Once the PDF was opened, the .docm would unpack and execute its macros, leading to the download of a file that, once repacked by the macro on execution, would be run on the system.
[Read more…]

Personal Countersurveillance (I): Facial Recognition

(Please note some of the internal links are in Spanish)

Those of us who work in the cybersecurity sector are accustomed to hearing about threats and defense measures, but almost always referring to a virtual environment. However, there are other dimensions, such as physical security, that can affect us in different ways.

This series has been inspired by the paper by Adam Harvey of the Chaos Communication Congress of 2016: “Retail Surveillance / Retail Countersurveillance”. In it I will discuss some concepts concerning surveillance systems and counter-surveillance measures that can be used to avoid recognition by third parties.

This first article focuses on facial recognition, some of its most controversial applications to date and their implications.

Figure 1: Anonymous. Image taken from http://luisjimenez.com/wp-content/uploads/2016/05/faception.jpg [Posted on 15/05/2017]

[Read more…]

The mimi (mimikatz) side of #NotPetya

(Please note some of the internal links are in Spanish)
One of the things that most caught the attention of our malware lab about #NotPetya is the module that appears to contain code from the mimikatz tool. It is an automation of a step found in any pentest, and we believe it is worth studying and treating with care in order to learn from it.
For the analysis we focus on the 32-bit version of the binary:
[Read more…]

The Evolution of Trickbot

From the malware lab of S2 Grupo we have been monitoring the movements of a Trojan known as Trickbot. Its relationship with Dyre, another older Trojan with which it shares many design features, and the speed at which it evolves, has captured our interest ever since we saw the first samples.

This malware is usually categorized as a banking Trojan since it has so far been very much oriented towards the theft of banking data, but its modular design allows its capabilities to be expanded at any time to perform any kind of extra action.

During its early versions, some very good analyses were already done such as those of @hasherezade in the malwarebytes blog and Xiaopeng Zhang in that of Fortinet. But the development of Trickbot has continued during the last few months, reaching version 17 in less than 6 months. So we thought that it would be interesting to check the changes it has undergone during its evolution and to delve deeper into some of its most curious techniques when performing different actions.
[Read more…]