::Trend Micro Threat Resource Center::


21 December 2015

Cyberspy group repurposes 12-year-old Bifrose backdoor


A group of hackers that primarily targets companies from key industries in Asia is using heavily modified versions of a backdoor program called Bifrose that dates back to 2004.

The group, which researchers from antivirus vendor Trend Micro call Shrouded Crossbow, has been targeting privatized government organizations, government contractors and companies from the consumer electronics, computer, healthcare, and financial industries since 2010.

The group's activities are evidence that engaging in cyberespionage doesn't always require huge budgets, stockpiles of zero-day vulnerabilities and never-before-seen malware programs. Old cybercrime tools can be repurposed and improved for efficient attacks.

The toolset used by the group includes backdoors such as Kivar and Xbow, which are based on or inspired by Bifrose and which have in the past been sold on underground markets for about $10,000.

"What we think happened is that the group purchased the source code of BIFROSE, and after improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities," the Trend Micro researchers said in a blog post.

This allowed the group to remain effective in its operations despite Bifrose being a well-known, well-understood and easily detected threat in the antivirus industry.

One interesting aspect of the group is that it is organized in at least two, and possibly three or more, teams, according to the Trend Micro researchers. One is the development team, which has at least 10 people who develop new builds of the backdoor. The number of people involved was determined from version strings customized with unique developer IDs.

A second team is responsible for target selection, for configuring the malware parameters for each intended victim and for building the spear-phishing emails that are used as the delivery mechanism. The rogue emails carry malicious attachments and masquerade as news reports, resumes, government data or meeting requests.

A third team might be in charge of maintaining the group's extensive command-and-control infrastructure, which includes over 100 servers whose IP addresses and domains are updated in an organized fashion. New domains are being registered all the time, the Trend Micro researchers said.

07 February 2015

Espionage app targets iOS devices

Trend Micro has discovered an interesting poisoned pawn - spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.


The iOS malware found is among those advanced malware tools; it is believed to be installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware Trend Micro found for Microsoft Windows systems. Two malicious iOS applications were found in Operation Pawn Storm. One is called XAgent and the other uses the name of a legitimate iOS game, MadCap. XAgent is designed to work specifically with iOS 7, which still runs on one in every five iPhones and iPads. Fortunately, on iOS 8 devices the user will see multiple notifications that the phone is trying to install an app, and the app can't run without the user launching it. Both tools have the ability to record audio, which is very intrusive and strongly suggests the targeting of offline and confidential information.

Following analysis, Trend Micro concluded that both applications are related to SEDNIT, spyware that aims to steal personal data, record audio, take screenshots, and send them to a remote command-and-control (C&C) server. Some of the data theft capabilities include:

  • Collect text messages
  • Get contact lists
  • Get pictures
  • Collect geo-location data
  • Start voice recording
  • Get a list of installed apps
  • Get a list of processes
  • Obtain Wi-Fi status

There may also be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.


Background of Operation Pawn Storm
Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

The actors of Pawn Storm tend to first move a lot of pawns in the hope that they come close to their actual, high-profile targets. When they finally succeed in infecting a high-profile target, they might decide to move their next pawn forward: advanced espionage malware.

The iOS malware we found is among those advanced malware tools. We believe the iOS malware gets installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware we have found for Microsoft Windows systems.

17 July 2012

USB drives left in car park as corporate espionage attack vector

A number of infected USB flash drives were recently left in the car park of Dutch chemical firm DSM in a failed corporate espionage attempt. According to a report (in Dutch) from Dutch newspaper Dagblad De Limburger, these drives were planted by an unknown party in the hope that one or more of the company's employees would insert them into their office systems.

However, instead of plugging it into one of the company's systems, an employee who found one of the USB sticks turned it over to DSM's IT department. Upon examination, they discovered that the drives contained malware set to run automatically upon insertion into a computer. The malware is said to have been a keylogger designed to capture usernames and passwords, and to access the company network in order to send them to an external site.

Upon finding this, the company blocked all access to the IP addresses which the malware attempted to contact. Because, they say, it was a clumsy attempt to steal data and no damage was done, DSM decided not to contact the police.

Would you report to the police?