WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

APT 3个月前 admin
74 0 0

WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

Our research team has identified a new APT group, dubbed “WildCard,” initially detected through its use of the SysJoker malware, which targeted Israel’s educational sector in 2021. WildCard has since expanded its reach, creating sophisticated malware variants disguised as legitimate software, and a recently developed malware called ‘RustDown,’ written in Rust for potential operational advantages. Connections to Operation ElectricPowder indicate WildCard’s advanced capabilities with a focus on critical sectors within Israel. While we’ve begun to understand WildCard’s tactics and methods, their precise identity is still enigmatic, demanding deeper analysis and collaboration within the infosec community.
我们的研究团队发现了一个名为“WildCard”的新 APT 组织,该组织最初是通过使用 SysJoker 恶意软件检测到的,该恶意软件于 2021 年针对以色列的教育部门。此后,WildCard 扩大了其影响范围,创建了伪装成合法软件的复杂恶意软件变体,以及最近开发的名为“RustDown”的恶意软件,该恶意软件是用 Rust 编写的,具有潜在的操作优势。与Operation ElectricPowder的联系表明了WildCard的先进能力,重点是以色列境内的关键部门。虽然我们已经开始了解 WildCard 的策略和方法,但它们的确切身份仍然是个谜,需要在信息安全社区内进行更深入的分析和合作。

The current war between Israel and Hamas has brought increased interest in a variety of threats targeting Israel. Of course, this includes the usual suspects like Iranian, Hezbollah, and Hamas-affiliated groups that consistently target Israeli organizations and are likely to increase their operational tempo to match the current conflict. We believe the shadow of a previously unidentified threat actor has slipped below the threshold and deserves greater attention. Its first sighting began with our discovery of the SysJoker malware targeting the educational sector in Israel in 2021. Since then, the group behind SysJoker has evolved its tooling and targeting in important ways.
目前以色列和哈马斯之间的战争使人们对针对以色列的各种威胁越来越感兴趣。当然,这包括伊朗、真主党和哈马斯附属团体等通常的嫌疑人,这些团体一直以以色列组织为目标,并可能加快行动节奏以配合当前的冲突。我们认为,以前未识别的威胁行为者的影子已经滑落到阈值以下,值得更多关注。它的首次发现始于我们在 2021 年发现针对以色列教育部门的 SysJoker 恶意软件。从那时起,SysJoker 背后的团队以重要方式发展了其工具和目标。

As we continued to track this threat cluster, we found previously undiscovered 2022 variants masquerading as ‘DMAdevice’ and ‘AppMessagingRegistrar’ software, both also written in C++. They share code and behavior patterns with our original discovery of SysJoker for Windows. Then in October 2023, we noticed a new malware written in Rust that shares behavioral traits with SysJoker. The developers refer to the malware as ‘RustDown’. The original version of SysJoker was used to target Windows, macOS, and Linux machines, the migration to Rust might be an attempt to simplify multi-platform targeting in addition to making it harder to analyze.
当我们继续跟踪这个威胁集群时,我们发现以前未发现的 2022 年变体伪装成“DMAdevice”和“AppMessagingRegistrar”软件,两者都是用 C++ 编写的。它们与我们最初发现的 SysJoker for Windows 共享代码和行为模式。然后在 2023 年 10 月,我们注意到一种用 Rust 编写的新恶意软件,它与 SysJoker 具有共同的行为特征。开发人员将恶意软件称为“RustDown”。SysJoker 的原始版本用于针对 Windows、macOS 和 Linux 机器,迁移到 Rust 可能是为了简化多平台定位,除了使其更难分析之外。

We’ve also uncovered possible connections with ClearSky’s Operation ElectricPowder. If proven, we see an actor displaying worrying capabilities and intent primarily targeting different critical sectors in Israel. To better describe the threat actor that ties these 3-4 different sets of activity together, we are clustering these sets of activity under the name WildCard. At this time, we can better describe WildCard’s TTPs across multiple operations and variants, but attribution remains elusive.
我们还发现了与 ClearSky 的 Operation ElectricPowder 的可能联系。如果得到证实,我们看到一个行为者表现出令人担忧的能力和意图,主要针对以色列的不同关键部门。为了更好地描述将这 3-4 个不同的活动集联系在一起的威胁参与者,我们将这些活动集聚集在名称 WildCard 下。目前,我们可以更好地描述通配符在多个操作和变体中的 TTP,但归因仍然难以捉摸。

WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel
Timeline of WildCard operations.
通配符操作的时间线。

Technical Analysis 技术分析

The Original SysJoker Malware
原始的 SysJoker 恶意软件

In January 2022, we published our discovery of SysJoker, an unattributed multi-platform backdoor leveraged against an educational institute in Israel. SysJoker masqueraded as a system update and generated its command-and-control by decoding a string retrieved from a text file hosted on GDrive. This dead drop resolver method is a consistent theme in the WildCard threat actor’s future operations, along with naming their malware after legitimate components. Note that the development of C++ multi-platform backdoors is rare in the Middle East and aroused further suspicion about the nature of the unidentified malware developers.
2022 年 1 月,我们发布了对 SysJoker 的发现,这是一个针对以色列教育机构的未归属多平台后门。SysJoker 伪装成系统更新,并通过解码从 GDrive 上托管的文本文件中检索到的字符串来生成其命令和控制。这种死掉解析器方法是通配符威胁参与者未来行动中的一贯主题,以及以合法组件命名他们的恶意软件。请注意,C++ 多平台后门的开发在中东很少见,并引起了对身份不明的恶意软件开发人员性质的进一步怀疑。

Previously Undiscovered Variants Appear
出现以前未发现的变体

After our publication, the WildCard threat actor continued to evolve their malware, re-implementing some of the malware’s behaviors to avoid detection and adding new capabilities. We found three samples of a malware variant written in C++. Two named DMAdevice.exe and one named AppMessagingRegistrar.exe. These variants were compiled five months after our original publication. 
在我们发布后,通配符威胁行为者继续发展他们的恶意软件,重新实现恶意软件的一些行为以避免检测并添加新功能。我们发现了三个用 C++ 编写的恶意软件变体样本。两个名为 DMAdevice.exe,另一个名为 AppMessagingRegistrar.exe。这些变体是在我们最初出版五个月后编制的。

Hash 散 列 Compilation Timestamp 编译时间戳 Filename 文件名
e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836 19 May 2022 18:07:42 19 5月 2022 18:07:42 DMAdevice.exe DMA设备.exe
6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95 19 May 2022 18:05:18 19 5月 2022 18:05:18 DMAdevice.exe DMA设备.exe
67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706 19 Jun 2022 20:20:06 19 6月 2022 20:20:06 AppMessagingRegistrar.exe

DMAdevice DMA设备

Using Intezer Analyze we were able to identify code reuse between these samples and the original Windows SysJoker samples.
使用 Intezer Analyze,我们能够识别这些示例和原始 Windows SysJoker 示例之间的代码重用。

The structure of the main methods is largely similar, with some differences.
主要方法的结构大致相似,但有一些不同之处。

Comparison between SysJoker and the DMAdevice variant.
SysJoker 和 DMAdevice 变体之间的比较。

Besides the shared code, the two DMAdevice variants share a unique string with SysJoker, a custom alphabet: 
除了共享代码之外,两个 DMAdevice 变体还与 SysJoker 共享一个唯一的字符串,这是一个自定义字母表:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuvmxyz

Note the missing ‘jk’ from the lowercase portion of the custom alphabet. This is likely a minor slip on the part of the developers but one that has consistently carried over into these newer variants.
请注意自定义字母表的小写部分缺少的“jk”。这可能是开发人员的一个小失误,但这种失误一直延续到这些较新的变体中。

Previous versions of SysJoker used GDrive as a dead drop resolver. The retrieved file content is base64 decoded before it is decrypted using a hardcoded RSA key as an XOR key. The decrypted data is the address of the intended C2 server. 
以前版本的 SysJoker 使用 GDrive 作为死点解析器。检索到的文件内容在使用硬编码的 RSA 密钥作为 XOR 密钥进行解密之前,会进行 base64 解码。解密的数据是预期 C2 服务器的地址。

The DMAdevice variant implements similar behavior but instead abuses OneDrive as its dead drop resolver. Meaning that the threat actors retained the usage of popular benign publicly-available services, unlikely to be blocked across the network while keeping the ability to rotate the C2 as needed. The use of OneDrive as a dead drop resolver continues into the RustDown variant.
DMAdevice 变体实现了类似的行为,但滥用 OneDrive 作为其死点解析程序。这意味着威胁行为者保留了流行的良性公开服务的使用,不太可能在整个网络中被阻止,同时保持根据需要轮换 C2 的能力。使用 OneDrive 作为死点解析器继续到 RustDown 变体。

Interestingly, they have decided to remove the use of the RSA key but keep the same scheme, replacing the key with a different string. In this case, after the stack string is built up, the used XOR key is:
有趣的是,他们决定删除 RSA 密钥的使用,但保留相同的方案,用不同的字符串替换密钥。在本例中,在构建堆栈字符串后,使用的 XOR 键为:

QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT
The XOR string being built on the stack.
在堆栈上构建的 XOR 字符串。

The hardcoded User Agent string also changes, as follows:
硬编码的用户代理字符串也会更改,如下所示:

Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36

AppMessagingRegistrar

This variant was compiled after the DMAdevice version. While it also shares code with SysJoker, this variant implements different capabilities. For example, it uses multiple XOR keys to decode strings. This variant also uses different url paths:
此变体是在 DMAdevice 版本之后编译的。虽然它还与 SysJoker 共享代码,但此变体实现了不同的功能。例如,它使用多个 XOR 键来解码字符串。此变体还使用不同的 url 路径:

  • api/update API/更新
  • /api/register /api/注册
  • /api/library /api/库
  • /api/requests /api/请求

However, similar to the other WildCard malware, it also uses OneDrive as a dead drop resolver. Also similar, AppMessagingRegistrar is downloaded from a server inside a ZIP file and is executed by a DLL file. The DLL file masquerades as Brave Browser. 
但是,与其他通配符恶意软件类似,它也使用 OneDrive 作为死点解析器。同样类似,AppMessagingRegistrar 是从 ZIP 文件中的服务器下载的,并由 DLL 文件执行。DLL 文件伪装成 Brave Browser。

Company: Brave Browser 公司: Brave Browser
Product: Brave Browser (4.0.1.5)
产品: Brave Browser (4.0.1.5)
Metadate of AppMessagingRegistrar executable.
AppMessagingRegistrar 可执行文件的元日期。

RustDown: WildCard learns Rust
RustDown:通配符学习 Rust

In October 2023, we discovered a new malware written in Rust. The sample is a 32-bit Windows executable masquerading as a PHP framework component. While the codebase is new, the malware consistently shares TTPs used by the WildCard threat actor in both SysJoker and its variants. The name of the malware is derived from the developers, as evidenced by a leftover PDB path:
2023 年 10 月,我们发现了一种用 Rust 编写的新恶意软件。此示例是一个伪装成 PHP 框架组件的 32 位 Windows 可执行文件。虽然代码库是新的,但该恶意软件始终共享 SysJoker 及其变体中通配符威胁参与者使用的 TTP。恶意软件的名称来自开发人员,如剩余的 PDB 路径所示:

– C:\Code\Rust\RustDown-Belal\target\release\deps\RustDown.pdb 

RustDown PDB file path. RustDown PDB 文件路径。

According to the PDB file the malware developers refer to this component as RustDown. Additionally, the term “Belal” in the folder path may be a transliteration of the common Arabic first name ‘Bilal’. We treat this as a low-confidence indicator towards the identity of one of the WildCard developers.
根据 PDB 文件,恶意软件开发人员将此组件称为 RustDown。此外,文件夹路径中的术语“Belal”可能是常见的阿拉伯语名字“Bilal”的音译。我们将其视为对通配符开发人员之一身份的低置信度指标。

Hash 散 列 Compilation Timestamp 编译时间戳 Filename 文件名
d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
d4095f8b2fd0e6deb605baa1530c33336298afd02afc0f41030fa43371e3e72
7 Aug 2023 10:43:32 7 8月 2023 10:43:32 php-cgi.exe

RustDown is intended to look like a legitimate PHP executable named php-cgi. PHP-CGI stands for PHP Common Gateway Interface. Providing an important tool that allows PHP to interact with a web server.
RustDown 旨在看起来像一个名为 php-cgi 的合法 PHP 可执行文件。PHP-CGI 代表 PHP 通用网关接口。提供一个重要的工具,允许 PHP 与 Web 服务器进行交互。

Company: The PHP Group 公司: The PHP Group
Product: PHP (7.4.19) 产品: PHP (7.4.19)
Metadata of RustDown executable.
RustDown 可执行文件的元数据。

As the name suggests, RustDown is a backdoor written in Rust and compiled for Windows operating systems. It uses OneDrive as a dead drop resolver.
顾名思义,RustDown 是一个用 Rust 编写的后门,专为 Windows 操作系统编译。它使用 OneDrive 作为死点解析器。

RustDown implements multiple calls to the Sleep API using randomly chosen time durations, as seen in SysJoker.  
RustDown 使用随机选择的持续时间实现对 Sleep API 的多次调用,如 SysJoker 所示。

Function in RustDown that implements the Sleep functionality.
RustDown 中实现 Sleep 功能的函数。

Next, the backdoor copies the executable to another location and sets up persistence by using a PowerShell command. Both the path and the PowerShell command are obfuscated in an attempt to evade detection. After decrypting the strings, we see that the malware copies itself to the following location, keeping with the theme of the legitimate PHP CGI tool:
接下来,后门程序将可执行文件复制到另一个位置,并使用 PowerShell 命令设置持久性。路径和 PowerShell 命令都经过模糊处理,以试图逃避检测。解密字符串后,我们看到恶意软件将自身复制到以下位置,与合法 PHP CGI 工具的主题保持一致:

C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe
C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe

Next, the malware decodes the PowerShell command that sets the registry value for persistence: 
接下来,恶意软件会解码为持久性设置注册表值的 PowerShell 命令:

“powershell” -Command “$reg=[WMIClass]’ROOT\DEFAULT:StdRegProv’;$results=$reg.SetStringValue(‘&H80000001′,’Software\Microsoft\Windows\CurrentVersion\Run’, ‘php-cgi’, ‘C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe’);”
“powershell” -命令 “$reg=[WMIClass]’ROOT\DEFAULT:StdRegProv’;$results=$reg.SetStringValue(’&H80000001’,’Software\Microsoft\Windows\CurrentVersion\Run’, ‘php-cgi’, ‘C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe’);”

The general mechanism for interacting with the Current User Hive involves using the identifier ‘&H80000001’ as described here. However, the specific command string it uses appears to be unique and relates to a separate campaign, referred to as Operation Electric Powder described further below.
与当前用户配置单元交互的一般机制涉及使用标识符“&H80000001”,如此处所述。但是,它使用的特定命令字符串似乎是唯一的,并且与一个单独的活动相关,称为下文进一步描述的“电火药行动”。

Obfuscation 混淆

As mentioned, the malware encrypts its own strings in two different ways. The bulk of the remaining unobfuscated strings are artifacts of the static compilation of Rust dependencies linked within the binary:
如前所述,恶意软件以两种不同的方式加密自己的字符串。剩下的大部分未混淆的字符串是二进制文件中链接的 Rust 依赖项的静态编译工件:

  • base64-0.13
  • curl-0.4.35 卷曲-0.4.35
  • rand-0.8.3 兰德-0.8.3
  • rand_chacha-0.3.0
  • rand_core-0.6.2
  • rustc-demangle-0.1.21
  • serde_json-1.0.64
  • Whoami-1.1.1 哇-1.1.1

The first type of obfuscation has the following scheme: first, decode the string with a standard Base64 scheme, unlike the first variant of SysJoker, and then decrypt the result with the following XOR key:
第一种混淆的方案如下:首先,使用标准的 Base64 方案解码字符串,这与 SysJoker 的第一种变体不同,然后使用以下 XOR 密钥解密结果:

QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT

The same XOR key was used by the DMAdevice variant of SysJoker.
SysJoker 的 DMAdevice 变体使用相同的 XOR 密钥。

The malware decrypts additional strings using a XOR cipher, where each string is processed against a distinct key stream. The specific key for each string is determined by using fixed offsets from a table embedded within the malware’s code, combined with a calculation involving hardcoded numerical values and bitwise operations.
该恶意软件使用 XOR 密码解密其他字符串,其中每个字符串都针对不同的密钥流进行处理。每个字符串的特定密钥是通过使用嵌入在恶意软件代码中的表中的固定偏移量,并结合涉及硬编码数值和按位运算的计算来确定的。

Decryption of strings using unique key stream.
使用唯一密钥流解密字符串。

Communication With the C2
与 C2 通信

The communication with the C2 starts with the decoding of a dead drop resolver. This is performed using the first decoding method and the hardcoded XOR key and Base64. The backdoor sends an HTTP Get request to the following resolved URL:
与 C2 的通信从对死滴解析器的解码开始。这是使用第一种解码方法和硬编码的 XOR 密钥和 Base64 执行的。后门程序向以下解析的 URL 发送 HTTP Get 请求:

https://onedrive[.]live.com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ

The backdoor uses a custom user agent. This is similar to the earlier version of SysJoker, which also communicated using a specific, hardcoded user agent:
后门程序使用自定义用户代理。这类似于早期版本的 SysJoker,后者也使用特定的硬编码用户代理进行通信:

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537
Mozilla/5.0 (Windows NT 10.0;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537

We were able to get a response from the resolver:
我们能够从解析器得到响应:

KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr

The response is encoded using Base64 and XOR-ed with the same key that was used in the previous step. The decrypted result is the IP address of the C2: {“url”:”http://85.31.231[.]49:443″}. During our investigation, we did not find other C2 domains that were served by this OneDrive link. 
响应使用 Base64 和 XOR 进行编码,密钥与上一步中使用的密钥相同。解密结果是 C2 的 IP 地址:{“url”:“http://85.31.231[.]49:443″}.在我们的调查过程中,我们没有发现此 OneDrive 链接提供的其他 C2 域。

Next, the malware communicates with the C2 using the HTTP protocol. The URL is formatted in the following way: <C2 domain>/api/<command>. In RustDown, we identified two commands attach and req.
接下来,恶意软件使用 HTTP 协议与 C2 通信。URL 的格式如下:/api/。在 RustDown 中,我们确定了两个命令 attach 和 req。

VirusTotal behavior analysis of RustDown showing the connection method to the C2.
RustDown 的 VirusTotal 行为分析显示了与 C2 的连接方法。

Like the original version of Sysjoker, the RustDown will decode the C2 and send the collected user’s information to the C2’s /api/attach path as an initial handshake. The information sent over has the following structure:
与 Sysjoker 的原始版本一样,RustDown 将对 C2 进行解码,并将收集到的用户信息作为初始握手发送到 C2 的 /api/attach 路径。发送的信息具有以下结构:

“ip”:”[Local IP Address]”
“ip”:“[本地 IP 地址]”

“serial”:”[Host Name]_[Serial Number]_[Username]”
“serial”:“[主机名]_[序列号]_[用户名]”

“name”:”[Username]” “name”:“[用户名]”
“os”:”[Operating System Version]”
“os”:“[操作系统版本]”

“user_token”:”[User Token]”
“user_token”:“[用户令牌]”

This differs from the fields used in SysJoker which included an unused ‘av’ field.
这与 SysJoker 中使用的字段不同,后者包含一个未使用的“av”字段。

“sn”: “[Serial Number]” “sn”: “[序列号]”
“us”: “[Username]” “us”: “[用户名]”
“os”: “[Operating System Version]”
“os”: “[操作系统版本]”

“av”: *Unused “av”: *未使用
“ip”: “[Local IP Address]”
“ip”: “[本地 IP 地址]”

RustDown will send requests to the C2’s /api/req path after registration, similar to older versions. The response from the C2 is a JSON detailing an array of tasks to perform. These instructions include actions along with specific URLs to download a zip archive containing executables and save it at C:\\ProgramData\\php-Win32-lib with the filename specified in the JSON. To unzip the payload, RustDown decryptes another PowerShell command.
注册后,RustDown 会向 C2 的 /api/req 路径发送请求,与旧版本类似。来自 C2 的响应是一个 JSON,其中详细说明了要执行的任务数组。这些说明包括操作以及特定的 URL,用于下载包含可执行文件的 zip 存档,并使用 JSON 中指定的文件名将其保存在 C:\\ProgramData\\php-Win32-lib 中。为了解压缩有效负载,RustDown 解密了另一个 PowerShell 命令。

Connections to Operation ElectricPowder
与 Operation ElectricPowder 的连接

In the process of our investigation, we found an interesting set of connections between the newer SysJoker variants (particularly the ‘DMA Device’) and components of Operation ElectricPowder. The latter was an attack that targeted the Israeli Electric Corporation (IEC) in 2016-2017. In both cases, the following specific string is deobfuscated during execution and used to establish persistence.
在我们的调查过程中,我们发现了较新的 SysJoker 变体(特别是“DMA 设备”)与 Operation ElectricPowder 组件之间的一组有趣的联系。后者是 2016-2017 年针对以色列电力公司 (IEC) 的袭击。在这两种情况下,以下特定字符串在执行过程中都会进行反混淆,并用于建立持久性。

powershell\” -Command \”$reg=[WMIClass]’ROOT\\DEFAULT:StdRegProv’;$results=$reg.SetStringValue(‘&H80000001′,’Software\\Microsoft\\Windows\\CurrentVersion\\Run’, <process>, <path> 
powershell\“ -Command \”$reg=[WMIClass]’ROOT\\DEFAULT:StdRegProv’;$results=$reg.SetStringValue(’&H80000001’,’软件\\Microsoft\\Windows\\CurrentVersion\\Run’, ,

The general mechanism to resolve the Current User hive is described here. However, the way the command string is implemented appears to be limited to these malware sets, suggesting a developmental connection across nearly four years.
此处介绍了解析当前用户配置单元的一般机制。然而,命令字符串的实现方式似乎仅限于这些恶意软件集,这表明了近四年的发展联系。

Additionally, once we discovered RustDown, we found that it also dynamically resolves this PowerShell command string and uses it to achieve persistence. This further strengthens the hypothesis that Operation ElectricPowder may have been the earliest appearance of the WildCard threat actor.
此外,一旦我们发现 RustDown,我们发现它也会动态解析此 PowerShell 命令字符串并使用它来实现持久性。这进一步强化了 Operation ElectricPowder 可能是通配符威胁参与者最早出现的假设。

Infection vectors 感染媒介

In our publication of SysJoker, we suspected that the threat actors used an infected npm package to deliver SysJoker. With the discovery of new versions, we see that this pattern of masquerading as legitimate software continues among all of the components of WildCard.
在我们发布的 SysJoker 中,我们怀疑威胁参与者使用受感染的 npm 包来交付 SysJoker。随着新版本的发现,我们看到这种伪装成合法软件的模式在通配符的所有组件中继续存在。

Now with the DMAdevice, AppMessagingRegistrar variant, and Rustdown, we see a pattern of using legitimate services to masquerade the malware. We can assume WildCard uses phishing campaigns to convince victims to download their malware.
现在有了 DMAdevice、AppMessagingRegistrar 变体和 Rustdown,我们看到了一种使用合法服务来伪装恶意软件的模式。我们可以假设 WildCard 使用网络钓鱼活动来说服受害者下载他们的恶意软件。

As mentioned, part of WildCard’s operations share behavioral patterns with Operation ElectricPowder. This malware also masqueraded as legitimate software and used an elaborate and diverse phishing campaign, including decoy news sites and Facebook profiles. 
如前所述,WildCard 的部分操作与 Operation ElectricPowder 共享行为模式。该恶意软件还伪装成合法软件,并使用了精心策划的多样化网络钓鱼活动,包括诱饵新闻网站和 Facebook 个人资料。

If the connection between the two operations is solid, it supports WildCard’s investment in extensive social engineering campaigns to reach their targets. The early malware of Operation Electric Powder was poorly disguised as legitimate Microsoft components. SysJoker variants were more elaborately disguised as benign applications or web development components with names reminiscent of TypeScript projects. The newest iteration follows in that web development tool theme by disguising RustDown as a PHP CGI component. At this time, we have not discovered the latest infection vector but feel that these TTPs suggest possible targeting of developer communities in Israel with trojanized applications.
如果这两项业务之间的联系是稳固的,它就支持WildCard在广泛的社会工程活动中的投资,以实现其目标。Operation Electric Powder的早期恶意软件伪装成合法的Microsoft组件。SysJoker 变体被更精心地伪装成良性应用程序或 Web 开发组件,其名称让人想起 TypeScript 项目。最新的迭代遵循该 Web 开发工具主题,将 RustDown 伪装成 PHP CGI 组件。目前,我们尚未发现最新的感染媒介,但认为这些 TTP 表明可能使用木马应用程序针对以色列的开发者社区。

The detection of SysJoker traces back to a 2021 incident at an Israeli educational institution. After analyzing the malware, we identified behavioral patterns akin to those of another malware variant that previously targeted Israeli infrastructure. This similarity points to a deliberate pattern of victim targeting shared between the two types of malware.
SysJoker 的检测可以追溯到 2021 年在以色列教育机构发生的事件。在分析了恶意软件后,我们发现了类似于以前针对以色列基础设施的另一种恶意软件变种的行为模式。这种相似性表明,两种类型的恶意软件之间共享了一种故意针对受害者的模式。

Network infrastructure 网络基础设施

Another interesting TTP connecting different WildCard operations is the abuse of benign web services as dead drop resolvers or C2 hosting. First-stage components consistently reach out to services like GDrive or OneDrive to receive text that is decoded into the address of the intended C2. The threat actor has used a number of hosting providers to host their C2 infrastructure, most recently Hostinger. During analysis, we found that the C2 is possibly geofenced to respond only to IP addresses from Israel, further supporting our sense of WildCard’s targeting.
连接不同通配符操作的另一个有趣的 TTP 是滥用良性 Web 服务作为死滴解析器或 C2 托管。第一阶段组件始终与 GDrive 或 OneDrive 等服务联系,以接收解码为预期 C2 地址的文本。威胁行为者使用许多托管服务提供商来托管他们的 C2 基础设施,最近的是 Hostinger。在分析过程中,我们发现 C2 可能被地理围栏设置为仅响应来自以色列的 IP 地址,这进一步支持了我们对通配符定位的理解。

Conclusion 结论

As we continue to monitor the threat landscape surrounding the ongoing Israeli-Hamas war, it’s important to emphasize the existence of non-traditional threat actors like WildCard that have slipped below the radar. At the time of our initial discovery of SysJoker, we were missing the necessary components to bring this threat actor into view fully. As additional variants were discovered, we found connections to a notable earlier campaign targeting electric power generation in Israel. More recently, the WildCard developers have undertaken the popular move from C++ to Rust. Despite having to start their project over in Rust, RustDown also shows the same specific traits as newer SysJoker variants and older ElectricPowder components. Clustering these different sets of activities showcases an APT group consistently targeting Israeli critical sectors like education, IT infrastructure, and possibly electric power generation active to this day.
随着我们继续监测围绕正在进行的以色列-哈马斯战争的威胁形势,重要的是要强调像 WildCard 这样的非传统威胁行为者的存在,这些行为者已经悄悄地被忽视了。在我们最初发现 SysJoker 时,我们缺少将这个威胁参与者完全纳入视野的必要组件。随着其他变种的发现,我们发现与以色列早期一项针对发电的著名活动有关。最近,通配符开发人员已经进行了从C++到Rust的流行迁移。尽管不得不在 Rust 中重新开始他们的项目,但 RustDown 也显示出与较新的 SysJoker 变体和较旧的 ElectricPowder 组件相同的特定特征。将这些不同的活动集聚为一类,展示了一个 APT 小组始终以以色列的关键部门为目标,如教育、IT 基础设施,以及可能至今仍在活跃的发电。

I would like to extend my sincere gratitude to Juan Andres Guerrero-Saade and Ryan Robinson for their contributions to the development and refinement of this blog.
我要衷心感谢胡安·安德烈斯·格雷罗-萨德和瑞安·罗宾逊为本博客的发展和完善所做的贡献。

IOCs 国际奥委会

Rustdown  锈迹斑斑

d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
d4095f8b2fd0e6deb605baa1530c33336298afd02afc0f41030fa43371e3e72

DMAdevice (SysJoker May 2022 Variant)
DMAdevice(SysJoker 2022 年 5 月变体)

e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836

6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95

AppMessagingRegistrar (SysJoker June 2022 Variant)
AppMessagingRegistrar(SysJoker 2022 年 6 月变体)

67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706

SysJoker Downloader SysJoker 下载

96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f

Dead Drop Resolver URL Dead Drop Resolver 网址

https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ (RustDown)
https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ (RustDown) 迪拉姆

https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570%21115&authkey=AKcf8zLcDneJZHw (DMAdevice.exe)
https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570%21115&authkey=AKcf8zLcDneJZHw (DMAdevice.exe)

https://onedrive[.]live.com/download?cid=3014636895E3FE3B&resid=3014636895E3FE3B%21106&authkey=AD4OGrVz9h17Jzo (AppMessagingRegistrar.exe)
https://onedrive[.]live.com/download?cid=3014636895E3FE3B&resid=3014636895E3FE3B%21106&authkey=AD4OGrVz9h17Jzo (AppMessagingRegistrar.exe)

C2

85.31.231[.]49:443 (Rustdown)
85.31.231[.]49:443 (锈迹斑斑)

sharing-u-file[.]com (DMAdevice.exe)
sharing-u-file[.]com (DMAdevice.exe)

audiosound-visual[.]com (AppMessagingRegistrar.exe)filestorage-short[.]org (SysJoker Downloader)
音频声音-视觉[.]com (AppMessagingRegistrar.exe)filestorage-short[.]org (SysJoker 下载器)

原文始发于Nicole Fishbein:WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

版权声明:admin 发表于 2023年11月30日 上午9:14。
转载请注明:WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...