Author: Nathan Toporek<\/p>\n
TLP:WHITE<\/p>\n
On 17 September, the Federal Bureau of Investigation (FBI) published a new FLASH alert in coordination with the Department of Homeland Security (DHS), and the Department of the Treasury (Treasury).1<\/sup> The report describes multiple types of malware that the Iranian Rana Intelligence Computing Company – also known as APT39 – has used in their global operations. In the report, the FBI included descriptions of how the various types of malware operate, as well as a set of YARA rules for each type. The FBI also published a representative set of malware samples to VirusTotal for public analysis.<\/p>\n Rana Intelligence Computing Company is a front company for Iran’s Ministry of Intelligence and Security (MOIS). According to the FBI, it has targeted hundreds of individuals and entities in more than 30 countries spread across Asia, Africa, Europe, and North America. It has previously targeted foreign citizens, foreign governments, and organizations predominantly in the travel, hospitality, academic, and telecommunications industries. Specifically in Iran, it has targeted individuals and dissidents, in addition to companies and academic institutions.<\/p>\n The FLASH alert describes multiple variants of malware that Rana used in its operations, including signatures for indicators of compromise (IOCs), along with sets of YARA rules that the FBI has developed to identify samples. The report includes variants of malicious Visual Basic Script (VBS), AutoIt Malware, two executables leveraging the Background Intelligent Transfer Service (BITS), an executable that mocks the Firefox web browser, a Python-based malware script, a malicious Android Package (APK), and a malicious Microsoft Cabinet file named depot.dat<\/em>.<\/p>\n APT39 embedded multiple VBS scripts inside Microsoft Office documents, which it sent to victims via spear phishing and other techniques that use social engineering. When a victim opens one of the documents, the VBS code will:<\/p>\n Both the VBS and the PowerShell scripts work to upload a victim’s files and execute commands locally via cmd.exe<\/em>.<\/p>\n APT39 leveraged several AutoIt scripts, which were likely embedded in Microsoft Office documents or malicious links, then sent to victims via a technique such as spear phishing. The FBI’s analysis determined these scripts to be similar in nature to the VBS malware. Each will:<\/p>\n Both the VBS and AutoIt malware download this malware, which uses Microsoft’s Background Intelligent Transfer Service (BITS) to upload a victim’s data to a C2 server. The FBI’s analysis showed that this malware installs a dropper containing two Microsoft cabinet (CAB) files. One of them is empty, while the other contains two Microsoft executable files (EXEs), along with XML files that create and run scheduled tasks to upload victim data. The two EXE files in the CAB exfiltrate the victim’s data to attacker infrastructure via BITS.<\/p>\n This variant is similar to the BITS 1.0 malware above in how it communicates with attacker infrastructure, but it has significant technical differences. Compared to the BITS 1.0 malware, the BITS 2.0 malware is a self-extracting executable containing an image, a VBS file, and another EXE. The VBS file creates and runs a persistent scheduled task to exfiltrate data; the EXE leverages BITS to exfiltrate data to attacker infrastructure.<\/p>\n This malware masquerades as a legitimate Firefox executable. It contains files and functionality that allow it to:<\/p>\n This Python-based malware came packaged in a Roshal Archive (RAR) file. It reaches out via HTTP to a C2 server and downloads additional malware when it runs. The FBI did not specify the nature or function of additional malware.<\/p>\n APT39 used a malicious APK named optimizer.apk<\/em> that was designed to communicate with the C2 server saveingone[.]com,<\/em> and can:<\/p>\n The depot.dat<\/em> malware is a Microsoft CAB file containing four dynamic link libraries (DLLs) that can perform keylogging, and capture screenshots of the victim’s computer. A separate dropper file decrypts and achieves persistence of the files in depot.dat<\/em> by overriding the SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows<\/em> registry key.<\/p>\n The FBI FLASH report provides the following set of recommendations to mitigate this malware:<\/p>\n Below is a list of MD5 hashes representative of each malware variant. In-depth YARA rules for each are included in the FLASH report.<\/p>\nAnalysis<\/strong><\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Prevention and Mitigation<\/strong><\/h3>\n
\n
\n
Indicators of Compromise<\/strong><\/h3>\n