🔒
There are new articles available, click to refresh the page.
✇Threat Analysis Group (TAG)

Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Groups’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for this attention on this critical issue.

✇Threat Analysis Group (TAG)

Continued cyber activity in Eastern Europe observed by TAG

Google’s Threat Analysis Group (TAG) continues to closely monitor the cybersecurity environment in Eastern Europe with regard to the war in Ukraine. Many Russian government cyber assets have remained focused on Ukraine and related issues since the invasion began, while Russian APT activity outside of Ukraine largely remains the same. TAG continues to disrupt campaigns from multiple sets of Russian government-backed attackers, some of which are detailed in our previous updates.

Similarly, Russian observed disinformation efforts are also focused on the war in Ukraine and TAG has disrupted coordinated influence operations from several actors including the Internet Research Agency and a Russian consulting firm as detailed in the TAG Bulletin. Most of these coordinated influence operations are Russian language efforts aimed at ensuring domestic support in Russia for the war.

Here is a deeper look at some campaign activity TAG has observed since our last update:

Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule.

The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective. The list of target websites for the app can be seen in the CyberChef recipe here.

An example of the Turla website disseminating fake DoS Android Apps.

Turla website disseminating fake DoS Android Apps.

During our investigation into the Turla CyberAzov apps, we identified another Android app first seen in the wild in March 2022 that also claimed to conduct DoS attacks against Russian websites. In this case, the Android app name was stopwar.apk (com.ddos.stopwar) and was distributed from the website stopwar.pro. This app is quite different from the Turla apps described above and written by a different developer. It also downloads a list of targets from an external site, but unlike the Turla apps, it continually sends requests to the target websites until it is stopped by the user.

An example of a pro-Ukrainian website used for disseminating StopWar.apk.

Pro-Ukrainian website used for disseminating StopWar.apk.

Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake CyberAzov DoS app off of.

The Follina vulnerability (CVE-2022-30190), first disclosed in late May, received significant usage from both APT and cybercrime groups throughout June after it was patched by Microsoft. Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Consistent with CERT-UA reporting, TAG observed multiple Russian GRU actors - APT28 and Sandworm - conduct campaigns exploiting the Follina vulnerability. The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine.

TAG has also observed an increasing number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor.

Ghostwriter/UNC1151, a threat actor attributed to Belarus, has remained active targeting accounts of webmail and social media networks of Polish users. They continue to use the 'Browser in the Browser' phishing technique that TAG first observed and described in March. An example of this technique, used to target Facebook users, can be seen in the screenshot below.

An image of a technique used to target Facebook users

An example of this technique used to target Facebook users

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists. In addition to including phishing links directly in the email, the attackers also link to PDFs and/or DOCs, hosted on Google Drive and Microsoft One Drive, that contain a link to an attacker-controlled phishing domain. In at least one case, unrelated to Ukraine, they have leaked information from a compromised account.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Image of an example of a recent COLDRIVER phishing lure

Example of a recent COLDRIVER phishing lure

Recently observed COLDRIVER indicators:

In another campaign tracked by CERT-UA as UAC-0056 we observed compromised email addresses of a Regional Prosecutor’s office of Ukraine leveraged to send malicious Microsoft Excel documents with VBA macros delivering Cobalt Strike. In just two days, the volume observed and categorized as spam by Gmail exceeded 4,500 emails. Email contents vary from COVID-19 vaccine policy to the humanitarian crisis in Ukraine.

✇Threat Analysis Group (TAG)

Countering hack-for-hire groups

As part of TAG's mission to counter serious threats to Google and our users, we've published analysis on a range of persistent threats including government-backed attackers, commercial surveillance vendors, and serious criminal operators. Today, we're sharing intelligence on a segment of attackers we call hack-for-hire, whose niche focuses on compromising accounts and exfiltrating data as a service.

In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. Both, however, enable attacks by those who would otherwise lack the capabilities to do so.

We have seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk. They also conduct corporate espionage, handily obscuring their clients’ role.

To help users and defenders, we will provide examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates and context around their capabilities and persistence mechanisms.

How Hack-For-Hire Operations Work

The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients. Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly selling to a limited audience.

For example, TAG has observed Indian hack-for-hire firms work with third party private investigative services — intermediaries that reach out for services when a client requires them — and provide data exfiltrated from a successful operation. This is detailed in depth in today’s Reuters investigation into the Indian hack-for-hire ecosystem. We have also observed Indian hack-for-hire firms work with freelance actors not directly employed by the firms themselves.

The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets. A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel.

Recent Hack-for-Hire Campaigns

India

Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox.

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns. These credential phishing campaigns have ranged from targeting specific government organizations to AWS accounts to Gmail accounts.

Sample AWS Phishing Email

Sample AWS phishing email

Sample AWS phishing page

Sample AWS phishing page

TAG has linked former employees of both Appin and Belltrox to Rebsec, a new firm that openly advertises corporate espionage as an offering on its company website.

Rebsec’s offerings as per the company’s website

Rebsec’s offerings as per the company’s website

Russia

While investigating a 2017 credential phishing campaign that targeted a prominent Russian anti-corruption journalist, we discovered the Russian attacker targeting other journalists, politicians across Europe, and various NGOs and non-profit organizations. But what stuck out during this investigation was the breadth of targeting, which also included individuals that had no affiliation with the selected organizations, and appeared to be regular, everyday citizens in Russia and surrounding countries. This hack-for-hire actor has been publicly referred to as 'Void Balaur'.

These campaigns were similar regardless of target, consisting of a credential phishing email with a link to an attacker-controlled phishing page. The lures ranged from fake Gmail and other webmail provider notifications to messages spoofing Russian government organizations. After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password.

Russian hack-for-hire phishing email

Russian hack-for-hire phishing email

Russian hack-for-hire phishing site

Russian hack-for-hire phishing site

During our early investigation, TAG discovered the attacker’s public website (no longer available) advertising account hacking capabilities for email and social media services. The site claimed to have received positive reviews on Russian underground forums such as Dublikat and Probiv.cc. Over the past five years, TAG has observed the group targeting accounts at major webmail providers like Gmail, Hotmail, and Yahoo! and regional webmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net.

Pricing list from hacknet-service.com in 2018

Pricing list from hacknet-service.com in 2018

United Arab Emirates

TAG is also tracking a hack-for-hire group now based in the United Arab Emirates that is mostly active in the Middle East and North Africa. They have primarily targeted government, education, and political organizations including Middle East focused NGOs in Europe and the Palestinian political party Fatah. Amnesty International has also reported on their campaigns.

The group commonly uses Google or OWA password reset lures to steal credentials from targets, often using the MailJet or SendGrid API to send phishing emails. Unlike many hack-for-hire actors that use open source phishing frameworks like Evilginx or GoPhish, this group uses a custom phishing kit that utilizes Selenium, a self described 'suite of tools for automating web browsers.' Previously described by Amnesty, this phishing kit has remained under active development over the past five years.

Google Security Alert phishing page

Google Security Alert phishing page

After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP.

This group also has links to the original developers of H-Worm, also known as njRAT. In 2014, Microsoft filed a civil suit against the developer, Mohammed Benabdellah, for the development and dissemination of H-Worm. Benabdellah, who also goes by the moniker Houdini, has been actively involved in the day-to-day development and operational deployment of the credential phishing capabilities used by this group since its inception.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm. We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across the industry.

With contributions from Winnona DeSombre

Indicators of Compromise

UAE hack-for-hire Group Domains:

  • myproject-login[.]shop
  • mysite-log[.]shop
  • supp-help[.]me
  • account-noreply3[.]xyz
  • goolge[.]ltd
  • goolge[.]help
  • account-noreply8[.]info
  • account-server[.]xyz
  • kcynvd-mail[.]com
  • mail-goolge[.]com
  • kcynve-mail[.]com

Indian hack-for-hire Group Domains:

  • dtiwa.app[.]link
  • share-team.app[.]link
  • mipim.app[.]link
  • processs.app[.]link
  • aws-amazon.app[.]ink
  • clik[.]sbs
  • loading[.]sbs
  • userprofile[.]live
  • requestservice[.]live
  • unt-log[.]com
  • webtech-portal[.]com
  • id-apl[.]info
  • rnanage-icloud[.]com
  • apl[.]onl
  • go-gl[.]io

Russian hack-for-hire Group Domains:

  • login-my-oauth-mail[.]ru
  • oauth-login-accounts-mail[.]ru
  • my-oauth-accounts-mail[.]ru
  • login-cloud-myaccount-mail[.]ru
  • myaccounts-auth[.]ru
  • security-my-account[.]ru
  • source-place-preference[.]ru
  • safe-place-smartlink[.]ru
  • safe-place-experience[.]ru
  • preference-community-place[.]ru
✇Threat Analysis Group (TAG)

Spyware vendor targets users in Italy and Kazakhstan

Google has been tracking the activities of commercial spyware vendors for years, and taking steps to protect people. Just last week, Google testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work we have done to monitor and disrupt this thriving industry.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.

Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.

Campaign Overview

All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.

An example screenshot from one of the attacker controlled sites, www.fb-techsupport[.]com.

An example screenshot from one of the attacker controlled sites, www.fb-techsupport[.]com.

The page, in Italian, asks the user to install one of these applications in order to recover their account. Looking at the code of the page, we can see that only the WhatsApp download links are pointing to attacker controlled content for Android and iOS users.

code

iOS Drive-By

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.

code

The resulting application is signed with a certificate from a company named 3-1 Mobile SRL (Developer ID: 58UP7GFWAA). The certificate satisfies all of the iOS code signing requirements on any iOS devices because the company was enrolled in the Apple Developer Enterprise Program.

These apps still run inside the iOS app sandbox and are subject to the exact same technical privacy and security enforcement mechanisms (e.g. code side loading) as any App Store apps. They can, however, be sideloaded on any device and don't need to be installed via the App Store. We do not believe the apps were ever available on the App Store.

The app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database.

The app we analyzed contained the following exploits:

  • CVE-2018-4344internally referred to and publicly known as LightSpeed.
  • CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
  • CVE-2020-3837 internally referred to and publicly known as TimeWaste.
  • CVE-2020-9907 internally referred to as AveCesare.
  • CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
  • CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities. At the time of discovery, we believe CVE-2021-30883 and CVE-2021-30983were two 0-day exploits. In collaboration with TAG, Project Zero has published the technical analysis of CVE-2021-30983.

Android Drive-By

Installing the downloaded APK requires the victim to enable installation of applications from unknown sources. Although the applications were never available in Google Play, we have notified the Android users of infected devices and implemented changes in Google Play Protect to protect all users.

Android Implant

This analysis is based on fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001 that was uploaded to VirusTotal on May 27. We have not identified many differences across versions. This is the same malware family that was described in detail by Lookout on June 16.

The Android app disguises itself as a legitimate Samsung application via its icon:

samsung

When the user launches the application, a webview is opened that displays a legitimate website related to the icon.

Upon installation, it requests many permissions via the Manifest file:

table

The configuration of the application is contained in the res/raw/out resource file. The configuration is encoded with a 105-byte XOR key. The decoding is performed by a native library libvoida2dfae4581f5.so that contains a function to decode the configuration. A configuration looks like the following:

code

Older samples decode the configuration in the Java code with a shorter XOR key.

The C2 communication in this sample is via Firebase Cloud Messaging, while in other samples, Huawei Messaging Service has been observed in use. A second C2 server is provided for uploading data and retrieving modules.

While the APK itself does not contain any exploits, the code hints at the presence of exploits that could be downloaded and executed. Functionality is present to fetch and run remote modules via the DexClassLoader API. These modules can communicate events to the main app. The names of these events show the capabilities of these modules:

code

TAG did not obtain any of the remote modules.

Protecting Users

This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.

To protect our users, we have warned all Android victims, implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign.

How Google is Addressing the Commercial Spyware Industry

We assess, based on the extensive body of research and analysis by TAG and Project Zero, that the commercial spyware industry is thriving and growing at a significant rate. This trend should be concerning to all Internet users.

These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.

Aside from these concerns, there are other reasons why this industry presents a risk to the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret poses a severe risk to the Internet especially if the vendor gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers, governments and technology platforms. We look forward to continuing our work in this space and advancing the safety and security of our users around the world.

Indicators of Compromise

Sample hashes

  • APK available on VirusTotal:
    • e38d7ba21a48ad32963bfe6cb0203afe0839eca9a73268a67422109da282eae3
    • fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001
    • 243ea96b2f8f70abc127c8bc1759929e3ad9efc1dec5b51f5788e9896b6d516e
    • a98a224b644d3d88eed27aa05548a41e0178dba93ed9145250f61912e924b3e9
    • c26220c9177c146d6ce21e2f964de47b3dbbab85824e93908d66fa080e13286f
    • 0759a60e09710321dfc42b09518516398785f60e150012d15be88bbb2ea788db
    • 8ef40f13c6192bd8defa7ac0b54ce2454e71b55867bdafc51ecb714d02abfd1a
    • 9146e0ede1c0e9014341ef0859ca62d230bea5d6535d800591a796e8dfe1dff9
    • 6eeb683ee4674fd5553fdc2ca32d77ee733de0e654c6f230f881abf5752696ba

Drive-by download domains

  • fb-techsupport[.]com
  • 119-tim[.]info
  • 133-tre[.]info
  • 146-fastweb[.]info
  • 155-wind[.]info
  • 159-windtre[.]info
  • iliad[.]info
  • kena-mobile[.]info
  • mobilepays[.]info
  • my190[.]info
  • poste-it[.]info
  • ho-mobile[.]online

C2 domains

  • project1-c094e[.]appspot[.]com
  • fintur-a111a[.]appspot[.]com
  • safekeyservice-972cd[.]appspot[.]com
  • comxdjajxclient[.]appspot[.]com
  • comtencentmobileqq-6ffb5[.]appspot[.]com

C2 IPs

  • 93[.]39[.]197[.]234
  • 45[.]148[.]30[.]122
  • 2[.]229[.]68[.]182
  • 2[.]228[.]150[.]86
✇Threat Analysis Group (TAG)

TAG Bulletin: Q2 2022

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 2022. It was last updated on July 29, 2022.

April

  • We terminated 138 YouTube channels and 2 Ads accounts as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia’s actions in Ukraine and Russian President Vladimir Putin and critical of NATO, Ukraine, and Ukrainian President Volodymyr Zelenskyy.
  • We terminated 44 YouTube channels and 9 Ads accounts as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Internet Research Agency (IRA) and was sharing content in Russian, French, Arabic, and Chinese that was supportive of Russia’s 2014 invasion of Crimea and the Wagner Group’s activity in Ukraine and Africa.
  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to Russian state-sponsored entities and was sharing content in Russian that was supportive of pro-Russian activity in Ukraine and critical of Russian opposition politician Alexei Navalny.
  • We terminated 3 YouTube channels and 1 AdSense account and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Slovakia and Germany. The campaign was sharing content in Slovak that was supportive of Russian President Vladimir Putin and Russia’s claimed justifications for its invasion of Ukraine. We received leads from Mandiant that supported us in this investigation.
  • We terminated 37 YouTube accounts and 1 Ads account and blocked 2 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Costa Rica. The campaign was linked to Noelix Media and was sharing content in Spanish that was critical of Costa Rican and Salvadoran politicians and political parties. Our findings are similar to findings reported by Meta.
  • We terminated 1,546 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

May

  • We terminated 20 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia’s actions in Ukraine and Russian President Vladimir Putin and critical of NATO, Ukraine, and Ukrainian President Volodymyr Zelenskyy.
  • We terminated 5 YouTube channels, 1 AdSense account, and 1 Blogger blog as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to Russian state-sponsored entities and was sharing content in Russian and Bulgarian that was supportive of separatist movements in the disputed regions of Ukraine and critical of Ukraine and the West.
  • We terminated 14 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Internet Research Agency (IRA) and was sharing content in Russian that was critical of Ukrainian politicians.
  • We blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Iran. The campaign was linked to Endless Mayfly and was sharing content in English about a variety of topics including US and global current events. We received leads from Mandiant that supported us in this investigation.
  • We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to China. The campaign was sharing content in English about the origins of COVID-19.
  • We terminated 4067 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

June

  • We terminated 4 YouTube channels and 1 AdSense account as part of our investigation into coordinated influence operations linked to Russia and Azerbaijan. The campaign was sharing sensational content in Russian about the war in Ukraine. We believe this operation was financially motivated.
  • We terminated 1,556 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.
✇Threat Analysis Group (TAG)

Protecting Android users from 0-Day attacks

To protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. In 2021, we reported nine 0-days affecting Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks.

This blog is a follow up to our July 2021 post on four 0-day vulnerabilities we discovered in 2021, and details campaigns targeting Android users with five distinct 0-day vulnerabilities:

We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below. Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.

The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.

Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Campaign Deep Dives

All three campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited — in each case, we assess the number of targets was in the tens of users. Once clicked, the link redirected the target to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was not active, the user was redirected directly to a legitimate website. We've seen this technique used against journalists and other unidentified targets, and alerted those users when possible.

We assess that these campaigns delivered ALIEN, a simple Android malware in charge of loading PREDATOR, an Android implant described by CitizenLab in December 2021. ALIEN lives inside multiple privileged processes and receives commands from PREDATOR over IPC. These commands include recording audio, adding CA certificates, and hiding apps.

Campaign #1 - redirecting to SBrowser from Chrome (CVE-2021-38000)

The first campaign, detected in August 2021, used Chrome on a Samsung Galaxy S21 and the web server immediately replied with a HTTP redirect (302) pointing to the following intent URL. This URL abused a logic flaw and forced Chrome to load another URL in the Samsung Browser without user interaction or warnings.

We did not capture the subsequent stages, but assess the attackers did not have exploits for the current version of Chrome (91.0.4472) at that time, but instead used n-day exploits targeting Samsung Browser, which was running an older and vulnerable version of Chromium.

We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor.

More technical details about this vulnerability are available in this RCA by Maddie Stone.

hash

Related IOCs

  • s.bit-li[.]com - landing page
  • getupdatesnow[.]xyz - exploit delivery server

Campaign #2 - Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)

In September 2021, TAG detected a campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome. We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit.

The sandbox escape was loaded directly as an ELF binary embedding libchrome.so and a custom libmojo_bridge.so was used to ease the communication with the Mojo IPCs. This means the renderer exploit did not enable MojoJS bindings like we often see in public exploits.

Analysis of the exploit identified two different vulnerabilities in Chrome:

  • CVE-2021-37973: A use-after-free in the handling of Portals API and Fenced subframes.
  • CVE-2021-37976: An information leak in memory_instrumentation.mojom.Coordinator where Global Memory Dumps can be acquired for privileged processes. These dumps include sensitive information (addresses) which can be used for ASLR bypass.

After escaping the sandbox, the exploit downloaded another exploit in /data/data/com.android.chrome/p.so to elevate privileges and install the implant. We haven’t retrieved a copy of the exploit.

Related IOCs

  • shorten[.]fi - landing page
  • contents-domain[.]com - exploit delivery and C2 server

Campaign #3 - Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

In October 2021, we detected a full chain exploit from an up-to-date Samsung phone running the latest version of Chrome.

The chain included two 0-day exploits:

  • CVE-2021-38003: A Chrome renderer 0-day in JSON.stringify allowing the attacker to leak TheHole value and fully compromise the renderer.
  • CVE-2021-1048: Unlike the previous campaign, the sandbox escape used a Linux kernel bug in the epoll() system call. This system call is reachable from the BPF sandbox and allows the attacker to escape the sandbox and compromise the system by injecting code into privileged processes. More information can be found in this RCA by Jann Horn.

Of note, CVE-2021-1048 was fixed in the Linux kernel in September 2020, over a year before this campaign. The commit was not flagged as a security issue and therefore the patch was not backported in most Android kernels. At the time of the exploit, all Samsung kernels were vulnerable; LTS kernels running on Pixel phones were recent enough and included the fix for this bug. Unfortunately, this is not the first time we have seen this happen with exploits in the wild; the 2019 Bad Binder vulnerability is another example. In both cases, the fix was not flagged as a security issue and thus not backported to all (or any) Android kernels. Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities.

sample image

Related IOCs

  • shorten[.]fi - landing page
  • redirecting[.]page - exploit delivery and C2 server
  • 8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6 - ALIEN

Conclusion

We’d be remiss if we did not acknowledge the quick response and patching of these vulnerabilities by Google’s Chrome and Android teams. We would also like to thank Project Zero for their technical assistance in helping analyze these bugs. TAG continues to track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. We remain committed to updating the community as we uncover these campaigns.

Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms. We look forward to continuing our work in this space and advancing the safety and security of our users around the world.

NOTE: On May 20th, we updated our attribution to more precisely describe our findings.

✇Threat Analysis Group (TAG)

Update on cyber activity in Eastern Europe

Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Similar to other reports, we have also observed threat actors increasingly target critical infrastructure entities including oil and gas, telecommunications and manufacturing.

Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed and the actions the team has taken to protect our users over the past few weeks:

APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.

Malware samples:

TAG would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.

Turla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker controlled domain.

Recently observed Turla domains:

  • wkoinfo.webredirect[.]org
  • jadlactnato.webredirect[.]org

COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs and think tanks, and journalists. The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive. Within these files is a link to an attacker controlled phishing domain.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

An example of this technique

An example of this technique

Recently observed COLDRIVER credential phishing domains:

  • cache-dns[.]com
  • docs-shared[.]com
  • documents-forwarding[.]com
  • documents-preview[.]com
  • protection-link[.]online
  • webresources[.]live

Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. This campaign, targeting high risk individuals in Ukraine, contained links leading to compromised websites where the first stage phishing page was hosted. If the user clicked continue, they would be redirected to an attacker controlled site that collected the users credentials. There were no accounts compromised from this campaign and Google will alert all targeted users of these attempts through our monthly government-backed attacker warnings.

Both pages from this campaign are shown below.

an example webpage
An example page

In mid-April, TAG detected a Ghostwriter credential phishing campaign targeting Facebook users. The targets, primarily located in Lithuania, were sent links to attacker controlled domains from a domain spoofing the Facebook security team.

Facebook campaign

Recently observed Ghostwriter credential phishing domains and emails:

  • noreply.accountsverify[.]top
  • microsoftonline.email-verify[.]top
  • lt-microsoftgroup.serure-email[.]online
  • facebook.com-validation[.]top
  • lt-meta.com-verification[.]top
  • lt-facebook.com-verification[.]top
  • [email protected][.]lt

Curious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

Protecting Our Users

Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Google Account Level Enhanced Safe Browsing and ensure that all devices are updated.

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

✇Threat Analysis Group (TAG)

Tracking cyber activity in Eastern Europe

In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.

Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content, but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed over the past two weeks:

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.

Recently observed IPs used in Curious Gorge campaigns:

  • 5.188.108[.]119
  • 91.216.190[.]58
  • 103.27.186[.]23
  • 114.249.31[.]171
  • 45.154.12[.]167

COLDRIVER, a Russian-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.

Recently observed COLDRIVER credential phishing domains:

  • protect-link[.]online
  • drive-share[.]live
  • protection-office[.]live
  • proton-viewer[.]com

Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability.

Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.

Example of hosting credential phishing landing pages on compromised sites

Example of hosting credential phishing landing pages on compromised sites

Recently observed Ghostwriter credential phishing domains:

  • login-verification[.]top
  • login-verify[.]top
  • ua-login[.]top
  • secure-ua[.]space
  • secure-ua[.]top

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

✇Threat Analysis Group (TAG)

Countering threats from North Korea

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.

We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.

In this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.

Campaign targeting news media and IT companies

The campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Example of spoofed job hunting websites

Example of spoofed job hunting websites

Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.

Attacker-Owned Fake Job Domains:

  • disneycareers[.]net
  • find-dreamjob[.]com
  • indeedus[.]org
  • varietyjob[.]com
  • ziprecruiters[.]org

Exploitation URLs:

  • https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
  • https[:]//varietyjob[.]com/sitemap/sitemap.asp

Campaign targeting cryptocurrency and Fintech organizations

Another North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.

example website

Attacker-Owned Websites:

  • blockchainnews[.]vip
  • chainnews-star[.]com
  • financialtimes365[.]com
  • fireblocks[.]vip
  • gatexpiring[.]com
  • gbclabs[.]com
  • giantblock[.]org
  • humingbot[.]io
  • onlynova[.]org
  • teenbeanjs[.]com

Compromised Websites (Feb 7 - Feb 9):

  • www.options-it[.]com
  • www.tradingtechnologies[.]com

Exploitation URLs:

  • https[:]//financialtimes365[.]com/user/finance.asp
  • https[:]//gatexpiring[.]com/gate/index.asp
  • https[:]//humingbot[.]io/cdn/js.asp
  • https[:]//teenbeanjs[.]com/cloud/javascript.asp

Exploit kit overview

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

  • Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
  • In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
  • The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
  • Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

Example Exploit Kit:

The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

✇Threat Analysis Group (TAG)

Exposing initial access broker with ties to Conti

In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.

We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Spoofing Organizations and Identities

EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

EXOTIC LILY attack chain

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.

Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

One of the fake social media profiles created by EXOTIC LILY

One of the fake social media profiles created by EXOTIC LILY

Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Example of an EXOTIC LILY phishing email impersonating as an employee of a legitimate company

Example of an EXOTIC LILY phishing email impersonating as an employee of a legitimate company

Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.

At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Attacker uses a file-sharing service email notification feature to send BazarLoader ISO payload

Attacker uses a file-sharing service email notification feature to send BazarLoader ISO payload

Human-Operated Phishing at Scale

Further evidence suggests an operator’s responsibilities might include:

  • customizing the initial “business proposal” templates when first reaching out to a targeted organization;
  • handling further communications in order to gain affinity and trust;
  • uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.

A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

Breakdown of actor’s communication activity. Deeper color indicates more activity.

Breakdown of actor’s communication activity. Deeper color indicates more activity.

Malware and Attribution

Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number” were shared with BazarLoader ISOs distributed via other means, however other fields such as the command line arguments were unique for samples distributed by EXOTIC LILY.

local path

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.This malware can be found using this VirusTotal query.

EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.

We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.

Improving User Protection

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Indicators of Compromise (IOCs)

Recent domains used in email campaigns:

  • conlfex[.]com
  • avrobio[.]co
  • elemblo[.]com
  • phxmfg[.]co
  • modernmeadow[.]co
  • lsoplexis[.]com
  • craneveyor[.]us
  • faustel[.]us
  • lagauge[.]us
  • missionbio[.]us
  • richllndmetals[.]com
  • kvnational[.]us
  • prmflltration[.]com
  • brightlnsight[.]co
  • belcolnd[.]com
  • awsblopharma[.]com
  • amevida[.]us
  • revergy[.]us
  • al-ghurair[.]us
  • opontia[.]us

BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Recent BUMBLEBEE C2:

  • 23.81.246[.]187:443
✇Threat Analysis Group (TAG)

An update on the threat landscape

Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.

This work continues our longstanding efforts to take action against threat actors in this region. In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government backed hacking, largely emanating from Russia.

Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users:

FancyBear/APT28, a threat actor attributed to Russia GRU, has conducted several large credential phishing campaigns targeting ukr.net users, UkrNet is a Ukrainian media company. The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains.

In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. All known attacker-controlled Blogspot domains have been taken down.

Example of APT28 credential phishing page

Example of APT28 credential phishing page

Example credential phishing domains observed during these campaigns:

  • id-unconfirmeduser[.]frge[.]io
  • hatdfg-rhgreh684[.]frge[.]io
  • ua-consumerpanel[.]frge[.]io
  • consumerspanel[.]frge[.]io

Ghostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations. TAG has also identified campaigns targeting webmail users from the following providers:

  • i.ua
  • meta.ua
  • rambler.ru
  • ukr.net
  • wp.pl
  • yandex.ru

Example credential phishing domains observed during these campaigns:

  • accounts[.]secure-ua[.]website
  • i[.]ua-passport[.]top
  • login[.]creditals-email[.]space
  • post[.]mil-gov[.]space
  • verify[.]rambler-profile[.]site

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders with Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings.

Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.

DDoS Attacks

We continue to see DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information. We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need.

Project Shield allows Google to absorb the bad traffic in a DDoS attack and act as a “shield” for websites, allowing them to continue operating and defend against these attacks. As of today, over 150 websites in Ukraine, including many news organizations, are using the service. We encourage all eligible organizationsto register for Project Shield so our systems can help block these attacks and keep websites online.

We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. And while we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

✇Threat Analysis Group (TAG)

TAG Bulletin: Q1 2022

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2022. It was last updated on May 12, 2022.

January

  • We terminated 3 YouTube channels as part of our investigation into coordinated influence operations. The campaign uploaded content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d’état. Our findings are similar to findings reported by Meta.
  • We terminated 1 AdSense account and 1 Play developer as part of our investigation into coordinated influence operations linked to Turkey. The campaign was sharing content in Arabic that was about news and current events in Libya. Our findings are similar to findings reported by Meta.
  • We terminated 42 YouTube channels and 2 Ads accounts as part of our investigation into coordinated influence operations linked to Iraq. The campaign uploaded content in Arabic that was in support of the Iraqi Harakat Hoquq party. We received leads from Mandiant that supported us in this investigation.
  • We terminated 4 YouTube channels, 2 AdSense accounts, and 1 Blogger blog and blocked 6 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into reported coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign was sharing content in English that was about a variety of topics including US and European current events. We believe this operation was financially motivated.
  • We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports

February

  • We terminated 416 YouTube channels and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was posting content in Russian that was supportive of Russia’s recognition of Ukrainian separatist regions and critical of the United States and NATO.
  • We terminated 1 YouTube channel as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the media outlet News Front and was sharing content in Ukrainian that was critical of Ukraine’s government and the West. We received leads from Miburo Solutions that supported us in this investigation.
  • We terminated 5 YouTube channels and 21 Blogger blogs as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Internet Research Agency (IRA) and was uploading a variety of content in Russian including criticism of Ukraine’s handling of the COVID-19 pandemic, criticism of US and EU support for Ukraine, and criticism of local politicians in St. Petersburg.
  • We terminated 12 YouTube channels as part of our investigation into coordinated influence operations linked to Latin America. The campaign uploaded content in Spanish that was critical of local and national politicians in Ecuador and Honduras. Our findings are similar to findings reported by Meta.
  • We terminated 1 Ads account as part of our investigation into coordinated influence operations linked to the Philippines. The campaign promoted content in Tagalog and English that was supportive of presidential candidate Bongbong Marcos and his family.
  • We blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Iran. The campaign was linked to actors who were connected to the Liberty Front Press influence campaign and was uploading content in Arabic that was about a variety of topics including current events in Syria and analysis in support of the 1978 Iranian Revolution. We received leads from Mandiant that supported us in this investigation.
  • We terminated 6103 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

We have also taken extraordinary measures beyond our actions against coordinated influence operations to protect users and stop the spread of misinformation and disinformation about the war in Ukraine online.

March

  • We terminated 229 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia’s actions in Ukraine, critical of condemnation of Russian President Vladimir Putin, and critical of the United States and the West.
  • We terminated 1 YouTube channel as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the outlet UKR Leaks and was sharing content in Russian that was supportive of Russia’s actions in Ukraine and critical of the Ukrainian military.
  • We terminated 7 YouTube accounts and 1 AdSense account as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Russian news agency ANNA News and was sharing content in Russian that was critical of pro-Western Ukrainians and the Ukrainian perspective on both past and present relations with Russia. We received leads from Miburo Solutions that supported us in this investigation.
  • We terminated 3 YouTube channels and 1 AdSense account as part of our investigation into coordinated influence operations linked to Russia. The campaign was sharing content in Russian and English of prank calls targeting UK government officials.
  • We blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. The campaign was sharing content in Russian, English, Bulgarian, Georgian, and Turkish that was supportive of independence and separatist movements in Ukraine and Georgia and was critical of Ukraine, the West, and NATO.
  • We terminated 28 YouTube channels and 16 AdSense accounts as part of our investigation into coordinated influence operations linked to Russia and Cameroon. The campaign was sharing content in French that was supportive of Russia and the governing junta in Mali and critical of France and French-led counterinsurgency operations in the region.
  • We terminated 2 YouTube channels and blocked 5 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to Russian state-sponsored entities and was sharing content in Russian that was supportive of Russia’s actions in Ukraine and separatist movements in the disputed regions of Ukraine and that was critical of the Ukrainian government, the United States, NATO, and the EU. We received leads from the FBI that supported us in this investigation.
  • We terminated 9 YouTube accounts and 2 Ads accounts and blocked 8 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. Parts of the campaign were linked to News Front and were sharing content in Russian that was supportive of Russia’s actions in Ukraine and critical of Ukraine, Ukrainian President Volodymyr Zelenskyy, and the United States. Our findings are similar to findings reported by Meta.
  • We terminated 6 YouTube channels and 1 AdSense account as part of our investigation into coordinated influence operations linked to Russia, Azerbaijan, Moldova, and Armenia. The campaign was sharing content in Russian and Ukrainian that was about a variety of topics including the war in Ukraine. We believe this operation was financially motivated. We received leads from Graphika that supported us in this investigation.
  • We terminated 12 YouTube channels and 1 AdSense account and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to the Donbass region. The campaign was sharing content in Russian that was supportive of separatist movements in the disputed regions of Ukraine.
  • We terminated 10 YouTube channels as part of our investigation into coordinated influence operations linked to Palestine. The campaign was sharing content in Arabic that was about a variety of topics including tensions between Palestine and Israel. We believe this operation was financially motivated.
  • We terminated 7304 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.
✇Threat Analysis Group (TAG)

New action to combat cyber crime

Today, we took action to disrupt Glupteba, a sophisticated botnet which targets Windows machines and protects itself using blockchain technology. Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them. As part of our ongoing work to protect people who use Google services via Windows and other IoT devices, our Threat Analysis Group took steps to detect and track Glupteba’s malicious activity over time. Our research and understanding of this botnet’s operations puts us in a unique position to disrupt it and safeguard Internet users around the world.

We’re doing this in two ways. First, we are coordinating with industry partners to take technical action.

And second, we are using our resources to launch litigation — the first lawsuit against a blockchain enabled botnet — which we think will set a precedent, create legal liability for the botnet operators, and help deter future activity.

About the Glupteba botnet

A botnet is a network of devices connected to the internet that have been infected with a type of malware that places them under the control of bad actors. They can then use the infected devices for malicious purposes, such as to steal your sensitive information or commit fraud through your home network.

After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day. Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.

Technical action

We coordinated with industry partners to take technical action. We have now disrupted key command and control infrastructure so those operating Glupteba should no longer have control of their botnet — for now.

However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users. .

Legal Strategy & Disruption

Our litigation was filed against the operators of the botnet, who we believe are based in Russia. We filed the action in the Southern District of New York for computer fraud and abuse, trademark infringement, and other claims. We also filed a temporary restraining order to bolster our technical disruption effort. If successful, this action will create real legal liability for the operators.

Making the Internet Safer

Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shutdown. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it.

Our goal is to bring awareness to these issues to protect our users and the broader ecosystem, and to prevent future malicious activity.

We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We have teams of analysts and security experts who are dedicated to identifying and stopping issues like DDoS, phishing campaigns, zero-day vulnerabilities, and hacking against Google, our products, and our users.

Taking proactive actions like this are critical to our security. We understand and recognize the threats the Internet faces, and we are doing our part to address them.

✇Threat Analysis Group (TAG)

Disrupting the Glupteba operation

Google TAG actively monitors threat actors and the evolution of their tactics and techniques. We use our research to continuously improve the safety and security of our products and share this intelligence with the community to benefit the internet as a whole.

As announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba's operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil and Southeast Asia.

The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.

Example cracked software download site distributing Glupteba

Example cracked software download site distributing Glupteba

While analyzing Glupteba binaries, our team identified a few containing a git repository URL: “git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

Example of a cryptocurrency scam uploaded to Google Ads and by Glupteba services

Example of a cryptocurrency scam uploaded to Google Ads by Glupteba services

This past year, TAG has been collaborating with Google’s CyberCrime Investigation Group to disrupt Glupteba activity involving Google services. We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings.

In the last few days, our team partnered with Internet infrastructure providers and hosting providers, including Cloudflare, to disrupt Glupteba’s operation by taking down servers and placing warning interstitial pages in front of the malicious domain names. During this time, an additional 130 Google accounts associated with this operation were terminated.

Parallel to the analysis, tracking, and technical disruption of this botnet, Google has filed a lawsuit against two individuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes. Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious interference of business relationships, and unjust enrichment.

While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations.

Glupteba’s C2 Backup Mechanism

The command and control (C2) communication for this botnet uses HTTPS to communicate commands and binary updates between the control servers and infected systems. To add resilience to their infrastructure, the operators have also implemented a backup mechanism using the Bitcoin blockchain. In the event that the main C2 servers do not respond, the infected systems can retrieve backup domains encrypted in the latest transaction from the following bitcoin wallet addresses:

  • '1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1' [1]
  • '15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6’ [2]
  • '1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97' [3]

The following 32 byte AES keys for decryption are hard coded in the binaries:

  • 'd8727a0e9da3e98b2e4e14ce5a6cf33ef26c6231562a3393ca465629d66503cf'
  • ‘1bd83f6ed9bb578502bfbb70dd150d286716e38f7eb293152a554460e9223536’

The blockchain transaction’s OP_RETURN data can be decrypted using AES-256 GCM to provide a backup command and control domain name. The first 12 bytes of the OP_RETURN contains the IV, the last 16 bytes the GCM tag, while the middle section is the AES-256 GCM encrypted domain. Full details of Glupteba’s network protocol can be found in this report from 2020, the following Python script illustrates how one can decrypt an encrypted domain name:

Python script

IOCs

Recent domains used for command and control:

  • nisdably[.]com
  • runmodes[.]com
  • yturu[.]com
  • retoti[.]com
  • trumops[.]com
  • evocterm[.]com
  • iceanedy[.]com
  • ninhaine[.]com
  • anuanage[.]info

Recent sha256 hashes of malware samples:

  • df84d3e83b4105f9178e518ca69e1a2ec3116d3223003857d892b8a6f64b05ba
  • eae4968682064af4ae6caa7fff78954755537a348dce77998e52434ccf9258a2
  • a2fd759ee5c470da57d8348985dc34348ccaff3a8b1f5fa4a87e549970eeb406
  • d8a54d4b9035c95b8178d25df0c8012cf0eedc118089001ac21b8803bb8311f4
  • c3f257224049584bd80a37c5c22994e2f6facace7f7fb5c848a86be03b578ee8
  • 8632d2ac6e01b6e47f8168b8774a2c9b5fafaa2470d4e780f46b20422bc13047
  • 03d2771d83c50cc5cdcbf530f81cffc918b71111b1492ccfdcefb355fb62e025
  • e673ce1112ee159960f1b7fed124c108b218d6e5aacbcb76f93d29d61bd820ed
  • 8ef882a44344497ef5b784965b36272a27f8eabbcbcea90274518870b13007a0
  • 79616f9be5b583cefc8a48142f11ae8caf737be07306e196a83bb0c3537ccb3e
  • db84d13d7dbba245736c9a74fc41a64e6bd66a16c1b44055bd0447d2ae30b614
✇Threat Analysis Group (TAG)

TAG Bulletin: Q4 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2021. It was last updated on February 7, 2022.

October

  • We terminated 9 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Vietnam. The campaign uploaded conspiracy theory content in English and Korean. We believe this operation was financially motivated
  • We terminated 4 AdSense accounts and blocked 22 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into a reported coordinated influence operation linked to India. The campaign uploaded a variety of news content in English to domains that were designed to look as if they were independent news outlets in various US states and European countries. We believe this operation was financially motivated. We received leads from the FBI that supported us in this investigation.
  • We terminated 37 YouTube channels and 4 blogs as part of our investigation into coordinated influence operations linked to Sudan. The campaign uploaded content in Arabic that was supportive of the Sudanese military. Our findings are similar to findings reported by Facebook.
  • We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to Uganda. The campaign uploaded content in English that was critical of Ugandan opposition political parties. Our findings are similar to findings reported by Twitter.
  • We terminated 3,311 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

November

  • We terminated 86 YouTube channels and 3 blogs as part of our investigation into coordinated influence operations linked to Nicaragua. The campaign posted content in Spanish that was supportive of the Nicaraguan government and critical of opposition political parties. Our findings are similar to findings reported by Facebook.
  • We terminated 15,368 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports. The increased takedown volume compared to prior months is the result of adjustments made to our detection model, and we do not believe it reflects an increase in activity by this campaign.

December

  • We terminated 1 YouTube channel as part of our investigation into coordinated influence operations linked to Iran. The campaign uploaded content in English that was supportive of US politicians.
  • We terminated 15 YouTube channels and 1 Blogger blog as part of our investigation into coordinated influence operations linked to Palestine. The campaign uploaded content in Arabic that was critical of Israel and supportive of Palestine and the Egyptian Muslim Brotherhood. Our findings are similar to findings reported by Meta.
  • We terminated 10 YouTube channels as part of our investigation into coordinated influence operations linked to Belarus. The campaign uploaded content in Arabic that negatively characterized the treatment and conditions of Muslim migrants in Belarus. Our findings are similar to findings reported by Meta.
  • We terminated 2 YouTube channels and 1 Ads account as part of our investigation into coordinated influence operations. The campaign uploaded content in French that was supportive of candidates in past elections in the Central African Republic.
  • We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Russian news agency ANNA News and was uploading content in Russian that was about military activity in the Middle East. We received leads from Miburo Solutions that supported us in this investigation.
  • We terminated 99 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was posting content in Russian that was supportive of the United Russia party and critical of its opposition.
  • We terminated 8 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was uploading content in Russian that was critical of Russian opposition parties.
  • We terminated 1 YouTube channel as part of our investigation into coordinated influence operations linked to Russia. The campaign uploaded content in English pertaining to military conflicts in the Middle East. We received leads from Miburo Solutions that supported us in this investigation.
  • We terminated 5460 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.
✇Threat Analysis Group (TAG)

Analyzing a watering hole campaign using macOS exploits

To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.

As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.

Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.

In this blog we analyze the technical details of the exploit chain and share IOCs to help teams defend against similar style attacks.

Watering Hole

The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server—one for iOS and the other for macOS.

iframes

iOS Exploits

The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim's browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.

macOS Exploits

The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.

scripts

The parameter rid is a global counter which records the number of exploitation attempts. This number was in the 200s when we obtained the exploit chain.

While the javascript starting the exploit chain checks whether visitors were running macOS Mojave (10.14) or Catalina (10.15) before proceeding to run the exploits, we only observed remnants of an exploit when visiting the site with Mojave but received the full non-encrypted exploit chain when browsing the site with Catalina.

The exploit chain combined an RCE in WebKit exploiting CVE-2021-1789 which was patched on Jan 5, 2021 before discovery of this campaign and a 0-day local privilege escalation in XNU (CVE-2021-30869) patched on Sept 23, 2021.

Remote Code Execution (RCE)

Loading a page with the WebKit RCE on the latest version of Safari (14.1), we learned the RCE was an n-day since it did not successfully trigger the exploit. To verify this hypothesis, we ran git bisect and determined it was fixed in this commit.

Sandbox Escape and Local Privilege Escalation (LPE)

Capstone.js

It was interesting to see the use of Capstone.js, a port of the Capstone disassembly framework, in an exploit chain as Capstone is typically used for binary analysis. The exploit authors primarily used it to search for the addresses of dlopen and dlsym in memory. Once the embedded Mach-O is loaded, the dlopen and dlsym addresses found using Capstone.js are used to patch the Mach-O loaded in memory.

capstone.js

With the Capstone.js configured for X86-64 and not ARM, we can also derive the target hardware is Intel-based Macs.

configured

Embedded Mach-O

After the WebKit RCE succeeds, an embedded Mach-O binary is loaded into memory, patched, and run. Upon analysis, we realized this binary contained code which could escape the Safari sandbox, elevate privileges, and download a second stage from the C2.

Analyzing the Mach-O was reminiscent of a CTF reverse engineering challenge. It had to be extracted and converted into binary from a Uint32Array.

Mach-O

Then the extracted binary was heavily obfuscated with a relatively tedious encoding mechanism--each string is XOR encoded with a different key. Fully decoding the Mach-O was necessary to obtain all the strings representing the dynamically loaded functions used in the binary. There were a lot of strings and decoding them manually would have taken a long time so we wrote a short Python script to make quick work of the obfuscation. The script parsed the Mach-O at each section where the strings were located, then decoded the strings with their respective XOR keys, and patched the binary with the resulting strings.

decoded strings

Once we had all of the strings decoded, it was time to figure out what capabilities the binary had. There was code to download a file from a C2 but we did not come across any URL strings in the Mach-O so we checked the javascript and saw there were two arguments passed when the binary is run–the url for the payload and its size.

payload

After downloading the payload, it removes the quarantine attribute of the file to bypass Gatekeeper. It then elevated privileges to install the payload.

N-day or 0-day?

Before further analyzing how the exploit elevated privileges, we needed to figure out if we were dealing with an N-day or a 0-day vulnerability. An N-day is a known vulnerability with a publicly available patch. Threat actors have used N-days shortly after a patch is released to capitalize on the patching delay of their targets. In contrast, a 0-day is a vulnerability with no available patch which makes it harder to defend against.

Despite the exploit being an executable instead of shellcode, it was not a standalone binary we could run in our virtual environment. It needed the address of dlopen and dlsym patched after the binary was loaded into memory. These two functions are used in conjunction to dynamically load a shared object into memory and retrieve the address of a symbol from it. They are the equivalent of LoadLibrary and GetProcAddress in Windows.

exploit

To run the exploit in our virtual environment, we decided to write a loader in Python which did the following:

  • load the Mach-O in memory
  • find the address of dlopen and dlsym
  • patch the loaded Mach-O in memory with the address of dlopen and dlsym
  • pass our payload url as a parameter when running the Mach-O

For our payload, we wrote a simple bash script which runs id and pipes the result to a file in /tmp. The result of the id command would tell us whether our script was run as a regular user or as root.

Having a loader and a payload ready, we set out to test the exploit on a fresh install of Catalina (10.15) since it was the version in which we were served the full exploit chain. The exploit worked and ran our bash script as root. We updated our operating system with the latest patch at the time (2021-004) and tried the exploit again. It still worked. We then decided to try it on Big Sur (11.4) where it crashed and gave us the following exception.

exception type

The exception indicates that Apple added generic protections in Big Sur which rendered this exploit useless. Since Apple still supports Catalina and pushes security updates for it, we decided to take a deeper look into this exploit.

Elevating Privileges to Root

The Mach-O was calling a lot of undocumented functions as well as XPC calls to mach_msg with a MACH_SEND_SYNC_OVERRIDE flag. This looked similar to an earlier in-the-wild iOS vulnerability analyzed by Ian Beer of Google Project Zero. Beer was able to quickly recognize this exploit as a variant of an earlier port type confusion vulnerability he analyzed in the XNU kernel (CVE-2020-27932). Furthermore, it seems this exact exploit was presented by Pangu Lab in a public talk at zer0con21 in April 2021 and Mobile Security Conference (MOSEC) in July 2021.

In exploiting this port type confusion vulnerability, the exploit authors were able to change the mach port type from IKOT_NAMED_ENTRY to a more privileged port type like IKOT_HOST_SECURITY allowing them to forge their own sec_token and audit_token, and IKOT_HOST_PRIV enabling them to spoof messages to kuncd.

MACMA Payload

After gaining root, the downloaded payload is loaded and run in the background on the victim's machine via launchtl. The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules. For example, the payload we obtained contained a kernel module for capturing keystrokes. There are also other functionalities built-in to the components which were not directly accessed from the binaries included in the payload but may be used by additional stages which can be downloaded onto the victim's machine.

Notable features for this backdoor include:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • executing terminal commands
  • audio recording
  • keylogging

Conclusion

Our team is constantly working to secure our users and keep them safe from targeted attacks like this one. We continue to collaborate with internal teams like Google Safe Browsing to block domains and IPs used for exploit delivery and industry partners like Apple to mitigate vulnerabilities. We are appreciative of Apple’s quick response and patching of this critical vulnerability.

For those interested in following our in-the-wild work, we will soon publish details surrounding another, unrelated campaign we discovered using two Chrome 0-days (CVE-2021-37973 and CVE-2021-37976). That campaign is not connected to the one described in today’s post.

Related IOCs

Delivery URLs

  • http://103[.]255[.]44[.]56:8372/6nE5dJzUM2wV.html
  • http://103[.]255[.]44[.]56:8371/00AnW8Lt0NEM.html
  • http://103[.]255[.]44[.]56:8371/SxYm5vpo2mGJ?rid=<redacted>
  • http://103[.]255[.]44[.]56:8371/iWBveXrdvQYQ?rid=?rid=<redacted>
  • https://appleid-server[.]com/EvgSOu39KPfT.html
  • https://www[.]apple-webservice[.]com/7pvWM74VUSn2.html
  • https://appleid-server[.]com/server.enc
  • https://amnestyhk[.]org/ss/defaultaa.html
  • https://amnestyhk[.]org/ss/4ba29d5b72266b28.html
  • https://amnestyhk[.]org/ss/mac.js

Javascript

  • cbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c (capstone.js)
  • bc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9 (mac.js)
  • 9d9695f5bb10a11056bf143ab79b496b1a138fbeb56db30f14636eed62e766f8

Sandbox escape / LPE

  • 8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f
  • df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144

Backdoor

  • cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
  • f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)

C2

  • 123.1.170.152
  • 207.148.102.208
✇Threat Analysis Group (TAG)

TAG Bulletin: Q3 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2021. It was last updated on October 29, 2021.


July 

  • We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian and Russian that was supportive of Russia’s government and critical of the Ukrainian military. We received leads from FireEye that supported us in this investigation.
  • We blocked 10 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine’s government and supportive of Russia.
  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Iraq. This campaign uploaded content in Arabic that was supportive of Iran-backed militias and critical of the U.S. and its allies. Our findings are similar to findings reported by Facebook.
  • We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Jordan. This campaign uploaded content in Arabic that was supportive of the Jordanian government and critical of its opposition. Our findings are similar to findings reported by Facebook.
  • We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Algeria. This campaign uploaded content in Arabic that was supportive of the Algerian government and its military. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.
  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was critical of certain local politicians in Campeche, Mexico. Our findings are similar to findings reported by Facebook.
  • We terminated 4 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a member of the National Action Party. Our findings are similar to findings reported by Facebook.
  • We terminated 16 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Sudan. This campaign uploaded content in Arabic that was supportive of the Muslim Brotherhood and critical of the current Sudanese government. Our findings are similar to findings reported by Facebook.
  • We terminated 850 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

August

  • We terminated 1 advertising account and blocked 2 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Arabic that was supportive of Syria’s and Russia’s governments.
  • We terminated 137 YouTube channels and 2 blogs as part of our investigation into coordinated influence operations linked to Myanmar. This campaign uploaded content in Burmese that was supportive of Myanmar’s military coup in February 2021.
  • We terminated 9 YouTube channels and 1 blog as part of our investigation into coordinated influence operations linked to Vietnam. This campaign uploaded content in Vietnamese that was supportive of the Vietnamese Army’s interests in the region.
  • We terminated 1,196 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

September

  • We terminated 5 blogs and blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Germany. This campaign uploaded content in German that was supportive of the German "Reichsbürger" conspiracy movement.
  • We terminated 1,217 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.
✇Threat Analysis Group (TAG)

Phishing campaign targets YouTube creators with cookie theft malware

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.

The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation.

In this blog, we share examples of the specific tactics, techniques and procedures (TTPs) used to lure victims, as well as some guidance on how users can further protect themselves.

Tactics, techniques and procedures

Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.

Social engineering YouTubers with advertisement offer

Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration.

Example phishing email message

Example phishing email message

The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

Fake software landing pages and social media accounts

The attackers registered various domains associated with forged companies and built multiple websites for malware delivery. To date, we’ve identified at least 1,011 domains created solely for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates. During the pandemic, we also uncovered attackers posing as news providers with a “Covid19 news software.”

Lure message and landing pages for the forged covid news software.

Lure message and landing pages for the forged covid news software.

In one case, we observed a fake social media page copying content from an existing software company. The following screenshot is an example of a fake page where the original URL is replaced with one leading to a cookie theft malware download.

Original (left) and fake (right) instagram accounts

Original (left) and fake (right) instagram accounts

Because Google actively detects and disrupts phishing links sent via Gmail, the actors were observed driving targets to messaging apps like WhatsApp, Telegram or Discord.

Delivering cookie theft malware

Once the target runs the fake software, a cookie stealing malware executes, taking browser cookies from the victim’s machine and uploading them to the actor's command & control servers. Although this type of malware can be configured to be persistent on the victim's machine, these actors are running all malware in non-persistent mode as a smash-and-grab technique. This is because if the malicious file is not detected when executed, there are less artifacts on an infected host and therefore security products fail to notify the user of a past compromise.

We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github. Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed.Related hashes are listed in the Technical Details section, at the end of this report.

Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.

Fake error window require user click through

Fake error window require user click through

Cryptocurrency scams and channel selling

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

On account-trading markets, hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers.

Hack-for-Hire attackers

These campaigns were carried out by a number of hack-for-hire actors recruited on Russian-speaking forums via the following job description, offering two types of work:

hack-for-hire job description

This recruitment model explains the highly customized social engineering, as well as the varied malware types given each actor's choice of preferred malware.

Protecting our users from attacks

We are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. Some of these improvements include:

  • Additional heuristic rules to detect and block phishing & social engineering emails, cookie theft hijacking and crypto-scam livestreams.
  • Safe Browsing is further detecting and blocking malware landing pages and downloads.
  • YouTube has hardened channel transfer workflows, detected and auto-recovered over 99% of hijacked channels.
  • Account Security has hardened authentication workflows to block and notify the user on potential sensitive actions.
Sensitive action blocked in account

Sensitive action blocked in account

It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves. Our recommendations:

  • Take Safe Browsing warnings seriously. To avoid malware triggering antivirus detections, threat actors social engineer users into turning off or ignoring warnings.
  • Before running software, perform virus scanning using an antivirus or online virus scanning tool like VirusTotal to verify file legitimacy.
  • Enable the “Enhanced Safe Browsing Protection” mode in your Chrome browser, a feature that increases warnings on potentially suspicious web pages & files.
  • Be aware of encrypted archives which are often bypassing antivirus detection scans, increasing the risk of running malicious files.
  • Protect your account with 2-Step-verification (multi-factor authentication) which provides an extra layer of security to your account in case your password is stolen. Starting November 1, monetizing YouTube creators must turn on 2-Step Verification on the Google Account used for their YouTube channel to access YouTube Studio or YouTube Studio Content Manager.

Additional resources: Avoid & Report Phishing Emails.

Technical Details

Related Malware hashes:

  • RedLine (commodity)
    • 501fe2509581d43288664f0d2825a6a47102cd614f676bf39f0f80ab2fd43f2c
    • c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
  • Vidar (commodity)
    • 9afc029ac5aa525e6fdcedf1e93a64980751eeeae3cf073fcbd1d223ab5c96d6
  • Kantal (share code similarity with Vidar)
    • F59534e6d9e0559d99d2b3a630672a514dbd105b0d6fc9447d573ebd0053caba (zip archive)
    • Edea528804e505d202351eda0c186d7c200c854c41049d7b06d1971591142358 (unpacked sample)
  • Predator The Thief (commodity)
    • 0d8cfa02515d504ca34273d8cfbe9d1d0f223e5d2cece00533c48a990fd8ce72 (zip archive)
  • Sorano (open source)
    • c7c8466a66187f78d953c64cbbd2be916328085aa3c5e48fde6767bc9890516b
  • Nexus stealer (commodity)
    • ed8b2af133b4144bef2b89dbec1526bf80cc06fe053ece1fa873f6bd1e99f0be
    • efc88a933a8baa6e7521c8d0cf78c52b0e3feb22985de3d35316a8b00c5073b3
  • Azorult (commodity)
    • 8cafd480ac2a6018a4e716a4f9fd1254c4e93501a84ee1731ed7b98b67ab15dd
  • Raccoon (commodity)
    • 85066962ba1e8a0a8d6989fffe38ff564a6cf6f8a07782b3fbc0dcb19d2497cb
  • Grand Stealer (commodity)
    • 6359d5fa7437164b300abc69c8366f9481cb91b7558d68c9e3b0c2a535ddc243
  • Vikro Stealer (commodity)
    • 04deb8d8aee87b24c7ba0db55610bb12f7d8ec1e75765650e5b2b4f933b18f6d
  • Masad (commodity)
    • 6235573d8d178341dbfbead7c18a2f419808dc8c7c302ac61e4f9645d024ed85
  • AdamantiumThief (open source)
    • Db45bb99c44a96118bc5673a7ad65dc2a451ea70d4066715006107f65d906715

Top Phishing Domains:

  • pro-swapper[.]com
  • downloadnature[.]space
  • downloadnature[.]com
  • fast-redirect[.]host
  • bragi-studio[.]com
  • plplme[.]site
  • fenzor[.]com
  • universe-photo[.]com
  • rainway-gaming[.]com
  • awaken1337[.]xyz
  • pixelka[.]fun
  • vortex-cloudgaming[.]com
  • vontex[.]tech
  • user52406.majorcore[.]space
  • voneditor[.]tech
  • spaceditor[.]space
  • roudar[.]com
  • peoplep[.]site
  • anypon[.]online
  • zeneditor[.]tech
  • yourworld[.]site
  • playerupbo[.]xyz
  • dizzify[.]me
✇Threat Analysis Group (TAG)

Countering threats from Iran

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.

We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies. On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.

In this blog, we explore some of the most notable campaigns we’ve disrupted this year from a different government-backed attacker: APT35, an Iranian group, which regularly conducts phishing campaigns targeting high risk users. This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.

Hijacked websites used for credential phishing attacks

In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit. Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices.

APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to detect this kind of attack.

Phishing page hosted on a compromised website

Phishing page hosted on a compromised website

Utilization of Spyware Apps

In May 2020, we discovered that APT35 attempted to upload spyware to the Google Play Store. The app was disguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from devices. Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021.

Spyware app disguised as a VPN utility

Spyware app disguised as a VPN utility

Conference-themed phishing emails

One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence.

Targets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files. We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.

Google Sites page disguised as a Google Form to redirect to a phishing site

Google Sites page disguised as a Google Form to redirect to a phishing site

Telegram for threat actor notifications

One of APT35’s novel techniques involves using Telegram for operator notifications. The attackers embed javascript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it.

Public Telegram channel used for attacker notifications

Public Telegram channel used for attacker notifications

How we keep users safe from these threats

We warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked. If you receive a warning it does not mean your account has been compromised, it means you have been identified as a target.

Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven't already.

We also block malicious domains using Google Safe Browsing – a service that Google's security team built to identify unsafe websites across the web and notify users and website owners of potential harm. When a user of a Safe Browsing-enabled browser or app attempts to access unsafe content on the web, they’ll see a warning page explaining that the content they’re trying to access may be harmful. When a site identified by Safe Browsing as harmful appears in Google Search results, we show a warning next to it in the results.

Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.

Technical Details

Indicators from APT28 phishing campaign:

service-reset-password-moderate-digital.rf[.]gd

reset-service-identity-mail.42web[.]io

digital-email-software.great-site[.]net

Indicators from APT35 campaigns:

Abused Google Properties:

https://sites.google[.]com/view/ty85yt8tg8-download-rtih4ithr/

https://sites.google[.]com/view/user-id-568245/

https://sites.google[.]com/view/hhbejfdwdhwuhscbsb-xscvhdvbc/

Abused Dropbox Properties:

https://www.dropbox[.]com/s/68y4vpfu8pc3imf/Iraq&Jewish.pdf

Phishing Domains:

nco2[.]live

summit-files[.]com

filetransfer[.]club

continuetogo[.]me

accessverification[.]online

customers-verification-identifier[.]site

service-activity-session[.]online

identifier-service-review[.]site

recovery-activity-identification[.]site

review-session-confirmation[.]site

recovery-service-activity[.]site

verify-service-activity[.]site

service-manager-notifications[.]info

Android App:

https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection

Android App C2:

communication-shield[.]site

cdsa[.]xyz

❌