Author: Nathan Toporek
TLP:WHITE
Executive Summary
On 17 September, the Federal Bureau of Investigation (FBI) published a new FLASH alert in coordination with the Department of Homeland Security (DHS) and the Department of the Treasury (Treasury).[1] The report describes multiple types of malware that the Iranian Rana Intelligence Computing Company – also known as APT39 – has used in its global operations. In the report, the FBI included descriptions of how the various types of malware operate, as well as a set of YARA rules for each type. The FBI also published a representative set of malware samples to VirusTotal for public analysis.
Rana Intelligence Computing Company is a front company for Iran’s Ministry of Intelligence and Security (MOIS). According to the FBI, it has targeted hundreds of individuals and entities in more than 30 countries spread across Asia, Africa, Europe, and North America. It has previously targeted foreign citizens, foreign governments, and organizations predominantly in the travel, hospitality, academic, and telecommunications industries. Specifically in Iran, it has targeted individuals and dissidents, in addition to companies and academic institutions.
Analysis
The FLASH alert describes multiple variants of malware that Rana used in its operations, including signatures for indicators of compromise (IOCs), along with sets of YARA rules that the FBI has developed to identify samples. The report includes variants of malicious Visual Basic Script (VBS), AutoIt malware, two executables leveraging the Background Intelligent Transfer Service (BITS), an executable that masquerades as the Firefox web browser, a Python-based malware script, a malicious Android Package (APK), and a malicious Microsoft Cabinet file named depot.dat.
- VBS Malware
APT39 embedded multiple VBS scripts inside Microsoft Office documents, which it sent to victims via spear phishing and other techniques that use social engineering. When a victim opens one of the documents, the VBS code will:
1. Deobfuscate and run two scripts: one PowerShell, and another VBS.
2. Configure download and upload paths on the victim’s computer.
3. Set up a scheduled task to run the VBS file from step one every two minutes.
4. Run the PowerShell script from step one.
5. Communicate with a command and control (C2) server using a URL of: <actor IP or URL>:port/update.php?req=<victim identifier>. This URL is preceded by information specifying an action to download data, upload data, or download a batch file.
Both the VBS and the PowerShell scripts work to upload a victim’s files and execute commands locally via cmd.exe.
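A hunting sketch for the C2 URL shape and the two-minute scheduled task described above, added here as an example and not taken from the FLASH alert: it groups proxy requests to update.php?req= by client and destination and reports the median gap between them. The log layout, addresses and identifiers are constructed, and it assumes each scheduled run produces one request.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: "<ISO timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2020-09-20T10:00:00 10.0.0.5 GET http://203.0.113.7:8080/update.php?req=HOST-A1
2020-09-20T10:00:40 10.0.0.9 GET http://intranet.example/update.php?page=2
2020-09-20T10:02:01 10.0.0.5 GET http://203.0.113.7:8080/update.php?req=HOST-A1
2020-09-20T10:03:10 10.0.0.7 GET http://www.example.org/index.html
2020-09-20T10:04:00 10.0.0.5 POST http://203.0.113.7:8080/update.php?req=HOST-A1
2020-09-20T10:05:30 10.0.0.8 GET http://cdn.example.net:8443/UPDATE.PHP?req=x9
"""

def find_update_php_requests(log_text):
    """Group requests shaped like <host>:<port>/update.php?req=<id> by client and destination."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # ignore malformed lines instead of failing the whole hunt
        stamp, client, _method, url = fields
        parsed = urlsplit(url)
        victim_ids = parse_qs(parsed.query).get("req")
        if not parsed.path.lower().endswith("/update.php") or not victim_ids:
            continue
        hits[(client, parsed.netloc.lower())].append(
            (datetime.fromisoformat(stamp), victim_ids[0]))

    report = {}
    for key, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(events),
            "ids": sorted({i for _, i in events}),
            # A median gap near 120 s is consistent with the two-minute task.
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (client, dest), info in find_update_php_requests(SAMPLE_LOG).items():
        print(client, dest, info)
```

The path and parameter name alone are common on legitimate sites, so treat a single hit as a lead and weigh it with the repetition interval and the destination's reputation.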
- AutoIt Malware
APT39 leveraged several AutoIt scripts, which were likely embedded in Microsoft Office documents or malicious links, then sent to victims via a technique such as spear phishing. The FBI’s analysis determined these scripts to be similar in nature to the VBS malware. Each will:
- Perform a DNS flush.
- Create upload and download directories on the victim’s computer.
- Check for, then update the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion.
- Communicate with a C2, similar to the VBS scripts in the previous section.
- BITS 1.0 Malware
Both the VBS and AutoIt malware download this malware, which uses Microsoft’s Background Intelligent Transfer Service (BITS) to upload a victim’s data to a C2 server. The FBI’s analysis showed that this malware installs a dropper containing two Microsoft cabinet (CAB) files. One of them is empty, while the other contains two Microsoft executable files (EXEs), along with XML files that create and run scheduled tasks to upload victim data. The two EXE files in the CAB exfiltrate the victim’s data to attacker infrastructure via BITS.
- BITS 2.0 Malware
This variant is similar to the BITS 1.0 malware above in how it communicates with attacker infrastructure, but it has significant technical differences. Compared to the BITS 1.0 malware, the BITS 2.0 malware is a self-extracting executable containing an image, a VBS file, and another EXE. The VBS file creates and runs a persistent scheduled task to exfiltrate data; the EXE leverages BITS to exfiltrate data to attacker infrastructure.
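The VBS malware and both BITS variants rely on scheduled tasks, so the following added example (not from the FLASH alert or the FBI's rules) triages a Task Scheduler XML definition for a short repetition interval and a script-host action. The sample task, its file path and the 300-second threshold are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definition in the Task Scheduler XML format; the path is a placeholder.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <StartBoundary>2020-09-20T10:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\Public\example.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

def duration_seconds(text):
    """Convert an ISO 8601 duration such as PT2M or P1D to seconds (None if unparsable)."""
    m = _DURATION.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds

def triage_task(xml_text, max_interval_s=300):
    """Flag short repetition intervals and script-host actions in one task definition."""
    root = ET.fromstring(xml_text)
    intervals = [duration_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fastest = min((i for i in intervals if i), default=None)
    commands = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip()
        arguments = action.findtext("t:Arguments", "", NS).strip()
        commands.append(f"{command} {arguments}".strip())
    findings = []
    if fastest is not None and fastest <= max_interval_s:
        findings.append(f"repeats every {fastest} s")
    if any(k in c.lower() for c in commands for k in ("wscript", "cscript", ".vbs")):
        findings.append("runs a script host or .vbs file")
    return {"interval_s": fastest, "commands": commands, "findings": findings}

if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK))
```

Task files under C:\Windows\System32\Tasks use the same schema, so the function can be run over a copy of that directory collected from a host under review.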
- Firefox Malware
This malware masquerades as a legitimate Firefox executable. It contains files and functionality that allow it to:
- Compress / decompress files,
- Log keyboard activity,
- Capture screenshots, and
- Communicate with a C2.
- Python-Based Malware
This Python-based malware came packaged in a Roshal Archive (RAR) file. It reaches out via HTTP to a C2 server and downloads additional malware when it runs. The FBI did not specify the nature or function of additional malware.
- Android Malware
APT39 used a malicious APK named optimizer.apk that was designed to communicate with the C2 server saveingone[.]com, and can:
- Record audio,
- Take photos, and
- Exfiltrate data to a C2 server.
- Depot.dat Malware
The depot.dat malware is a Microsoft CAB file containing four dynamic link libraries (DLLs) that can perform keylogging and capture screenshots of the victim’s computer. A separate dropper file decrypts the files in depot.dat and achieves persistence for them by overriding the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows registry key.
Prevention and Mitigation
The FBI FLASH report provides the following set of recommendations to mitigate this malware:
- Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
- Establish, and back up offline, a “known good” version of the relevant server and a regular change-management policy to enable monitoring for alterations to servable content with a file integrity system.
- Employ user input validation to restrict local and remote file inclusion vulnerabilities.
- Implement a least-privileges policy on the Webserver to:
  - Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.
  - Control creation and execution of files in particular directories.
- If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
- Ensure a secure configuration of Webservers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
- Use a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
- Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero day attacks, it will highlight possible areas of concern.
- Deploy a Web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
Indicators of Compromise
Below is a list of MD5 hashes representative of each malware variant. In-depth YARA rules for each are included in the FLASH report.
Endnotes