Romanian Cybersecurity firm reveals all-in-one espionage tool: RadRAT

Bitdefender, a Romanian cybersecurity firm, has flushed out a powerful all-in-one toolkit for espionage operations dubbed “RadRAT,” which it became aware of in February this year. The toolkit is an advanced remote access tool that allows full control over compromised computers.

“Buried in the malware zoo, the threat seems to have been operational since at least 2015, undocumented by the research community,” the company said in a post.

RadRAT offers powerful remote access options that allow “unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms.”

“Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations,” the post read.

Apart from its data exfiltration mechanisms, it also features lateral movement mechanisms such as credential harvesting, NTLM hash harvesting, retrieving a Windows password, and more. Its command set currently supports 92 instructions.

These commands can be used for various malicious purposes, including file or registry operations, data theft operations, network operations, operations on processes, system information, propagation, and more.

“Unfortunately, while our information about the behavior and technical implementation of this remote access toolkit is complete, we can only guess at the original infection vector, which is most likely a spear phishing e-mail or an exploit,” the cybersecurity firm wrote in its whitepaper on the toolkit.

Prevalent Cyber threat group targets UK

A well-known hacking group is once again targeting the UK with an updated version of malware designed to install itself on compromised systems and stealthily conduct surveillance. Over the past year, the group appears to have focused particularly on diplomatic targets, including consulates and embassies.

Both the Neuron and Nautilus malware variants have already been attributed to the Turla advanced persistent threat group, which is known to routinely carry out cyber-espionage against a range of targets, including government, military, technology, energy, and other business and commercial organisations.

The malware primarily targets Windows mail servers and web servers; the Turla group delivers specially crafted phishing emails to compromise targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit. By combining these tools, Turla can gain persistent access to compromised systems, giving it covert access to sensitive data or the ability to use the system as a gateway for further attacks.

However, the UK's National Cyber Security Centre (NCSC) - the cyber security arm of GCHQ - has issued a notice that Turla is deploying a new variant of Neuron which has been modified to evade detection.

Changes to Neuron's dropper and loading mechanisms have been designed to avoid the malware being detected, enabling its malicious activity to continue uninterrupted.

Neuron's authors have also changed the encryption in the new version, now using several hardcoded keys rather than a single one. As with the other changes, these were most likely made to make detection and decryption by network defenders more difficult.

Whatever the case may be, it is understood that the National Cyber Security Centre does not attribute Turla's work to a specific threat actor, instead referring to it as "a prevalent cyber threat group targeting the UK".


Russia, India and other Asian countries targeted by Chinese Hackers


According to Kaspersky Lab's third-quarter report, 10 of the 24 targeted cyber attacks it observed were carried out by groups of Chinese-speaking hackers.

Experts at Kaspersky said one of the main targets of these cyber criminals was the Russian Federation. They also targeted other Asian countries, including India and Mongolia.

In July, Kaspersky detected a cyber espionage campaign (referred to as "IronHusky") targeting Russian and Mongolian government bodies, aviation companies, and research institutes. The incident happened shortly after the two countries held talks on cooperation in several projects relating to Mongolia's air defence.

Another cyber attack was discovered targeting Russia and India. This attack took place after India and Russia signed a long-awaited agreement to expand a nuclear power plant in India and to further define defence cooperation between the two countries. The energy sectors of both countries were targeted with a malicious program named "H2ODecomposition".

The experts said that in some cases this malware masqueraded as the popular Indian anti-virus product "QuickHeal".

Kaspersky also noted that the Netsarang and CCleaner tools were targeted by these Chinese-speaking hackers. The attackers infected the installation packages with malicious code and hosted them on the Netsarang distribution site. Inserting malicious code into legitimate software allows attackers to penetrate the networks of many organisations at once.

- Christina


Russian citizen suspected of cybercrime arrested in Estonia



A 20-year-old Russian programmer is suspected of cyber espionage. He was travelling from Estonia to Russia and was detained at the border crossing in Narva.

According to local media, the Estonian Security Police (KaPo) allowed the suspect to operate unhindered for some time, during which he was linked to the Security Service of the Russian Federation.

Authorities said that he is a member of the FSB and was preparing a mass cyber attack on the computer systems of Estonian state institutions. According to them, the Russian was trying to build a device or computer program with which he could gain access to local computer systems.

Elena Vladimirovna, the suspect's mother, told media that the arrest was completely unexpected, since her son had never been involved in any unlawful activity.

"Of course, I hope that everything will end well and we will be able to prove his innocence," Elena was quoted as saying by the local media outlet Sputnik. "However, the services of a good lawyer cost a lot of money, which I do not have. Perhaps the Russian embassy will be able to help us in some way, but I will never let my son go to Estonia again."

The Russian Embassy in Estonia has said it is ready to help, and has asked the Estonian Foreign Ministry for permission to meet the detainee.

A criminal case has been opened against the suspect under article 233 of the Penal Code of the Republic of Estonia, "Non-violent acts of an alien directed against the Republic of Estonia", and article 216, "Preparing a computer crime". He faces up to 15 years in prison if convicted.

- Christina


Ukrainian Hacker detained for remotely spying on Politicians



A 23-year-old Ukrainian hacker from the city of Kharkiv has been detained by the National Police of Ukraine for hacking into the personal computers of Ukrainian citizens and citizens of other states.

According to local press reports, the hacker used malicious software (probably a RAT, or Remote Access Trojan) to control victims' computers for almost two years. He is also said to have observed victims' activities through their web cameras. The hacker is believed to have invaded the private lives of about 100 people.

A search and seizure warrant was executed at the hacker's home, turning up video recordings of victims and the malicious software used in the cyber espionage.

The motive for the espionage is not clear. One theory is that he was paid by someone to target specific people. The theory may be plausible, as some of the victims were members of Ukrainian political parties.

If convicted, the hacker faces up to six years' imprisonment.

- Christina


Digital Sleeper Cell: NSA infected 50,000 computer networks with data-stealing malware

The NSA has infected more than 50,000 computer networks across the globe with malware capable of stealing sensitive data from victims' machines.

According to the NRC.nl report, which is based on documents provided by US whistleblower Edward Snowden, the practice is called "Computer Network Exploitation" (CNE).

The malware is being referred to as a "digital sleeper cell"; it is controlled by the NSA, which can remotely turn it on or off.

The number of infected networks in 2008 was reportedly over 20,000. By mid-2012, the number had increased to 50,000.

UK spies reportedly used fake LinkedIn pages to gain access to target networks

The British intelligence agency GCHQ (Government Communications Headquarters) reportedly tricked employees of mobile communications companies and billing companies with fake LinkedIn and Slashdot pages to gain access to their networks.

The news was initially reported in the German magazine Der Spiegel based on secret GCHQ documents leaked by NSA whistleblower Edward Snowden.

The first known attack targeted the partly government-owned Belgian telecommunications company Belgacom.

Once an employee visited a fake page, malware was surreptitiously installed on the victim's system; it acted as a backdoor and gave unauthorised access to the internal networks of Belgacom and its subsidiary BICS. The goal was to gain access to the GRX router system operated by BICS in order to intercept phone traffic.

Stuxnet worm Created by NSA and Israel, Says Edward Snowden


While it has been widely speculated that the notorious computer worm Stuxnet was the result of a partnership between the US and Israel, the well-known NSA whistleblower Edward Snowden has now confirmed it.

Stuxnet was a highly complex piece of malware discovered in 2010, used as a cyber weapon against Iran's nuclear program.

Snowden answered a few interesting questions in an interview with Germany's Der Spiegel magazine.

When the interviewer asked about NSA involvement in Stuxnet, Snowden confirmed it, saying "NSA and Israel co-wrote it".

When asked about the German authorities' involvement in the NSA surveillance system, Snowden confirmed it, saying "Yes, of course. We're in bed together with the Germans the same as with most other Western countries."

Crypted Files in Cyber Espionage

Cryptors are programs used to make files FUD (fully undetectable by antivirus).

A cryptor can make an EXE file undetectable by antivirus. Most cryptors are commercial products; once you buy a licence, they can be used to make files undetectable by antivirus.

However, antivirus companies keep tabs on almost all cryptors and keep adding signatures for their stubs. In response, cryptor authors release private versions with unique stubs.

However, portions of the code used in the public version are reused in the private version, so it is detected very quickly.

There are a few cryptors, such as darksane, fileprotector, aegiscryptor, xprotect and shiekh cryptor, available for $50-$200 for a six-month licence. All these cryptors offer scanning once you crypt the file, but these scanners are offline only. So even if you get a 37/37 FUD result, and even though cryptors make tall claims about bypassing all known antivirus products, these claims are often not true. The FUD scan uses elementscanner, which scans the file against 43 or 37 antivirus engines and reports it as FUD.

But antivirus often detects these files when they are executed on the machine.

CSPF was approached by a corporate company that had suffered a series of cyber espionage attacks; we evaluated all the files and found that these spyware attacks had been carried out using cryptors.

CSPF evaluated these crypted files at run time, and most of them were detected during execution. We also evaluated the so-called private unique stubs written by cryptor authors; almost every single file was detected by Kaspersky and NOD32 at run time.

Author:
J Prasanna Tech CORE, Cyber Security & Privacy Foundation