TV5Monde attack might be tied to Iraqi hacker, located in Najaf
Security researchers have found an apparent link between the malicious code used to attack France’s TV5Monde and an Iraqi program developer identified by the handle “Security.Najaf.”
The link, while it cannot be fully verified, might suggest that the massive cyberattack was indeed perpetrated by sympathizers of the Islamic State of Iraq and Syria (ISIS) as opposed to a copycat.
TV5Monde, a French television network that broadcasts worldwide, was knocked off the air on Wednesday after hackers took control of 11 channels. The intruders, who posted images and propaganda supporting ISIS, also gained control of the network’s social media pages.
Experts said the attack reveals a new level of sophistication for ISIS-affiliated hackers, who typically employ rudimentary measures to deface websites. The TV5Monde attack might be the first time the group has successfully hacked a TV station.
Researchers with software maker Blue Coat analyzed a string of malware similar to the one purportedly used in the cyberattack, finding it contained greetings that appear linked to “Security.Najaf,” a “prolific poster in [online] forums.”
An online search for the handle turns up links in Arabic-language forums, as well as a seemingly abandoned Twitter feed identifying its owner with the phrase, “designer, programming hacker.” The Twitter account is based in Najaf, Iraq.
While claiming no insider knowledge of the attack, Blue Coat’s researchers said the malware appears to be an adaptation of the Visual Basic Script worm KJ_W0rm, a derivative of the NJ_W0rm.
“VBS worms based on NJ_W0rm and KJ_W0rm should by now be picked up by most [anti-virus] products, though it’s always a challenge to reliably detect text-based malware, because they are so easily modified,” the firm wrote in a blog post.
The group behind the attack called itself the CyberCaliphate, the same name used by hackers that broke into the Twitter feeds for the U.S. Central Command and Newsweek magazine earlier this year.
Meanwhile, French authorities denied that hackers released any classified army documents during their siege, as they had claimed.
The CyberCaliphate had posted documents on Facebook they said were the identification cards of people tied to French soldiers fighting ISIS. “None of these documents mention the identity of French soldiers or of their families,” the French defense ministry said in a statement.
The cyberattack follows a terrorist attack by Islamic militants that left 20 dead in Paris in January.
Source (The Hill): http://thehill.com/policy/cybersecurity/238450-tv5monde-attack-might-be-tied-to-iraqi-hacker-researchers-say
April 9, 2015
On Thursday April 9th the French TV station TV5 Monde was reportedly knocked off the air by supporters of the Islamic State.
Information on how the attack was performed has been scarce. The only semi-technical information we have seen at the time of writing came from one of the initial news reports.
Blue Coat has no insider information on this intrusion, but we were able to find a piece of malware which, though not identical, matches many of the indicators given in the Breaking3Zero story. Among others, it contains references to the same aliases (JoHn.Dz and Najaf).
The md5 hash of this sample is 2962c44ce678d6ca1246f5ead67d115a.
Jenxcus and Bladabindi
This sample appears to be an adaptation of the Visual Basic Script worm KJ_W0rm, a derivative of the old and widespread NJ_W0rm.
This malware is commonly known by AV tools under the name VBS/Jenxcus. Since this is script-based, the malware is very easy to modify, something which has spawned a lot of modifications.
Jenxcus often occurs in the company of another malware called Bladabindi or NJ_Rat. Unlike Jenxcus, Bladabindi is not a script, but a Windows executable written in .NET. It has an extensive set of features, and can for example take screenshots, steal various online credentials, and download and install more malware.
Bladabindi can be created and configured using a publicly available creation tool, making the production of new variants straightforward. This has made it a very popular tool to use in the underground, and it is now one of the dominant malware families, particularly in the Middle East region. Indeed, it has been so common that Microsoft decided to take aggressive action against it. This resulted in the somewhat controversial botnet takedown in June 2014. The legal papers filed with this takedown identify the authors of the Bladabindi backdoor and Jenxcus worm as Naser Al Mutairi (Kuwait), and Mohamed Benabdellah (Algeria). Mutairi reportedly used the online handle njq8, and is presumably the person referenced in the "Credits" section in "our" malware sample. This mention is however likely to be just a shout out to the original author of what essentially now is an open source malware.
The Najaf variant - md5 2962c44ce678d6ca1246f5ead67d115a
If we compare the “Najaf” sample with a regular KJ_W0rm sample, we can see that there are clear similarities. Most differences revolve around how hardcoded parameters are placed in the code.
Above: Najaf vs regular KJ_W0rm
The script is pretty tight and simple, and differs only marginally in functionality from KJ_W0rm.
It copies itself to the startup folder (e.g. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ on Windows 7).
Run keys are created in the registry so as to run the script from there as well:
HKCU\software\microsoft\windows\currentversion\run securitynajaf = wscript.exe /B "SecurityNajaf.vbs"
HKLM\software\microsoft\windows\currentversion\run securitynajaf = wscript.exe /B "SecurityNajaf.vbs"
Once this initial installation is done, it copies itself to the root folder of all connected removable drives. A shortcut (*.LNK) file will also be created, pointing to this. The script will attempt to refresh this every six seconds. From here the script goes into a pretty tight loop where it connects back to its configured C&C server over HTTP, announcing that it is ready to accept commands. The C&C server is hardcoded to 127.0.0.1, so there is no obvious remote command and control address in this sample. This may mean that the sample is just a test, or that there was some kind of loopback mechanism installed on the computer where it ran.
In the User-Agent field of this POST request, the malware puts information about the current system – things like username, computername, OS and so on.
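The two persistence mechanisms described above (a script copied into the Startup folder, and Run values in HKCU and HKLM that launch it through wscript.exe) are easy to check for on a host. The following is an added example, not code from Blue Coat or from the sample, that parses the text printed by `reg query` for a Run key and flags autostart entries that invoke a Windows script host. The sample `reg query` output is constructed for the example and modelled on the two Run values quoted in the write-up; the legitimate entries beside them are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Script hosts that execute .vbs/.js files. Legitimate software rarely
# autostarts through them, so any Run value that does is worth a look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)$", re.IGNORECASE)

# Constructed `reg query` output (not captured from a real system): the two
# "securitynajaf" values mirror the ones in the write-up; the rest are benign.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    securitynajaf    REG_SZ    wscript.exe /B "SecurityNajaf.vbs"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    securitynajaf    REG_SZ    wscript.exe /B "SecurityNajaf.vbs"
"""


@dataclass
class RunValue:
    hive: str      # "HKCU" or "HKLM"
    name: str      # value name under the Run key
    command: str   # command line stored in the value


def parse_reg_query(output: str) -> list[RunValue]:
    """Parse reg.exe's layout: an unindented key path, then indented
    'name    TYPE    data' rows separated by runs of whitespace."""
    values, hive = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            hive = "HKCU" if line.startswith("HKEY_CURRENT_USER") else "HKLM"
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and hive:
            name, _reg_type, data = parts
            values.append(RunValue(hive, name, data))
    return values


def tokenize(command: str) -> list[str]:
    """Split a Windows command line on spaces while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def assess(value: RunValue) -> list[str]:
    """Return the reasons a Run value looks like script-based persistence
    (empty list means nothing of note)."""
    tokens = tokenize(value.command)
    if not tokens:
        return []
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return []
    reasons = ["script host launched from Run key"]
    scripts = [t for t in tokens[1:] if SCRIPT_FILE.search(t)]
    if any("\\" not in s for s in scripts):
        # A bare filename means the script is resolved relative to the
        # working directory rather than from a fixed, reviewable path.
        reasons.append("script referenced by bare filename (no directory)")
    if any(re.fullmatch(r"/{1,2}b", t, re.IGNORECASE) for t in tokens[1:]):
        # WSH's batch-mode switch is //B; the quoted sample uses a single slash.
        reasons.append("batch-mode style switch present (/B or //B)")
    return reasons


def find_suspicious(values: list[RunValue]) -> dict[str, list[str]]:
    """Map 'HIVE\\name' to its reasons, noting HKCU/HKLM duplicates as the
    sample installs the same value under both hives."""
    findings = {f"{v.hive}\\{v.name}": r for v in values if (r := assess(v))}
    hives_by_name: dict[str, set[str]] = {}
    for v in values:
        hives_by_name.setdefault(v.name.lower(), set()).add(v.hive)
    for key, reasons in findings.items():
        name = key.split("\\", 1)[1].lower()
        if hives_by_name.get(name) == {"HKCU", "HKLM"}:
            reasons.append("same value name present in both HKCU and HKLM")
    return findings


def startup_folder_scripts(filenames: list[str]) -> list[str]:
    """Names in a Startup folder listing that are script files."""
    return [f for f in filenames if SCRIPT_FILE.search(f)]


if __name__ == "__main__":
    for key, reasons in find_suspicious(parse_reg_query(SAMPLE_REG_OUTPUT)).items():
        print(key, "->", "; ".join(reasons))
    print(startup_folder_scripts(["desktop.ini", "SecurityNajaf.vbs"]))
```

On a live host the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent, plus a directory listing of each user's Startup folder; the heuristics are deliberately narrow (script host, bare filename, batch switch, duplicate value across hives) so they surface this family's pattern without flagging ordinary installers.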
On the Internet, anyone can claim to be associated with any movement of their choosing. Not only that, they can use whatever tool they want, claim to be totally different people, and generally lie as much as they want to. Because of this, attribution is hard, though not impossible. It requires solid data, experience, and often the involvement of law enforcement to do right. Because of this we’ll not make any assumptions about who was behind the intrusion at TV5. However, we can point out some indicators.
The 2962c44ce678d6ca1246f5ead67d115a sample is similar to the VBS script mentioned in the Breaking3Zero article. The script contains the same greetings, mentions the same JoHn.Dz and Najaf.
Security.Najaf seems to match the online handle of a developer apparently located in the Najaf province of Iraq. He is a prolific poster on the dev-point[.]com forums, which have carried a lot of NJ-Rat/Worm-associated material. He is listed as recoder – presumably modifying programmer – in many other malicious scripts. One example is the file with md5 de8e6e14b7e548eda7d4ff33bb3705ad:
In this file, the C&C server is defined as aziza12.no-ip.biz, a domain which has also been used as C&C by Bladabindi malware such as the sample with md5 a5ce6dcb062ceb91a6fce73e99b3514d. This is a DynDNS domain, meaning that there is no domain registration data to look at. However, if we examine the IP history of this domain, we see that it has mapped to a number of IP addresses over time, many of which are located in Iraq. One of these, 18.104.22.168, has also earlier this year pointed to the domain islamstate.no-ip[.]biz.
So, does this really mean anything? No, not necessarily. IP overlaps can happen for any number of reasons, and aliases on forums and inside malware are just text strings. NJRat and its related malware are used by a lot of activists in the Middle East, so their use in this intrusion - if that indeed is confirmed - cannot be used as a basis for any conclusion.
VBS worms based on NJ_W0rm and KJ_W0rm should by now be picked up by most AV products, though it’s always a challenge to reliably detect text-based malware, because they are so easily modified. In any case, we have added detection for these families in our Malware Analysis Appliance:
The intrusion of TV5 Monde, similar to the Sony attack, shows that any entity on the Internet is a target now. All conflicts now carry a likelihood of having a cyber dimension, because these attacks are cheap, easy, and relatively risk free. Unfortunately there seems to be no silver bullet for this situation. Modern computer systems are so interconnected and complex that there is always an opportunity for mischief if you are persistent; and in many cases you don't even have to be that. If the attacker cannot immediately find a way in, there's always the human factor. And humans are - unfortunately - difficult to patch. Nevertheless, skilled people can make the difference between a win and a loss.
Passive DNS data was graciously provided by Farsight Security.
( Blue Coat )