FREE ELECTRONIC LIBRARY - Dissertations, online materials

Pages:   || 2 |

«Thamar Reservoir An Iranian cyber-attack campaign against targets in the Middle East Clearsky TLP:WHITE For public distribution © Clearsky - Cyber ...»

-- [ Page 1 ] --



Thamar Reservoir

An Iranian cyber-attack campaign

against targets in the Middle East



For public distribution


© Clearsky - Cyber security. clearskysec.com

Page 1of 18



Modus operandi - investigation of targeted attacks

Part 1 -spear phish #1 - with malware

Part 2 - phone calls to victims

Part 3 - spear phishing #2

Part 4 - breaking into an Israeli research institute to set up phising page #3

Part 5 - spear phishing #4

Part 6 - Abusing account recovery mechanisms

Part 7 - Private messages

Targets and further incidents


Further incidents

The Iranian connection

Malware analysis




CWoolger Keylogger

Technical indicators and IoC




Malicious Email accounts


© Clearsky - Cyber security. clearskysec.com Page 2 of 18 Foreword This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate this campaign may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin1, who exposed new information about the attack and is currently assisting with the investigation.

The campaign includes several different attacks with the aim of taking over the target’s computer or gain access to their email account. We estimate that this access is used for espionage or other nation-state interests, and not for monetary gain or hacktivism. In some cases, the victim is not the final target; the attackers use the infected computer, email, or stolen credentials as a platform to further attack their intended target.

The attackers are extremely persistent in their attempts to breach their targets. These attempts include:

 Breaching trusted websites to set up fake pages  Multi-stage malware  Multiple spear phishing emails based on reconnaissance and information gathering.

 Phone calls to the target.

 Messages on social networks.

While very successful in their attacks, the attackers are clearly not technically sophisticated. They are not new to hacking, but do make various mistakes, such as grammatical errors, exposure of attack infrastructure, easy to bypass anti analysis techniques, lack of code obfuscation, and more.

These mistakes enabled us to learn about their infrastructure and methods. More importantly, we have learned of 550 targets, most of them in the Middle East, from various fields: research about diplomacy, Middle East and Iran, international relations, and other fields; Defense and security; Journalism and human rights; and more.

Various characteristics of the attacks and their targets bring us to the conclusion that the threat actors are

Iranian. In addition, we note that these attacks share characteristics with previously documented activities:

 Attacks conducted using the Gholee malware, which we discovered.

 Attacks reported by Trend Micro in Operation Woolen-Goldfish.

 Attacks conducted by the Ajax Security Team as documented by FireEye.

 Attacks seen during Newscaster as documented by iSight.

–  –  –

1 Dr. Gindin is an expert on Iranian linguistics and Pre-Islamic Iran, renowned lecturer and research fellow at the Ezri Center for Iran and Persian Gulf Research in the University of Haifa.

http://www.thmrsite.com/?page_id=198 ______________________________________________________________________________

© Clearsky - Cyber security. clearskysec.com Page 3 of 18 Modus operandi - investigation of targeted attacks This chapter contains an in-depth analysis of a series of attacks against one of the Thamar Reservoir targets.

The heavy attack began two days after the target, Dr. Thamar E. Gindin, was interviewed on the IDF radio station2.

Over the course of two weeks, the threat actor used the following attacks against a single target:

1. One spear phishing email containing malware.

2. Three separate email messages with links to a fake log-in page, (including two factor authentication), one of them hosted on a breached website, the other two on dedicated domains.

3. Two phone calls from the attacker, designed to build rapport for one of the phishing emails.

4. Numerous attempts to take over cloud accounts using their Account Recovery mechanism.

5. Numerous messages on Facebook and by e-mail.

While we describe this case mostly from the point of view of a single target, we would like to emphasize that these scenarios repeated themselves for many other targets.

Part 1 -spear phish #1 - with malware In May 2015 a legitimate email was sent asking several researchers to fill out a form that was sent as a Word document. The attackers obtained this correspondence, presumably by breaching the email account of the sender. They created a new Gmail account with a username similar to that of the original sender. Then, they sent the recipients a follow-up message (including the initial correspondence), asking them to fill up the attached form again. This time, the attachment was a weaponized Microsoft Excel file (The file is analyzed in the “Malware analysis” chapter of this report).

In other cases the attackers used the same methods - sending malware or phishing from a cloud email service (such as Gmail or Hotmail) using a username similar to that used by one of the target’s acquaintances.

The malicious email was written in the original language of the correspondence - Hebrew. But it is clear that the attackers do not know Hebrew, as they made grammatical errors in the few words they have added to it (the rest were copied from the original email). Other messages, in English and Farsi, were analyzed by several specialists3and were determined to have been written by a native Iranian Persian speaker.

2 The interview revolved around “her own way to being a linguist and an Iranist, and promoting her books "The Good, the Bad and the World - a Journey to Pre-Islamic Iran" and "The Book of Esther, Unmasked" “.

3 Three of the targets are Iran and the Middle East researchers, and two of them are native Farsi speakers. Going through numerous messages they have received, and in one case a phone call - they have determined that the writer/speaker is native in Iranian Persian.


© Clearsky - Cyber security. clearskysec.com Page 4 of 18 Below is an example of another case (the email includes the professional signature of the impersonated


Part 2 - phone calls to victims A week later, the attackers called the target’s office number. The office manager, who received the call, later said that someone with “bad English” had asked to schedule an interview. The attackers later called the target’s personal cell phone, and left a similar message with a callback number in London.

The attackers called the targets in other cases as well. For example, after breaching the password of a victim back in November 2014, the attacker called, pretending to be the assistant of a professor abroad who wished to talk to the victim. After several “unexplained” cut-offs during the call, the attacker said they should switch to Google Hangout, asking for the “conversation code” the victim had just received to his cell phone. The code was actually the second factor authentication for the victim’s Gmail account. As soon as he gave it away - the attackers took over his Gmail, Facebook and other accounts.

Part 3 - spear phishing #2 That evening, the target received an email written in Farsi, coming from a spoofed persian@bbc.co.uk email address (the real address of BBC Farsi). The message was a follow up on the call that morning, asking to

schedule the interview for the next day:


© Clearsky - Cyber security. clearskysec.com Page 5 of 18 The headers of the message indicate that it was spoofed, and was actually sent from a server in Hungary, mail5.maxer.hu.

The email contained a linked text, Document.pdf, with this URL:

https://www.google.com/url?q=http://login-users.com/DriveAuto/AutoSecond?Chk=redacted&sa=D&sntz=1&usg=redacted The URL is composed of two parts. The first part is a legitimate Google.com address, with the q= parameter.

The second part is the value of that parameter - a fake Google Drive log-in page in the attackers controlled domain - login-users.com. Upon clicking the link, the target is redirected to the address in the q= parameter.

This is a trick the attackers use to mislead the target - making her think she is about to visit a legitimate Google website.

The fake Google Drive log-in page was customized to the target; her real username was already filled in:


© Clearsky - Cyber security. clearskysec.com Page 6 of 18 The Whois information for the domain is similar to those used in legitimate Google owned domain, except

for the ‘d’ instead of ‘b’ in the “registrant-email” value: gmail-aduse@google.com:

The attacker sent three follow-up emails to make sure the target had received the first one, from the same server in Hungary and with the Reply-To address saeed.kn2003@gmail.com.

Part 4 - breaking into an Israeli research institute to set up phising page #3 The next morning, several targets received an email inviting them to participate in an "Iran Israel Forum” of

an Israeli research institute. The email can be seen below (sensitive information has been redacted):

The headers of the email indicate that they the email was not spoofed, and had been sent from the research institute. As can be seen, the email contained various grammatical mistakes. Moreover, anyone who knows ______________________________________________________________________________

© Clearsky - Cyber security. clearskysec.com Page 7 of 18 the institute would notice that parts of the message are inaccurate (this will not be elaborated here in order not to expose the institute’s identity).

The words “Access To Forum” linked to a page within the real, compromised, website of the institute. The page contained more information about the “forum”, and offered four “sign in” options, as can be seen in

the screenshot below:

Clicking one of the sign-in options led to a custom made log-in page, again, with the target’s username,

email, and picture already present:

–  –  –

Upon submission, the victim is redirected to a static “registration confirmed” page.

Interestingly, the log file for the previous pages was hosted publicly on the same virtual folder. The log

contained the false credentials the target submitted (as she recognized this was a fake)4:

We reported the breach to the institue, and they investigated and cleaned it off. They informed us that their own servers were never breached. Rather, a server run by a researcher who was givenn a “virtual folder” within their domain was. This, of course, did not change the end result - the attackers managed to implant a fake page within the Instititue domain, and were able to send an email using the same domain. This pattern is recurring: The attackrs go after “low hanging fruits” in order to reach their goal rather than using advnaced techincal means.

Part 5 - spear phishing #4

Four days later, the target received the following email from the same fake address as in part 1:

4 The “pass” filed intermingled with the IP filed in the original log, file due to bidirectionality issues.


© Clearsky - Cyber security. clearskysec.com Page 9 of 18 The email contained the real textual signature of the sender, and the word Toda (Thank you, in Hebrew), as the sender usually writes.

The hyperlink text in the message appeared to be leading to youtube.com, but in fact linked to a fake address that only looked like a YouTube domain.

The page contained a “private Youtube video”, asking the viewer to sign in in order to watch it:

After signing in, the page redirected to a specific interview in target’s real YouTube channel - proving once again that the attacks are targeted and based on reconnaissance.

Part 6 - Abusing account recovery mechanisms During the writing of this article, the attackers continued to attempt to take over various accounts of the target. For example, they tried to fool Google into giving them access to the target’s Gmail accounts using the Google Account Recovery process5 (a process which in certain cases enables one to regain access to an account even if the password and other means of authentication are unavailable).

The attackers tried similar methods against the target’s account on Facebook and Yahoo, and had also set up a fake Hotmail account, which was used as the secondary email to which the recovered password should be sent.

Part 7 - Private messages The target has been contacted by various “weird” characters on Facebook and by e-mail. They have been asking her various questions that have nothing to do with her professional expertise and tried to contact her in various ways. The conversation are conducted in Persian.

We cannot find a direct connection between these Facebook characters and the above mentioned attacks.

However, in addition to them happening close to the attacks, we do know that at least one of the accounts is fake.

5 https://www.google.com/accounts/recovery/ ______________________________________________________________________________

Pages:   || 2 |

Similar works:

«Strathprints Institutional Repository Levie, J.D. and Gimmon, E. (2008) Mixed Signals: Why investors may misjudge first time high technology founders. Venture Capital, 10 (3). pp. 233-256. ISSN 1369-1066, This version is available at http://strathprints.strath.ac.uk/16063/ Strathprints is designed to allow users to access the research output of the University of Strathclyde. Unless otherwise explicitly stated on the manuscript, Copyright © and Moral Rights for the papers on this site are...»

«No longer at Ease Chinua Achebe 1 No Longer at Ease First published in 1960 1 For Christie 2 We returned to our places, these Kingdoms, But no longer at ease here, in the old dispensation, With an alien people clutching their gods. I should be glad of another death. T. S. Eliot : 'The Journey of the Magi'. 3 CHAPTER ONE For three or four weeks Obi Okonkwo had been steeling himself against this moment. And when he walked into the dock that morning he thought he was fully prepared. He wore a...»

«GUIA DE PRESTACIONS I SERVEIS A LA FAMÍLIA GUIA DE PRESTACIONS I SERVEIS A LA FAMÍLIA PRESENTACIÓ La Secretaria de Família del Departament de Benestar Social i Família té com a objectiu principal donar suport a totes les famílies oferint acompanyament, formació i informació. En aquest sentit, la Guia de prestacions i serveis a la família que aquí us presentem vol ser una eina pràctica per posar a l’abast de les famílies de Catalunya la màxima informació actualitzada sobre les...»

«Environmental Aspects of Tunnel Ventilation By Dr. Marco Bettelini, Dr. Rune Brandt and Dr. Ingo Riess HBI HAERTER LTD, Zürich (Switzerland) Paper presented at the AITES-ITA 2001 World Tunnel Congress Milano, June 10 – 13, 2001 ABSTRACT: A comprehensive methodology for computing the dispersion of air pollutants and immission levels for road tunnels is described. It is based on the combined use of a socalled Gaussian model and a three-dimensional simulation package. The combined model allows...»

«THE RHETORIC OF SHAKESPEAREAN APPROPRIATION: CONTEMPORARY WOMEN WRITERS RESPOND TO KING LEAR AND THE TEMPEST by ERIN MELINDA DENISE PRESLEY (Under the Direction of Christy Desmet) ABSTRACT This dissertation examines the rhetorical relationship between Shakespeare as an appropriator and Shakespeare as a source for contemporary women novelists. Influenced by early modern pedagogy and its emphasis on imitation, Shakespeare’s relation to his sources reflects the primary sense of “invention”:...»

«Medicare General Information, Eligibility, and Entitlement Chapter 4 Physician Certification and Recertification of Services Table of Contents (Rev. 101, 09-16-16) Transmittals for Chapter 4 10 Certification and Recertification by Physicians for Hospital Services General 10.1 Failure to Certify or Recertify for Hospital Services 10.2 Who May Sign Certification or Recertification 10.3 Certification for Hospital Admissions for Dental Services 10.4 Inpatient Hospital Services Certification and...»

«ALESSE® 28 Tablets (levonorgestrel and ethinyl estradiol tablets) Rx only Patients should be counseled that oral contraceptives do not protect against transmission of HIV (AIDS) and other sexually transmitted diseases (STDs) such as chlamydia, genital herpes, genital warts, gonorrhea, hepatitis B, and syphilis.DESCRIPTION 21 pink active tablets each containing 0.10 mg of levonorgestrel, d(-)-13β-ethyl-17α-ethinyl17β-hydroxygon-4-en-3-one, a totally synthetic progestogen, and 0.02 mg of...»

«Grundad 1919 Verksamhetsberättelse 2015 Sverige-Amerika Stiftelsen ————————————————————————————————————————— Sverige-Amerika Stiftelsen möjliggör akademisk utbildning, forskning och praktik i USA och Kanada för talangfulla och motiverade studenter. När dessa studenter återvänder till Sverige har de med sig spjutspetskompetens, internationella erfarenheter och kontakter av stort värde för svenskt...»

«Bangladesh Union Parishad Elections 2011 Election Observation Report EXECUTIVE SUMMARY Rupantar and Election Observation: Rupantar is one of a member of Elections Working Group-EWG. The Election Working Group-EWG is a non-partisan, national coalition of civil society organizations that share a common commitment to free and fair elections and good governance in Bangladesh. As an active member of Elections Working GroupEWG, Rupantar observed Khulna city corporation election-2007, National...»

«All Hands on Everest Challenge Participant Information Packet Updated February 17, 2016 Table of Contents All Hands Volunteers’ Mission Preparing for your Trip: Packing List Language Cultural Cues Visas Trek Itinerary Pricing and Payments Important Tidbits Travel to Kathmandu, Nepal Safety and Security Health High Altitude Physical Training Guide Frequently Asked Questions The All Hands Story Past All Hands Deployments 2 All Hands Volunteers is thrilled to announce our first ever All Hands On...»

«PRACTICAL THEOSOPHY A PLAIN STATEMENT OF ITS TENETS BY HASH NU HARA 0 AUTHOR OF T lie Road to Success, Concentration and the A cquirement of Personal Magnetism, Mental Alchemy, Practical Hypnotism, T he Complexion B eautiful,' Practical Yoga, etc., etc. LONDON N. FOWLER & CO. L. 7 IMPERIAL ARCADE, LUDGATE CIRCUS, E.C. J9II L. N. FOWLER & Co. COPYRIGHT, 1911, BY Entered at Stationers' Hatt. All Rzghts Reserved. INTRODUCTION -:0:A PRACTICAL handbook upon the subject of Theosophy may seem...»

«viruses Review Viral RNA Silencing Suppression: The Enigma of Bunyavirus NSs Proteins Marcio Hedil and Richard Kormelink * Laboratory of Virology, Department of Plant Sciences, Wageningen University, Wageningen, 6708PB, The Netherlands; marcio.hedil@outlook.com * Correspondence: richard.kormelink@wur.nl; Tel.: +31-317483085 Academic Editor: Ralf Dietzgen Received: 9 June 2016; Accepted: 19 July 2016; Published: 23 July 2016 Abstract: The Bunyaviridae is a family of arboviruses including both...»

<<  HOME   |    CONTACTS
2016 www.dissertation.xlibx.info - Dissertations, online materials

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.