Criminalizing information from the DNC server

Many of you may be following the recent news related to the compromise of the Democratic National Committee’s servers that was first reported by our colleagues over at CrowdStrike in a blog post published on June 14, 2016. Their post attributed the incident to Advanced Persistent Threat (APT) actors associated with the Russian Government named COZY BEAR and FANCY BEAR. The following day, the story got all the more interesting when an individual using the moniker Guccifer 2.0 claimed that CrowdStrike got it wrong and that he had, in fact, been the one to penetrate the DNC’s servers.

We have helped hundreds of organizations deal with similar situations, so we know the latest tactics, techniques, and procedures (TTPs) exceptionally well. Our analysis relies on the intelligence repository we have built through this analysis as well as Open Source Intelligence to substantiate our findings.

Before we proceed to the details of our analysis, here’s a quick cheat sheet on the different names that security researchers have used to refer to these threat actors. However, it’s important to note that actor mappings between attribution sets aren’t precise. Different research methodologies and necessarily separate encounters with these actors lead to unique attribution sets. The overlaps noted here are commonly accepted.

As part of our investigation, we analyzed the same malware files that were used in the DNC incident. Here are a few highlights of our findings from reverse engineering the provided malware:

1. The malware samples matched the description, form and function described in the CrowdStrike blog post.

2. The malware samples contained complex coding structures and utilized obfuscation techniques that we have seen advanced adversaries utilize in other investigations we have conducted. In addition, they were similar and at times identical to malware that other vendors have associated with these actor sets.

A. For instance, in one of their Unit 42 blog posts, Palo Alto Networks provides some detailed reversing and analysis of other malware that they attributed to COZY BEAR, named “SeaDuke.” The Fidelis Reverse Engineering team noted that the samples of “SeaDaddy” that were provided to us from the DNC incident used nearly identical code obfuscation techniques and methods. In fact, once decompiled, the two programs were very similar in form and function. They both used identical persistence methods (PowerShell, a RUN registry key, and a .lnk file stored in the Startup directory).

B. The SeaDaddy sample had a self-delete function named “seppuku”, which was identified in a previous SeaDuke sample described by Symantec and attributed to the COZY BEAR APT group. It’s worth noting that seppuku is a Japanese word for harakiri or self-disembowelment.

C. For the X-Tunnel sample, which is malware associated with FANCY BEAR, our analysis confirmed three distinct features that are of note:
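The persistence methods listed under item A (a Run registry value plus a .lnk shortcut in the Startup folder, both launching PowerShell) are the part of these findings a defender can check for directly on a host. The following Python script is an added example written for this page; it is not code from Fidelis, CrowdStrike or the malware analysis. It parses the text of a `reg export` of the per-user Run key and a list of resolved Startup-folder shortcuts, flags entries with the traits that usually accompany this pattern (PowerShell launched with a hidden window, an encoded command, an execution-policy bypass, or a binary under a user-writable directory), and reports when PowerShell launchers appear in both autostart locations. All sample data is constructed, and the function names and indicator list are assumptions of this example rather than anything from the post.

```python
import re

# Constructed sample input, not data from the DNC samples: the text form of a
# `reg export` of the per-user Run key. Two of the three values are suspicious.
# A real export is UTF-16LE with a BOM; read it with open(path, encoding="utf-16").
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -nop -enc QQBBAEEAQQBBAEEA"
"Helper"="C:\\Users\\alice\\AppData\\Roaming\\svc\\helper.exe"
'''

# Constructed sample input: (shortcut file name, resolved target command line) for
# each .lnk in the Startup folder, as a collector that resolves shortcuts would
# report them. Parsing the .lnk binary format itself is outside this example.
SAMPLE_STARTUP_LINKS = [
    ("Outlook.lnk", r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'),
    ("sys.lnk", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\x.ps1"),
]

RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Each indicator: (human-readable reason, case-insensitive pattern over the command line).
INDICATORS = [
    ("launches PowerShell", re.compile(r"powershell(?:\.exe)?\b", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
    ("encoded command", re.compile(r"\s-e(?:c|nc|nco|ncoded|ncodedcommand)?\s", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+(?:bypass|unrestricted)", re.I)),
    ("runs from a user-writable directory", re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.I)),
]


def parse_run_values(reg_text):
    """Return {value_name: command_line} for the Run key in a .reg export.
    .reg files escape backslash and double quote with a backslash; undo that."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = (line == RUN_KEY)
            continue
        m = VALUE_LINE.match(line) if in_run_key else None
        if m:
            name, raw = m.groups()
            values[name] = re.sub(r'\\(["\\])', r"\1", raw)
    return values


def assess_command(cmd):
    """Return the list of indicator names that match a command line (empty if nothing matched)."""
    return [reason for reason, pat in INDICATORS if pat.search(cmd)]


def audit(reg_text, startup_links):
    """Check both autostart locations and return one finding per suspicious entry."""
    findings = []
    for name, cmd in parse_run_values(reg_text).items():
        reasons = assess_command(cmd)
        if reasons:
            findings.append({"location": "Run key", "name": name, "command": cmd, "reasons": reasons})
    for name, cmd in startup_links:
        reasons = assess_command(cmd)
        if reasons:
            findings.append({"location": "Startup folder", "name": name, "command": cmd, "reasons": reasons})
    return findings


def powershell_in_both_locations(findings):
    """True when PowerShell launchers appear in both the Run key and the Startup
    folder, the paired persistence the post describes for SeaDaddy and SeaDuke."""
    locations = {f["location"] for f in findings if "launches PowerShell" in f["reasons"]}
    return locations == {"Run key", "Startup folder"}


if __name__ == "__main__":
    results = audit(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_LINKS)
    for f in results:
        print(f"[{f['location']}] {f['name']}: {', '.join(f['reasons'])}")
    print("PowerShell persistence in both locations:", powershell_in_both_locations(results))
```

Run as-is it reports the Updater and Helper Run values and the sys.lnk shortcut and confirms the two-location pattern. On a real Windows host, produce the first input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the second by resolving each shortcut's target; the indicator regexes are deliberately simple string heuristics, so treat a hit as a lead to examine the referenced binary or script rather than as a verdict.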










