By Gregory Hale
Security provider Nyotron found an advanced malware campaign attempting to attack a company’s Middle Eastern critical infrastructure clients.
“On December 11, 2017 at 01:21 a.m., a night-shift employee working at an around-the-clock critical infrastructure facility located in the Middle East plugged a USB drive into a shared workstation that dozens of the company’s employees use on a daily basis,” said researchers at Nyotron. “The employee was watching the movie La La Land that he had recently downloaded to his USB during his break. After about 30 minutes, (the operator) was interrupted by a call and had to cut his break short. He didn’t know that his actions had initiated a sequence of events that could have been disastrous for his organization. Along with the movie, he had launched a well-crafted attack now known as Operation Copperfield.”
This is the second attack discovered within a weak that went after critical infrastructure facilities. Reports surfaced last week of the Triton/Trisis attack that hit a safety system and control system and shut it down at a separate critical infrastructure facility in the Middle East in August.
Copperfield malware’s predecessor, known as H-worm by Houdini, was discovered years ago. Copperfield, however, used a crypter-based obfuscation technique to change its structure and hash in order to avoid detection. Hence, the sample was unique and was able to bypass two other antivirus products installed in the customer’s environment.
“Copperfield is not nearly as dangerous as Triton and its propagation can be stopped by not allowing engineers and operators to use USB devices connected to Industrial Control Systems (ICS),” said Moreno Carullo, co-Founder and CTO of Nozomi Networks. “Although this is not an improved malware, it could result in data exfiltration, control of a workstation or reconnaissance of the network. It is however, an incident that reiterates the message that cybercriminals are actively probing critical infrastructure for vulnerabilities and are increasing their efforts. All ICS operators should be on high alert as this type of activity is increasing exponentially. In the meantime, ICS operators must strictly adhere to best practices, security protocol and be vigilant about looking for abnormal behaviors in the network using deep packet inspection and hybrid analysis.”
“The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities,” said Eddie Habibi, founder and chief executive at PAS, Global. “Critical infrastructure security is clearly not trending in the right direction. The simple fact is that 80 percent of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Copperfield is a Remote Access Trojan ( RAT) that leverages Windows Script Host – an automation tool in Windows – to gain full control capabilities, including:
• Sending information about the machine it is installed on (including antivirus software installed)
• Updating itself
• Exfiltrating sensitive data to an external server
• Arbitrary code execution
• Downloading and running executables such as keyloggers, additional malware, screen grabbers, etc.
The Copperfield campaign infected organizations through a USB Drive. The malware boasts a unique set of masquerading techniques, hiding all original files found on the drive while creating malware-laced LNK files with the same names and even icons as the originals. Upon execution, a user would see nothing out of the ordinary.
In the one case, the user’s movie started as expected while the malware ran silently in the background. The icon swapping feature of Copperfield has not been previously described or used by other malware variants.
Nyotron blocked all damage from the malware after suspicious activity triggered three of the solution’s protection modules:
• Abnormal Communication
• Local Data Exfiltration
• Application Tampering
Copperfield campaign’s Command and Control server IP address points to servers located in Mecca, Saudi Arabia, Nyotron researchers said. Other circumstantial evidence and clues left in the malware point to either Iran or Algeria.
As mentioned this latest attack ended up based on a four-year-old attack and it was still able to slip through multiple security products installed.
That is because the real content of the script was obfuscated, a process malware authors commonly practice to hide their code’s intentions.
Nyotron researchers said there are multiple tools malware writers use to enable obfuscation:
• Crypters (e.g., Cryptex, Debug Crypter)
• Packers/compressors (e.g., UPX)
• Protectors (e.g., WProtect)
• Frameworks (e.g., Veil-evasion, Shelter)
In this case, a $25 generic obfuscation crypter tool called BronCoder ended up used. This crypter tool changed the structure and, hence, the hash of the malware in an unrecognizable way so that it didn’t match previously seen variants.
For more details on the attack, click here for the full Nyotron report.