Weapons and the skills to use them are not the only decisive elements in warfare. Rhetoric and imagery are important, too. They are essential for constructing the good and the bad, legitimatizing one’s actions and influencing the events and the result of a conflict. The cyber era has only just begun to highlight the importance of perception management as a part of war.
Perceptions matter enormously: perceptions of us, our opponent, the environment, and the situation on our side, on the opponent’s side, and among the wider public. Perceptions determine how each actor chooses to act. If you can affect the opponent’s policy goals or convince your own following by manipulating perceptions, you can have a great influence over the battlefield. The cyber era has widened the battlefield to cover entire societies, and has made the global public into the audience.
Information operations, the vector for manipulating perceptions, are integral to cyberwarfare. Propaganda and disinformation campaigns can both deceive the opponent and influence what is accepted as true. Think, for example, how Russia fought (and won) an “information war” during the run-up to the Crimean vote. Subtle information operations try to persuade the target audience to view this information in a positive light. For example, the idea behind the recent “Hearts and Minds” operations has been to make the US and American values appealing to the target audience.
In addition to spreading information, denying access to information is a tool in cyberwar. Information operations exist not only to advance one’s own message, but also to block or disrupt the flow of opposing ideas. However, in the cyber era, controlling information flows is complicated, maybe even impossible. Even if the former Egyptian regime managed to take the country offline for a while, people found ways around the maneuver and managed both to receive and disseminate information differing from the official truth.
The pervasive presence of mass media in conflict zones gave us “media wars” in the 1990s. Governments have learned the importance of perception management the hard way. Technological advancement in the new millennium has turned today’s conflicts into something that are present all of the time around the world. Opportunities provided by social media and other forms of citizen journalism have made all of us producers and intermediates as well as targets of information operations. Any form of information—whether fact or rumor—spreads quicker and more freely in the cyber era.
Keep in mind three more points about information operations and cyberwar. First, drawing the line between preparations for cyberwar and the actual fighting is difficult. We live in the gray area between war and peace.
Second, active cyber operations may inflame any conflict. Cyberspace has been a battleground in all recent major conflicts, yet it is difficult to say how and to what extent this activity influences the conflicts’ logic or results. For example, Israel has lately put a lot of effort into social media. “Social media soldiers” have advanced national goals on platforms usually associated with the free exchange of information among private citizens. What influence this has had in the on-going conflict or how it will change the nature of social media in the long term remains to be seen.
Third, intelligence communities actively use cyberspace to collect and manipulate information. Information operations not only influence public opinion; they also influence what we hold as true in any relationship that involves information exchange. The higher the level of political decision making using information, the more substantial the effect of information manipulation will be. In today’s operations, manipulating perceptions is already combined with intelligence and cyber espionage, military deception, and disruptive or destructive cyber operations. Thus the cyberwar information front is key to advancing a nation’s or organization’s goals.
Thanks to the complex connections of information production and dissemination in the cyber era, in principle all information from any source may be compromised, manipulated, or even blocked. Whether to believe a source is a question we all must answer. We need not doubt everything, but we must critically investigate arguments and claims that influence how we perceive the world around us. War is waged on the mental front—to a greater extent than ever before
Iranian Keylogger Marmoolak Enters via Backdoor
As part of the weaponizing phase, attackers often put a payload into a file that, once installed, will connect in the C2 (command and control) phase to the attacker. A very common payload used by many password-stealing malware is a keylogger. The purpose of keylogging is to capture the users’ keystrokes, and gather credentials and links to internal and external resources. The stolen credentials can later be used to weaponize another file or serve as part of the actions phase of the APT kill chain.
One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.
We traced the first appearance of this keylogger to a Middle-East forum:
Although some keyloggers may capture keystrokes for legitimate purposes, this one misleads its victims by including a hidden payload. By placing this keylogger on this forum, we believe the developer intended to attack other members of this forum, a popular tactic in that region.
To prevent detection, malware authors often use cheap and easy packer’s, which modify the malware witha runtime compression or encryption program. In this case the files were hidden by a modified version of the well-known packer UPX.
On execution, the file adds a copy of itself into the System32 folder as Mcsng.exe. The malware also launches a process that drops and writes the file 1stmp.sys in the %system32%\config folder:
Although the file extension suggests it is a .sys (system) file, it is not. Its purpose is to function as a log file that contains the encrypted keystrokes of the user. Every time a key is pressed, the process records the keystroke, encrypts it and appends it to 1stmp.sys. The next screen shows a section of encrypted strings:
Although the encryption algorithm is simple, it uses “selective encryption,” with two techniques: Each byte is encrypted by technique 1 if it is odd and technique 2 if it is even. Here is an example of a log after decryption:
After decrypting we can see not only keystrokes, but also the time stamps when they were logged. After the keystrokes are logged and encrypted, the malware mails its content to its author. The malware also sends computer name and user name data to its master.
After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:
In this case the encrypted log is sent to the email address Marmoolak@red-move.tk. This address is hosted on a domain that is very popular in Iran for hosting malware. The McAfee Labs reputation engine has flagged this domain as malicious: http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=red-move.tk
After deobfuscation, we observed strings in Persian that contain the word marmoolak, a frequent derogatory term in Persian to describe their Arabic neighbors.
McAfee detects this Trojan keylogger and its variants as Keylog-FAG! To avoid infection from this and other keyloggers, keep your antivirus system updated and do not download content from untrusted sources. Be especially careful of hacker forums. Some members pretend to be helpful and offer their tools. However, these tools are often backdoor malware and exist solely to access systems and abuse them for various malicious ends.
0 comments:
Post a Comment