Information Operations an Integral Part of Cyberwarfare
Weapons and the skills to use them are not the only decisive elements
in warfare. Rhetoric and imagery are important, too. They are essential
for constructing the good and the bad, legitimatizing one’s actions and
influencing the events and the result of a conflict. The cyber era has
only just begun to highlight the importance of perception management as a
part of war.
Perceptions matter enormously: perceptions of us, our opponent, the
environment, and the situation on our side, on the opponent’s side, and
among the wider public. Perceptions determine how each actor chooses to
act. If you can affect the opponent’s policy goals or convince your own
following by manipulating perceptions, you can have a great influence
over the battlefield. The cyber era has widened the battlefield to cover
entire societies, and has made the global public into the audience.
Information operations, the vector for manipulating perceptions, are
integral to cyberwarfare. Propaganda and disinformation campaigns can
both deceive the opponent and influence what is accepted as true. Think,
for example, how Russia fought (and won) an “information war” during
the run-up to the Crimean vote. Subtle information operations try to
persuade the target audience to view this information in a positive
light. For example, the idea behind the recent “Hearts and Minds”
operations has been to make the US and American values appealing to the
target audience.
In addition to spreading information, denying access to information
is a tool in cyberwar. Information operations exist not only to advance
one’s own message, but also to block or disrupt the flow of opposing
ideas. However, in the cyber era, controlling information flows is
complicated, maybe even impossible. Even if the former Egyptian regime
managed to take the country offline for a while, people found ways
around the maneuver and managed both to receive and disseminate
information differing from the official truth.
The pervasive presence of mass media in conflict zones gave us “media
wars” in the 1990s. Governments have learned the importance of
perception management the hard way. Technological advancement in the new
millennium has turned today’s conflicts into something that is present
all of the time around the world. Opportunities provided by social
media and other forms of citizen journalism have made all of us
producers and intermediaries as well as targets of information
operations. Any form of information—whether fact or rumor—spreads
quicker and more freely in the cyber era.
Keep in mind three more points about information operations and
cyberwar. First, drawing the line between preparations for cyberwar and
the actual fighting is difficult. We live in the gray area between war
and peace.
Second, active cyber operations may inflame any conflict. Cyberspace
has been a battleground in all recent major conflicts, yet it is
difficult to say how and to what extent this activity influences the
conflicts’ logic or results. For example, Israel has lately put a lot of
effort into social media. “Social media soldiers” have advanced
national goals on platforms usually associated with the free exchange of
information among private citizens. What influence this has had in the
on-going conflict or how it will change the nature of social media in
the long term remains to be seen.
Third, intelligence communities actively use cyberspace to collect
and manipulate information. Information operations not only influence
public opinion; they also influence what we hold as true in any
relationship that involves information exchange. The higher the level of
political decision making using information, the more substantial the
effect of information manipulation will be. In today’s operations,
manipulating perceptions is already combined with intelligence and cyber
espionage, military deception, and disruptive or destructive cyber
operations. Thus the cyberwar information front is key to advancing a
nation’s or organization’s goals.
Thanks to the complex connections of information production and
dissemination in the cyber era, in principle all information from any
source may be compromised, manipulated, or even blocked. Whether to
believe a source is a question we all must answer. We need not doubt
everything, but we must critically investigate arguments and claims that
influence how we perceive the world around us. War is waged on the
mental front—to a greater extent than ever before.
Iranian Keylogger Marmoolak Enters via Backdoor
As part of the weaponizing phase, attackers often put a payload into a
file that, once installed, connects back to the attacker in the C2
(command and control) phase. A very common payload in password-stealing
malware is a keylogger. The purpose of keylogging is to capture the
user’s keystrokes and gather credentials and links to internal and
external resources. The stolen credentials can later be used to
weaponize another file or serve as part of the actions phase of the APT
kill chain.
One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.
We traced the first appearance of this keylogger to a Middle-East forum:
Although some keyloggers may capture keystrokes for legitimate
purposes, this one misleads its victims by including a hidden payload.
By placing this keylogger on this forum, we believe the developer
intended to attack other members of this forum, a popular tactic in that
region.
To prevent detection, malware authors often use cheap and easy
packers, which modify the malware with a runtime compression or
encryption program. In this case the files were hidden by a modified
version of the well-known packer UPX.
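A modified packer is a problem for signature-only checks: renaming the UPX section names defeats a name match, but the compressed payload still has near-random byte statistics. The following Python detector is an added example written for this page (not McAfee code and not derived from the Marmoolak sample): it parses a PE section table and flags both stock UPX section names and high-entropy sections. The two PE images are constructed inline, and their section layouts are assumptions, not the layout of the real sample.

```python
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def build_sample_pe(sections):
    # Constructed, minimal PE: DOS header, "PE\0\0", COFF header (no optional header), section table, raw data.
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table_end = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             table_end + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += data
    return dos + b"PE\x00\x00" + coff + table + raw

def parse_sections(pe):
    # Walk the section table and return (name, raw_bytes) for each section.
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    pos, out = coff + 20 + opt_size, []
    for _ in range(num_sections):
        name, _, _, size, ptr = struct.unpack_from("<8sIIII", pe, pos)
        out.append((name.rstrip(b"\x00"), pe[ptr:ptr + size]))
        pos += 40
    return out

def shannon_entropy(data):
    # Bits per byte: close to 8.0 for compressed or encrypted data, lower for plain code.
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def assess_packing(pe, threshold=7.0):
    # A section-name signature misses a packer whose names were changed; entropy still fires.
    sections = parse_sections(pe)
    return {"upx_names": any(n in UPX_SECTION_NAMES for n, _ in sections),
            "high_entropy": [n.decode() for n, d in sections
                             if shannon_entropy(d) >= threshold]}

# Constructed samples: stock UPX layout vs. the same payload under ordinary names (a "modified UPX").
PAYLOAD = random.Random(7).randbytes(4096)  # stands in for compressed code
STUB = b"\x90" * 512 + b"\xC3"              # low-entropy unpacking stub
STOCK_UPX = build_sample_pe([(b"UPX0", b""), (b"UPX1", PAYLOAD), (b".rsrc", STUB)])
MODIFIED_UPX = build_sample_pe([(b".text", PAYLOAD), (b".data", STUB)])
```

Run `assess_packing` on both images: the stock layout is caught by name and by entropy, the renamed one only by entropy, which is the check worth keeping in a triage script.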
On execution, the file adds a copy of itself into the System32 folder
as Mcsng.exe. The malware also launches a process that drops and writes
the file 1stmp.sys in the %system32%\config folder:
Although the file extension suggests it is a .sys (system) file, it
is not. Its purpose is to function as a log file that contains the
encrypted keystrokes of the user. Every time a key is pressed, the
process records the keystroke, encrypts it and appends it to 1stmp.sys.
The next screen shows a section of encrypted strings:
Although the encryption algorithm is simple, it uses “selective
encryption,” with two techniques: Each byte is encrypted by technique 1
if it is odd and technique 2 if it is even. Here is an example of a log
after decryption:
After decrypting we can see not only keystrokes, but also the time
stamps when they were logged. After the keystrokes are logged and
encrypted, the malware mails its content to its author. The malware also
sends computer name and user name data to its master.
After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:
In this case the encrypted log is sent to the email address
Marmoolak@red-move.tk. This address is hosted on a domain that is very
popular in Iran for hosting malware. The McAfee Labs reputation engine
has flagged this domain as malicious: http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=red-move.tk
After deobfuscation, we observed strings in Persian that contain the word marmoolak, a frequent derogatory term in Persian to describe their Arabic neighbors.
McAfee detects this Trojan keylogger and its variants as Keylog-FAG!
To avoid infection from this and other keyloggers, keep your antivirus
system updated and do not download content from untrusted sources. Be
especially careful of hacker forums. Some members pretend to be helpful
and offer their tools. However, these tools are often backdoor malware
and exist solely to access systems and abuse them for various malicious
ends.