Morgan Marquis-Boire finishes his Black Hat presentation with an analysis of governmental cyber operations conducted during protests in a number of other Arab states.

Syria isn’t the only country in this region that has experienced these types of operations, though. After the success of the revolution in Tunisia, protests on living conditions began in November in Libya: protesters clashed with the police and government officers, and most people know what happened next. The information I’m giving today is from analysis I did for a forthcoming case study. During the uprising it was alleged that someone had located Gaddafi’s hiding place and marked it on Google Earth (see left-hand image). These files suddenly became something that was appealing to many, many people.
One of the not completely understood adversaries of the Libyan opposition figured this out and created an allegedly self-extracting file with these types of data. This malware was targeted at the Libyan opposition fighters using Skype accounts of compromised friends. This particular piece of malware was used to compromise a computer located in one of the key military operations, where decisions were being made about targeting and military strategy. This malware acted as a keylogger, and the same C2 domain was used.

So, Bahrain; protests in Bahrain started on the 14th of February and were initially aimed at achieving greater political freedom and respect for human rights. Unrest continues to the present day; there’s been imprisonment of human rights campaigners. In addition to this, without drawing any correlation, there has been an information operation involving more advanced malware than any I’ve discussed today so far. In a campaign discovered in April of this year, malware was sent to activists via emails, extensively from reputable figures, containing political content pertaining to the uprising. The samples I’ve seen are masquerading as images or .doc files, and when they’re opened, they display a picture that the user has expected. However, they also perform additional operations.
They install a multi-featured piece of surveillance malware which allows for the harvesting and exfiltration of many different types of data, including screenshots, keystrokes, Skype calls, and more. It utilizes a virtualized packer to avoid identification and analysis. It contains many tricks to crash debuggers and bypass anti-virus software.

Data is exfiltrated to an address in the range owned by Batelco, Bahrain’s main state-owned telecommunications company. While the malware contained many techniques to frustrate dissection, persistence revealed this. In the memory space of the infected process, what appeared to be debug strings featuring the word “finspy” were discovered (see right-hand image). According to documents leaked by WikiLeaks, FinSpy is allegedly part of an intrusion monitoring kit called FinFisher. This toolkit came to public attention after the Egyptian revolution, when documents of the state security apparatus (see left-hand image) were scrutinized. These documents seem to suggest that the Egyptian government had been involved in the discussion over the purchase of this software.
Because it’s a turbo talk, I don’t have time to go into all the details of this malware or the investigations surrounding it. However, this research has been summarized in a blog post which you can read at this link: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/.

So, what can we actually do about all of this? Letting people know that there’s stuff going on is really important, which is why I have blog posts on the people that they’ve targeted (see right-hand image). They can do smarter things. If people in general know what’s going on, they can be better educated. Also there is a theory that if you know there’s stuff going on, you can come to Black Hat, to the security community, and give a talk about it, so people that are smarter than you, well, smarter than me, will think about these problems and come up with creative and novel solutions.
So, thank you! Questions?
Question: Were these tools off-the-shelf copies of the RATs or were they custom modified for this purpose?
Morgan Marquis-Boire: Some of these require purchase, and I haven’t actually purchased them, so I can’t comment on whether or not. Anyone else? Otherwise we’ll be on good time for the next turbo talks. Great, thank you!
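A defender-side illustration of the two findings the talk describes for the Bahrain samples: the “finspy” debug string recovered from the memory of an infected process, and outbound connections to a watched address range. This is an added example, not code from the talk or from Citizen Lab. The memory blob and the connection log lines are constructed, the indicator list is a hypothetical analyst-supplied list, and the CIDR is an RFC 5737 documentation placeholder because the talk names Batelco’s range without giving a prefix.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Hypothetical indicator list: "finspy" is the string named in the talk.
INDICATORS = ["finspy"]

# Placeholder watch-list: the talk names Batelco's range but gives no prefix,
# so a constructed RFC 5737 documentation block stands in for it.
WATCHED_CIDRS = ["203.0.113.0/24"]


def find_indicator_strings(blob: bytes, indicators=INDICATORS) -> List[Tuple[str, int, str]]:
    """Scan a memory dump for each indicator in ASCII and UTF-16LE (Windows
    wide strings), case-insensitively. Returns (indicator, offset, encoding)."""
    hits = []
    for ind in indicators:
        for enc_name, codec in (("ascii", "latin-1"), ("utf-16le", "utf-16-le")):
            # re.IGNORECASE on bytes only folds ASCII letters, which is what we want;
            # the interleaved NUL bytes of UTF-16LE are matched literally.
            pattern = re.compile(re.escape(ind.encode(codec)), re.IGNORECASE)
            for m in pattern.finditer(blob):
                hits.append((ind, m.start(), enc_name))
    return hits


def ascii_context(blob: bytes, offset: int) -> str:
    """Return the whole printable ASCII run enclosing an ASCII hit, so the
    analyst sees the full debug message rather than the matched word."""
    start = offset
    while start > 0 and 0x20 <= blob[start - 1] < 0x7F:
        start -= 1
    end = offset
    while end < len(blob) and 0x20 <= blob[end] < 0x7F:
        end += 1
    return blob[start:end].decode("latin-1")


# Constructed connection log lines (format is hypothetical, one record per line).
CONN_RE = re.compile(r"pid=(\d+) proc=(\S+) dst=([\d.]+):(\d+)")


def flag_exfil_destinations(lines: List[str], cidrs=WATCHED_CIDRS) -> List[Dict]:
    """Flag every connection whose destination falls inside a watched network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    flagged = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        pid, proc, ip, port = m.groups()
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                flagged.append({"pid": int(pid), "proc": proc,
                                "dst": f"{ip}:{port}", "net": str(net)})
                break
    return flagged


# Constructed memory image: a library name, a fake debug message, some padding,
# a wide-string variant of the indicator, and unrelated data.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"MSVCRT.dll\x00"
    + b"FinSpy: injecting into target process\x00"
    + b"\x90" * 8
    + "finspy_debug".encode("utf-16-le") + b"\x00\x00"
    + b"normal data\x00"
)

# Constructed connection records: two inside the watched block, one outside.
SAMPLE_CONNECTIONS = [
    "2012-04-10T12:00:01 pid=1204 proc=explorer.exe dst=203.0.113.45:443",
    "2012-04-10T12:00:05 pid=1204 proc=explorer.exe dst=198.51.100.7:80",
    "2012-04-10T12:00:09 pid=2210 proc=svchost.exe dst=203.0.113.200:8080",
]

if __name__ == "__main__":
    for ind, off, enc in find_indicator_strings(SAMPLE_MEMORY):
        ctx = ascii_context(SAMPLE_MEMORY, off) if enc == "ascii" else "(wide string)"
        print(f"{ind!r} at offset {off} [{enc}]: {ctx}")
    for rec in flag_exfil_destinations(SAMPLE_CONNECTIONS):
        print("watched destination:", rec)
```

Both checks are deliberately cheap: a string sweep over a process dump and a CIDR lookup over connection records are the kind of triage that still works when a packer defeats static analysis, which is the point the talk makes about persistence paying off.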