Juan Andres Guerrero-Saade, a former Kaspersky and Google researcher, uncovered an old APT operation, tracked as Nazar, by analyzing the NSA hacking tools included in the dump leaked by Shadow Brokers in 2017.
The campaign was previously attributed to the China-linked APT Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse), and it is referenced as SIG37 in one of the documents included in the Shadow Brokers dump.
Guerrero-Saade discovered that the SIG37 campaign references hacking activities dating back as far as 2008 that were carried out by an unknown threat actor; the expert tracks it as Nazar.
Native Farsi speakers told the expert that the term ‘nazar’ translates to ‘supervision’ or ‘monitoring’ when transliterated from Persian to Roman characters. A more recognizable alternative interpretation is the nazar amulet used for protection against the ‘evil eye’.
The researcher presented his findings in a speech at the OPCDE virtual cybersecurity summit.
The name ‘Nazar’ comes from the debug paths he found in the dump alongside Farsi resources in some of the malware droppers.
The analysis of the submission times in VirusTotal for the artifacts employed in the Nazar campaign allowed the expert to date the campaign between 2010 and 2013.
The Nazar subcomponents were all submitted to VirusTotal from Iran, a circumstance that suggests the campaign aimed at Iranian entities.
It was impossible to determine the extent of the campaign because the command and control (C&C) servers are no longer active.
“It’s hard to understand the scope of this operation without access to victimology (e.g.: endpoint visibility or command-and-control sinkholing),” reads a blog post published by Guerrero-Saade.
“Somehow, this operation found its way onto the NSA’s radar pre-2013, as far as I can tell, it’s eluded specific coverage from the security industry. A possible scenario to account for the disparate visibility between the NSA and Western researchers when it comes to this cluster of activity is that these samples were exclusively encountered on Iranian boxes overlapping with EQGRP implants.”
Nazar uses a modular toolkit; its main dropper silently registers multiple DLLs as OLE controls in the Windows registry via ‘regsvr32.exe’. The malware registers the orchestrator (‘Data.bin’), masquerading as the generic Windows service host process (‘svchost.exe’), as a service (‘EYService’) to achieve persistence.
The droppers are wrongly identified as packed by Armadillo, but in reality they are built with the now defunct Chilkat software; the attackers used ‘Zip2Secure’ to create self-extracting executables.
“The packing alone has led the droppers to be detected under generic AV detections but the subcomponents have low-to-no detections at this time,” continues the expert.
The malware uses subcomponent DLLs to implement hot-mic, screen-grab, and keylogging features. The malicious code leverages two custom resources, ‘godown.dll’ and ‘filesystem.dll’, treated as type libraries and registered as OLE controls, to enumerate attached drives, traverse folder structures, and handle some C&C functionality.
The malicious code uses a kernel driver to sniff packets from the victim machine’s interfaces and parse them for specific strings.
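As an added illustration (not code from the article or from Guerrero-Saade’s analysis), the following Python script applies the persistence indicators described above to constructed telemetry records: silent regsvr32 registrations from outside the system directories, an svchost.exe image running outside System32, and the ‘EYService’ service name. The record format and the sample paths are assumptions.

```python
import re

# Directories a genuine svchost.exe or a legitimately registered system DLL runs from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names taken from the article: the persistence service and the registered components.
NAZAR_SERVICE = "eyservice"
NAZAR_COMPONENTS = {"data.bin", "godown.dll", "filesystem.dll"}

# Constructed telemetry records (hypothetical, not real Nazar captures): process-creation
# records carry "image" and "cmdline"; service-install records carry "name" and "binary".
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\ProgramData\EYE\godown.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"type": "process", "image": r"C:\ProgramData\EYE\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "service", "name": "EYService", "binary": r"C:\ProgramData\EYE\svchost.exe"},
    {"type": "service", "name": "Spooler", "binary": r"C:\Windows\System32\spoolsv.exe"},
]

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]
def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def check_event(ev):
    """Return the findings (possibly none) for one telemetry record."""
    findings = []
    if ev["type"] == "process":
        name = _basename(ev["image"])
        if name == "regsvr32.exe":
            # The registered control is the last argument, quoted or bare.
            m = re.search(r'(?:"([^"]+)"|(\S+\.(?:dll|bin|ocx)))\s*$', ev["cmdline"], re.I)
            target = (m.group(1) or m.group(2)) if m else ""
            if target and not _in_system_dir(target):
                why = "known Nazar component" if _basename(target) in NAZAR_COMPONENTS else "non-system path"
                findings.append(f"regsvr32 registering {target} ({why})")
        elif name == "svchost.exe" and not _in_system_dir(ev["image"]):
            findings.append(f"svchost.exe running outside the system directory: {ev['image']}")
    elif ev["type"] == "service":
        if ev["name"].lower() == NAZAR_SERVICE:
            findings.append(f"service name matches the Nazar orchestrator: {ev['name']}")
        if _basename(ev["binary"]) == "svchost.exe" and not _in_system_dir(ev["binary"]):
            findings.append(f"service binary masquerades as svchost.exe: {ev['binary']}")
    return findings

def hunt(events):
    """Map each event index to its findings, keeping only the events that raised one."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}
```

On the constructed records, `hunt(SAMPLE_EVENTS)` flags the godown.dll registration, the svchost.exe copy in ProgramData, and the EYService install, while the genuine System32 events pass.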
“SIG37 has proven a rewarding mystery, unearthing a previously undiscovered subset of activity worthy of our attention,” concludes the expert. “Apart from several places where more skilled reverse engineers can contribute to better understanding the samples already discovered, there’s an opportunity for threat hunters with access to diverse data sets and systems to figure out just how big this iceberg really is.”