During the past few days a cyber attack
On October 28 at 2:37 PM, Twitter user @a_tweeter_user posted a VirusTotal link claiming it was the malware employed during the KKNPP (Kudankulam Nuclear Power Plant) cyber attack. When I saw that link I was so fascinated by that cyber attack that I decided to take a closer look at the malware, in order to better understand what it is and who could be behind such a dangerous attack!
| Threat | KKNPP Targeted Attack |
|---|---|
| Brief Description | According to @a_tweeter_user, that sample was used to target KKNPP, the biggest nuclear plant in India |
The analyzed file is a Windows PE
One of the most interesting functions is sub_DE33BO, where the sample starts to collect information regarding: (i) local IP addresses, (ii) task listing, (iii) routing and interface information. Everything is logged into a temporary file located in
Network information is not the only thing the sample is looking for. Indeed, it looks for many pieces of software, assuming they are located on different system volumes, for example e:\html\PowerShellCorpus\Github. The following image shows some of the collected files assumed to be on different volumes (C and E).
It is definitely interesting to see that the attacker assumes the existence of C and E drives. It looks like the attacker already knew what to search for on the victim machine. In addition to this information, the sample looks for the moz_places file and, by loading a SQLite driver, it begins a querying routine to get urls and rootpage. The malware has modification modules which could be used to modify entries in moz_places, but I did not see any running usage of them. Then every piece of collected information is saved into a folder tree that looks like the following one:
The 192.168.56.2 folder holds the information harvested about software on the victim machine whose IP address is used as the folder name. Everything is well organized, and the output of each file is human readable and well curated as well. It looks like the sample could be weaponized with more modules holding different behaviors. Once the harvesting process ends its life-cycle, the analyzed sample compresses the entire folder, places it in PPDATA%/Temp/~77FDD3EAMT.tmp and sends it to 10.38.1.35, known as controller5kk. Then it copies that file from the C: drive of the target machine to a more hidden directory, Windows\Temp\MpLogs, assuming that directory exists on the target machine. Finally it deletes the just-moved file (~77FDD3EAMT.tmp) from the shared folder C:\ (where it was placed before being copied). At that stage it looks like the attacker owns the destination machine (10.38.1.35), since it acts as a central collector for every infected machine. The following image shows the code section including customized functions, the address and the credentials of the implant.
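The staging, exfiltration, hiding and cleanup steps just described form an ordered chain that a defender can look for in endpoint telemetry. The following is an added detection example, not code from the original analysis: it groups constructed EDR-style events (the `time`/`pid`/`event`/`path`/`dest` shape is an assumption) by process and raises an alert only when the stages occur in the order the write-up describes. Only the artifact names (`~77FDD3EAMT.tmp`, `10.38.1.35`, `controller5kk`, `Windows\Temp\MpLogs`) come from the analysis; the sample events are constructed.

```python
"""Behavioral detection for the staging / exfiltration / hiding chain.

Added example, not code from the original analysis. SAMPLE_EVENTS is
constructed telemetry in an assumed EDR-like shape (time, pid, event,
path, dest); only the artifact names come from the write-up.
"""
import re
from collections import defaultdict

STAGED_ARCHIVE = "~77fdd3eamt.tmp"            # archive name from the write-up (lowercased)
COLLECTOR = {"10.38.1.35", "controller5kk"}    # collector address and host name from the write-up
HIDING_DIR = re.compile(r"\\windows\\temp\\mplogs\\")  # hiding directory from the write-up

# The chain in the order the write-up describes it.
ORDER = ["stage_archive", "exfil_connect", "hide_copy", "cleanup_delete"]


def match_stage(ev):
    """Return the chain stage a single event corresponds to, or None."""
    if ev["event"] == "net_connect":
        return "exfil_connect" if ev.get("dest") in COLLECTOR else None
    path = ev.get("path", "").lower()
    if not path.endswith(STAGED_ARCHIVE):
        return None                       # other files in Temp/MpLogs are ignored
    if ev["event"] == "file_create":
        # a copy of the archive into the hiding directory vs. the initial staging write
        return "hide_copy" if HIDING_DIR.search(path) else "stage_archive"
    if ev["event"] == "file_delete":
        return "cleanup_delete"
    return None


def detect_chain(events, min_stages=3):
    """Return {pid: [stages]} for processes whose observed stages follow ORDER."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = match_stage(ev)
        if stage and stage not in per_pid[ev["pid"]]:
            per_pid[ev["pid"]].append(stage)
    alerts = {}
    for pid, stages in per_pid.items():
        idx = [ORDER.index(s) for s in stages]
        # require enough stages, observed in chain order (strictly increasing index)
        if len(stages) >= min_stages and idx == sorted(idx):
            alerts[pid] = stages
    return alerts


# Constructed sample telemetry: one process walking the full chain, one benign
# write into the same directory, and one lone connection that must not alert.
SAMPLE_EVENTS = [
    {"time": 1, "pid": 4120, "event": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Temp\~77FDD3EAMT.tmp"},
    {"time": 2, "pid": 880, "event": "file_create",
     "path": r"C:\Windows\Temp\MpLogs\MpLog-20191028.log"},   # constructed benign write
    {"time": 3, "pid": 4120, "event": "net_connect", "dest": "10.38.1.35"},
    {"time": 4, "pid": 4120, "event": "file_create",
     "path": r"C:\Windows\Temp\MpLogs\~77FDD3EAMT.tmp"},
    {"time": 5, "pid": 4120, "event": "file_delete", "path": r"C:\~77FDD3EAMT.tmp"},
    {"time": 6, "pid": 1200, "event": "net_connect", "dest": "10.38.1.35"},  # single stage only
]

if __name__ == "__main__":
    for pid, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {' -> '.join(stages)}")
```

Requiring the stages in order (rather than any three in isolation) keeps a single connection to the collector address, or an unrelated file landing in MpLogs, from raising the alert on its own; lowering `min_stages` trades that precision for earlier warning.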
I believe it is interesting for every analyst to see IP addresses and user credentials hard-coded directly into the sample, since, if that information is correct (as you might assume once you read the press release), it is not hard to believe that we are analyzing a sample belonging to a targeted attack, crafted for harvesting information and eventually for controlling victim machines. The analyzed sample is quite modular and it can be weaponized with many capabilities, for example external communication over TLS, Command and Control and RAT functionality, but in my runs the sample never showed such additional behaviors.
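Hard-coded addresses, host names, paths and credential-looking strings are exactly what a first static triage pass should surface from a sample like this. The following is an added example, not code from the original analysis: a small `strings`-style extractor that scans a byte blob for printable runs and classifies IPv4 addresses, Windows paths and `user=`/`pass=`-style pairs. `SAMPLE_BYTES` is a constructed stand-in for a section of the binary; the path, address, host name and file names in it come from the write-up, while the credential values are placeholders (the page does not publish the real ones).

```python
"""Static triage: pull hard-coded network indicators out of a binary blob.

Added example, not part of the original analysis. SAMPLE_BYTES is a
constructed stand-in for a slice of the sample; the analysis text says the
real sample embeds an IP address, a host name and credentials.
"""
import re

# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4 = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Drive-letter path: "X:\" then backslash-separated components without NUL/control/reserved chars.
WIN_PATH = re.compile(rb"[a-zA-Z]:\\(?:[^\\\x00-\x1f\"<>|?*]+\\)*[^\\\x00-\x1f\"<>|?*]*")
# Credential-looking key/value pairs (user=, password:, pwd= ...).
CRED_KV = re.compile(rb"(?:user(?:name)?|pass(?:word)?|pwd)\s*[=:]\s*[^\x00\s]+", re.IGNORECASE)


def ascii_strings(data, min_len=6):
    """Return runs of printable ASCII at least min_len long, like the `strings` tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_indicators(data):
    """Classify hard-coded indicators found in data into sorted lists."""
    found = {"ipv4": set(), "paths": set(), "credential_like": set()}
    for m in IPV4.finditer(data):
        found["ipv4"].add(m.group().decode())
    for m in WIN_PATH.finditer(data):
        found["paths"].add(m.group().decode())
    for m in CRED_KV.finditer(data):
        found["credential_like"].add(m.group().decode())
    return {k: sorted(v) for k, v in found.items()}


# Constructed blob imitating a data section of the sample.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"                    # fake DOS-header bytes (constructed)
    + b"\x00e:\\html\\PowerShellCorpus\\Github\x00"   # path the sample probes (from the write-up)
    + b"\x00\x00\xde\xad10.38.1.35\x00"               # collector address (from the write-up)
    + b"controller5kk\x00"                            # collector host name (from the write-up)
    + b"user=<placeholder_user>\x00"                  # constructed placeholder, not the real credential
    + b"pass=<placeholder_pass>\x00"                  # constructed placeholder, not the real credential
    + b"C:\\Windows\\Temp\\MpLogs\\\x00"              # hiding directory (from the write-up)
    + b"~77FDD3EAMT.tmp\x00\x00"                      # staged archive name (from the write-up)
)

if __name__ == "__main__":
    for kind, items in extract_indicators(SAMPLE_BYTES).items():
        print(f"{kind}: {items}")
    print("strings:", ascii_strings(SAMPLE_BYTES))
```

The IPv4 pattern will also pick up version strings that happen to look like dotted quads, so the output is a triage list to confirm against behaviour (for instance the connection to the collector address), not a finished IoC set.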
Attribution is always a very hard and challenging part of malware analysis. The analyzed sample is very close to what Kaspersky defined as DTrack (HERE). Two strong similarities to DTrack led me to believe we are facing an initial information-gathering stage powered by a customized DTrack malware. The two main similarities are the following:
The following image shows the strong similarity between the string preparation functions, available at address 0x8BB041. On the left side is the analyzed sample, while on the right side is a screenshot from the Kaspersky analysis (published on Securelist).
Both samples look for the "CCS_" string and manipulate it in the same way. However, DTrack is historically related to the Lazarus / APT38 group, a threat organization also known as Hidden Cobra and attributed (by FireEye) to the North Korean state, which has been used, at least in the past months, to target financial institutions. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta (from MITRE). APT38 is not well known for attacking critical infrastructure; moreover, DTrack is a well-known malware distributed over ATMs in order to attack financial institutions all over the world. However, the attack phase is aligned with the Lazarus modus operandi as reported in the FireEye document (HERE), Figure 5, page 16.
As a matter of fact, Lazarus usually initiates a separate information-gathering phase before the real attack takes place. If you focus on targets, it is known that Lazarus attacks financial institutions, but they have performed destructive attacks in past years (such as wiping Sony Entertainment) as well as government-targeted attacks (such as the Komisja Nadzoru Finansowego, or KNF, attack). At that point every reader would ask: "Is APT38 moving its targets to critical infrastructure, or are we experiencing a well-crafted false flag?" Hard to answer with scientific precision; in my personal opinion it is going to be an open question for at least some time, but if I had to bet, I would probably bet on Lazarus adding more strategic targets, like nuclear plants, to their attack plan.
The original analysis, including Indicators of Compromise, is available on Marco Ramilli’s blog:
(SecurityAffairs – Kudankulam Nuclear Power Plant, malware)