Grizzly Steppe and the Appallingly Slow Response to a Digital Threat by the United States.
On December 29th the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report, or JAR, compiled by the DHS and FBI, that attributed election-related security compromises to Russian intelligence operatives. The report was given the codename 'GRIZZLY STEPPE'. One of the apparent goals of the Grizzly Steppe report was to publicly provide "indicators of compromise" from the recently de-classified data collected on the Russian hacking operation meant to affect the 2016 Presidential elections. In a corresponding press release by the White House on the Russian malicious cyber activity, the following was stated:
"The report also includes data that enables cybersecurity firms and other network defenders to identify certain malware that the Russian intelligence services use. Network defenders can use this information to identify and block Russian malware, forcing the Russian intelligence services to re-engineer their malware. This information is newly de-classified."
There was only one piece of malware discussed in the accompanying Grizzly Steppe JAR report, and that was the PHP-based webshell now more precisely documented and described as PAS v3.1.0 by the company Wordfence. Wordfence determined that this webshell appeared to be an easily obtained webshell written by a Ukrainian researcher; it has since been updated to v4.1.1b, which is also publicly available for download.
We were curious just how quickly the Yara signature provided in the JAR report by the US Government would be incorporated into the major anti-virus scanners. Perhaps more importantly, we wanted to know how effective it would be at identifying this webshell and any of its variants in the wild. We created three different variants of the PAS webshell for testing. The first was the original PAS v3.1.0 described in the Grizzly Steppe report. The second was a modified PAS v3.1.0 in which only ten characters were changed. This simple change in one line of code allowed the PAS webshell to retain all of its original functionality but altered the code profile such that the Yara signature, as originally stated in the JAR report, might not be as effective. The last test was done on the more current version of the PAS webshell, v4.1.1b.
To our surprise, eight days after the initial report by the US Government, still only 4 out of 53 anti-virus scanners used by the online virus checker "www.virustotal.com" were able to identify the PAS webshell as malicious (Figure 1). When we tested our modified version of the Grizzly Steppe PAS (a change of 10 characters), only the anti-virus scanner by Bkav was able to correctly identify the file as malicious (Figure 2). The other 53 commercial scanners did not identify it as malicious. When we tested the newest version of the PAS webshell, which has significant changes in its code from the v3.1.0 version, only Symantec was able to correctly identify it as a malicious webshell (Figure 3). No single anti-virus scanner was able to correctly identify all three variants that we used as malicious.
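The gap between an exact-string signature and a detection that survives small edits is the core of the result above. The following is an added example, not code from the original post, the JAR, or Wordfence: a constructed exact-substring "signature" beside a small normalizing indicator scanner, run over two constructed PHP fragments (not PAS code) that carry the same logic with only case and whitespace changed.

```python
import re

# Constructed stand-in for a brittle exact-substring signature (NOT the JAR's rule text).
EXACT_SIGNATURE = "gzinflate(base64_decode("

# Indicators matched on normalized source. PHP function names are case-insensitive,
# so lowercasing and stripping whitespace removes the cheapest ways a signature is broken.
INDICATORS = ("$_cookie", "gzinflate(", "base64_decode(", "eval(")

# Constructed samples: same behaviour, the second differs only in case and spacing.
SAMPLE_ORIGINAL = "<?php\neval(gzinflate(base64_decode($_COOKIE['k'])));\n"
SAMPLE_ALTERED = "<?php\nEval( GzInflate( base64_Decode( $_COOKIE[ 'k' ] ) ) );\n"
# Constructed benign sample: one indicator alone should not trip the scanner.
SAMPLE_BENIGN = "<?php\necho base64_decode($_GET['img']);\n"


def normalize_php(src: str) -> str:
    """Collapse whitespace and lowercase so token spelling does not matter."""
    return re.sub(r"\s+", "", src).lower()


def exact_match(src: str) -> bool:
    """The brittle check: any edit inside the literal string defeats it."""
    return EXACT_SIGNATURE in src


def indicator_score(src: str) -> int:
    """Count distinct behavioural indicators present after normalization."""
    norm = normalize_php(src)
    return sum(1 for ind in INDICATORS if ind in norm)


def flag(src: str, threshold: int = 3) -> bool:
    """Flag when several indicators co-occur; a single hit stays below threshold."""
    return indicator_score(src) >= threshold


if __name__ == "__main__":
    for name, src in (("original", SAMPLE_ORIGINAL), ("altered", SAMPLE_ALTERED),
                      ("benign", SAMPLE_BENIGN)):
        print(f"{name:9s} exact={exact_match(src)!s:5s} "
              f"score={indicator_score(src)} flagged={flag(src)}")
```

The exact signature hits only the untouched sample, while the normalized indicator count flags both variants and leaves the benign file alone; a production rule would still need the file-level context (size, location, write timestamps) that a scanner on a web host has and this snippet does not.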
One would expect that the operators behind these webshells are very well informed about all the recent news on the Grizzly Steppe report, saw the Yara signature stated in the report, and made the necessary adjustments. One of the functions of these webshells is essentially to allow the creation of additional webshells or to have the existing webshell replaced with a modified version. So it would not take much time to either cover their tracks or burrow further into a breached site.
It's not clear to us why the lag between the Grizzly Steppe report and the implementation of its key points by "Network Defenders", as the report describes them, is so long; it seems unacceptable. For a state-sponsored hacker group, eight days is a lifetime.
We retested these three PAS webshell variants on January 20th, now three weeks out from the initial Grizzly Steppe report, and saw no improvement over our initial test of January 7th. The vast majority of the anti-virus scanners still do not even pick up the original v3.1.0 PAS webshell, and our modified v3.1.0 PAS webshell is still picked up by only one anti-virus scanner.