Welcome to the Fancy Bear Den: To Know All Read a Book
By: Eric Ellason and C. Shawn Eib
A massive, sophisticated malware infection campaign, ongoing for well over a year, compromised over 500,000 home and small business routers across 54 countries before the FBI, in coordination with the Shadowserver Foundation, seized a domain responsible for delivering further payloads to infected devices (ref). The campaign and its associated malware have been given the moniker VPNFilter by Talos, the security intelligence and research arm of Cisco. A link to their technical analysis of the malware itself can be found here.
Many experts have expressed moderate to high confidence that this was the work of Advanced Persistent Threat 28, also known as Fancy Bear, Sofacy Group, Pawn Storm, and Sednit, because of the reuse of code seen in the BlackEnergy malware that targeted the Ukraine, and because it scanned for the protocols used in industrial control systems. Fancy Bear (APT28), which alongside APT29 (also known as Cozy Bear) is viewed by many as an extension of the Russian government, is credited with numerous high-profile cyber attacks around the world, including the 2016 hack of the Democratic National Committee.
The VPNFilter malware, unlike many other Internet of Things threats, can maintain persistence on the infected device even after a reboot. It is a multi-stage malware with a range of capabilities, including spying on traffic being routed through the device. Once in place, the malware reports back to command-and-control infrastructure that can install custom-built modules, according to the Talos report.
The Talos report goes on to say that stage 1 of the VPNFilter malware uses multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server. This built-in redundancy makes the malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes. For example, one mechanism involves querying specific images on Photobucket.com and pulling out metadata embedded in these images that contains C2 instructions. Below are some of the, now removed, Photobucket URLs that were used.
If the VPNFilter malware is unable to request one of the hardcoded Photobucket URLs, it falls back to the fail-safe C2 domain toknowall[.]com to receive further C2 instructions. The malware also has a destructive capability that could be used to make the router inoperable and essentially take down the network dependent on that router: it overwrites the device's firmware, leaving it unusable.
The FBI-led operation appears to have started back in August of 2017, and the stage 2 fail-safe domain, toknowall[.]com, was identified by monitoring an infected router in Pennsylvania. An unidentified resident voluntarily let FBI agents analyze the device and attach a network tap, leaving the infected router in place. The FBI essentially established a man-in-the-middle position and monitored traffic to and from the infected router. This eventually allowed FBI agents to understand how the malware worked and identify the specific network connections it was making.
In a major coup for US law enforcement, the FBI was able to seize control of the fail-safe command and control domain toknowall[.]com, allowing the FBI to identify infected routers and minimize further damage to the end-point networks and the potential for DDoS attacks from this botnet. This process is known as sinkholing, and it allows law enforcement to identify victims of the infection and cut off the ability to download new payloads and instructions. In this case, as seen in the Department of Justice documents found in the appendix, this was accomplished by taking control of the domain's nameserver entries and pointing them to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com. This in turn redirects all new requests for the toknowall[.]com domain to a server now under the control of the FBI. Until yesterday, the toknowall[.]com domain had been hosted through OVH at the IP address 188.165.218[.]31 for approximately a year. OVH is a French hosting company with a presence throughout Europe and Canada. Before being sinkholed this domain used the nameservers ns-usa.topdns.com, ns-uk.topdns.com, and ns-canada.topdns.com (NForce Entertainment B.V. Choopa, LLC).
The Talos group also observed a spike of VPNFilter infection activity on May 8. Interestingly, this appeared to be a separate and targeted campaign, with almost all of the newly acquired victims located in the Ukraine. The majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world. The stage 2 C2 connection in this case was to the IP address 46.151.209[.]33 and resolved to the National Computer Systems Co Ltd in Riyadh, Saudi Arabia.
Here is where the story of VPNFilter and Fancy Bear expands beyond the current reporting and backwards into the period leading up to the Presidential campaign. The WHOIS records reveal something very interesting about the fail-safe C2 domain, primarily in the domains it shares a registrant with. The domain is registered to a person at a company called Earthworks Yard Maintenance in the U.K. According to historical WHOIS records, 16 other domains are registered to this same company, which, at least according to WHOIS, has employees in Alabama, New York, Pennsylvania, Texas, Germany, Italy, the Czech Republic and the UK. Interestingly, no domain directly related to the company Earthworks Yard Maintenance appears to exist. Even a little digging into these WHOIS records, showing Earthworks Yard Maintenance as the registrant, quickly reveals that most if not all of these 17 registrations appear fake. Below is a table showing some of the WHOIS data for these domains:
We have attempted to make contact with the registrants listed on these domains but were unsuccessful in contacting anyone listed as associated with Earthworks Yard Maintenance. Many of the street addresses listed in the registration data do not exist in the state or country listed and a number of employees listed more than once have different email addresses with handles not obviously matching their name. The Mary Schrack entry is using an email address with a domain that has never been registered, and none of the domains this entity has registered seem to be related to the company, although there is interesting overlap between the sites registered and the supposed job listings found. Three domains reference life or home insurance, and one of the job listings describes them as being an insurance company. One listing says Earthworks is a media company, and we have domains with “design”, “studios” and “marketing” in the name. We believe most if not all of these 17 registrations contain fake contact information. Many of the domains are now expired or set to private registration.
At this stage it seemed likely that the Earthworks Yard Maintenance company was also fake. Google searches revealed a bare minimum attempt to make it appear that this was a real company, including this fake incomplete Facebook page.
We also found fake job postings and a fake Manta business listing with once again fake contact information shown below. We also found suspicious LinkedIn pages of employees of Earthworks Yard Maintenance, all set to private with no profile picture, with seemingly incongruous jobs like a Booth Cashier in Chicago with no listed physical address in that city and an SEO specialist for a company that had no existing company website.
The only Earthworks Yard Maintenance owned domain that currently has a live website is verybigmoney[.]net. This one has the most interesting history available, stretching back to 2006 on the Wayback Machine. The first versions are in Russian, and look to be a “digital trading” platform. The domain was registered to someone from Kazakhstan at a yandex[.]ru email address from 2006-2012. It was then parked, and purchased around 12/15/14 by a registrant in Moscow by the name of Vladimir Danev. The same name is used to renew it in 2015, but now with a Bulgarian address, and it later expires in December 2016. It appears idle until 2/22/17, when it is registered, within weeks of the other associated domains, by Earthworks Yard Maintenance, this time under a Pennsylvania address.
In February of this year, the verybigmoney[.]net domain apparently changed hands once again, this time without lapsing. The current registrant bought up approximately 12 other domains in a very short period of time in July of 2017. Attempts were made to reach this new registration owner of the verybigmoney[.]net domain and current website. We were able to speak with the owner of the phone number used in the Ray Anderson registration, and they confirmed they were not Ray Anderson, did not know who that was, and have had no affiliation with the site.
The verybigmoney[.]net website, as of this writing, is still live, running the WordPress CMS, and contains only a couple of pages regarding stock trading. The homepage has one image of Ali Tayyebnia, the Economy Minister of Iran, and the last post created appears to have been December 1, 2017.
Much of the text on the site appears to be written in very poor English, or possibly computer-generated, as much of it doesn’t make sense. The site does show a contact email address; we reached out to that address and so far have received no response. Analysis of the WordPress version and elucidation of any plugins currently installed revealed that WordPress version 4.9.1 was being used and the presence of one plugin, “Cardoza Facebook Like Box”. A simple Sucuri.net website scan, a publicly available tool to reveal basic WordPress vulnerabilities, produced no obvious problems.
The current recommended version of WordPress is 4.9.4. However, much more concerning was the presence of the “Cardoza Facebook Like Box”. This WordPress plugin is relatively obscure and isn’t included in some of the major WordPress vulnerability databases.
However, this plugin has had an interesting history and highlights a new trend where malicious actors purchase WordPress plugins from the original authors, insert their own, sometimes obfuscated, code and then post an update to the plugin repository. When unsuspecting website owners apply the update to that plugin, the malicious actors now essentially have a backdoor or file upload capability into the victim’s website. This is generally known as a supply-chain attack and is becoming more and more common. It is also very difficult to defend against.
The Cardoza Facebook Like Box WordPress plugin was developed by Vinoj Cardoza, who was a WordPress developer living in London. According to its WordPress plugin download page it has over 20,000 active installations. At some point prior to October 2017 he sold his plugin to a new group (ref).
New inquiries for this plugin are being directed to here. It’s not clear who is behind the Johnnash.info website, as its registration information is hidden behind a privacy guard. Code changes to the “cardoza_facebook_like_box.php” file reveal a simple unsanitized file upload feature where any executable file can be uploaded into the /custom-css/ folder.
The company White Fir Design LLC first identified this vulnerability back on October 16th, 2017 and did a full write-up here. They also could not identify the new plugin owner or why this vulnerable code was added to the file shortly after they took control of the plugin. One logical explanation would point to some type of malicious intent.
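An unrestricted upload into a stylesheet folder leaves a simple detection opportunity for site owners: anything in that folder that is not plain CSS is a finding. The audit below is an added example, not code from this write-up or from the plugin; it takes only the custom-css folder name from the article, and the folder layout and sample files it creates are constructed for the demonstration.

```python
# Added example, not the article's or the plugin's code: audit a plugin's custom-css upload folder (location from the write-up) for non-CSS files.
import os
import re
import tempfile

ALLOWED_EXTENSIONS = {".css"}
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".js", ".html", ".htm", ".cgi", ".sh"}
# Byte markers that never occur in legitimate CSS.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"<\?(php|=)", re.IGNORECASE),   # PHP open tag
    re.compile(rb"<script\b", re.IGNORECASE),    # inline browser script
]

def audit_file(path):
    """Return the reasons a file is suspicious; an empty list means it looks clean."""
    reasons = []
    base, ext = os.path.splitext(path)
    ext, inner = ext.lower(), os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"disallowed extension {ext or '(none)'}")
    elif inner in EXECUTABLE_EXTENSIONS:  # double extension such as style.php.css
        reasons.append(f"double extension {inner}{ext}")
    with open(path, "rb") as fh:
        head = fh.read(65536)  # markers sit near the top of a dropped file
    for pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(head):
            reasons.append(f"contains {pattern.pattern.decode()}")
    return reasons

def audit_folder(folder):
    # Map each suspicious file name in the folder (non-recursive) to its reasons.
    findings = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and (reasons := audit_file(path)):
            findings[name] = reasons
    return findings

def build_sample_folder():
    """Constructed custom-css folder: one clean stylesheet and three files to flag."""
    folder = tempfile.mkdtemp(suffix="-custom-css")
    samples = {
        "theme.css": b"body { color: #333; }\n",
        "shell.php": b"<?php /* constructed placeholder, not a payload */ ?>\n",
        "style.php.css": b"<?php /* double extension */ ?>\n",
        "inject.css": b"body {} <script src='//example.invalid/x.js'></script>\n",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder
```

Point audit_folder at a real plugin's custom-css directory to get the same name-to-reasons map; an empty result means nothing there deviates from plain CSS.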
It’s not clear who has control of the verybigmoney[.]net website or what its purpose is. We have attempted to make contact via the email address listed on the contact page to make them aware of the plugin vulnerability. At this point, one explanation for the existence of this website would be that it was set up by the Fancy Bear group for some unknown purpose, using a known but obscure vulnerable WordPress plugin to provide some plausible deniability if the site was ever involved in or implicated in some kind of attack on some other target.
Of course there are also other domain names controlled by Earthworks Yard Maintenance with no obvious purpose. Four additional domains listed are of particular interest. Earthworks had bookcutsmall[.]top, bookhappenhappy[.]top and bookreturnbetter[.]top all registered under three different names, all allegedly in Germany, seemingly from 2/5/16-3/13/17 according to historical WHOIS data. Each one of these domains has a registered email address following the pattern dem143***@dlemail.ru, with variations of the last three digits. Another domain, purchased 10 days later, marketingmalawi[.]top, lists East Syracuse NY, but the email address is at mail[.]ru. It’s not clear what these domains were used for, but they do not appear to have ever been used for anything public facing on the internet, though they were resolvable. However, given the date range involved, APT28 activities during that time, and the connection to known APT28 infrastructure, we feel these domains warrant further research and plan to expand on the details surrounding these .top domains. Something that caught our eye was the use of the word “book” in these names. The sinkholed domain was toknowall[.]com. What better way to know all than reading?
So we have a sinkholed domain, toknowall[.]com, registered to an apparently trans-national yard care service, that was used as a C2 server for a widespread attack on 500k routers worldwide, and has been attributed to the Russian hacking group Fancy Bear with a high degree of confidence. This same company has or had multiple other domains, many associated with [.]ru email addresses, despite the physical addresses all being located in the US, UK, Germany, Italy, and the Czech Republic. And they may have set up a nondescript WordPress site using a known vulnerable WordPress plugin. Who is behind this fake Earthworks Yard Maintenance cutout, what purpose did they have for these other domains, and what others are still to be found?
Appendix
Talos Group’s original technical analysis of the attack:
https://blogs.cisco.com/security/talos/vpnfilter
Department of Justice announcement and court documents related to domain seizure:
C. Shawn Eib can be reached on Twitter as @realShawnEib
Eric Ellason can be reached on Twitter as @slickrockweb