Jigsaw Security is aware of a highly successful campaign to target Government and security industry professionals the world over. On 18 January, 2018 Jigsaw Security detected highly suspicious traffic on Windows, Linux, Android and Mac devices. We have seen similar information published from Lookout Security and at first we thought that it was just another campaign. What is troubling is that the indicators being shared are now outdated and the threat actors have moved on to a new infrastructure that is extremely difficult to detect.
We have seen the threat actors using proxy servers to capture web traffic from some of the most sensitive networks in the world. We have also observed TOR exit node monitoring as well as malware that has been attached to legitimate programs to try and avoid detection. The interesting thing is that these applications appears to be and function just like the original application, however once installed and used for the first time, memory resident malware is being installed every time the application is started.
CDN is a huge risk
While network operators use CDN to ensure information is available regardless of load, we are seeing that some unwitting operators are being manipulated or are directly involved with the activity or are being used to spread applications which appear to be download from legitimate websites.
In late 2016 Jigsaw Security started noticing a very large uptick in malware on CDN networks. When we contacted the CDN operators about the malware they would clean the infected applications (Firefox, Chrome, Whatsapp and others) and take down the infected binaries. However if we checked the same content provider the next day, the offending malware would once again be back and would again be distributed from legitimate websites hosting the real applications.
A screenshot from Virustotal with information showing trojaned files
As you can see in the screen shot above, if you are downloading audacity for Windows you are being targeted. What is problematic here is that these downloads are being hosted on the actual side and are redirecting to the CDN networks where users are installing them without even knowing. We have also observed instances where different files are being downloaded based on the IP address in which the requester is using at the time of the file request. In short you can't trust anything without scanning it.
Russia, US, Brazil and others...
Our initial research has shown that this is occurring from sites in the US, Russia, Brazil and is affecting literally hundreds of common applications. This points to a widespread problem and we believe that we are only seeing and detecting some of these issues. We truly believe that this vector may be used by Governments and is targeting specific end users.
ISP's matter... When doing our research we noted the Microsoft and Verizon CDN services were widely affected. Some lesser known CDN's appear to be serving the real files in an unaltered state. We believe that this is a coordinated effort to backdoor thousands of users without them being aware of what is happening.
We would like to give a shoutout to Trend Micro for actively following and protecting against this attack. It appears as though users of this product are protected from this issue. All of the links we have tested with Trend Micro have resulted in the content being blocked. In addition all Jigsaw Security customers have also been able to avoid this method of infection if using our DNS RPZ protection products.
We still don't know why...
Although we have been tracking this issue we still have no idea why this is occurring and the CDN operators will fix things but the problems resurface without 24 hours. We honestly believe this to be a coordinated effort to backdoor common applications and spy on millions of unsuspecting users.
We put out previous alerts on this but it appears as though most popular Antivirus products with the exception of Trend Micro are not detecting the activity. Some of the trojaned files are believed to be associated with APT28 but we see content that is coming from the US and Brazil and it is not known if hackers or state sponsored intelligence agencies are behind the infections. What is troubling is that as soon as one of these infections is discovered and blocked, within 24 hours we see the same content with other infections from the same CDN sources.
Technical Information on the Activity
We have researched the activity of the malware and have found some very interesting points that we are sharing with our customers and the public. Some of the malware includes code to dial specific phone numbers. We do not know why the numbers are being dialed but we did detect some pay phone destinations leading us to believe that this method may also be used by malicious actors to make money off of unsuspecting users by calling numbers in which there are fees attached. We believe that infections are being conducted in specific geographical areas based on targeting by the threat actors.
One very interesting thing we noted was the some of the patches and utilities for Spectre and Meltdown are also being infected. We also have seen others reporting the same issue.
For IOC and related information Jigsaw Subscribers can login to our Threat Intelligence products and keyword search CDN (multiple issues). A report will be provided in the next several days with an in depth look at the activity and will be released directly to Jigsaw Security customers and partners.
It should be noted that other security researchers are seeing similar activity to this and also that a recent campaign known as Dark Caracal is also using some similar tricks to what we are seeing except that the method is different.