Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150807-255-CI-2015 Butterfly Attackers
Raytheon Blackbird Technologies, Inc.
07 Aug 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) The following report discusses activities by a group of hackers known as the Butterfly
attackers. These attackers used a zero-day exploit that targeted CVE-2013-0422, titled Oracle
Java Runtime Environment Multiple Remote Code Execution Vulnerabilities. This vulnerability
was patched on January 31st, 2013. The attackers also used a Windows and Mac backdoor named
OSX.Pintsized and Backdoor.Jiripbot as the payloads.
(S//NF) The attackers used a watering-hole attack to compromise a mobile phone developer
website to deliver the Java exploit. In one case a fully up-to-date version of Internet Explorer 10
was exploited, indicating that a zero-day for this browser may have been used. No further
information on this exploit was provided.
(S//NF) In some cases the attackers spread using a Citrix profile management application to
create a back door on the infected system. In another instance the attackers used TeamViewer to
create copies of the backdoor.
(S//NF) Various tools used by the hackers were discussed in this report and include:
OSX.Pintsized: A well-documented modification of OpenSSH
Backdoor.Jiripbot: Primary back door tool with fallback domain generation algorithm
Hackertool.Bannerjack: Used to receive default messages issued by Telnet, HTTP, and general TCP servers
Hackertool.Multipurpose: Assists in spreading across network and cleaning up log files
Hackertool.Eventlog: Event log parser
Hacktool.Proxy.A: Creates a proxy connection to route traffic through intermediary node
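Backdoor.Jiripbot is listed above as carrying a fallback domain generation algorithm, but the report gives no detail about that algorithm. The following is an added example, not code from the report or from Raytheon, of a simple defender-side heuristic for spotting DGA-like names in DNS query logs: it flags a second-level label whose character entropy is high and whose vowel ratio is low. The log format, the sample log lines, and the thresholds are all constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the report). Assumed format per line:
# "<timestamp> <client_ip> <queried_domain>"
SAMPLE_DNS_LOG = """\
2015-08-07T10:01:02Z 10.0.0.15 www.example.com
2015-08-07T10:01:05Z 10.0.0.15 xk3jq9vbt7lmz0w.com
2015-08-07T10:01:09Z 10.0.0.15 mail.example.org
2015-08-07T10:01:12Z 10.0.0.15 qzvw8r2hpxn4gkd.net
2015-08-07T10:01:15Z 10.0.0.15 stackoverflow.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def second_level_label(domain):
    """Return the label left of the TLD (e.g. 'example' for 'www.example.com').
    Naive split: does not handle multi-part public suffixes such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label):
    """Fraction of alphabetic characters that are vowels; random labels tend to be low."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for ch in letters if ch in "aeiou") / len(letters)


def score_domain(domain, min_length=10, entropy_threshold=3.5, vowel_threshold=0.2):
    """Heuristic DGA check on the second-level label. The thresholds are assumed
    starting points for tuning, not values taken from the report."""
    label = second_level_label(domain)
    ent = shannon_entropy(label)
    vr = vowel_ratio(label)
    suspicious = (len(label) >= min_length
                  and ent >= entropy_threshold
                  and vr < vowel_threshold)
    return {"domain": domain, "label": label, "entropy": round(ent, 3),
            "vowel_ratio": round(vr, 3), "suspicious": suspicious}


def parse_dns_log(log_text):
    """Yield queried domains from the assumed three-field log format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[2]


def suspicious_domains(log_text):
    """Domains in the log whose second-level label looks machine-generated."""
    return [r["domain"] for r in map(score_domain, parse_dns_log(log_text))
            if r["suspicious"]]


if __name__ == "__main__":
    for result in map(score_domain, parse_dns_log(SAMPLE_DNS_LOG)):
        flag = "DGA-like" if result["suspicious"] else "ok"
        print(f'{result["domain"]:24} entropy={result["entropy"]:.3f} '
              f'vowels={result["vowel_ratio"]:.2f} {flag}')
```

The entropy check alone is not enough: a long legitimate name such as stackoverflow.com clears the 3.5-bit threshold, and only its normal vowel ratio keeps it from being flagged. In practice this heuristic is a triage filter to be combined with query volume per host and NXDOMAIN rates, since a host cycling through a fallback DGA typically produces a burst of failed lookups.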
(S//NF) In conclusion, this report details attacks using a since-patched vulnerability and other
well-known tools. As such, no PoC is recommended.
2.0 (U) Description of the Technique
(S//NF) No techniques are recommended for PoC development.
3.0 (U) Identification of Affected Applications
(U) Windows
4.0 (U) Related Techniques
(S//NF) Backdoor
5.0 (U) Configurable Parameters
(U) None
