Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150904-273-FireEye - Window into Russian Cyber Ops
Raytheon Blackbird Technologies, Inc.
04 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This FireEye report focuses on APT28, a suspected Russian nation-state sponsored
attack group. The report spends most of its pages on attribution, making the case that the attacks
and tools used in a series of malware events starting in 2007 stem from the same Russian group.
There is very little technical detail on how the malware is installed or implemented. FireEye
seems to be impressed with the modular nature of the malware tools covered in this report, even
though modular malware architectures have become common over the past few years. What little
technical detail is provided in this report is contained in Appendices C, D, and E.
(S//NF) The attack tools covered in this report are:
SourFace/CoreShell - First-stage loader
Chopstick - RAT
OldBait - Credential harvester
(S//NF) SourFace, and its recently updated version CoreShell, is a downloader that retrieves a
second-stage RAT, Chopstick. CoreShell runs two threads: one beacons back to the command and
control (C2) server with collected information, and the other is responsible for downloading and
executing payloads from the C2 server. CoreShell uses HTTP as its communications protocol with
the C2 server, and the communications between CoreShell and its C2 server are Base64 encoded.
No other technical details on SourFace/CoreShell are provided.
(S//NF) Chopstick is the second-stage RAT downloaded by SourFace/CoreShell. Chopstick is a
modular RAT written in C++ and is capable of communicating with its C2 server via either
HTTP or SMTP. When first launched, Chopstick collects basic information about its victim
(Windows version, CPU architecture, Windows Firewall state, UAC configuration, IE settings,
and installed PSP products). Chopstick has been observed using the target organization's own
mail servers to exfiltrate data. After collecting the initial information about the target, Chopstick
creates a hidden file for temporary storage and creates a Windows mailslot. The Windows
mailslot could allow external binaries and other malware to write data to it. Chopstick is capable
of:
Screen capture
Capturing Windows focus events
Keylogging
Windows scraping
Unfortunately, no technical details on the implementation of any of these capabilities are provided.
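The report states that CoreShell's HTTP beacon carries collected information Base64 encoded and that Chopstick profiles the victim (Windows version, CPU architecture, firewall state, UAC) on first run. As an added example that is not part of the Raytheon or FireEye reports, the following Python triages constructed proxy log lines for Base64-shaped URL tokens that decode to such a host profile; the log format, the query-parameter layout and the marker list are assumptions, since the report gives no wire-format details.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed proxy log lines, "<client> <method> <url> <status>". The beacon layout
# (Base64 blob in a query value) is assumed; the report gives no wire-format details.
SAMPLE_PROFILE = "Windows 6.1|x86|Firewall=ON|UAC=1|IE=8"  # constructed host profile
SAMPLE_LOGS = [
    "10.0.0.5 GET http://c2.example.invalid/check.php?id="
    + base64.b64encode(SAMPLE_PROFILE.encode()).decode() + " 200",
    "10.0.0.9 GET http://cdn.example.com/js/app.min.js?v=1698742 200",
    # Valid Base64 with no host-profile fields: must not be flagged.
    "10.0.0.5 GET http://intranet.example.com/report?token="
    + base64.b64encode(b"session=42;user=jdoe").decode() + " 200",
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # Base64-shaped, 16+ chars
# Fields the report says Chopstick gathers on first run (matched lower-case).
HOST_PROFILE_MARKERS = ("windows", "x86", "x64", "amd64", "firewall", "uac")


def decode_b64_text(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


def b64_tokens(url):
    """Base64-shaped tokens from the path segments and query values of a URL."""
    parsed = urlparse(url)
    tokens = [seg for seg in parsed.path.split("/") if seg]
    # Split the query by hand: parse_qs turns '+' into a space and corrupts Base64.
    for pair in parsed.query.split("&"):
        value = pair.partition("=")[2]
        if value:
            tokens.append(value)
    return [t for t in tokens if B64_RE.match(t)]


def triage(log_lines):
    """One finding per request whose Base64 payload decodes to host-profile text."""
    findings = []
    for line in log_lines:
        client, _method, url, _status = line.split()
        for token in b64_tokens(url):
            text = decode_b64_text(token)
            hits = [m for m in HOST_PROFILE_MARKERS if text and m in text.lower()]
            if hits:
                findings.append({"client": client, "url": url,
                                 "decoded": text, "markers": hits})
    return findings
```

The intranet token shows why decoding alone is not a signal: plenty of legitimate Base64 travels in URLs, so the check keys on what the payload decodes to rather than on its shape.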
(S//NF) OldBait is a credential harvester that installs itself in
\\Application Data\Microsoft\MediaPlayer. Credentials for the following applications are collected:
Internet Explorer
Firefox
Eudora