{
  "Event": {
    "analysis": "2",
    "date": "2016-09-10",
    "extends_uuid": "",
    "info": "OSINT - The Dukes R&D Finds a New Anti-Analysis Technique",
    "publish_timestamp": "1473511519",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1473511326",
    "uuid": "57d3fee7-b838-4ac0-a575-4f45950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#3a7300",
        "local": false,
        "name": "circl:incident-classification=\"malware\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511176",
        "to_ids": false,
        "type": "comment",
        "uuid": "57d3ff08-6c70-44e0-9143-446d950d210f",
        "value": "Threat actors constantly hunt for evasion and anti-analysis techniques in order to increase the success rate of their attacks and to lengthen the duration of their access on a compromised system. In some cases, threat groups use techniques they find discussed on the Internet during their operations, such as the Office Test Persistence method that the Sofacy group found within a blog published in 2014. While analyzing a recent attack that occurred on August 10, 2016, we observed an interesting anti-analysis technique used by the Dukes threat group (aka APT29, CozyBear, Office Monkeys) that we had not seen in the past. The use of the anti-analysis technique that we will discuss in this blog confirms that this threat group continually researches new anti-analysis techniques."
      },
      {
        "category": "Payload delivery",
        "comment": "In an attack that occurred on August 10, 2016, the Dukes group used a malicious OLE file (XLS)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511204",
        "to_ids": true,
        "type": "sha256",
        "uuid": "57d3ff24-c69c-44af-a200-4183950d210f",
        "value": "23a8a6962851b4adb44e3c243a5b55cff70e26cb65642cc30700a3e62ef180ef"
      },
      {
        "category": "Payload delivery",
        "comment": "In an attack that occurred on August 10, 2016, the Dukes group used a malicious OLE file (XLS) - Xchecked via VT: 23a8a6962851b4adb44e3c243a5b55cff70e26cb65642cc30700a3e62ef180ef",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511214",
        "to_ids": true,
        "type": "sha1",
        "uuid": "57d3ff2e-833c-4b4f-9499-437602de0b81",
        "value": "881f621a249b3c0d97d109fff49068c5fbcfebed"
      },
      {
        "category": "Payload delivery",
        "comment": "In an attack that occurred on August 10, 2016, the Dukes group used a malicious OLE file (XLS) - Xchecked via VT: 23a8a6962851b4adb44e3c243a5b55cff70e26cb65642cc30700a3e62ef180ef",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511214",
        "to_ids": true,
        "type": "md5",
        "uuid": "57d3ff2e-d2f0-4ab1-ba3f-4a3d02de0b81",
        "value": "e1c383cc6aa2449f149e142433eff5e5"
      },
      {
        "category": "External analysis",
        "comment": "In an attack that occurred on August 10, 2016, the Dukes group used a malicious OLE file (XLS) - Xchecked via VT: 23a8a6962851b4adb44e3c243a5b55cff70e26cb65642cc30700a3e62ef180ef",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511214",
        "to_ids": false,
        "type": "link",
        "uuid": "57d3ff2e-9d18-4e08-9eb6-487a02de0b81",
        "value": "https://www.virustotal.com/file/23a8a6962851b4adb44e3c243a5b55cff70e26cb65642cc30700a3e62ef180ef/analysis/1473439654/"
      },
      {
        "category": "Artifacts dropped",
        "comment": "The malicious payload is a dynamic link library (DLL) that the macro saves to the following location",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511245",
        "to_ids": true,
        "type": "filename",
        "uuid": "57d3ff4d-cf44-4a72-8891-4356950d210f",
        "value": "%APPDATA%\\Adobe\\qpbqrx.dat"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1473511326",
        "to_ids": false,
        "type": "comment",
        "uuid": "57d3ff9e-db30-4dbf-bf05-42a9950d210f",
        "value": "Threat groups research new techniques to evade detection and increase the difficulty needed to analyze their payloads. Not all research is based on organic efforts within the threat group, as we can see from this incident that the group appears to obtain techniques from open sources on the Internet. In this case, the Dukes threat group knows that malware analysts tasked with reverse engineering their tools typically use the IDA disassembler. It appears this group looks for ways to evade analysis tools, specifically in this case by monitoring release notes from known malware analysis tools to deploy their own countermeasures. Let this be a reminder to those running older versions of IDA to update in order to keep up with the threat groups' anti-analysis techniques.\r\nWe will continue to provide details as appropriate about this incident and the involvement of the Dukes threat group, including our observations of overlap in targeted organizations and individuals, technique overlap with known Dukes tool HAMMERTOSS \u2014 specifically the use of images and steganography to download secondary payloads \u2014 and the use of compromised servers to host C2."
      }
    ]
  }
}