Sign up to our newsletter
This blog post describes details that we discovered during our analysis of malware that focuses on a specific country — Libya. The malware has existed since at least 2012, with threat actors using it for mass-spreading malware campaigns and for ongoing targeted attacks.
Despite the lack of sophistication of the technical details of the malware and its mechanisms for spreading, the threat actors have demonstrated ability to compromise governmental websites successfully. This, combined with its focus on a specific region, makes this threat interesting from the malware researchers’ perspective.
During our research we observed that for mass-spreading malware campaigns, these attackers tend to compromise profiles in social networks such as Facebook or Twitter and post links there that lead to malware downloads. Figure 1 demonstrates an example of a Facebook post from 2013. The post is written in Libyan Arabic and says that the Prime Minister has been captured twice, this time in a library. This short text message is followed by a link to a compromised governmental website that served malware at that time.
Figure 2 illustrates an example of a post with a malicious link by a Twitter user’s profile, which impersonates Saif Gaddafi‘s account.
In addition to mass-spreading campaigns, attackers are conducting targeted attacks by sending spear phishing emails with malicious attachments. In order to convince the intended victim to execute a malicious binary, standard social engineering tricks are implemented, such as MS Word and PDF icons of executables and double file extensions such as .pdf.exe in the filename. In some cases the malware may display a decoy document.
To help attackers to identify specific infections or attempts at infection, the malware contains a special text string that we name Campaign ID. Here is list of Campaign IDs that we identified during our research:
The malware is written using the .NET Framework; the source code is not obfuscated. Some samples of the malware contain PDB-paths that reveal the original name of the malware used by its authors and possible targets.
The malware is a classic information stealer Trojan that attempts to collect various information. It can be deployed in various configurations. The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software. In some cases the malware can download and execute third-party password recovery tools in order to try to collect saved passwords from installed applications.
Most of the analyzed samples of the malware use the SMTP protocol to exfiltrate data to specific email addresses. Figure 4 shows the decompiled function make_email_mozela, which is used by the malware to collect and send Mozilla Firefox profile files.
Since the code in the majority of the samples contains the same destination address, this suggests that the malware is used exclusively by one individual or group of people.
Alternatively, the malware can upload stolen information directly to its C&C server using HTTP communication.
As is evident in Figure 5, the malware connects to the worldconnection[.]ly server and uploads data using a PHP script. The domain name was registered in June 2016; the server used by the malware is located in Libya.
We analyzed a piece of malware that was active since at least 2012 in a specific region. The cyberthreat actors behind the malware used it for mass-spreading in the past and it should be noted that it is still being used in spearphishing attacks.
ESET detection names:
Author Anton Cherepanov, ESET