Lurk: Retracing the Group’s Five-Year Campaign
by Fyodor Yarochkin and Vladimir Kropotov (Senior Threat Researchers)
Fileless infections are exactly what their name says: infections that don’t involve malicious files being downloaded or written to the system’s disk. While fileless infections are not necessarily new or uncommon, they present a serious threat to enterprises and end users given their capability to escalate privileges and persist on a system of interest to an attacker—all while staying under the radar. For example, fileless infections have been incorporated in targeted bot delivery, and leveraged to deliver ransomware, infect point-of-sale (PoS) systems, and perpetrate click fraud. The key point of a fileless infection for the attacker is the ability to evaluate each compromised system and decide whether the infection process should proceed or vanish without a trace.
The cybercriminal group Lurk was one of the very first to effectively employ fileless infection techniques in large-scale attacks—techniques that arguably became staples for other malefactors. A typical Lurk infection used browser exploits to deliver non-persistent payloads to potential victims, probing the targets before deploying additional malware. The infection chain had numerous stages and was accomplished using bodiless/fileless exploit payloads executed in memory, without additional persistence mechanisms. No traces were left on affected systems, apart from files from the exploit process, if the target machine wasn’t interesting to the Lurk operators. This eponymous lurking behavior would earn them notoriety until their operations were stymied and the perpetrators arrested. Nine more suspected members of the group were arrested by Russia’s Ministry of Internal Affairs on February 8. Lurk was believed to have siphoned over $45 million from financial organizations, ultimately disrupting the victims’ operations, reputation, and bottom line.
How did Lurk evolve from a small clique of threat actors into a full-fledged cybercriminal group? What other mechanisms were they known for, which other cybercriminals then emulated? How did their operations shift from targeting Russian end users to banks and enterprises? Our observations of the group were based on code artifacts we analyzed, as well as on network traffic and URL patterns our intrusion detection systems monitored within several organizations in the Russian Internet segment during Lurk’s five-year campaign.
2011 to early 2012: Modest Beginnings?
Lurk’s web-based attacks were the first signs of their campaigns. The group had already implemented mechanisms to prevent AV detection. Requests made outside a chosen time period or from a source IP address that didn’t match their preferred distribution area, for example, would yield a redirect to a third-party site such as Google.
Lurk compromised systems by exploiting web browser vulnerabilities via drive-by download attacks. Malicious iframe content was injected into high-profile Russian websites, which then served as watering holes to attack unsuspecting end users. Malvertising and poisoning of content-serving application components, such as memcached cache poisoning, were also among their traffic redirection methods.
Stealth was already a fixture in their operations. Before additional malware was served to a victim, the victim machine was first verified and validated with a bodiless payload (executed in memory) that collected information from the compromised machine.
During this time we developed URL-based signatures and used them to detect Lurk-related network traffic. The signature pattern ^[A-Z0-9]{4}$ was particularly effective in detecting URL patterns employed by Lurk from 2011 to 2013. The average TTL (Time To Live, the period during which these signatures remained effective) was two to three months. The validity time of the signatures also allowed us to identify the group’s software upgrade cycles.
Lurk was most prolific during this period, with its series of URL redirection campaigns in Russia becoming more extensive. High-profile and high-volume websites were used as intermediate platforms for diverting unknowing visitors to their exploit kit, known as XXX.
Lurk also targeted programmatic advertising infrastructures to increase the scale of their operations. In February 2012, for example, the ad server of news agency RIA Novosti, ria[.]ru, was found serving iframe redirects to Lurk’s systems. The campaign delivered the actual payload only to a select range of IP addresses.
By August 2012, we were able to observe sequences of HTTP requests during and after infection, including command-and-control (C&C) communication from compromised machines. When 2014 rolled in, Lurk began exhibiting some patterns similar to those of the Angler exploit kit. For example, Lurk increasingly used indexm[.]html as their landing URL pattern; this would also shortly emerge in one of Angler’s payloads.
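As an added example (not code from the original post), the URL-signature matching described above, run over constructed proxy log lines: the four-character landing path pattern from the 2011-2013 period and the later indexm.html landing page are applied to the last path segment of each request, and a helper measures how long each signature kept firing, the TTL the text discusses. The log format and signature names are assumptions.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): "<date> <client IP> <method> <URL> <status>"
SAMPLE_PROXY_LOG = """\
2012-02-10 10.0.0.21 GET http://news.example/index.html 200
2012-02-10 10.0.0.22 GET http://cdn.example/AB12 200
2012-02-11 10.0.0.23 GET http://cdn.example/ab12 200
2012-04-20 10.0.0.24 GET http://cdn.example/Q9Z0 200
2012-04-22 10.0.0.25 GET http://cdn.example/AB123 404
2014-03-03 10.0.0.26 GET http://static.example/assets/indexm.html 200
""".splitlines()

# Signatures taken from the text; the names are ours. Matching is case-sensitive,
# exactly as the quoted pattern ^[A-Z0-9]{4}$ is.
URL_SIGNATURES = {
    "lurk-4char-path": re.compile(r"^[A-Z0-9]{4}$"),
    "lurk-indexm-landing": re.compile(r"^indexm\.html$"),
}

def last_path_segment(url):
    """Return the final path segment of a URL ('' for a bare host)."""
    return urlsplit(url).path.rsplit("/", 1)[-1]

def match_url_signatures(lines, signatures=URL_SIGNATURES):
    """Return (day, client, url, signature name) for every request whose
    last path segment matches one of the signatures."""
    hits = []
    for line in lines:
        day, client, _method, url, _status = line.split()
        segment = last_path_segment(url)
        for name, pattern in signatures.items():
            if pattern.match(segment):
                hits.append((date.fromisoformat(day), client, url, name))
    return hits

def signature_lifetimes(hits):
    """First and last day each signature fired. The gap between the two is
    the observed TTL of the signature against this traffic."""
    spans = {}
    for day, _client, _url, name in hits:
        first, last = spans.get(name, (day, day))
        spans[name] = (min(first, day), max(last, day))
    return spans
```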
Figure 1. Exploit loading sequence in ria[.]ru (February 2012)
Figure 2. [bg].ru (February 2012) found redirecting victims to Lurk’s exploit kit
Figure 3. Redirects to the Lurk landing page from the adfox[.]ru banner network
Figure 4. Malicious iframe content served by tks[.]ru (August 2013)
Lurk’s transition from plain web-browser-exploiting crooks to organized cybercriminals also stood out. Their operations grew in range and frequency. Serving criteria were modified often, and malicious payloads were updated often. While Lurk only exploited a certain set of browser vulnerabilities, the exploit code also changed frequently. Larger payloads (in number of bytes) typically translated to more functionality being embedded in them, while a smaller change indicated a repacked payload.
True to its name, Lurk developed techniques to evade sandbox-based detection. Aside from serving malicious content only once per IP address, the group limited the range of IP addresses to a subset of targets of interest. Payload execution was done in a multi-tier, chained style, and only components delivered at later stages had persistence mechanisms. The initial bodiless payload was designed to be triggered by the exploit kit shellcode, which performed routine checks on the infected machine. It would then call back to the group’s C&C server for the next stage, a Windows executable that, in turn, performed another analysis of the affected system and collected system information, such as installed software packages and their versions, operating system information, and so on. This information was sent back to the C&C server, which decided what to do next. This exhaustive scrutiny, along with the campaign’s objective, determined whether additional modules would be dropped onto the system.
Sourcing samples from this campaign was a challenge because the payload’s behavior was largely influenced by the environment where it was executed. Acquiring additional modules of the group’s malware, for example, was almost impractical if the exploit URLs were loaded in a sandboxed environment.
Malicious content was also often distributed during lunchtime (Moscow time zone), and in very short intervals. We surmise this was their way of hiding from automated scraping and sandbox detection. The geographical information of each visiting IP address was actively cross-checked against their regions of interest—Russia and the Commonwealth of Independent States (CIS). Exploits were also served with higher frequency on certain days of the week: Fridays, and days before public holidays.
Lurk’s infrastructure also exhibited new capabilities. Among them were distinct patterns in the HTTP requests and in the hosting providers used. Based on the hosting providers they used and the timing of their hosting migrations, we observed the group compromising websites of software distribution companies and tampering with their software installation files.
Their attacks also exploited a number of vulnerabilities, including authentication portal bypass flaws in programmatic ad servers, and flaws in web servers and other web components. The redirection mechanisms differed for each intermediate victim. Some involved ad banner networks or actual sites, while in others the website’s content-serving component was poisoned.
Figure 5. Lurk’s intermediate targets by year
2014 was a significant year in Lurk’s history. A number of high-profile intermediate victims were still at their fingertips, providing footholds into users’ systems. In a word, they were on a roll. Why not go global to turn a bigger profit?
Most of the domains Lurk used during this time were purchased from third-party resellers and paid for with WebMoney checks and other anonymous forms of payment available in Russia. The activities we observed indicated dry runs of malicious injections in banner networks outside Russia and the CIS. In April, we spotted Lurk using redirects via mail[.]ru, possibly through malicious injections into its ad server content. From June to September, Lurk’s landing pages hinted at the group migrating its infrastructure and readying a global campaign.
By the second half of the year, Lurk’s geographical distribution changed drastically. Russian/CIS-based targets were now sparser, and victims within .ru domains were manually probed. Lurk then launched a new URL pattern that served payloads round-the-clock, eschewing pre-filtering of IP address locations in favor of targeting global IP addresses. We observed systems from other countries connecting to IP addresses operated by Lurk, including Ukraine, the U.S., China, Taiwan, Norway, Australia, the United Kingdom, Japan, Sweden, Canada, Italy, and South Korea. We cannot confirm, however, whether these countries were actual Lurk targets.
While Lurk favored Java exploits, which were used extensively from 2011 to 2012, Flash/SWF content was later introduced. An obfuscated Flash file exploiting CVE-2013-5330 was spotted in December 2014. It was delivered only if the victim’s source IP address (and the time) met Lurk’s parameters—otherwise users received a 404 error response.
As mentioned earlier, the XXX Exploit Kit used by Lurk demonstrated several URL-serving patterns and fileless infection capabilities that would later be seen in Angler. By early 2015, the difference between Lurk’s and Angler’s activities began to blur—many of their patterns, exploit technologies, and distribution volumes overlapped. Correlation via hosting IP addresses wasn’t very helpful, because Lurk and Angler were often seen hosted on the same service providers. Lurk also employed dynamically generated domain names for their landing pages.
Lurk’s active compromise of financial institutions led to a series of inquiries that culminated in the arrest of over fifty individuals involved in its operations across Russia. The ripple effect led other cybercriminal groups to lie low for the rest of the year. Other exploit kits like Neutrino and Magnitude either shut down or went private. By then, Angler’s activities had already ceased. Coincidence? Based on the similarities between Angler’s and XXX’s exploit-serving URL patterns and malware delivery mechanisms (particularly their use of fileless infection), as well as their shared infrastructure, we can infer a correlation between their operations.
In a way, the rise and fall of Lurk also reflected the evolution of the threat landscape. We can only predict the constant development of seemingly novel and unforeseen mechanisms for evading traditional security systems, exacerbated by how quickly these can become commercially available to other bad guys. Unfortunately, Lurk is just one of many cybercriminal groups looking to profit from organizations and end users.
Lurk’s story demonstrates the aptitude of cybercriminals for homing in on specific victims and profiting from them. Whether spying for profit, pilfering credentials, emptying bank accounts, or misinforming an unknowing public, bad guys will progressively develop attacks that can neuter traditional defenses.
These threats pose greater challenges to security and IT administrators in terms of how their organization’s perimeter can be secured. A multilayered approach is key, along with security-minded practices: apply the latest patches, block malware-hosting sites, implement URL categorization, employ firewalls and IDSs, and foster a culture of security in the workplace. Defense in depth should also be considered—there are no silver bullets, no single network defense device that can deal with these threats.
End-user systems can serve as main gateways for attackers, which is why hardening them is critical. This includes whitelisting and monitoring suspicious applications and processes, as well as applying least-privilege principles on the systems. The attack surface—which can come in the form of software packages (including their extensions and plugins) that interact with untrusted components—must also be reduced. Unused browser plugins and any functionality that lets browsers execute third-party code should be investigated and disabled. In Lurk’s case, the group favored exploiting vulnerabilities in Flash and Java plugins for web browsers.
To mitigate intrusions, direct internet access from the organization’s internal network should be disabled, and users should be required to use application proxies instead when accessing external network resources. This should be especially enforced for the HTTP and HTTPS protocols that cybercriminals frequently leverage for their attacks. URLs and URL content (i.e. MIME types) should be stringently analyzed. Likewise, all executable content should be treated with a grain of salt—especially if it has been downloaded from unknown sources.
Continuously monitoring the network for spikes of suspicious behavior—or behavior that may at first appear benign—can also help detect intrusion attempts. For example, a significant number of machines within the organization’s network suddenly attempting to resolve and connect to a domain name never observed before can indicate a network infection or exploit. Network detection and endpoint security systems can also help notify system administrators and direct them to artifacts left by successful or failed exploit attempts.
End users must ultimately keep pace: regularly update the system, and take caution against random or socially engineered links from suspicious or spoofed emails and websites.
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats such as fileless infections and those that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from known and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.
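As an added example (not code from the original post), the detection this paragraph describes, run over constructed DNS resolver log lines: a domain absent from the resolver's baseline that several distinct internal hosts query within a short window is flagged. The log format, baseline set, window length and client threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (not real data): "<ISO time> <client IP> <queried domain>"
SAMPLE_DNS_LOG = """\
2014-08-15T12:01:05 10.0.0.11 example.com
2014-08-15T12:01:09 10.0.0.12 example.com
2014-08-15T12:02:10 10.0.0.11 never-seen-before.example
2014-08-15T12:02:14 10.0.0.12 never-seen-before.example
2014-08-15T12:02:20 10.0.0.13 never-seen-before.example
2014-08-15T12:02:31 10.0.0.14 never-seen-before.example
2014-08-15T12:40:00 10.0.0.15 other-new.example
""".splitlines()

# Domains the resolver had already seen before the observation window (constructed baseline).
KNOWN_DOMAINS = {"example.com"}

def parse_line(line):
    """Split one log line into (timestamp, client, normalized domain)."""
    ts, client, domain = line.split()
    return datetime.fromisoformat(ts), client, domain.lower().rstrip(".")

def find_new_domain_spikes(lines, known_domains, window=timedelta(minutes=5), min_clients=3):
    """Return {domain: peak distinct clients} for every domain not in the baseline
    that at least `min_clients` distinct hosts resolved within any `window`.
    A single host hitting a new domain is normal browsing; many hosts at once is
    the network-wide pattern the text describes."""
    events_by_domain = defaultdict(list)  # domain -> [(time, client)]
    for line in lines:
        ts, client, domain = parse_line(line)
        if domain in known_domains:
            continue
        events_by_domain[domain].append((ts, client))
    alerts = {}
    for domain, events in events_by_domain.items():
        events.sort()
        start = 0
        # Sliding window: keep events[start:end+1] within `window` of each other.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            clients = {c for _, c in events[start:end + 1]}
            if len(clients) >= min_clients:
                alerts[domain] = max(alerts.get(domain, 0), len(clients))
    return alerts
```

The baseline would normally be built from weeks of earlier resolver logs; domains that trip the alert are then candidates for the URL and artifact analysis mentioned in the text.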
A list of pertinent Indicators of Compromise (IoCs) can be found in this appendix.
Updated as of February 6, 2017, 10:05 PM (UTC-7):
We updated to include observed systems from other countries that connected to IP addresses operated by Lurk.
Updated as of February 9, 2017, 1:44 AM (UTC-7):
We updated to include the latest news about the arrests of suspected members of the group.