securelist-penquins_moonlit_maze2017

Penquin’s Moonlit Maze

by Costin Raiu, Daniel Moore, Juan Andres Guerrero-Saade, and Thomas Rid

2017-04-03

https://securelist.com/penquins-moonlit-maze/77883/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180254/Penquins_Moonlit_Maze_AppendixB.pdf
https://youtu.be/9RorL9y70GU

I read this article due to the connection with LOKI2, one of the more interesting bits of malware I have observed that works on Linux systems.

This article provides compelling links to the historic Moonlight Maze espionage campaign and the modern day Turla group.

A variant of LOKI2 was discovered and named “Penguin Turla”. Penguin Turla was originally misattributed as a cd00r variant.

Remark
Kaspersky
SecureList
GReAT
Moonlight Maze
cyberespionage
Turla - aka Snake, Uroburos, Venomous Bear, Krypton
waterhole attack
covert channel
deception
Agent.BTZ
Buckshot Yankee
exfiltration
Equation Group
Solaris
Penguin Turla
Phrack
cd00r by fx http://www.phenoelit.org/stuff/cd00r.c
static linked
libpcap
OpenSSL
Alhambra
daemon9
beachhead
artifacts/artefacts
backups
OPSEC/Operational Security
FBI
FSB
Pentagon
Department of Energy
NASA
HRTest
FOIA - Freedom of Information Act
SPARC
MIPS
IRIX
/var/tmp directory
hands-on-keyboard/operator-at-keyboard
binary tree
sniffer
logs/log files
Storm Cloud operation https://www.wsj.com/articles/SB993588688215931869 (aka Makers Mark/MM)
Wright Patterson Air Force Base
Air Force
Kelly Air Force Base
Army Research Lab
Naval Sea Systems Command
APT - Advanced Persistent Threat
Rise of the Machines book
samples
visibility
forensic evidence
dropper
hop (networking)
Scotland Yard
SunOS
EtherPeek
Karl Grindal
CGI - Common Gateway Interface
phf vulnerability – hxxp://server/cgi-bin/phf?Qalias=%ff/bin/cat%20/etc/passwd
solsniffer
telnet
pop3
ftp
rlogin
ICMP
spy_cli.c
pine email client
log wiper
Silicon Graphics - SGI
lateral movement
Moonlight Maze operators: Max, Iron, Rinat
BPF
SSLeay
NTP - Network Time Protocol
ntpd
trojanize

Samples

Moonlight Maze samples

YARA rules

Moonlight Maze YARA rules
