Thu. May 26th, 2022

FireEye report and what is in it:

This report confirms what we already knew – a major attack vector is coming from Russia.

Russia is attacking us and others (East European interests).

The first takeaway is the very targeted nature of an attack on a Georgian journalist covering the Caucasus.

The email claimed to originate from Reason Magazine “Caucas Issues Department”. {There is no Issues Department at Reason – an American magazine.}

The letter welcomed the individual as a contributor and requested topic ideas and identification information in order to establish him at the magazine. In the background, the decoy document installed a SOURFACE backdoor on the victim’s system.
So if the journalist was at all interested in this email, opening it would seem perfectly reasonable to him. The email was written in Russian and English.
It looks like the malware was written by skilled developers. The APT28 toolset includes the following pieces of code: SOURFACE is the downloader, EVILTOSS then performs reconnaissance and credential theft, and CHOPSTICK is a modular implant whose design indicates formal programming methods (code re-use, etc.).
One of the comments indicates that the software harvests local information in order to use local resources (email servers).
There are also difficulties built in for the reverse engineering folks (empty space inserted in a way that causes problems for disassemblers).
So the following diagram is a good attack vector diagram:
[Diagram: malware attack vector]
Notice the two points, in order: the phishing email into the organization, and then the C2 (Command and Control) communication.
Here are examples of the Sourface and Coreshell communications:
SOURFACE URL for a sample compiled April 2013:
http://[hostname]/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01
CORESHELL URL for a sample compiled April 2013:
http://[hostname]/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ==
Apparently April 2013 is important, as some changes occurred in the code around then.
The report’s conclusions indicate that defense organizations and various government entities were targeted, and that the developers were likely a Russian government entity.
My conclusion: a skilled developer can create an infrastructure which can control machines and pursue various goals.
We can always be attacked through a malicious email; malware arriving by email is likely always very high on the list of bad things that could happen to you.
The major point I would like to make is the attack vector from inside your network going out. Specifically, yes, the C2 traffic to the Internet:
[Diagram: internal network to C2 traffic]
The C2 traffic to the Internet should be stopped, and it can be if you develop good security policies.
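As an added illustration of that C2 egress point (and of the two beacon URLs quoted above), here is a small Python scanner that runs over a constructed proxy log, flags requests whose URLs look like the SOURFACE and CORESHELL samples, decodes the base64 token so an analyst can eyeball it, and checks whether a client keeps repeating the same request at a regular interval. This is example code written for this post, not FireEye’s or the author’s; the URL shapes are generalised from the two sample URLs only and are not a vendor signature, and the log lines, IP addresses and log format are all made up.

```python
"""Scan a proxy log for HTTP requests shaped like the SOURFACE/CORESHELL
beacon URLs quoted in the post, then look for periodic repeats.

Hypothetical detection logic written for this post. The URL patterns are
generalised from the two sample URLs only; they are not a vendor signature.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic): timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2013-04-12T09:14:02Z 10.0.5.23 GET http://news.example.com/index.html 200
2013-04-12T09:14:31Z 10.0.5.23 GET http://203.0.113.7/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01 200
2013-04-12T09:15:05Z 10.0.5.44 GET http://mail.example.com/owa/ 302
2013-04-12T09:20:31Z 10.0.5.23 GET http://203.0.113.7/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01 200
2013-04-12T09:21:10Z 10.0.5.61 GET http://198.51.100.9/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ== 200
2013-04-12T09:26:31Z 10.0.5.23 GET http://203.0.113.7/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01 200
2013-04-12T09:27:44Z 10.0.5.61 GET http://198.51.100.9/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ== 200
"""

# SOURFACE-style: /~user/cgi-bin/<name>.cgi?<WIN version token><8 hex chars>-NN_NN
SOURFACE_PATH = re.compile(r"/~[^/]+/cgi-bin/[^/]+\.cgi")
SOURFACE_QUERY = re.compile(r"WIN[A-Z0-9]+?[0-9a-f]{8}-\d{2}_\d{2}")
# CORESHELL-style: /~user/<name>.cgi?<single base64 token, no key=value form>
CORESHELL_PATH = re.compile(r"/~[^/]+/[^/]+\.cgi")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def classify_url(url):
    """Return (label, details) if the URL matches one of the beacon shapes, else None."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    if SOURFACE_PATH.fullmatch(path) and SOURFACE_QUERY.fullmatch(query):
        return "sourface-style", {"host": parts.hostname, "query": query}
    if (CORESHELL_PATH.fullmatch(path) and BASE64_TOKEN.fullmatch(query)
            and len(query) % 4 == 0):
        # Decode the token for the analyst; the example makes no claim about its meaning.
        decoded = base64.b64decode(query).decode("ascii", errors="replace")
        return "coreshell-style", {"host": parts.hostname, "decoded": decoded}
    return None


def parse_line(line):
    """Parse one line of the constructed log format into a dict."""
    ts, src, method, url, status = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "url": url, "status": int(status)}


def scan_proxy_log(text):
    """Return one hit dict per log line whose URL matches a beacon shape."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        match = classify_url(rec["url"])
        if match:
            label, details = match
            hits.append({**rec, "label": label, **details})
    return hits


def beacon_candidates(hits, tolerance_s=30):
    """Group hits by (client, host) and flag the pair as periodic when three or
    more requests recur at a near-constant interval (a simple beaconing heuristic)."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["src"], h["host"])].append(h["time"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(times) >= 3 and (max(gaps) - min(gaps)) <= tolerance_s
        summary[key] = {"count": len(times), "intervals_s": gaps, "periodic": periodic}
    return summary


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(h["time"], h["src"], h["label"], h["url"])
    for (src, host), info in beacon_candidates(found).items():
        print(f"{src} -> {host}: {info}")
```

Run against the constructed log, the scanner flags five requests; the client 10.0.5.23 is reported as periodic because it hits the same host every six minutes, while 10.0.5.61 has only two hits and is not. In practice the egress policy point from the post still comes first: if workstations can only reach the Internet through a proxy that logs every request, you have both the choke point to block this traffic and the log to run a check like this over.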
Contact me (Tony Zafiropoulos – 314-504-3974 // tonyz”@”fixvirus.com) to discuss this.

By zafirt