The hacker alleged to be behind the Georbot attack against the country of Georgia has been caught on camera, the nation’s CERT has said. The eventual outing of the accused botmaster was the result of Georgia CERT’s work, where they used his own malware against him.
In 2008, a string of DDoS attacks targeting Georgian financial and government websites preceded Russian military actions into the country. This led the public and the Georgian government to speculate that Russia has conducted the world’s first act of cyberwar – where physical military actions were coordinated with cyber activities. Four years later, the speculation remains.
Earlier this year, SecurityWeek reported on an ESET report (which CERT-Georgia helped draft) that discussed the use of a new type of malware, named Georbot. Georbot is an information stealing Trojan that was being used to target Georgian nationals. After further investigation, ESET researchers were able to gain access to the control panel of the botnet created with this malware, revealing the extent and the intent of this operation.
Amongst other activities, Georbot will try to steal documents and certificates, can create audio and video recordings and browse the local network for information. One unusual aspect is that it will also look for “Remote Desktop Configuration Files” that enables the people receiving these files to connect to the remote machines without using any exploit.
Georgia’s CERT started investigating the attack, and discovered that the malware was targeting specific keyword strings and document types, most related to NGO activities or linked to various government offices. Tracking those behind the attacks was difficult, as the C&C (command and control) servers would rotate soon after being discovered.
The investigation had shown that Georbot was a limited attack, and that it was targeting the nation directly. This is because only 390 systems were infected, and 70% of them were located in their own backyard. The malware itself had the ability to remain hidden from AV, and as it progressed from version 2.1 to 5.5, it was able to infect fully patched systems – suggesting the use of ZeroDay attack vectors.
Additional findings led them to assume that the Russian government was behind Georbot, as one of the sites used to control infected systems belongs to the RBN (Russian Business Network), and another domain linked to the RBN was written directly into the malware itself. Finally, a domain used to send malicious emails spreading Georbot was registered using the address of the FSB (Russia’s Secret Service / previously known as the KGB).
This is when Georgia CERT took matters in a different direction. They used the Georbot malware and infected a lab system. As expected, the attacker uploaded a specially created ZIP file named “Georgian-NATO Agreement” – which itself was another version of Georbot. Once the ZIP was accessed Georgia CERT now had control over the attacker’s system, because he had infected himself.
Tables turned, Georgia CERT was able to capture video of the attacker, and determine his location, ISP, and other identifying information. In addition, they obtained an email attachment where this person was giving instructions to someone on how to use Georbot and infect systems with it.
The 27-page report from Georgia CERT is an interesting read, but despite the clever methods used to track the alleged botmaster down, the links to Russia will remain circumstantial. These days, anyone online can claim to be anywhere at anytime. IP addresses and WHOIS records no longer serve as proof positive.
The entire report is available online here.