Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

XTunnel Malware Specifically Built for DNC Hack: Report

The XTunnel malware that was used by Russian APT threat actor Fancy Bear to penetrate the Democrat National Committee (DNC) network was specifically designed to work against this target, Invincea researchers say.

The XTunnel malware that was used by Russian APT threat actor Fancy Bear to penetrate the Democrat National Committee (DNC) network was specifically designed to work against this target, Invincea researchers say.

The attack was carried out in April this year, but was the second time a Russian threat actor targeted DNC, after another group going by the name of Cozy Bear managed to penetrate the network in the summer of 2015. The incidents were analyzed by Crowdstrike, after DNC employees started receiving alerts from Yahoo regarding their potential account compromises.

The researchers discovered that the Fancy Bear threat actor used the XTunnel malware for compromise purposes. After taking a closer look at the malware, Invincea discovered that the malware didn’t cluster with other known threats and says that it was likely a “purpose-built original piece of code” meant to target the DNC network specifically.

As it turns out, the XTunnel tool has several capabilities that allowed it to easily compromise the targeted network, including VPN-style capabilities and the use of encryption (it exchanges SSH keys, uses private encryption keys, compresses and decompresses data, etc.). The malware also supports access to locally stored passwords, and can access the LDAP server, researchers discovered.

What’s more, the threat is modular, meaning that it can download additional files when needed, and can also probe the network for open ports, PING hosts, and send and receive emails. The malware has many other capabilities, some of which are shared by legitimate programs, Invincea reveals.

Some of the most important functions of the tool, however, include the ability “to hook into system drivers, access the local LDAP server, access local passwords, use SSH, OpenSSL, search and replace local files, and of course be able to maintain a persistent connection to a pre-specified IP address, even if the host is behind a NATed firewall,” Invincea’s Pat Belcher explains.

As if these abilities weren’t enough, the threat was also found to be able to monitor keyboard and mouse movements, and even to access webcams and USB drives. “That is a lot of capabilities packed into a file that is less than 2 MB in size,” Belcher notes.

Another interesting aspect of XTunnel is that its code isn’t obfuscated, as most modern malware employs this technique to make analysis challenging. This piece of malware contains strings of code that appear to be transparently showing exactly what the binary is intended to do, “as if it were originally developed to be an open source tool to provide encrypted tunnel access to internet hosts,” the security researcher says.

The researchers also discovered that the hackers used a very old but reliable network module –associated with softphone and VoIP applications over a decade ago – to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT). Thus, the DNC didn’t have many options when it came to detecting the malware’s network activity, except to catch it “port knocking” on the inside of the firewall.

However, the security company notes that, since many organizations run a firewall configuration where inside host are allowed outbound without restrictions, this type of activity would have been almost impossible to detect if only logs were used. Even with restricted outbound access, XTunnel could have used ICMP or UDP protocols to connect to the Russian command and control server, Invincea says.

Related: FBI Investigating Democratic Party Email Hack: Official

Related: Pawn Storm Cyberspies Target German Ruling Party

Written By

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Cyberwarfare

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...