Introduction

The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.

From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS.

The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.

Malware Assessment

Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally, Fysbis can install itself to a victim system with or without root privileges. This increases the options available to an adversary when it comes to selecting accounts for installation.

Summary information for the three binaries we analyzed follows:

MD5 364ff454dcf00420cff13a57bcb78467 SHA-256 8bca0031f3b691421cb15f9c6e71ce19335

5d2d8cf2b190438b6962761d0c6bb ssdeep 3072:n+1R4tREtGN4qyGCXdHPYK9l0H786

O26BmMAwyWMn/qwwiHNl:n+1R43QcIL

XdF0w6IBmMAwwCwwi Size 141.2 KB (144560 bytes) Type ELF 64-bit (stripped) Install as root /bin/rsyncd Root install desc synchronize and backup service Install as non-root ~/.config/dbus-notifier/dbus-inotifier Non-root install desc system service d-bus notifier C2 azureon-line[.]com (TCP/80) Usage Timeframe Late 2014

Table 1: Sample 1 – Late 2014 Sofacy 64-bit Fysbis

MD5 075b6695ab63f36af65f7ffd45cccd39 SHA-256 02c7cf55fd5c5809ce2dce56085ba43795f2

480423a4256537bfdfda0df85592 ssdeep 3072:9ZAxHANuat3WWFY9nqjwbuZf454U

NqRpROIDLHaSeWb3LGmPTrIW33HxIajF:

9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z Size 175.9 KB (180148 bytes) Type ELF 32-bit (stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 198.105.125[.]74 (TCP/80) Usage Timeframe Early 2015

Table 2: Sample 2 – Early 2015 Sofacy 32-bit Fysbis

MD5 e107c5c84ded6cd9391aede7f04d64c8 SHA-256 fd8b2ea9a2e8a67e4cb3904b49c789d57ed

9b1ce5bebfe54fe3d98214d6a0f61 ssdeep 6144:W/D5tpLWtr91gmaVy+mdckn6BCUd

c4mLc2B9:4D5Lqgkcj+ Size 314.4 KB (321902 bytes) Type ELF 64-bit (not stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 mozilla-plugins[.]com (TCP/80) Usage Timeframe Late 2015

Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis

Overall, these binaries are assessed as low sophistication, but effective. They epitomize the grudging reality that Advanced Persistent Threat (APT) actors often don’t require advanced means to affect their objectives. Rather, these actors more often than not hold their advanced malware and zero day exploits in reserve and employ just enough resources to meet their goals. It is only fair that defenders use any shortcuts or tricks at their disposal to shorten the amount of time it takes to assess threats. In other words, defenders should always look for ways to work smarter before they have to work harder.

Getting the Most Out of Strings

Binary strings alone revealed a good amount about these files, increasing the efficacy of activities such as static analysis categorization (e.g., Yara). One example of this is Fysbis installation and platform targeting information for the samples in Table 1 and Table 2.

Figure 1: Sofacy Fysbis installation and platform targeting found in strings

In this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux the malware is running. This is followed by a number of Linux shell command style commands related to the malware establishing persistence.

Another example of easily obtained information from these samples is capability based.

Figure 2: Sofacy Fysbis capability related leakage through strings

Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities. In addition to contributing to static analysis detections, this can be useful as a starting point for further incident response prioritization and qualification of the threat.

Symbolic Information Can Shorten Analysis Time

Interestingly, the most recent ELF 64-bit binary we analyzed (Table 3) was not stripped prior to delivery, which offered additional context in the form of symbolic information. Defenders more familiar with Windows Portable Executable (PE) binaries can equate this with compilation of a Debug version versus a Release version. For comparison, if we were to inspect Fysbis “RemoteShell” associated strings in one of the stripped variants, we would only see the following:

Figure 3: Sofacy Fysbis stripped binary string references to RemoteShell capability

Compare this with what is available from the non-stripped variant:

Figure 4: Sofacy Fysbis non-stripped binary strings referenes to RemoteShell capability

Little static analysis gifts like these can help to speed defender enumeration of capabilities and – more importantly – further contribute to correlation and detection across related samples.

Additionally, this latest sample demonstrated minor evolution of the threat, most notably in terms of obfuscation. Specifically, both samples in Table 1 and Table 2 leaked installation information in the clear within binary strings. This was not the case with the sample in Table 3. Taking a closer look at this non-stripped binary using a disassembler, the following corresponds to decoding malware installation information for a root-privilege account.

Figure 5: Assembly code view of Sample 3 installation decoding

In this case, the symbolic information hints at the method used for decoding, with references to mask, path, name, and info byte arrays.

Figure 6: Assembly view of Sample 3 root installation related byte arrays

As it turns out, the referenced byte mask is applied to the other byte arrays using a rolling double-XOR algorithm to construct malware installation paths, filenames, and descriptions for a Linux root account. Corresponding INSTALLUSER byte arrays exist, which facilitate the non-root installation for the trojan. The same masking method is also used by the binary to decode malware configuration C2 information, further showcasing how a little symbolic information can go a long way towards completeness and higher confidence in assessment of a malware sample.

If you would like to learn more about how Fysbis works, the samples analyzed remain fairly consistent with the sample analysis found here.

Infrastructure Analysis

As Unit 42 has discussed in depth in other blog articles, we have observed that adversaries in general are seemingly hesitant in changing their infrastructure. This may be due to not wanting to commit additional resources, or simply a matter of retaining familiarity for the sake of timeliness. In either case, we see the same type of behavior here with the Fysbis samples in use by Sofacy.

The oldest sample (Table 1), was found to beacon to the domain azureon-line[.]com, which had already been widely publicized as a known command and control domain for the Sofacy group. Using passive DNS, we can see that two of the original IPs this domain resolved to, 193.169.244[.]190 and 111.90.148[.]148 also mapped to a number of other domains that had been in use by the Sofacy group during that time period.

Figure 7: Sample 1 C2 resolutions

The first of the newer samples (Table 2), continues the trend and beacons to an IP also widely associated with the Sofacy group, 198.105.125[.]74. This IP has been mostly associated with the tool specifically known as CHOPSTICK, which can be read about here.

Figure 8: Sample 2 C2 resolutions

The newest sample (Table 3), introduces a previously unknown command and control beacon to mozilla-plugins[.]com. This activity aligns with the previously observed Sofacy group tactic of integrating legitimate company references into their infrastructure naming convention. Neither this new domain nor the IP it resolves to have been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign. Comparing this sample’s binary with the other two however, shows there are significant similarities on the code level as well as in terms of shared behavior.

Figure 9: Sample 3 C2 resolutions

Conclusion

Linux is used across business and home environments and appears in a variety of form factors. It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers. Linux is also at the foundation of Android devices and a number of other embedded systems. The value proposition of Linux – especially when it comes to its use in the enterprise – can be broken out into three perceived benefits: lower total cost of ownership (TCO), security, and feature set. While numbers and comparison alone can contribute to measurement of TCO and feature set, security requires further qualification. Expertise in the Linux platform is highly sought after across all industries for multiple disciplines, from system administration to big data analytics to incident response.

The majority of businesses still maintain Windows-heavy user environments where certain core infrastructure components also operate under Windows servers (e.g., Active Directory, SharePoint, etc.). This means, from a practical perspective, most of a business’s focus remains on supporting and protecting Windows assets. Linux remains a mystery to a number of enterprise IT specialists –most critically for network defenders. Identifying and qualifying potential incidents requires a familiarity with what constitutes normal operation in order to isolate anomalies. The same is true for any other asset in an environment, normal operation is entirely dependent on a given asset’s role / function in the enterprise.

Lack of expertise and visibility into non-Windows platforms combine in some environments to present significant risks against an organization’s security posture. As a recent caution, the Linux vulnerability described under CVE-2016-0728 further demonstrates the potential breadth of real-world risks to associated platforms. A natural extension of this exposure is increased targeting by both dedicated and opportunistic attackers across various malicious actor motivations. Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries. To mitigate associated risks requires tailored integration of the people, processes, and technology in support of prevention, monitoring, and detection within an environment.

Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are protected through our next-generation security platform:

IPS signature 14917 deployed to identify and prevent command and control activity

The C2 domains and files mentioned in this report are blocked in our Threat Prevention product.

Indicators