Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked
On July 6, 2018, a post claiming to contain the source code of Carbanak group malware was published on a Russian-speaking underground forum. Soon after the code was shared on the Russian underground, it was uploaded by an unknown actor to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered that the malware is not one used by the Carbanak group but is instead the Ratopak/Pegasus spyware, used in attacks against Russian banks in 2016.
The Leaked Spyware
The leaked code of Ratopak/Pegasus is a tool set used to generate fraudulent payment requests. Its features include a remote access Trojan (RAT) used for credential harvesting, server message block (SMB) pipe communication, a module that intercepts KBR (a Russian payment system) data exchanges, and a modified version of the post-exploitation tool Mimikatz.
The leaked malware was eventually attributed to the Buhtrap group when researchers reviewed a code-signing certificate appearing in the binary code found in the data leak. The certificate was found to have been formerly used in an attack against Russian bank employees by the Buhtrap group in 2016.
Figure 1: The certificate found in the leaked files
Figure 2: Findings confirming the Pegasus malware connection to the Buhtrap group
Although the malware was ostensibly developed by the Buhtrap group, the group's members were arrested in Russia in 2016, so it is likely the malware was sold to a different cyber-criminal group after the key members of the group were apprehended. Since the malware supposedly changed hands, it is unclear whether the leaked data originated from a Buhtrap group member or from a cybercriminal group or individual threat actor who purchased the malware.
Analysis of the Leaked Data
The leaked data was stored in a password-protected archive called “group_ib_smart_boys.” The name suggests the threat actors are aware of the Group-IB security company’s success at detecting cyber-attacks against Russian banks, and demonstrates their attempt to challenge that achievement. The leaked archive consisted of a variety of files containing code written in programming languages ranging from Assembly to C++, along with documentation of tools and instructions collected as part of former operations. The data was organized within four folders – bck_check, cvs_check, gen_payments_script and Pegasus. While bck_check contained parsing logs and gen_payments_script contained a PHP script that generates credible fake metadata, the most interesting content was found in the other two folders.
Figure 3: The four folders comprising the leak
Figure 4: An example of the bank personnel information found in the leak
Among their malware resources, the group uses two relatively old Microsoft Windows server privilege escalation vulnerabilities (CVE-2015-0057 and CVE-2015-1701). Judging from a “To Do List” found in the leak, the threat actors were planning to implement scans into their malware, to avoid machines patched against the Microsoft Windows server vulnerabilities.
The Threat Actor Who Published the Leak
According to the media, the leak was published on an English-speaking forum on July 7, 2018, by an actor named FR3D. However, using our sources, we managed to detect an earlier publication of the leak in the Russian-speaking underground.
A threat actor named Bobby.Axelrod was the first to publish the leaked data on two different Russian-speaking underground forums on July 6, 2018. He appears to be the original source of the leak: he registered on both forums on the day of the publication and posted only twice. One post contained the links for downloading the materials. The other, titled “PIR Bank Lost 58 million Rubles in a Cyber-Attack,” referred to an attack in early July 2018 attributed to the MoneyTaker group, which operates against banks in the US, the UK, and Russia. This second post contains information regarding the AWS CBR (Automated Work Station Client of the Russian Central Bank). Based on these two posts, we assume this threat actor is linking the leak to the attack, claiming the leaked malware was used in this recent attack and attributing it to the MoneyTaker attack group.
The publication received numerous replies from forum members, most of them commenting on the sensitivity of the materials and speculating that they were most likely provided by insiders familiar with the Russian banking system. Since attacks against Russian banks are not welcomed on Russian underground forums, we witnessed very restrained replies to the publication. However, we believe that numerous threat actors will use the malware in future attacks, after modifying and upgrading it.
Author: Verint Cyber Threat Intelligence Research Team
Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis.
Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, to enhance resilience and prevent future attacks.