Threat Management, Malware

Bachosens trojan: Lone wolf after big game, Symantec report

A lone-wolf hacker is going after big game, albeit to little reward, according to a post on Symantec's Security Response blog.

While the Symantec Security Response researchers who analyzed the attack campaign concluded that the hacker was highly sophisticated – his code bears similarities to malware put in play by nation-state actors – and his tragets were significant in scale, he only eked out a meager living from his criminal exploits and, ultimately, lacked the expertise to avoid detection.

The lone wolf attacker, dubbed Igor, was seen deploying advanced malware in highly targeted cyberattacks against specific large enterprises, the Symantec researchers wrote.

The malware tool Igor crafted, Trojan.Bachosens, opened backdoors on compromised computers and siphoned out information. It also is capable of downloading potentially malicious files. 

His exploits afforded him access to at least two large enterprises, an international airline and a Chinese auto-tech company. Similar to strategies used by nation-state actors, he used spear-phishing emails, Symantec believed, to load his malware onto the systems.

In the case of the auto firm, Igor stole car diagnostic software, which he was observed selling on underground forums and his own site for a highly discounted price. This activity might be traced back as far as 2009, although Symantec initially detected the use of Bacherons in 2014. After the Symantec researchers confirmed links between the domains revealed in Igor's postings – including sightings of unauthorized sales, variants of keyloggers, evidence of Bachosens, phishing emails containing Bachosens and malware infections –  they concluded that the malware author has been active for at least 10 years.

Traces of the trojan were also spotted on the system of a large commercial airline and in an online gambling operation. In these cases, however, the researchers could not discern to what end, although they are certain it was planted by Igor.

While the researchers hypothesize that the sophisticated malware may have simply been purchased, rather than developed by Igor, ultimately, they said, because no other bad actor has been observed using this malware, the conclusion must be that Igor, in fact, did craft it himself.

What distinguishes Igor's technique is the use of "rarely used" covert communication channels, such as DNS, ICMP and HTTP to link with a command-and-control server, Symantec wrote. He also encrypts data siphoned from his victims as its sent to the C&C server, "with the malware programmed to create a set of ephemeral AES keys to encrypt the data before sending it."

He further obfuscates his action by transmitting via IPv6, tougher to detect than if sent via IPv4.

However, Igor messed up and drew the attention of investigators after he submitted some of his malware samples to a tester. He also left traces of his identity by posting personal information on a public auto marketplace forum, where he was selling his stolen software using his name.

Symantec investigation into his identity revealed that Igor is likely located in the town of Tiraspol, the second largest city in Moldova. This is disputed territory as the area has also been self-declared as the republic of Transnistria, not yet recognized by the U.N. In any case, the dominant language here is Russian – Russian language strings were detected in Igor's Bachosens malware and size suffixes were indicated with Russian terminology – further evidence that Igor is a Russian speaker, the Symantec team wrote.

His location in the remote area also explained his meager recoup, Symantec added. "The discovery that all of the attacker's complex coding was for such small financial gain in reselling stolen automotive diagnostic tools was very surprising," Jon DiMaggio, a senior threat intelligence analyst on the Symantec Security Response team, wrote on a company blog detailing his team's investigation.

Igor has been conducting these operations for almost a decade and the Bachosens backdoor was only developed in December 2013, Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response, told SC Media on Wednesday. "We are looking at his previous tactics and believe we are close to validating his malware from earlier campaigns and will have more info on that comparison soon."

However, DiMaggio said he could tell SC that from the first iteration of Bachosens the developer changed the coding to use a Domain Generating Algoritm (DGA) to create the command and control infrastructure used by the malware. "In the first iteration the malware was seen using infrastructure created by the attacker to spoof the targets domain. There may be some additional developments on the technical side, but from a capability and deception perspective this is the biggest change." 

The trojan itself is delivered via phishing emails, which is not a new tactic, DiMaggio said. "The mechanisms that take place after it is in the targets' environment is where this malware stands out among the other 99 percent of malicious binaries we see every day." 

The interesting aspect of the malware that made analyzing and detecting more difficult, said DiMaggio, is the malware's communication method in beginning the communication cycle over DNS, and then switching to ICMP, and finally transmitting over HTTP. "While HTTP is not new, I have only seen malware use these covert communication channels by a cyberespionage group publicly known as the Equation group." 

What it comes down to in the final analysis, said DiMaggio, is that Igor likely studies espionage malware and keeps up with news on publicly known nation-state attackers. "The specific use of these covert channels seen in Igor's malware has been observed previously in malware developed by the Equation group." 

DiMaggio emphasized that there is no relationship whatsoever between the Equation group or Igor's malware itself. "However, Igor clearly took a page from the espionage group's playbook."

Igor missed his calling as a malware developer or espionage hacker, DiMaggio told SC. "If his malware was used by an attacker with greater aspirations than meager financial gain, a lot more damage could have been done."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.