PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs

In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation's President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns. Volexity observed five different attack waves with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs). These e-mails came from a mix of attacker created Google Gmail accounts and what appears to be compromised e-mail accounts at Harvard's Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving  insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election's outcome being revised or rigged. The last attack claimed to be a link to a PDF download on "Why American Elections Are Flawed." Volexity believes a group it refers to as The Dukes (also known as APT29 or Cozy Bear) is responsible for post-election attack activity.

Background

Since August of this year, Volexity has been actively involved in investigating and tracking several attack campaigns from the Dukes. Most notably the Dukes have previously been tied to the breach of the Democratic National Committee (DNC) and intrusions into multiple high-profile United States Government organizations. In July 2015, the Dukes started heavily targeting  think tanks and NGOs. This represented a fairly significant shift in the group's previous operations and one that continued in the lead up to and immediately after the 2016 United States Presidential election.

On August 10, 2016 and August 25, 2016, the Dukes launched several waves of highly targeted spear phishing attacks against several U.S.-based think tanks and NGOs. These spear phishing messages were spoofed and made to appear to have been sent from real individuals at well-known think tanks in the United States and Europe. These August waves of attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS),  the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR).

The Dukes are known for launching their attacks by sending links to ZIP files, that contain malicious executables, hosted on legitimate compromised web servers. However, each of the e-mail messages from the August attacks contained a Microsoft Office Word (.doc) or Excel (.xls) attachment. These attachments, when viewed, contained legitimate report content from each of the organizations they appeared to have been sent from. However, the attackers inserted macros into the documents designed to install a malware downloader on the system. Successful exploitation would result in the download of a PNG image file from a compromised webserver. These attack campaigns leveraged steganography in the PNG files by hiding components of a backdoor that would exist only in memory after being loaded into rundll32.exe. Volexity has dubbed this backdoor PowerDuke. Similar attack campaigns using documents with macros dropping PowerDuke were further observed through October, where Universities, and not think tanks appear to have been the primary targets. Details of these attacks have been provided to Volexity customers. Concerned NGO's and Universities that may have been targeted by these attacks campaigns are welcome to reach out for additional details.

November 9 - Post-Election Spear Phishing Waves

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves were slightly different from one another and are detailed below.

Attack Wave 1: eFax - The "Shocking" Truth About Election Rigging

The first attack wave is similar to much older attacks from the Dukes that purport to be an electronic Fax. This message claims to have been sent from Secure Fax Corp. and has a link to a ZIP file that contains a Microsoft shortcut file (.LNK). This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. The e-mail message was sent from the attacker controlled e-mail account [email protected]. The screen shot below shows the e-mail that was sent.

cozy-efax-link

The e-mail contained links pointing to the following URL:

hxxp://efax.pfdweek[.]com/eFax/message0236.ZIP

Inside of this password (1854) protected ZIP file is a Microsoft shortcut file named:

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Note that pfdweek[.]com appears to be under the control of the attackers but may be a hijacked domain.

Details on each of the files are included below.

Filename: message0236.ZIP
File size: 643843 bytes
MD5 hash: bea0a6f069bd547db685698bc9f9d25a
SHA1 hash: ee09bec09388338134d47fa993d5e0f86efe5bd4
Notes: Password protected ZIP file containing malicious Microsoft shortcut file (37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk)

Filename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
File size: 724003 bytes
MD5 hash: c272aebc661c54cc960ba9a4a3578952
SHA1 hash: 52d62213c66a603e33dab326bf4fa29d6ac681c4
Notes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.

Filename: kxwn.lock
File size:  10752 bytes
MD5 hash: 28b95a2c399e60ee535c32e73860fbea
SHA1 hash: bf4ce67b6e745e26fcf3a2d41938a9dff1395076
Notes: Primary PowerDuke backdoor (DLL) loader (leverages kxwn.lock:schemas) dropped to "%APPDATA\Roaming\Microsoft\" with persistence via HKCU Run Key "WebCache" (rundll32.exe %APPDATA\Roaming\Microsoft\kxwn.lock , #2). Connects directly to 173.243.80.6:443 for command and control.

Filename: kxwn.lock:schemas
File size:  609853 bytes
MD5 hash: 4e1dec16d58ba5f4196f6a76a0bca75c
SHA1 hash: a7c43d7895ecef2b6306fb00972c321060753361
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 2: eFax - Elections Outcome Could Be revised [Facts of Elections Fraud]

The second attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The Macros contain several anti-VM checks designed to avoid executing in virtualized environments. The e-mail message was sent from the attacker controlled e-mail account [email protected].

The screen shot below shows the e-mail that was sent.

cozy-efax-docDetails on the malware components of this attack wave are included below.

Filename: election-headlines-FTE2016.docm
File size: 835072 bytes
MD5 hash: a8e700492e113f73558131d94bc9ae2f
SHA1 hash: b5684384c8028f0324ed7119f6abf379f2789970
Notes: Document containing malicious macro that drops

Filename: fywhx.dll
File size: 10752 bytes
MD5 hash: ad6723f61e10aefd9688b29b474a9323
SHA1 hash: dd766876b3be5022bfb062f454f878abfbc670b8
Notes: PowerDuke backdoor file dropped to "%APPDATA\Roaming\HP\" with persistence via HKCU Run Key "ToolboxFX" (rundll32.exe %APPDATA\Roaming\HP\fywhx.dll #2). Connects directly to 185.132.124.43:443 for command and control.

Filename: fywhx.dll:schemas
File size:  608854 bytes
MD5 hash: 8c53ee9137a7d540fcff0d523f7d0822
SHA1 hash: ab32c09c46e0c9dbc576fefee68e5a2f57e0482e
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 3: Why American Elections Are Flawed

Volexity believes the following e-mail received the widest distribution among the targeted organizations. The e-mail purports to have been sent from Harvard's "PDF Mobile Service" or "PFD Mobile Service". The spelling of this non-existent service is inconsistent in the e-mail.  The latter spelling appears to be a typographical error that is consistent with the domain names registered by the attackers. The screen shot below shows the e-mail that was sent.

coz-link1The e-mail contained links pointing to the following URL:

hxxp://efax.pfdresearch[.]org/eFax/RWP_16-038_Norris.ZIP

Inside of this password (8734) protected ZIP file is an executable named:

RWP16-038_Norris.exe

Note that pfdresearch[.]org appears to be under the control of the attackers but may be a hijacked domain.

Details on the malware components of this attack wave are included below.

Filename: RWP_16-038_Norris.ZIP
File size: 854996 bytes
MD5 hash: 8b3050a95e3ce00424b85f6e9cc3ccec
SHA1 hash: d5dcf445830c54af145c0dfeaebf28f8ec780eb5
Notes: Password protected ZIP file with malicious executable inside (RWP16-038_Norris.exe).

Filename: RWP16-038_Norris.exe
File size: 1144832 bytes
MD5 hash: 3335f0461e5472803f4b19b706eaf4b5
SHA1 hash: 5cc807f80f14bc4a1d6036865e50d576200dfd2e
Notes: Dropper for PowerDuke backdoor and clean decoy document

Filename: gwV46iIc.idx
File size:  10752 bytes
MD5 hash: ae997d2047705ff46a0c228f7b5d7052
SHA1 hash: 1067ddd5615518e0cbac7389a024b32f119a3229
Notes: Primary PowerDuke backdoor (DLL) loader (leverages gwV46iIc.idx:schemas) dropped to "%APPDATA\Roaming\Apple\" with persistence via HKCU Run Key "ConnectionCenter" (rundll32.exe %APPDATA\Roaming\Apple\gwV46iIc.idx, #2). Connects directly to 185.124.86.121:443 for command and control.

Filename: gwV46iIc.idx:schemas
File size:  580968 bytes
MD5 hash: 7b9b51cb44cd6a7af1cd28faeeda04a7
SHA1 hash: e3bd7bdfe0026cf4ee39fd75a771eac52ffea095
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 4: Clinton Foundation FYI #1

The fourth attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The Macros contain several anti-VM checks designed to avoid executing in virtualized environments. The screen shot below shows the e-mail that was sent.

cozy-doc

coz-doc-bottom

Details on the malware components of this attack wave are included below.

Filename: harvard-iop-fall-2016-poll.doc
File size: 2808832 bytes
MD5 hash: ead48f15ebc088384a4bd6190c2343fa
SHA1 hash: 0b9dccfcb2cc8bced343b9d930e475f1d0e5d966
Notes: Document containing malicious macro that drops impku.dat and impku.dat:shemas.

Filename:  impku.dat
File size: 10752 bytes
MD5 hash: 9f420779c90e118a0b5fd904380878a1
SHA1 hash: 11523d859e9a818c2628d7954502cbdb5eeb2199
Notes: PowerDuke backdoor file dropped to "%APPDATA\Roaming\Dell\" with persistence via HKCU Run Key "Communicator" (rundll32.exe %APPDATA\Roaming\Dell\impku.idat, #2). Connects directly to 185.26.144.109:443 for command and control.

Filename: impku.dat:schemas
File size:  608854 bytes
MD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892
SHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 5: Clinton Foundation FYI #2

The fifth attack wave that Volexity observed once against leveraged a download link and a new domain that appears to be under control of the attackers. The link in the e-mail points to a ZIP file that has a Microsoft shortcut file (.LNK) inside of it. This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. Like Attack Wave #3, this e-mail message also purported to be forwarded from Laura Graham at the Clinton Foundation. The message body contained dozens of e-mail addresses to which the message originally claims to have been sent, with organizations similar to Attack Wave #3. The e-mail message from this attack wave, with identifying information removed, is shown below.

cozy-link2cozy-link2-bottom

As seen in the screen shot above, the e-mail contained links pointing to the following URL:

hxxp://efax.pfdregistry[.]net/eFax/37486.ZIP

Inside of this password (6190) protected ZIP file a Microsoft Shortcut file named:

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Note that pfdregistry[.]net appears to be under the control of the attackers but may be a hijacked domain.

Details on the malware components of this attack wave are included below.

Filename: 37486.ZIP
File size: 580688 bytes
MD5 hash: f79caf27a99c091e6c1775b306993341
SHA1 hash: a76c02c067eae26d78f4b494274dfa6aedc6fa7a
Notes: Password protected ZIP file containing malicious Microsoft shortcut file 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk.

Filename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
File size: 661782 bytes
MD5 hash: f713d5df826c6051e65f995e57d6817d
SHA1 hash: 68ce4c0324f03976247ff48803a7d988f9f9f43f
Notes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.

Filename: hqwhbr.lck
File size: 10752 bytes
MD5 hash: 57c627d68e156676d08bfc0829b94331
SHA1 hash: 4bcbf078a78ba0e842f78963ba9dd71240ab6a6d
Notes: PowerDuke backdoor file dropped to "%APPDATA\Roaming\Skype\" with persistence via HKCU Run Key "IAStorIcon" (rundll32.exe %APPDATA\Roaming\Apple\hqwhbr.lck, #2).  Connects directly to 177.10.96.30:443 for command and control.

Filename: hqwhbr.lck:schemas
File size: 547636 bytes
MD5 hash: cbf96820dc74a50a91b2b8b94376682a
SHA1 hash: 5f105801a1abb398dadc756480713f9bd7a4aa73
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

The PowerDuke Backdoor

The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.

A previous analysis of PowerDuke showed it supported the following commands.

comp get the NetBIOS name via GetComputerNameEx
domain get the computer's domain via NetWkstaGetInfo
drives get logical drives, drive type, free space, serial number, etc.
fsize get the size of a file via GetFileAttributesExW or failing that, by mapping the file and getting the size
kill stop a process via TerminateProcess
memstat get memory usage status via GlobalMemoryStatusEx, total RAM, percent used, etc.
osdate get the time the machine was built (via InstallDate registry key)
osver get OS info via registry, such as ProductName, CurrentBuild, CurrentVersion, CSDBuildNumber, etc.
pslist list processes via CreateToolhelp32Snapshot
pwd get current directory via GetCurrentDirectoryW
run start a process via CreateProcessW
# runs cmd.exe /c and gets the output via Named Pipe and sends the data back
siduser gets the current user's SID via GetTokenInformation and LookupAccountSidW
time the time + timezone (GetLocalTime and GetTimeZoneInformation)
uptime number of seconds since the last boot
user the user's name via GetUserNameExW
wipe writes random data across a file, then deletes the file
wnd gets the text of the current foreground window
fgetp download file
fputp upload file
power reboot or shutdown (via previously loaded PowrProf.dll)
cdt change to temporary directory
reqdelay sleep for specified time

Volexity has not fully examined the PowerDuke instances from these campaigns but has noted the malware appears to support the following additional commands not described above:

  • sidcomp
  • buzy
  • exit
  • copy
  • detectav
  • mkdir
  • software
  • shlist
  • shinfo
  • shdel
  • shadd
  • setpng
  • conn
  • setsrv

Volexity may update this post following further PowerDuke analysis.

Network Indicators

Below are network indicators associated with download URLs for the aforementioned Dukes attack campaigns.

Hostname IP Address ASN Information
efax.pfdresearch.org 81.82.196.162 6848 | 81.82.0.0/15 | TELENET | BE | telenet.be | Telenet Operaties N.V.
efax.pfdregistry.net 65.15.88.243 7018 | 65.15.64.0/19 | ATT-INTERNET4 | US | bellsouth.net | Bellsouth.net Inc.
efax.pfdweek.com 84.206.44.194 31581 | 84.206.0.0/16 | KOPINT | HU | ekg.kopdat.hu | National Infocommunications Service Company Limited by Shares

Below are network indicators associated with command and control servers for the aforementioned Dukes attack campaigns.

IP Address ASN Information
185.124.86.121 43260 | 185.124.86.0/24 | DGN | TR | - | -
185.132.124.43 43260 | 185.132.124.0/24 | DGN | TR | - | -
185.26.144.109 60721 | 185.26.144.0/24 | BURSABIL | TR | bursabil.com.tr | Bursabil Konfeksiyon Tekstil Bilisim Teknoloji insaat Sanayi ve Ticaret Limited Sirketi
173.243.80.6 14979 | 173.243.80.0/24 | AERONET-WIRELESS | PR | aeronetpr.com | Aeronet Wireless
177.10.96.30 262848 | 177.10.96.0/21 | Naja | BR | najatel.com.br | Naja Telecomunicacoes Ltda.

 

Conclusion

The Dukes continue to launch well-crafted and clever attack campaigns. They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels. The group's anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure. This combined with their use of steganography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.

Follow us on Twitter: @Volexity, @stevenadair, @5ck, @imhlv2, @attrc