Details on Uzbekistan Government Malware: SandCat

Kaspersky has uncovered an Uzbeki hacking operation, mostly due to incompetence on the part of the government hackers.

The group's lax operational security includes using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky's antivirus software on machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development before it's deployed; and embedding a screenshot of one of its developer's machines in a test file, exposing a major attack platform as it was in development. The group's mistakes led Kaspersky to discover four zero-day exploits SandCat had purchased from third-party brokers to target victim machines, effectively rendering those exploits ineffective. And the mistakes not only allowed Kaspersky to track the Uzbek spy agency's activity but also the activity of other nation-state groups in Saudi Arabia and the United Arab Emirates who were using some of the same exploits SandCat was using.

Posted on October 11, 2019 at 6:14 AM • 24 Comments

Comments

RealFakeNews • October 11, 2019 7:02 AM

...so Kaspersky is spyware now?

Who develops malware on a system running anti-virus? Surely any self-respecting virus author would guess they MIGHT trigger their own AV heuristics or whatever during development?

Did they get a pop-up saying their own creation had been detected, or are these AV apps taking data that looks interesting without notifying the user?

Surely the user in this case would know their AV snagged a copy for "research purposes" when it detected it?

Knowing Kaspersky can be used for remote access, did they get the source code?

_shocked_ • October 11, 2019 7:04 AM

Is it only my impression that having a Kaspersky anti-virus program equals having a piece of pervasive surveillance software equipped with administrator rights in your system?

Ren • October 11, 2019 7:13 AM

I get wanting to test your malware against current antivirus software, but on the same internet connected machine. Reeks of laziness.

Erdem Memisyazici • October 11, 2019 7:23 AM

So 0-days patched. Two hidden actors revealed. I'd call that a win-win for the rest of the world. Thanks guys.

Clive Robinson • October 11, 2019 8:16 AM

@ ALL,

The behaviour of the Kaspersky AV software has been long known, the US Gov did drone on about it for long enough.

Also there was that unnamed person in the US who turned Kaspersky off, put malware from a US Gov entity they worked at on their machine, did a few things, but did not clean it up properly. When they turned Kaspersky back on it found what had not been cleaned up.

The US Gov got its panties right royally bunched over it at the time, which as the Kaspersky software was "doing as advertised" did make me laugh.

What Kaspersky will tell you if you ask is that you can permanently disable the "ET Phone Home" behaviour.

What the Kaspersky AV software does is at the end of the day considerably less than Google has put in Android and Microsoft has put in Win10 with neither of those allowing the consumer to turn off "Mothership Calls".

Plain and simple what has happened here is not Kaspersky AV being "Spyware" or sinister in any other way, but people not reading the documentation and not having an iota of OPsec knowledge.

Anyone else old enough to remember the Bob Morris Worm? Well back then people were talking about using isolated networks for testing what we now generically call "propagating malware" or "fire and forget" attacks.

Sometimes I wonder what on earth has gone wrong with the educational process in Information Security. None of this is new, and it's all well within living memory...

nobody • October 11, 2019 8:19 AM

@RealFakeNews

> ...so Kaspersky is spyware now?

I have Kaspersky running inside a VM that I use for different kinds of things. The Windows 7 OS running inside that VM has a simple password.

Some weeks back I registered an account with some website with the same password, and received a little prompt from Kaspersky telling me that it's not safe practice to use the same password for a website that I use for the OS.

Not sure if it was just using the hashes of the passwords somehow or if it does some other stuff with them.

Anders • October 11, 2019 10:10 AM

There's no way that one AV software can detect all the
0day exploiting attempts. There are so many variables.

This leads only to one conclusion - Kaspersky grabs
everything unknown, just in case. Real spyware.

MS • October 11, 2019 10:27 AM

@Anders and some of the others: maybe you could try reading the article Bruce has linked you to before spreading FUD about Kaspersky AV?

"In October 2018, researchers at Kaspersky stumbled across SandCat after discovering an already known piece of malware called Chainshot on a victim’s machine in the Middle East. Chainshot had been used by two other nation-state threat actors in the Middle East in the past—groups security researchers have attributed to the UAE and Saudi Arabia—but the malware in this case was using infrastructure not associated with either of these countries, suggesting it was a different group Kaspersky hadn’t seen before. SandCat was also using a zero-day exploit to install Chainshot.

As Kaspersky analyzed machines infected with the exploit and Chainshot, and began to dig into the group’s infrastructure that was tied to the infections, it ultimately led Kaspersky to discover three more zero days used by the same group each of which got essentially burned as the vulnerabilities they attacked got patched"

Anders • October 11, 2019 10:47 AM

@MS

READ! READ 10 times if you don't get it first time.

"I think we got one of those exploits before they even were able to use it,” Bartholomew said."

New 0day, brought from broker, arrived on USB, never tested.
How on EARTH that AV knew that this is suspicious? Again,
there is myriad of attack points on OS, kernel, drivers, user software, etc.
There's no way that one AV can cover them all.

RealFakeNews • October 11, 2019 11:12 AM

What @anders said.

They claim to have caught part of the in-development malware prior to completion.

This implies Kaspersky has more than the infected binary, read at execution...

Andy • October 11, 2019 2:29 PM

Read the article. SSS had Kaspersky on because they wanted to see if the payload would pass inspection. However they had telemetry turned on so everything they tested and failed was uploaded to Kaspersky. Including the content of a USB drive.

Clive Robinson • October 11, 2019 3:51 PM

@ All,

According to the Vice article, there was going to be a presentation on this at VB2019 in London,

    Brian Bartholomew, a researcher with Kaspersky’s Global Research and Analysis Team who will present his findings about SandCat today in London at the VirusBulletin conference.

It's not one of those conferences I attend, but I believe one of the regulars on this blog was presenting a paper[1].

There is the possibility they heard the presentation and can report what they heard back to this blog?

[1] https://t.co/m80dbaQkcE

For Real? • October 11, 2019 8:16 PM

Phineas Fisher ?

Really?!

Any relation to Fin Fisher?

https://www.finfisher.com/FinFisher/index.html

https://en.m.wikipedia.org/wiki/FinFisher

This sounds almost like an inside job to damage their own intelligence service. Loyalists to the president.

Many nations' intelligence services could learn from this.

Anything that passes through your keyboard to the OS pre encryption can be read easily — passwords or apple pie recipes. WiFi passwords, website passwords, etc...

It would take a specially designed keyboard to tokenize and obscure its output to the OS and anything with its hooks into it... anything with root or admin access granted through install.


Clive Robinson • October 12, 2019 5:09 AM

@ For Real?

> It would take a specially designed keyboard to tokenize and obscure its output to the OS and anything with its hooks into it... anything with root or admin access granted through install.

Whilst it might be a special keyboard, it's not technically difficult to do, and has already been done --poorly-- and available for sale.

Some wireless keyboards protect the individual key strokes with simple encryption to protect the "Over The Air" (OTA) interface from eavesdropping.

However they tend to use very weak encryption and decrypt the keystrokes back to plaintext in the receiver electronics.

There is no reason why they can not do the following,

1, Use stronger encryption.
2, Do the decryption inside the kernel with an appropriate device driver.

Neither upgrade would be difficult to do technically.

However I suspect that Microsoft might find reasons not to make the device driver available in a way they do for other external hardware devices.

Av user • October 13, 2019 5:03 AM

@all
Kaspersky getting a sample of malware is not spyware, it's normal and expected behavior. It's written when you accept the eula.
Microsoft windows defender does the same: check the options there is a default enabled "share suspicious samples with microsoft"
Literally every av does the same

Av user • October 13, 2019 5:13 AM

@all
Sorry for typo, i'm on mobile, i hate touch screen.
Since when an antivirus doing its job: *detecting malware* is considered spyware?
If i were you i would install kaspersky immediately knowing that it works so well!

Here is a link for turning off sample sharing with microsoft for windows defender (included in win10)
https://aboutdevice.com/turn-on-or-off-windows-defender-automatic-sample-submission/

I have never read what it means but i guess that it can be one of the two:
-any unknown exe (any exe they don't have a copy yet)
-any suspicious exe (so new but only if it call suspicious api)

When you read "cloud protection" you should read "sample sharing"

I really hate fud against kaspersky, i'm using since ages exactly because of articles like this, i use it because it works so damn well.

But obviously i turned off kaspersky sample sharing (and microsoft one too)
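
The Defender setting discussed in the comment above can also be read from PowerShell. This is an added example, not part of the original comment; the function name `Test-DefenderSampleSharing` and its `-Enforce` switch are assumptions made for the illustration, while `Get-MpPreference`, `Set-MpPreference` and the `SubmitSamplesConsent` and `MAPSReporting` values belong to the built-in Defender module.

```powershell
# Added example: report Microsoft Defender's sample-submission and cloud
# protection settings on a machine that holds in-house or NDA-covered code.
# Changing the setting requires an elevated session.
function Test-DefenderSampleSharing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical switch for this example: set consent to "Never send"
        # when automatic submission is currently enabled.
        [switch]$Enforce
    )

    # Meaning of the numeric values stored in the preference object.
    $consent = @{ 0 = 'Always prompt'; 1 = 'Send safe samples automatically'
                  2 = 'Never send';    3 = 'Send all samples automatically' }
    $maps    = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

    $pref = Get-MpPreference -ErrorAction Stop
    $c = [int]$pref.SubmitSamplesConsent
    $m = [int]$pref.MAPSReporting

    $report = [pscustomobject]@{
        SubmitSamplesConsent = "$c ($($consent[$c]))"
        MAPSReporting        = "$m ($($maps[$m]))"
        AutoSubmit           = ($c -in 1, 3)   # samples can leave without a prompt
        CloudLookups         = ($m -ne 0)      # cloud-delivered protection is on
    }

    if ($Enforce -and $report.AutoSubmit) {
        if ($PSCmdlet.ShouldProcess('Microsoft Defender',
                'Set SubmitSamplesConsent to 2 (Never send)')) {
            Set-MpPreference -SubmitSamplesConsent 2
        }
    }
    $report
}

Test-DefenderSampleSharing                      # report only
# Test-DefenderSampleSharing -Enforce -WhatIf   # preview the change
```

Settings managed by Group Policy take precedence over local preferences, so re-run the report after enforcing.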

Yolo • October 13, 2019 1:50 PM

> Since when an antivirus doing its job: *detecting malware* is considered spyware?

Well, the spyware part is sending any of *YOUR* files to others' computers (which are falsely called "cloud").

Should I always assume that detecting malware on my machine has (by design) to reveal any of my data or metadata to others?

It would be nice to have privacy-oriented, well-functioning AV software.
Any ideas/examples?

Av user • October 14, 2019 6:12 AM

@yolo
> It would be nice to have privacy-oriented, well-functioning AV software.
> Any ideas/examples?

Just disable the kaspersky cloud protection option. Same for microsoft antivirus (link above)

> sending any of *YOUR* files

It might send any of your exe but not files, and unless you are a (virus) programmer your programs are public anyway.
Like Bruce sometimes says, it's a tradeoff.
So it's up to you:
-have no antivirus
-have kaspersky or any other with the cloud protection/sample sharing off (i chose this)
-having kaspersky or any other av with sample sharing on

I turned it off because i sometimes make programs and i want that my programs are only mine. But no antivirus will upload your photos documents, they will check only exe

Clive Robinson • October 14, 2019 7:42 AM

@ AV User, Yolo,

> I turned it off because i sometimes make programs and i want that my programs are only mine. But no antivirus will upload your photos documents, they will check only exe

There are other reasons for turning it off.

Firstly whilst the programs may be publicly available thus "known" your use of them is usually not. As the likes of pharmaceutical researchers will tell you, a competitor even knowing what tools you use leaks information about your research activities.

But not all software is publicly known. Back more than a few decades nearly all programs were unique to their users. This did not mean that they were written by the users. Often they were written under contract and subject to Non Disclosure Agreements (NDAs) or similar confidentiality. The reason being that a "bespoke" or "custom tool" reveals much about its usage. With say a Banking Security program this obviously has significant implications.

But there is an important fact that people sometimes forget,

    Code = Data, Data = Code

That is what you think only as data can also be or contain code. This is especially true of interpreted languages, and worse still for interpreted languages that can be embedded in what you would otherwise consider data files.

PDF files and their predecessors Postscript files are actually code files with embedded data. The language in use "Postscript" is very similar to Forth. Being stack oriented languages and capable of creating new programming words on the fly, they are very "code dense" and "very flexible" whilst being easily implementable on almost any computer. Which makes them ideal for resource limited computers, which printers once were.

Microsoft decided that adding BASIC to Office as "macros" in its data files was a good idea, much to the disgust of one of its employees. We know this because they put a "proof of concept" virus using the macros on a Microsoft update CD...

Even more simple graphics files due to the need for compression suffer from this "interpreter" problem, and malware writers have used them to carry virus and other malware.

Further HTML is another interpreter mess not just in JavaScript but over half of HTML5.

Even compressed sound files suffer from the interpreter problem.

Thus as time goes on pure data files are heading for extinction and hybrid "Data + Code" very much the norm.

Thus to protect you from malware AV software has to look inside all your data files. Which means that if its heuristics find something suspicious then it will if allowed send them back to the mothership.

This has been known for a long time quite publicly at least going back into the last century.

In fact if you think about the way "Turing's Tape" worked even before the modern computer was invented. Even Charles Babbage realised this when he was thinking about his "mill" engine, thus back in the 1800's.

Dustin • October 14, 2019 9:02 AM

> It might send any of your exe
> but not files, and unless you
> are a (virus) programmer your
> programs are public anyway.

Programs which I use may be public, but the fact that I use this or that program can be very revealing about me. I would call it simply metadata collection.

Therefore we indeed need antivirus solutions that don't violate our privacy in any way.

Av user • October 14, 2019 10:59 AM

You are both right Clive and Dustin.
I turned them off for my explained reason, and while my program are all public (firefox thunderbird... Usual stuff) at work is not the same.
I know that knowing that metadata is a problem and knowing which program someone uses leaks data.
I just forgot to mention because in my use case it wasn't an issue.

Yes having a clear message "found unknown suspicious program? Would you like to upload so we can check it better?" would be a nice option instead of having random files copied
