The Ajax group began in 2010 with website defacement attacks, but its activity had escalated to cyber espionage by 2013. The group’s C&C infrastructure was set to Iran Standard Time and used the Persian language. The Ajax team consists of 5-10 members, and it is unclear whether the group is part of a larger movement such as the Iranian Cyber Army. The group may have been founded by members using the monikers “HUrr!c4nE!” and “Cair3x.” The Ajax group uses custom malware but does not leverage software exploits; this lack of exploits suggests that the group is more likely a patriotic hacktivist group than a state-sponsored threat. Names associated with the Ajax group include Ajax Team, Ajax Security Team, Operation Flying Kitten and Operation Saffron Rose.

The Ajax group, which may be part of the Iranian Cyber Army, primarily targets United States defense contractors, firms that developed technologies to bypass Iranian censorship, and Iranian dissidents. The group has also participated in attacks against Israel alongside the Anonymous collective.

The group tries to lure victims into revealing login credentials or installing malware themselves through basic social engineering rather than software exploits. These social engineering attacks are delivered through email, instant messages, private messages on social media, fake login pages, and anti-censorship software pre-loaded with malware. Past messages have directed targets to a fake login or conference page that spoofs a legitimate organization or application and collects the user’s login credentials. After logging in, the user is redirected to a second page claiming that the browser is missing a plugin or that proxy software must be installed; the offered download is the malware. In some cases the messages send the user straight to that second page. Iranian Internet Service Providers (ISPs) block “unacceptable content” such as pornography and sources of political dissent, so circumvention tools are in demand; the Ajax team has been infecting anti-censorship software such as Psiphon and Ultrasurf with malware and redistributing it.

The Ajax team relies on the Stealer malware, which consists of a backdoor and supporting tools. One tool lets the attackers create new backdoors and bind them to legitimate applications. Stealer collects system data, logs keystrokes, grabs screenshots, harvests credentials, cookies, plugin information and bookmarks from major browsers, and collects email and instant messenger account details along with any saved conversations. Stealer also has components that acquire Remote Desktop Protocol (RDP) accounts from the Windows Vault and collect user browsing history. Collected data is encrypted with AES-256 using a hardcoded key and then exfiltrated over FTP by a built-in client (AppTransferWiz.dll).

A new version of the Stealer malware, dubbed Sayad, surfaced in July 2014. The variant includes a dropper called Binder and new communication modules that allow it to exfiltrate data using HTTP POST requests. Binder checks the .NET runtime version on the target machine and drops the build of the malware that matches it. The malware is now more modular and contains development files suggesting a planned capability to exfiltrate files from the target system.

Sometime between 2008 and 2012, EQUATIONDRUG appears to have been phased out in favor of the GRAYFISH malware platform. GRAYFISH is the most sophisticated Equation Group malware platform discovered. Once the installer is delivered via TRIPLEFANTASY, a GRAYFISH bootkit is written into the operating system’s registry. When a computer powers on, the operating system code executes (boots up) and brings up the bulk of the system’s functionality; on an infected system, GRAYFISH injects code into the boot record so that it controls every stage of the Windows launch process. GRAYFISH itself, its virtual file system, its stolen information, and its functional modules are all stored in the registry. Because everything lives in the registry and GRAYFISH and its modules are dynamically decrypted and executed by the bootkit, no malicious executables are present in the user’s filesystem, so the user cannot detect GRAYFISH with traditional anti-malware tools. During boot, GRAYFISH works through 4-5 layers of decryption, each of which triggers the next. If every layer decrypts successfully, GRAYFISH executes its code and runs silently on the machine; if even one layer fails to decrypt during launch, GRAYFISH deletes itself from the system. This technique confounds analysis and makes a GRAYFISH infection difficult to discover, because the malware may delete itself the moment the user notices anomalous behavior and begins diagnostic procedures.

One reason the Equation Group is considered far more sophisticated than any other advanced persistent threat actor is that modules in the EQUATIONDRUG and GRAYFISH platforms can reprogram hard drive firmware, which allows for unprecedented persistence. Security firm F-Secure notes that this rarely seen module might be the Tailored Access Operations (TAO) IRATEMONK program, which affects hard drives produced by Seagate, Maxtor, Western Digital, Samsung, IBM, Micron, and Toshiba.
