
Nazar: Analyzing malware that was uncovered in leaked NSA files - Megabeets
https://research.checkpoint.com/2020/nazar-spirits-of-the-past/
======
sloshnmosh
I believe the use of open source tools to accomplish their tasks is
interesting. Using "living off the land" open source tools also hinders
researchers when trying to attribute an attack to a certain country.

I found malware that was installed remotely onto millions of Android users
under the government "Life Line" program that also used readily available
open-source code found on GitHub.

The malware used an open sourced virtualization shared object library (.so)
named "VirtulApp" and also an open source software development kit called
"TalkingData".

Both code sources were found on GitHub.

The malware in question hides its icon from the user's screen but can be found
under Settings/Apps but shows an icon for a well-known "Antivirus/Cleaner" app
that has been removed from the Google Play store many times. The malware also
shares much of the cleaner app's SDKs and excessive permissions.

The malicious app also contains several encrypted files in its assets
directory that are decrypted into executable java .jar files to expand its
functionality.

Kaspersky Labs names this particular malware variant "Necro".

5a5ab39960d3b96be2b8bbea99477e6f

~~~
outworlder
> I believe the use of open source tools to accomplish their tasks is
> interesting. Using "living off the land" open source tools also hinders
> researchers when trying to attribute an attack to a certain country.

That is one conclusion. But, given that there seems to be a significant amount
of code that's custom (the filesystem module), I'm not sure what that would
accomplish. If that too was open source and there was a tiny amount of glue
code, then it would make some sense. Leave the most suspicious hooks (like all
input device monitoring) to well known tools.

Based on the report, it is more likely that whichever group created it didn't
have much knowledge. Using the Shutdown Alarm and pissing all over the system
just to accomplish such a tiny task is difficult to justify, and that's what
drew undue attention.

------
itin
The cultural significance of the name is pretty ironic:
[https://en.wikipedia.org/wiki/Nazar_(amulet)](https://en.wikipedia.org/wiki/Nazar_\(amulet\))

~~~
dsl
Researchers usually pick a name when they have started looking at a collection
of samples, and don't really have knowledge of what is going on or who the
threat actor is yet.

The authors call it خضر, a guardian angel type from the Quran that shares
secret knowledge.

~~~
616c
It is also the Arabic for the adjective green (plural), and the name comes from
Arabic as well, and a prophet whom I have even heard some suggest is Buddha, in
addition to other more obvious Wikipedia suggestions.

That aside, this is what drives me nuts about threat intel: we use enough
googlable Persian words and give enough hints we know Persian in our code and
opsec and people have a full dossier that confirms we're Iranians? I assume
there is more depth to their claims, but you have to work for the reporting
company to know it, which makes the whole subset of the industry dubious if you
ask me (but we know no one is, lol).

~~~
slim
You forgot the most common meaning: vegetables :) You know hackers can be
silly sometimes.

~~~
boomboomsubban
That explains why it's being used for the root directory.

------
oefrha
> Territorial Dispute

    def path_normalize(path):
        try:
            path = re.sub('%(.+)%', (lambda m: ('%{0}%'.format(m.group(1)) if (m.group(1) not in datastore.ENV_VARS) else datastore.ENV_VARS[m.group(1)])), path)
        except:
            tedilog.error(...)
        return path

What a terrible way to write

    return re.sub(r'%(.+)%', lambda m: datastore.ENV_VARS.get(m.group(1), m.group(0)), path)

~~~
itsspring
Does yours catch the exception?

~~~
oefrha
Apparently I didn't include the parts that don't need to be changed.
(Actually, with the correct input type, this piece of code shouldn't raise any
exception, period, other than BaseException subclasses like KeyboardInterrupt,
which usually shouldn't be caught like this either. So I would omit the
try...except myself.)
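To make the exchange concrete, here is an added example (not code from the thread or from the Territorial Dispute tool) that runs both versions of `path_normalize` side by side against a constructed `ENV_VARS` table. The greedy `%(.+)%` pattern is kept exactly as quoted, and the third sample path shows what it does when two variables appear in one path, a case the thread does not discuss; the last helper shows the one situation where the dropped `try...except` changes behaviour (a non-string argument).

```python
import re

# Constructed stand-in for datastore.ENV_VARS; the values are made up.
ENV_VARS = {
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
}


def path_normalize_original(path):
    """The quoted Territorial Dispute version, with its logging call stubbed out."""
    try:
        path = re.sub(
            '%(.+)%',
            (lambda m: ('%{0}%'.format(m.group(1))
                        if (m.group(1) not in ENV_VARS)
                        else ENV_VARS[m.group(1)])),
            path,
        )
    except Exception:
        pass  # stands in for tedilog.error(...)
    return path


def path_normalize_rewrite(path):
    """oefrha's one-liner: unknown names fall back to the whole %NAME% match."""
    return re.sub(r'%(.+)%', lambda m: ENV_VARS.get(m.group(1), m.group(0)), path)


# Constructed sample paths. The third one has two variables; because `.+` is
# greedy the single match spans "SYSTEMROOT%\x\%PROGRAMFILES", which is not a
# known name, so both versions leave the path untouched.
SAMPLE_PATHS = [
    r"%SYSTEMROOT%\System32\drivers\etc\hosts",
    r"%UNKNOWN%\tool.exe",
    r"%SYSTEMROOT%\x\%PROGRAMFILES%\y",
]


def equivalent_on(paths=SAMPLE_PATHS):
    """True when both implementations agree on every sample path."""
    return all(path_normalize_original(p) == path_normalize_rewrite(p) for p in paths)


def rewrite_raises_on_bad_input(value=None):
    """True if the rewrite raises TypeError where the original silently returns value."""
    try:
        path_normalize_rewrite(value)
    except TypeError:
        return True
    return False
```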

------
hyperman1
So if I want the USA out of my system, all I have to do is create some dummy
exes, dlls and regkeys on my system?

~~~
shrimp_emoji
W-what if you use Linux? :B

~~~
asadlionpk
use Wine.

~~~
kyuudou
I'm sure the Linux kernel would never be compromised by state actors, even if
a retired US Army general was on the board of directors[1] of the most popular
Linux distro, or that the US' most infosec oriented intel agency didn't come
up with the main method for RBAC with it[2]. Or that hardware and the numerous
bits of firmware that control it would ever get back-doored by any state
actor!

"OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused
to discuss the compromise in late July of a file server maintained by the
open-source, Unix-based operating-system project. On Aug. 1, a dangerous
Trojan horse program was discovered amid the code for OpenBSD, which is used
by thousands of organizations and renowned for its security.

While de Raadt wouldn't comment on whether there were any suspects in the
case, the lead article in the latest el8 newsletter, published in early July,
contains an obvious smoking gun. The article begins with several lines of
screen-display from what appears to be an OpenBSD.org system. The "w-command"
output suggests that attackers had access to one of de Raadt's accounts."[3]

[1] [https://www.redhat.com/en/about/press-releases/shelton](https://www.redhat.com/en/about/press-releases/shelton)

[2] [https://www.nsa.gov/what-we-do/research/selinux/documentatio...](https://www.nsa.gov/what-we-do/research/selinux/documentation/)

[3] [https://www.cc.gatech.edu/computing/acmnews/msg00221.html](https://www.cc.gatech.edu/computing/acmnews/msg00221.html)

~~~
imglorp
And there's the time someone did try to sneak something into an open source
kernel [1].

The cool thing is, anyone can audit the kernels any time, and even if Theo's
or Linus's accounts get compromised, the backdoor will be observable by
everyone.

Try that with Windows: we have no idea what's in there, we never will, and MS
has zero incentive to tell us.

1\. [https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-...](https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-attempt-of-2003/)

