Historic use of CYBERGATE to target Libyan rebels

A malware analysis walkthrough

Gabriel Currie
10 min read · Jan 7, 2021

Summary

  • This blog post analyses a Portable Executable file first identified as being submitted by a user in Libya in 2011 to VirusTotal, identified by targeted searches to identify malware potentially linked to the Libyan Civil War.
  • My analysis identified that the file is highly likely a variant of the Delphi-based CYBERGATE Remote Access Trojan (RAT).
  • The file connects to ahmed9909.no-ip[.]biz, and IP addresses linked to this domain around the time of file compilation were registered to Libya’s (then) state-run telecommunications company.
  • The file has the capability to remotely access and control a victim’s computer, including the capability to view and exfiltrate files, capture screenshots and steal credentials.

Introduction

There’s a lot of historic reporting on how the Syrian regime has targeted its population in cyberspace, but much less on how the Libyan regime did the same during their much shorter fall from power. To try and fill this gap, and thanks to my employer’s VirusTotal subscription, I went hunting.

I began by searching using VirusTotal Enterprise’s advanced features, to find files first submitted from Libya during the approximate dates of the Civil War (15 Feb–23 Oct 2011) which were marked as malicious by at least five anti-virus engines. This gave me a total of 40 results.

Results of a VirusTotal search query looking for malicious files potentially linked to the Libyan Civil War

I then manually reviewed each result, in order to see if anything stood out. One file that immediately caught my attention was abb554d56c92b52963e6213cf2c8db0c8620cc7fc8c5a7c981c97699d81dc9a9 (MD5: 07b796a4bf0e94105a41005c7bcca936). This was because:

  • It was widely detected as malicious.
  • It was tagged by VirusTotal as using anti-analysis techniques.
  • It used a Microsoft Word icon, while being a PE file.
  • It was first submitted with the filename jeel-libya.exe, which sounded interesting.
  • It made a network connection to a No-IP domain, a dynamic DNS provider which the Syrian Electronic Army has been reported to use (as well as other low sophistication Middle Eastern threat actors).

File information

So, let’s crack on with analysis, beginning with a look at the vital stats via static analysis.

Metadata

Our file is a Portable Executable file, with an MD5 hash of 07b796a4bf0e94105a41005c7bcca936. VirusTotal tells me this, but I can verify by finding the MZ magic header and using PEstudio to calculate the hash.

It’s marked as malicious by 53/73 anti-virus engines on VirusTotal as of 3 January 2021, with detections generally indicating it as some form of trojan. The file was first submitted to the site on 16 February 2011 by a user in Libya, with the filename jeel-libya.exe (and also with a range of other names subsequently).

VirusTotal entry showing the submission date, name and country of the file

The file’s metadata indicates it was initially created on 8 January 2011, eight days before first submission to VirusTotal.

PEstudio showing the compilation timestamp of the file as Saturday 8 January 2011 at 20:56:17

Despite being a Portable Executable, the file uses the icon of a Microsoft Office Word document.

The file as it appears in Windows Explorer to the target, with a Microsoft Word icon

Identifying packing

Before proceeding it’s worth considering whether the file is in some way obfuscated, which might prevent or frustrate our analysis.

A common way for malware to achieve this is by using a packer. Packers can be detected by the signature they leave in the packed executable (detected by tools such as PEiD and Exeinfo PE), or by calculating the entropy of the packed file (this article from the IEEE states that any executable with an entropy higher than 6.677 is likely to be packed or encrypted).

PEstudio shows that jeel-libya.exe has an entropy of 7.923, which indicates the file is likely to be packed or otherwise obfuscated. However, neither Exeinfo PE nor PEiD identifies the file as packed. The file is therefore likely packed, but using a custom packer that isn’t currently signatured by either of these two programs.

Neither PEiD nor Exeinfo PE identifies jeel-libya.exe as packed
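The two static checks above (confirm the MZ/PE magic, compute the hash, then compare the file's entropy, and each section's, against the 6.677 threshold) can be reproduced without PEstudio. The following is an added example, not the author's tooling: a minimal PE section-table parser plus Shannon entropy, run against a PE image that is constructed in memory (one constant-byte `.text` section, one uniform-byte `.rsrc` section). Pass a real file path on the command line to triage it instead.

```python
"""Static triage of a PE file: magic check, hashes, whole-file and
per-section Shannon entropy against the packing threshold cited above.
Added example; the sample PE built by build_sample_pe() is constructed."""
import hashlib
import math
import struct
import sys

PACKED_THRESHOLD = 6.677  # threshold from the IEEE article cited in the post


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_sections(data: bytes) -> list:
    """Minimal PE section-table parser: returns [(name, raw_section_bytes)].
    Raises ValueError if the MZ or PE magic is missing."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i                     # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(data: bytes) -> dict:
    """Hashes, overall entropy, per-section entropy and a packed/obfuscated verdict."""
    total = shannon_entropy(data)
    per_section = {name: round(shannon_entropy(raw), 3) for name, raw in pe_sections(data)}
    return {**file_hashes(data),
            "entropy": round(total, 3),
            "sections": per_section,
            "likely_packed": total > PACKED_THRESHOLD
            or any(e > PACKED_THRESHOLD for e in per_section.values())}


def build_sample_pe() -> bytes:
    """Constructed minimal PE: optional header omitted (size 0, the parser only
    needs its length), one low-entropy .text and one high-entropy .rsrc section."""
    text = b"\x90" * 512                 # constant bytes: entropy 0.0
    rsrc = bytes(range(256)) * 2         # every byte value twice: entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name, rva, size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, rva, size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff
               + section(b".text", 0x1000, len(text), 0x200)
               + section(b".rsrc", 0x2000, len(rsrc), 0x400))
    return headers.ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

A whole-file entropy of 7.923 like the one PEstudio reported is driven by the bulk of the bytes; looking per section tells you where the high-entropy payload sits, which is the region a custom packer's stub will later unpack.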

Understanding functionality through static analysis

While the likely use of packing will make static analysis more difficult, it’s worth having a go.

First of all, a quick pass with strings shows some potentially interesting contents indicative of imports (such as RegSetValueA, OpenClipboard, and CreateThread).

This is validated by a look at the imports tab in PEstudio, which confirms a number of likely malicious imports.

PEstudio showing potentially malicious (blacklisted) imports for jeel-libya.exe

  • Importing the RegDeleteKeyW, RegSetValueA and RegSetValueW functions suggests that the file interacts with the registry, likely for persistence.
  • Importing the CallNextHookEx function suggests that the file uses Windows Hooks, which MSDN says may allow it to “intercept events, such as messages, mouse actions, and keystrokes”, and indicates that the file may include keylogging (or similar) functionality.
  • Importing the OpenClipboard function suggests that the file opens and interacts with the clipboard, potentially providing additional information stealing functionality in addition to keylogging.
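The "quick pass with strings" followed by a look at which API names stand out can be scripted so the same watchlist is applied to every sample. Below is an added example, not the author's tooling: it extracts printable ASCII runs the way `strings -n 4` does, then maps any tokens that are known Windows API names onto a capability category. The watchlist is a small hand-picked subset (an assumption; extend it from your own notes) and the binary blob it runs on is constructed to resemble an import name table.

```python
"""strings-style triage: extract printable runs from a binary and bucket
recognised API names by the capability they suggest. Added example;
API_WATCHLIST is a hand-picked subset and SAMPLE_BLOB is constructed."""
import re
import sys
from collections import defaultdict

# Assumed watchlist: API name -> capability it hints at.
API_WATCHLIST = {
    "RegSetValueA": "registry (persistence)",
    "RegSetValueW": "registry (persistence)",
    "RegDeleteKeyW": "registry (persistence)",
    "SetWindowsHookExA": "windows hooks (keylogging)",
    "SetWindowsHookExW": "windows hooks (keylogging)",
    "CallNextHookEx": "windows hooks (keylogging)",
    "OpenClipboard": "clipboard (information stealing)",
    "GetClipboardData": "clipboard (information stealing)",
    "CreateThread": "threading",
    "CreateRemoteThread": "process injection",
    "WriteProcessMemory": "process injection",
    "VirtualAllocEx": "process injection",
    "IsDebuggerPresent": "anti-analysis",
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (what `strings -n` prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage_strings(data: bytes) -> dict:
    """Return {capability: sorted list of watchlisted API names seen}."""
    found = defaultdict(set)
    for s in extract_strings(data):
        # Import names are NUL-terminated and preceded by a 2-byte hint, so a
        # run may carry junk around the name; tokenise before matching.
        for token in re.findall(r"[A-Za-z0-9_]+", s):
            if token in API_WATCHLIST:
                found[API_WATCHLIST[token]].add(token)
    return {cap: sorted(names) for cap, names in found.items()}


# Constructed stand-in for a PE import name table with some binary filler.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00" + bytes(range(0, 256, 7))
    + b"\x10\x00RegSetValueA\x00\x20\x00CallNextHookEx\x00\x30\x00OpenClipboard\x00"
    + b"\x40\x00CreateThread\x00\x50\x00GetProcAddress\x00\x60\x00RegDeleteKeyW\x00"
    + b"\x00\x00\xff\xfe\xfd"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for capability, names in sorted(triage_strings(blob).items()):
        print(f"{capability}: {', '.join(names)}")
```

On a packed sample, as here, the names you see this way are those the unpacking stub itself needs; the payload's real import table only appears once it has been unpacked in memory, which is why the dynamic analysis that follows matters.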

Finally, running the file against FireEye’s capa identifies some more information about the file’s potential capabilities. This corroborates some existing information (e.g., the file interacting with registry keys and the clipboard) and also provides some new insights, for example, virtual machine detection.

The output of FireEye’s capa run against jeel-libya.exe

Dynamic file analysis

Having confirmed some basic information about the file’s metadata and expected behaviour (and that it definitely looked worthy of further inspection) I brought the file into an isolated Windows 7 virtual machine and executed it to determine its capabilities.

While static analysis indicated that the file uses anti-analysis techniques including virtual machine detection, the file was able to successfully execute within a VirtualBox-based virtual machine without Guest Additions installed.

File creation

Process Monitor identified that, on initial execution, jeel-libya.exe creates a number of new files, including:

  • C:\Documents and Settings\%USERNAME%\Local Settings\Temp\%USERNAME%2.txt
  • C:\Users\%USERNAME%\AppData\Local\Temp\%USERNAME%2.txt (Windows 10)
  • C:\Documents and Settings\%USERNAME%\Application Data\%USERNAME%log.dat
  • C:\Users\%USERNAME%\AppData\Roaming\%USERNAME%log.dat (Windows 7/10)
  • C:\Program Files (x86)\installs (Windows 7/10)
  • C:\Users\%USERNAME%\AppData\Roaming\installs (Windows 10)
  • C:\Program Files (x86)\installs\vip.exe (Windows 7/10)
  • C:\Users\%USERNAME%\AppData\Roaming\installs\vip.exe (Windows 10)
  • C:\Users\%USERNAME%\AppData\Local\Temp\%USERNAME%7 (Windows 7/10)

Of particular note in the above is C:\Program Files\installs\vip.exe, which is a copy of the original jeel-libya.exe placed in a more obscure location, and marked as a protected system file so as to evade detection.

Process injection

Running Get-InjectedThread on the infected analysis system identified that something was injecting into both jeel-libya.exe and explorer.exe (Windows Explorer).

Any attempt to exit the running jeel-libya.exe process results in the execution of vip.exe and the malware continues running.

Based on this behaviour, it’s highly likely that some form of “watcher” code is being injected into explorer.exe to monitor for jeel-libya.exe termination, and in the event of this the malware is re-launched from its persistent location of C:\Program Files\installs\vip.exe.

Persistence

Analysis of the infected system using Autoruns and CaptureBAT showed C:\Program Files (x86)\installs\vip.exe had been added to the following Windows registry keys, in order to ensure persistence after system reboots:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6I2BONQY-88W6-H005-46SN-R8U6427THGS3}

Microsoft Autoruns showing the registry keys created by the file

Mutexes

Process Explorer identified that the file creates a number of mutexes in order to ensure only one version runs concurrently, including the following:

  • %USERNAME%5
  • 8H1N2VDA40SFT7
  • 8H1N2VDA40SFT7%USERNAME%15
  • 8H1N2VDA40SFT7_SAIR
  • 8H1N2VDA40SFT7_RESTART
  • ZonesCounterMutex
  • ZonesCacheCounterMutex
  • ZonesLockedCacheCounterMutex

Beaconing out

After executing jeel-libya.exe I used Wireshark to monitor for any network communications on the infected system. This identified the file making a DNS request for the domain ahmed9909.no-ip[.]biz immediately after execution, and then attempting to establish a TCP connection over port 82.

This is highly likely an attempt by the file to check in to a command and control server, to register a new infection.

Packet capture showing the file querying the command and control domain
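The DNS query Wireshark caught is the cheapest place to detect this family, because a request for a dynamic-DNS zone from a host that has no business using one stands out regardless of what port the follow-up TCP connection uses. The code below is an added example, not the author's tooling: it parses a raw DNS query message (including compression pointers, so it also works on captured responses) and reports whether the queried name falls under a dynamic-DNS provider zone. The provider list is a hand-picked subset (an assumption) and the sample packet is constructed for the C2 domain named in this post.

```python
"""Parse a raw DNS query and flag lookups under dynamic-DNS provider zones.
Added example; DYNAMIC_DNS_ZONES is an assumed subset and SAMPLE_QUERY is
constructed for the domain from the post."""
import struct

# Assumed watchlist of dynamic-DNS zones; extend from your own telemetry.
DYNAMIC_DNS_ZONES = ("no-ip.biz", "no-ip.org", "no-ip.info", "zapto.org",
                     "hopto.org", "ddns.net", "dyndns.org")


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query, recursion desired, one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    for _ in range(128):                     # bound the walk against pointer loops
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else offset)


def parse_query(msg: bytes) -> dict:
    txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)        # question section follows the 12-byte header
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return {"txid": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def dynamic_dns_zone(qname: str):
    """The provider zone the name falls under, or None."""
    q = qname.lower()
    for zone in DYNAMIC_DNS_ZONES:
        if q == zone or q.endswith("." + zone):
            return zone
    return None


def inspect(msg: bytes) -> dict:
    """Parsed question plus the dynamic-DNS verdict."""
    q = parse_query(msg)
    q["dynamic_dns"] = dynamic_dns_zone(q["qname"])
    return q


# Constructed query for the C2 domain from the post (shown defanged in the text).
SAMPLE_QUERY = build_query("ahmed9909.no-ip.biz")

if __name__ == "__main__":
    print(inspect(SAMPLE_QUERY))
```

Matching on the zone rather than the exact hostname is the point: a No-IP customer can repoint `ahmed9909` or register a new label at any time, but the zone suffix stays the same, which is what makes dynamic-DNS usage a durable detection for low-sophistication actors.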

Looking at passive DNS records using RiskIQ, ahmed9909.no-ip[.]biz has historically resolved to a large number of unique IP addresses, as to be expected with a No-IP dynamic domain name. Filtering these IP addresses based on the dates of the First Libyan Civil War shows a total of 77 resolutions, of which 53 are to IP addresses registered in Libya.

Of the 53 Libyan IP addresses, all are linked with the General Posts and Telecommunications Company (GPTC) and registered to Libya Telecom & Technology (LTT). The GPTC is the state-owned organisation responsible for overseeing all postal and telecommunication services in Libya, and LTT is a state-owned telecommunications company that dominates the Libyan ISP sector.

Also, open sources provide some other key information:

  • RiskIQ shows that this specific No-IP domain was first seen on 30 July 2010.
  • A Google search shows that ahmed9909.no-ip[.]biz was previously cited in FBI reporting as linked to the BLACKSHADES RAT.
  • Checks with URL categorisation services confirm that ahmed9909.no-ip[.]biz is flagged by cyber security companies as malicious.

So what is it?

At this point, we now have a fairly good idea of what jeel-libya.exe is, and some of its functionality. Before continuing with manual analysis, let’s see if this might be a variant of already known malware. Key information that we know about the file, which might help link this to a specific malware variant, included:

  • The malware created multiple IOCs based on the username of the infected user (e.g., the %USERNAME%5 mutex and the file %USERNAME%2.txt).
  • The malware used a seemingly pseudorandomly-generated 14 character string in mutexes. This remained consistent between infections, suggesting it was hard-coded in, rather than generated based on victim metadata.
  • The malware injects into the running Windows Explorer (explorer.exe) process.
  • The malware primarily uses the registry to maintain persistence between reboots.

I also had the information available to me on VirusTotal. While most anti-virus engines had detected the file as a generic malicious file, a few identified this as FSYSNA, SCAR and REBHIP/CYBERGATE.

  • FSYSNA was an unlikely candidate as the malware was created in 2011, and FSYSNA was first observed in early 2019.
  • SCAR was also an unlikely candidate given the differences in functionality.
  • REBHIP/CYBERGATE seemed far more plausible. Microsoft Security Intelligence’s entry for REBHIP showed multiple similarities between this malware and REBHIP (e.g., IOCs based on the username of the infected user, pseudorandom 14 character mutexes, other similarities with mutex naming conventions, use of specific registry keys for persistence, and information stealing capability). This blog from FireEye also confirmed that REBHIP used multiple anti-analysis techniques, which had been identified previously by Capa.

Is it CYBERGATE?

At this point, it seemed possible that jeel-libya.exe was in fact REBHIP/CYBERGATE, but I wanted to see if I could do any more digging in order to make a better assessment.

Going digging on YouTube

I searched YouTube for CYBERGATE tutorials published shortly prior to the compilation timestamp of jeel-libya.exe, and eventually found this video published on 28 September 2010 showing the use of CYBERGATE version 1.07.5. Notably, this video showed the default CYBERGATE payload configuration, and options available for customising this.

A screenshot from a CYBERGATE tutorial published on YouTube in 2010

This showed a number of similarities between CYBERGATE and jeel-libya.exe:

  • jeel-libya.exe installs itself in C:\Program Files (x86)\installs\vip.exe; when creating a CYBERGATE payload, installation in Program Files is a hardcoded option, and installs is the default folder name for installation within this directory.
  • jeel-libya.exe uses registry Run and Active Setup keys to achieve persistence; when creating a CYBERGATE payload, these are the available options for persistence.
  • jeel-libya.exe uses the same names for registry run keys as the defaults provided when creating a CYBERGATE payload (HKLM, HKCU, Policies, and a pseudorandomly generated GUID).
  • jeel-libya.exe creates a 14-character pseudorandom mutex on an infected system; when creating a CYBERGATE payload, the operator is provided with the option to create a “Random” 14-character mutex.
  • jeel-libya.exe injects code into explorer.exe to maintain persistence; when creating a CYBERGATE payload, the operator can choose to inject into Other with the default option set to explorer.exe.

Going digging on VirusTotal

As a part of my research, I began pivoting on unique characteristics of jeel-libya.exe to see if I could find other related samples in VirusTotal. I’ll go into more detail on this pivoting (and the broader infrastructure and malware I identified) in a later post, and for now will highlight one “chain” that identified further evidence to support my assessment that the file is likely CYBERGATE.

The first step in pivoting was by searching for ahmed9909.no-ip[.]biz on VirusTotal, to identify if any other files were known to have communicated with this domain. This identified 10 results, one of which was (the already analysed) jeel-libya.exe. Analysing the 9 newly discovered files identified other potentially unique characteristics, which could be used for yet further pivoting.

For example, two files contained the string Copyright © 2012, mohameed r in their metadata. This string is likely to be relatively unique because of the mis-spelling of Mohammed, the inclusion of the first initial, the use of lower case in the name, and the combination of the name, the copyright marking and the year.

Pivoting on this string in VirusTotal identified 14 results, all of which have a compile TimeStamp of 2011-07-24 22:45:14. Of these 14 results, two write a file server.exe to C:\directory\CyberGate\install\:

  • a327a02187df24d60a8039bda8d105cb
  • b9985afbdcebfbc14400be3e4e7212d4

C:\directory\CyberGate\install\server.exe is an exact match to the default values shown in the CYBERGATE console, which I found in a YouTube tutorial video uploaded around the time of jeel-libya.exe compilation.

Making an assessment

On this basis, I assess that jeel-libya.exe is highly likely an instance of the CYBERGATE trojan. This is based on the following:

  • Anti-virus detections linking jeel-libya.exe to CYBERGATE.
  • Similarities between jeel-libya.exe’s assessed functionality and public reporting about CYBERGATE.
  • Similarities between jeel-libya.exe’s configuration and default configuration options in the CYBERGATE console.
  • Linked files with similar characteristics writing to a directory path of *\CyberGate\*.

With this knowledge, we can now understand the likely functionality of the file in significantly more detail, using already existing publicly available information on CYBERGATE (e.g., as documented by CitizenLab in their analysis).

Gabriel Currie

Head of Cyber Security at the UK Government’s @Cabinet_Office