{"id":74,"date":"2018-01-11T09:17:24","date_gmt":"2018-01-11T09:17:24","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=74"},"modified":"2018-03-11T09:20:00","modified_gmt":"2018-03-11T09:20:00","slug":"kernel-injecting-trojan-was-found-in-the-wild-by-kaspersky-from-securelist-com","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=74","title":{"rendered":"Lamberts Toolkit – kernel injecting trojan was found in the wild by kaspersky (from securelist.com)"},"content":{"rendered":"

post originally taken from here:\u00a0https:\/\/securelist.com\/unraveling-the-lamberts-toolkit\/77990\/<\/p>\n

 <\/p>\n

Yesterday, our colleagues from\u00a0Symantec published their analysis of Longhorn<\/a>, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.<\/p>\n

Longhorn, which we internally refer to as \u201cThe Lamberts\u201d, first came to the attention of the ITSec community in 2014, when our colleagues from\u00a0FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148)<\/a>. The attack leveraged malware we called \u2018BlackLambert\u2019, which was used to target a high profile organization in Europe.<\/p>\n

Since at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.<\/p>\n

Although the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named \u201cArchan~1\u201d (perhaps \u2018Archangel\u2019). The root folder on the PDB path is named \u201cHudson\u201d. This is one of the very few mistakes we\u2019ve seen with this threat actor.<\/p>\n

While in most cases the infection vector remains unknown, the high profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148).<\/p>\n

Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family. For more information please contact:\u00a0intelreports@kasperskycom<\/a><\/p>\n

An Overview of the Lamberts<\/h2>\n

\"\"<\/a><\/p>\n

Figure 1. Lamberts discovery timeline<\/i><\/p>\n

The first time the Lambert family malware was uncovered publicly was in October 2014, when FireEye\u00a0posted<\/a>\u00a0a blog about a zero day exploit (CVE-2014-4148) used in the wild. The vulnerability was patched by Microsoft at the same time. We named the malware involved \u2018Black Lambert\u2019 and described it thoroughly in a private report, available to Kaspersky APT Intel Reports subscribers.<\/p>\n

The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following:\u00a0toolType=wl<\/b>,\u00a0build=132914<\/b>,\u00a0versionName = 2.0.0<\/b>. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor.<\/p>\n

\n\n\n\n\n\n\n\n
<\/td>\nBlack Lambert<\/td>\nWhite Lambert<\/td>\n<\/tr>\n
Implant type<\/td>\nActive<\/td>\nPassive<\/td>\n<\/tr>\n
toolType<\/td>\nwl<\/td>\naa (\u201cArchAngel\u201d)<\/td>\n<\/tr>\n
build<\/td>\n132914<\/td>\n113140<\/td>\n<\/tr>\n
versionName<\/td>\n2.0.0<\/td>\n5.0.2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Internal configuration similarities in Black and White Lambert<\/i><\/p>\n

White Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. We named these passive backdoors \u2018White Lambert\u2019 to contrast with the active \u201cBlack Lambert\u201d implants.<\/p>\n

Looking further for any other malware related to White Lambert and Black Lambert, we came by another generation of malware that we called Blue Lambert.<\/p>\n

One of the Blue Lambert samples is interesting because it appears to have been used as second stage malware in a high profile attack, which involved the Black Lambert malware.<\/p>\n

Looking further for malware similar to Blue Lambert, we came by another family of malware we called Green Lambert. Green Lambert is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant. Perhaps both Blue and Green Lamberts have been developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one seeing earlier deployment than the other.<\/p>\n

Signatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to a multiscanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, however it misses certain functionality such as running plugins directly in memory.<\/p>\n

Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family Pink Lambert.<\/p>\n

The Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework which can be used to create OS-independent malware. Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert malware families.<\/p>\n

By looking further for other undetected malware on victims of White Lambert, we found yet another apparently related family. The new family, which we called Gray Lambert is the latest iteration of the passive network tools from the Lamberts\u2019 arsenal. The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module, however, the functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows variants.<\/p>\n

Connecting all these different families by shared code, data formats, C&C servers, and victims, we have arrived at the following overarching picture:<\/p>\n

\"\"<\/a><\/p>\n

Figure 2. An overview of connections between the Lambert families<\/i><\/p>\n

The Lamberts in Brief \u2013 from Black to Gray<\/h2>\n

Below, we provide a small summary of all the Lamberts. A full description of all variants is available to subscribers of Kaspersky APT Reports. Contact\u00a0intelreports@kaspersky.com<\/a><\/p>\n

Black Lambert<\/h3>\n

The only known sample of Black Lambert was dropped by a TTF-exploit zero day (CVE-2014-4148). Its internal configuration included a proxy server which suggests the malware was created to work in a very specific network configuration, inside the victim\u2019s network.<\/p>\n

An internal description of Black Lambert indicates what appears to be a set of markers used by the attackers to denote this particular branch:\u00a0toolType=wl<\/b>,\u00a0build=132914<\/b>,\u00a0versionName = 2.0.0<\/b>.<\/p>\n

\n\n\n\n\n\n
Hash<\/td>\nDescription<\/td>\n<\/tr>\n
683afdef710bf3c96d42e6d9e7275130<\/td>\ngeneric loader (hdmsvc.exe)<\/td>\n<\/tr>\n
79e263f78e69110c09642bbb30f09ace<\/td>\nwinlib.dll, final payload (toolType=wl)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Blue Lambert<\/h3>\n

The Blue Lambert implants contain what appear to be version numbers in the 2.x range, together with project\/operation codename sets, which may also indicate codenames for the victims or campaigns.<\/p>\n

\"Unraveling<\/a><\/p>\n

Figure 4. Blue Lambert configuration in decrypted form, highlighting internal codenames<\/i><\/p>\n

Known codenames include TRUE CRIME (2.2.0.2), CERVELO YARDBIRD (2.6.1.1), GAI SHU (2.2.0.5), DOUBLESIDED SCOOBYSNACK (2.3.0.2), FUNNELCAKE CARNIVAL (2.5.0.2), PROSPER SPOCK (2.0.0.2), RINGTOSS CARNIVAL (2.4.2.2), COD FISH (2.2.0.0), and INVERTED SHOT (2.6.2.3).<\/p>\n

Green Lambert<\/h3>\n

Green Lambert is a family of tools deeply related to Blue Lambert. The functionality is very similar, both Blue and Green are active implants. The configuration data shares the same style of codenames for victims, operations, or projects.<\/p>\n

\"Unraveling<\/a><\/p>\n

Figure 5. Green Lambert configuration block (decrypted) highlighting internal codenames<\/i><\/p>\n

The Green Lambert family is the only one where non-Windows variants have been found. An old version of Green Lambert, compiled for OS X was uploaded from Russia to a multiscanner service in 2014. Its internal codename is HO BO (1.2.0).<\/p>\n

The Windows versions of Green Lambert have the following code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5).<\/p>\n

Interestingly, one of the droppers of Green Lambert abused an ICS software package named \u201cSubway Environmental Simulation Program\u201d or \u201cSES\u201d, which has been available on certain forums visited by engineers working with industrial software. Similar techniques have been observed in the past from other threat groups, for instance, trojanized Oracle installers by the Equation group.<\/p>\n

White Lambert<\/h3>\n

White Lambert is a family of tools that share the same internal description as Black Lambert. Known tool types, builds, and version names include:<\/p>\n