Cedric PERNET - Threat Intel, APT & Cybercrime

Hi all,

I have written this blog post in collab with my good friends Kenney and Lenart... ;-)

Available HERE.

Hi folks,

I've published a new blog post today on Trend Micro's blog. This is once again about some APT campaign, this time showing some of the new modus operandi from a threat actor named Winnti.

It is available here.

New blog post being released, entitled "The French Dark Net Is Looking for Grammar Police". Hope you will enjoy it ;-)

The french cybercrime underground is definitely surprising... ;-)

Last week one of my new blog post got released here. I hope you will enjoy it, especially the french ones interested in cybercrime ;-)

Cheers !

Hello,

Petit post blog pour faire un peu ma promo, j'avais oublié de signaler certaines publications ici...

MISC 85 : un article "APT - Qui sont les attaquants" qui décrit un peu les différents types de profils présents dans les équipes d'attaquants APT.

MISC 86 : un article "Simulation d'attaque APT", qui décrit pourquoi et comment mettre en oeuvre des simulations d'attaques APT. Ces simulations sont souvent bien plus efficaces pour sensibiliser une population en entreprise.

Je viens de finir d'écrire un nouvel article pour MISC, et tenez-vous bien, il ne parlera pas d'APT cette fois-ci ;-)

La suite en Septembre donc, pour ce qui est des articles MISC en tout cas ;-)

Following my first research paper about the Rocket Kitten APT threat actor, I have released another one, this time as a collaboration work with one researcher from ClearSky.

The blog post is here: Rocket Kitten Spies Target Iranian Lecturer and InfoSec Researchers in New Modus

The full paper is here: The Spy Kittens Are Back : Rocket Kitten 2

Un petit post rapide pour vous signaler que j'ai publié dans le dernier numéro de MISC Magazine un article intitulé "APT 101" qui présente les notions de base des attaques APT. L'exercice n'était pas forcément facile après avoir écrit un livre sur le sujet...

Le numéro 79 de MISC est présenté ici, sur le site de l'éditeur.

A noter au passage que ce numéro contient 4 articles sur les attaques APT, dont un excellent article de David Bizeul & Xavier Creff (Threat Intelligence et APT), un article sur le tristement célèbre malware PlugX écrit par Fabien Perigaud, ainsi qu'un article "APT au combat : stratégie numérique en réseau d'entreprise" écrit par William Dupuy & Nicolas Guillermin.

Un numéro à lire de toute urgence ! :-)

Hi all,

Here is my first research paper done for my new employer, Trend Micro.

I hope you'll enjoy it ! :-)

The blog summary I wrote about the paper is here, while the complete paper can be found here.

C'est avec un plaisir non dissimulé que je blogge ici pour vous faire part de la publication de mon premier ouvrage aux Editions Eyrolles, intitulé "Sécurité et espionnage informatique - Connaissance de la menace APT et du cyberespionnage".

Le livre est disponible en précommande sur le site d'Amazon.fr, et sera publié et disponible en FNAC à compter du 12 décembre.

Il m'aura fallu pas loin d'un an et demi de travail de nuit et le soutien de nombreuses personnes pour mener ce projet à son terme. Je remercie chaleureusement tous les gens qui m'ont aidé et soutenu, la liste serait trop longue mais ils sont remerciés en détail dans le livre ;-)

J'espère donc que cet ouvrage vous sera utile, que sa lecture vous sera agréable, et que vous me ferez un petit feedback ?

Merci à tous/toutes ! :-)

Cédric.

Well, as you probably know, I am french. Some of my friends do not agree, and say that I am not a real french, because I do not like strong cheese, I do not like eating ducks (in any way), and all wine tastes the same for me, in opposite to beer. Also, I hate european football, but loooooove american football, my favorite team being the Patriots from New England.

On the other hand, I must admit I have a little kink for american football team's jerseys. I already have one from the Patriots, yet I wanted one from the Miami Dolphins.

So here I am, googling to find a new jersey at an attractive price, in french language.

Using a simple request like "jersey miami dolphins pas cher" which means "jersey miami dolphins cheap" in Google, I get the following as first result:

As you can see, the first results are from "Google Shopping" and do provide links to legitimate websites like nike.com.

Then, more interestingly, I get results from Google Image. The first image shown, on which my mouse pointer is, leads to a domain named maillot-foot-nfl-nba.com.

Following this link, I get a nice page from an online store showing me the jersey of my dreams:

At this point, there are several little details which should raise suspicion for anyone:

• At the top of the web page, there's a line "Vente de DIR_WS_SEO_KEYWORD" which looks very ugly and unprofessional. Would a real seller really keep this ugly line up there ? Probably not.
• Look at the price !!! 69% discount on that product !!! It brings the price from 99€ (which is quite the usual price for that product) down to 30.99€.
• Bad language. I am writing this blog post in english and showing french stuff, ok, but I can tell you that if you go to any page of the web site, you'll see loads of spelling mistakes and even sentences which do not mean anything. The "general conditions" page is a must-read for french people, it is full of language problems.

Clicking on some of the general pages of the web site is quite instructive. In the middle of the description for shipping, written in french, some spanish can be seen: "Aceptamos Visa, Mastercard, Paypal y tarjeta de crédito!" ...

There can only be one conclusion to all of this: this website is fraudulent, selling counterfeit products, and no one should buy products there.

Now if I come back to my Google research, and look at the Google image links on the right of the one I followed, the domains are:

• www.boutiquesprofr.com
• www.forschungsinfo.de
• www.giacche.eu

By carefully watching these websites (except for forschungsinfo.de, which to clarify is a real site which has just hosted links to a fraudulent one, and the link has been removed), we could come to the same conclusion: counterfeit products are sold there.

Now one might think that these websites are build up by isolated fraudsters looking for easy money. The reality is a bit different, and that's why I am blogging, I wanted to bring some more insight to this kind of fraud and raise some awareness for people on Internet.

For starters, once again if you look carefully at all pages from such a website, you can find something more interesting than spelling mistakes: links to other websites.

Reading the "shipping info" from boutiquesprofr.com for example, the first line mentions that "sacmiumiu.com offre la livraison gratuite" , which means that "sacmiumiu.com offers free shipping".

Why the hell is a website called sacmiumiu.com mentioned in the shipping info of boutiquesprofr.com (which by the way means "prostorefr.com") ?

Well, the reason for that is that fraudsters do not build a single website to sell counterfeit products. They do build LOADS of different websites. You might think it takes a lot of time to do it, but it takes less than one or two hours to do. These fraudsters do use websites templates, which they just slightly modify from one site to the other. From the single sentence found on boutiquesprofr.com, we can expect it to use almost the same template as sacmiumiu.com.

sacmiumiu.com does not exist anymore, yet just by googling this name you would find interesting stuff : ads for it in guestbooks showing links to other counterfeit products websites, etc... Looking for it on archive.org, a website which shows past versions of websites, you would even find that the website has indeed been transfered by judge decision to Louis Vuitton because it was selling counterfeit products.

So, with few googling and wise use of archive.org, we already found out that our guys from "boutiquesprofr.com" were somehow connected to "sacmiumiu.com".

What else can be found ?

Let's go back to the first website I found, maillot-foot-nfl-nba.com.

At the top left part of the website, a logo from the company "NEW ERA" is visible. Let's be a bit clever and use it to find other websites which contain the exact same logo. To do that, we can save the logo from maillot-foot-nfl-nba.com and then submit it to a Google Image search. By doing that, Google will show us all referenced websites which contain the same picture :

Note: what you do not see in the screenshot is the fact that Google Image offers results showing images which are "close" to the image you submit. We need to focus on the exact same image, to avoid false positives. Moreover, if the fraudsters took the image from a legitimate website and did not modify it, we will get false positives we need to remove from the analysis.

Once again, the results are quite interesting: we easily fall on several fake products sellers.

This provides us a very easy method to group fake websites.

Ok, what do we know now ? We know that there are hundreds of websites selling fake products, using more or less the same templates and techniques.

How about having a look at the people who register these domain names ?

Let's have a look at the Whois information for our favorite website, maillot-foot-nfl-nba.com.

Registrant Name: mingsheng zheng
Registrant Organization: zhengxiansheng
Registrant Street: haikoulu10
Registrant City: haikou
Registrant State/Province: hainan
Registrant Postal Code: 570100
Registrant Country: CN
Registrant Phone: +86.13800000000
Registrant Phone Ext: 
Registrant Fax: +86.13800000000
Registrant Fax Ext: 
Registrant Email: registrar@mail.zgsj.com
Admin Name: mingsheng zheng
Admin Organization: 
Admin Street: haikoulu10
Admin City: haikou
Admin State/Province: hainan
Admin Postal Code: 570100
Admin Country: CN
Admin Phone: +86.13800000000
Admin Phone Ext: 
Admin Fax: +86.13800000000
Admin Fax Ext: 
Admin Email: capsshopnet@gmail.com

Once again, this really does not look like Whois information a legitimate merchant would use: the phone numbers seems to be fake, and the e-mail address is on gmail.com, yet this is very interesting for us in terms of investigation.

So, by doing some reverse whois researches, we can find 23 domains, additionally to maillot-foot-nfl-nba.com, which have been registered by capsshopnet@gmail.com :

Oh my, our friend "capsshopnet" has counterfeit stuff in french, spanish, and german, what a great linguist, this might explain all the spelling mistakes on these websites ;-)

What about the hosting ? Well, maillot-foot-nfl-nba.com is currently hosted on 223.26.62.200, which belongs to:

inetnum:        223.26.62.0 - 223.26.62.255
netname:        SUN-HK
descr:          Sun Network - DataCenter Service
                TRANS ASIA CENTER, KWAI CHUNG
country:        HK
admin-c:        DA179-AP

Let's look at some Passive DNS information. Which other domains have lead to this precise IP address currently or in the past ?

The results are other counterfeit products websites (except for kkk345.com which is about pornographic stuff)

kkk345.com
www.kkk345.com
www.gorras-obey.com
gorrasbaratas.com
www.gorrasbaratas.com
maillot-pascher.com
www.maillot-pascher.com
zapatos-baratas.com
www.zapatos-baratas.com
www.maillot-foot-nfl-nba.com
www.kkk3.org

Now let me please represent all this data in a structured form (click to enlarge):

I will end this blog post here. I just wanted people to be a bit aware that the underground of counterfeit products is huge, and that few minutes of investigation can lead to the discovery of a complex web of Internet websites run by fraudsters.

One might wonder about the number of people involved in that kind of fraud. There are probably several people to register the websites, several people to build the content (and we can be pretty sure some other people are selling the web pages templates), to handle the orders, to manufacture the products (probably hundreds/thousands of people here), etc.

I stopped my investigation at this point, because it was done on a rainy night at home. A lot is uncovered here: I did not look for every domain whois, I did not look for all the hosting data and IP ranges, I did not really search for any real person attribution.

By digging more on all these data, we could probably find much more fake products websites and persons involved, but once again, my goal here was just to raise awareness on a kind of fraud and describe it a bit.

So what have we learned here ?

• There are people probably working fulltime on registering websites, building websites (and people making/selling templates), having them indexed on Google and other places (black SEO), to sell counterfeit products coming mostly from China (that's what you discover when you order something), all of this in several different languages.
• Dozens of websites are handled by the same people
• These people do sell every kind of products you can think of: fake jerseys, fake tshirts, fake caps, fake shoes, fake handbags, fake sunglasses ... (you can guess it looking at the domain names from the previous image)
• The fraud is obvious when you take the time to really analyze the content a bit. You should NEVER BUY A PRODUCT WHICH LOOKS AMAZINGLY CHEAP, or from a website with loads of spelling mistakes.

Thank you for your reading, this was some kind of fun post blog I've done in a hurry last night. See you soon ! :-)