According to the FireEye Malware Intelligence Lab, Sanny is aimed at Russian space research, information, education and telecom targets. It steals different kinds of passwords/credentials from the victim’s machine, as well as credentials that Firefox remembers for online services like Hotmail and Facebook. It also profiles the victims, collecting location, region and other relevant information.
“Looking at the human aspect of offensive cyber operations is one of the most interesting parts of a malware analyst’s day,” explain FireEye researchers Alex Lanstein and Ali Islam, in a blog post. “Malware that was generated by an algorithm, such as a polymorphic PDF, is a little boring because you know you aren’t fighting against a human on the other side of the keyboard. However, when dealing with nation-state sponsored intrusions, or at least deliberate attacks against a specific group of people, it’s interesting to look at the different stages of the attack, from victim selection, to attack method, to what kind of data is exfiltrated.”
This particular attack is initiated by a malicious Microsoft Word document sample – a fairly standard exploit vector. “One thing that is true in nearly all targeted attacks is that there is an aspect baked in which the cybercriminal gives the victim a decoy document,” the researchers explained. “As a result, the victim is dissuaded from calling the computer helpdesk, thinking he/she got legitimate content. This attack is no different. To be clear, this clean, legitimate document is embedded inside the malicious document, and launched after the exploit is successful.”
In Sanny’s case, the document is clearly aimed at users whose language uses the Cyrillic character set.
“Interesting targets, for sure,” said Lanstein and Islam. “We went through the full list of IPs scraped from the victim logs. Some of them are AV companies or security researchers, but the majority, we believe, are real victims in Russia.”
As to who is responsible, the command and control (C&C) channel is embedded on a legitimate page in a Korean message board called "nboard.net." The fonts Batang and "KP CheongPong" used in the document are Korean, and the malware also contains a fallback mechanism so that if the message board is unavailable, it tries to check mail connectivity via a Korean Yahoo mail server.
“Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack,” the researchers said. South Korea in general may have some bad blood with the Russians, but the researchers may have narrowed it down even further: Some searching on "jbaksanny" (the Yahoo email used) leads to a Korean Wikipedia page created by the user named Jbaksan, they noted. The page is auto-filled and has nothing in the edit history except the creation of this user. It’s not much, but it’s a lead.
For now, FireEye found that the attacker is continuously monitoring the C&C to check new victims and their stolen data. “It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the C&C server,” they noted. “In the last five days, the attacker collected and deleted the data three times approximately after every two days.”