Sunday, December 11, 2016

Desperate Iranian Ideas For Social Media Control

Mohammad-Ali Movahedi Kermani: not liking the Internet
In the latest desperate attempt to subvert the freedom of Iranian expression, the regime wants to require permits for channels with 5000 or more members on foreign social network applications such as Telegram and Instagram. The desire for such control also extends to domestic platforms including Salam Up, Soroush, BisPhone, Cloob and Syna, along with advertising, news and entertainment channels on social media networks.

The cleric Mohammad-Ali Movahedi Kermani thinks that the Internet is a threat to Islam, because the Internet is full of rampant "tele-sex" and in his eyes is ultimately "immoral". So concerned is Movahedi Kermani that he puts the importance of subverting such "evil" above electoral issues or other pressing concerns, such as use of the Hijab.

Mahmoud Vaezi: deluded
Telecommunications Minister Mahmoud Vaezi thinks that channels with 5000 or more members should require permits, so that the poor, naive Iranian population can be assured such channels will not fool them with false information. Vaezi has been involved in Iran's "filternet" after Ahmadinejad's attempts in 2007 to "control" the Internet, and now the replacement "national Internet", or Shoma, is vainly trying to do the same thing. Badly.


The Deputy Culture Minister for Communications Technology and Digital Media, Ali-Akbar Shirkavand, also wants a website, to be launched soon, on which administrators of such "channels" must register and authenticate before they can continue their activities. The fear is that such controls by the regime could affect the opinions of journalists, artists and celebrities.

Cyber Police (FATA): Losing the plot

FATA chief Brigadier General Kamal Hadianfar said that Telegram is the main platform for cybercrimes among mobile social networks. "The platform for 66% of the crimes is Telegram, while Instagram accounts for 20% and less than 2% is observed on WhatsApp," he said, without clarifying what "cybercrimes" were being committed via such applications. Perhaps they include (according to Shirkavand, anyway) copyright infringement and the sale of "immoral" goods on such channels.

Kamal Hadianfar: battling the "evils" of social networks
A reality check: discord and feasibility

The regime's desire to crack down on Internet freedoms is at odds with the overtly more liberal stance on such technology taken by Hassan Rouhani; Rouhani calls for more freedom of expression, but everyone else wants to suppress it #awkward. For example, Attorney General Hojjatoleslam Mohammad-Jafar Montazeri wants to shut down what he calls "anti-religion" networks and said of them: "Down with the freedom that is destroying everything... this is absolute enslavement".

There is also the minor issue (conveniently overlooked by the regime) of Iran's inability to see the encrypted communications of platforms such as Telegram; vain requests for access to servers that must be placed in Iran are naive, at best. Also, what sentences are to be expected by the "cybercriminals" who dare to use such platforms? The whole thing is a joke and everyone knows it (even the regime).

Monday, December 5, 2016

Iranian "Shamoon" Attacks Saudi Targets. Again.


It's back! It appears that the Shamoon malware, aka "Shamoon 2", is targeting Saudi computers. Back in 2012, malware known as Disttrack, under the name Shamoon, targeted computers in Saudi Arabia, with Iran the culprit on that occasion. It is believed that Iran built up its malware development skills after the attacks against Iran in the form of Stuxnet in 2010. Iran may have adapted malware such as Stuxnet and Wiper to fire back at targets of its own. In 2012, Iran destroyed over 30,000 systems in the Saudi Aramco and RasGas Co Ltd. company networks, taking Saudi Aramco down for over one week.

The Shamoon malware, heavily based on Wiper, wipes the hard drives of Windows systems and is relatively rare (other recent malware, e.g. Mamba ransomware, holds users to ransom to have their systems decrypted). Previous famous occasions involving disk-wiping software such as Shamoon include the Dark Seoul attack in 2012 and, in 2014, the attacks on Sony Corporation's Hollywood studios and the Sands Casino in Las Vegas.

The 2012 Shamoon attacks against Saudi Aramco and RasGas Co Ltd. computers displayed an image of a burning U.S. flag; the latest Shamoon 2 attack used a distasteful image of the body of the drowned Syrian refugee child Alan Kurdi (the Iranian state blames Saudi Arabia for the situation in Syria).

Shamoon 2 was triggered to start wiping the hard drives of infected machines from 17 November 2016. This time, the Saudi targets included the administrative systems of the Saudi civil aviation and transportation ministries, along with the Saudi central bank. After it starts wiping the hard drive, Shamoon 2 also disables the computer's boot functions so that it cannot recover its operating system. As in the 2012 attacks, Shamoon 2 was timed to detonate when most employees would be off work for a holiday (the Saudi work week runs from Sunday to Thursday), so the malware potentially had the entire weekend to spread. The Shamoon 2 attacks took place on Lailat al Qadr, the holiest night of the year for Muslims.

How Shamoon and Disttrack work

Disttrack consists of a dropper, a communications component and a wiper. The Disttrack dropper executable extracts additional tools and coordinates when they are saved and executed. One Disttrack component is responsible for communicating with a C2 server (C&C, or command and control, server) and another is used to wipe the hard drives.
Disttrack tries to spread to other computers on the network using previously obtained administrator credentials, similar to the 2012 Shamoon attacks, where previously compromised credentials were hard-coded into the malware.

The Dropper component

The dropper disables User Account Control (UAC) remote restrictions on the infected computer, logs into remote systems using stolen administrator credentials, and writes its payload to the \system32 folder. The kernel driver is from the RawDisk product by EldoS Corporation; this gives the malware direct access to files, disks and partitions.

The Communications component

This component interacts with Disttrack's command and control (C&C) server using HTTP requests. The communications modules in both the x86 and x64 variants of Disttrack are not configured with an operational Disttrack C2 server. The lack of an operational C2 server means the Iranian attackers had no need to remotely access the targeted computers; the intention was simply to destroy them.

If Disttrack were configured with an operational C2 server, the module would issue an HTTP GET request beginning GET http://server/category/page.php?shinu=ja1p9/...
This is perhaps additional evidence of Iranian involvement, because "shinu" may refer to the name of a village in north-west Iran.
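For defenders, the check-in shape above is something a web proxy log can be searched for even though the samples analysed here never had a live C2 server. The script below is an added example written for this post, not code from the post or from any vendor report: it reads proxy log lines, keeps only GET requests to a path ending in /category/page.php whose "shinu" query parameter begins with "ja1p9/", and counts matches per internal client. The log line layout, the client addresses and everything after "shinu=ja1p9/" are constructed for the example (the post elides that part of the request, and "server" is the post's own placeholder host name).

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (not from the post). The line layout
# "<timestamp> <client-ip> <method> <url> <status>" is an assumption, not any
# real proxy's native format; "server" is the placeholder host name used in the
# post, and what follows "shinu=ja1p9/" is made up here because the post elides it.
SAMPLE_PROXY_LOG = """\
2016-11-17T01:02:03Z 10.0.0.15 GET http://server/category/page.php?shinu=ja1p9/aGVsbG8= 200
2016-11-17T01:02:09Z 10.0.0.22 GET http://intranet.example/category/index.html 200
2016-11-17T01:03:41Z 10.0.0.15 GET http://server/category/page.php?shinu=ja1p9/d29ybGQ= 200
2016-11-17T01:04:00Z 10.0.0.31 GET http://cdn.example/page.php?id=42 304
2016-11-17T01:05:12Z 10.0.0.31 POST http://server/category/page.php?shinu=ja1p9/x 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_disttrack_beacon(url: str) -> bool:
    """Match the check-in shape from the post: a request to .../category/page.php
    carrying a 'shinu' query parameter whose value starts with 'ja1p9/'."""
    parts = urlsplit(url)
    if not parts.path.endswith("/category/page.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("shinu", [])
    return any(v.startswith("ja1p9/") for v in values)


def find_beacons(log_text: str) -> list[dict[str, str]]:
    """Return one record per GET request that matches the beacon shape."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["method"] != "GET":
            continue  # malformed line, or not a GET: the post describes a GET check-in
        if is_disttrack_beacon(m["url"]):
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": urlsplit(m["url"]).hostname or ""})
    return hits


def beaconing_hosts(log_text: str) -> dict[str, int]:
    """Count matching check-ins per internal client; a client that repeats the
    pattern is the one to triage first."""
    counts: dict[str, int] = {}
    for hit in find_beacons(log_text):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for client, n in sorted(beaconing_hosts(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {n} Disttrack-style check-in(s)")
```

Matching on the path plus the parameter prefix, rather than on the host name, is deliberate: the host in the post is a placeholder, and a real deployment could point anywhere. The POST line in the sample is ignored on purpose, because the post only describes a GET.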

The Wiper component

The wiper component installs a kernel driver that allows it to write to protected parts of the system, including the Master Boot Record (MBR) and the partition tables of storage volumes.
After overwriting the target's hard drives, Disttrack instructs the computer to restart. The computer shuts down, but because the malware has overwritten the partition tables, the machine cannot boot again. All system and user data is lost, and the system has to be formatted and reinstalled.


Indicators of Compromise

Disttrack Droppers

47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 (x64)
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b (x86)

Communication Components

772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 (x64)
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 (x86)

Wiper Components

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a (x64)
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd (x86)

EldoS RawDisk

5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (x64)
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 (x86)
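A hash list is only useful if it gets run against something. The script below is an added example for this post (not the post's own code, nor any vendor's tool): it walks a directory tree, streams every file through SHA-256, and reports files whose digest is one of the eight indicators listed above, labelled with the component and architecture from the list. The make_sample_tree helper builds a few constructed benign files so the sweep can be exercised offline; pass a real path on the command line to sweep it instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators listed in the post, keyed by digest -> (component, architecture).
DISTTRACK_IOCS = {
    "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34": ("Disttrack dropper", "x64"),
    "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b": ("Disttrack dropper", "x86"),
    "772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5": ("communication component", "x64"),
    "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842": ("communication component", "x86"),
    "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a": ("wiper component", "x64"),
    "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd": ("wiper component", "x86"),
    "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a": ("EldoS RawDisk driver", "x64"),
    "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6": ("EldoS RawDisk driver", "x86"),
}


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str):
    """(component, arch) for a known Disttrack digest, else None."""
    return DISTTRACK_IOCS.get(digest.strip().lower())


def sweep(root) -> list:
    """Hash every regular file under root and return the indicator matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            match = classify(digest)
            if match is not None:
                hits.append({"path": str(path), "sha256": digest,
                             "component": match[0], "arch": match[1]})
    return hits


def make_sample_tree() -> Path:
    """Constructed benign files for a dry run; nothing here matches an indicator."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "empty.bin").write_bytes(b"")
    (root / "notes.txt").write_bytes(b"hello")
    (root / "sub").mkdir()
    (root / "sub" / "readme.txt").write_bytes(b"not malware")
    return root


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    hits = sweep(target)
    for hit in hits:
        print(json.dumps(hit))
    print(f"{len(hits)} indicator match(es) under {target}")
```

Unreadable files are skipped rather than fatal, because a sweep of a live Windows system will always hit locked files under \system32 and a single exception should not end the run. Digests are normalised to lower case before lookup so that hashes pasted from other reports still match.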

Saturday, December 3, 2016

Iranian Hackers Using "Mamba" Ransomware?


Are Iranian hackers using the "Mamba" ransomware (or possibly behind it)? It is unclear, but an article in November by Brian Krebs indicates there could be a connection.

What is Mamba?

According to Sophos, the Mamba ransomware scrambles every disk sector, including the Master File Table (MFT), the operating system, all applications, files and all personal data. Mamba installs the DiskCryptor Full Disk Encryption (FDE) tool (this type of software asks for a password at boot, then decrypts every sector as it is read and encrypts every sector as it is written).

The details

The infection vector Mamba uses is not known exactly, but it probably relies on social engineering in the form of an email link for a user to click on.

If a user does stupidly cause the Mamba ransomware to be downloaded, then on a Windows system they would see the User Account Control (UAC) window appear, asking to install MAMBA.EXE (!). What happens next, if the software is allowed to install, is:

  • Mamba installs itself as a Windows service (called DefragmentationService) using local SYSTEM privileges.
  • The computer then reboots.
  • After the reboot, Mamba installs DiskCryptor, which is located in the directory C:\DC22.
  • At this stage, the user could still recover their computer (the encryption is not complete): using the DCRYPT utility and selecting the Decrypt option, the user can read the password in plaintext from the file log_file.txt! However, if the user allows the computer to reboot beforehand, the computer will be encrypted and the user has no way to know the password.
On older Windows systems using a Master Boot Record (MBR) on the hard drive, you will see something similar to what the Petya ransomware shows; on newer Windows systems, you won't see the message. In both cases, your only option is to wipe your hard drive; all data is gone.
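The sequence above has a useful property for defenders: the service install, the reboot and the appearance of DiskCryptor under C:\DC22 happen in a fixed order, and the recovery window (the password still readable in log_file.txt) only closes at the reboot after DiskCryptor lands. The script below is an added example written for this post, not code from the post, Sophos or Krebs. It replays constructed host-event lines per host as a small state machine and reports how far each host has got through that chain, so an analyst can see which machines are still recoverable. The line layout is an assumption made for the example; the Windows event IDs are the standard System-log meanings (7045 service installed, 1074 restart or shutdown initiated, 4688 process created); the executable name under C:\DC22 is made up, with only the directory and the service name taken from the post.

```python
from __future__ import annotations

import re

# Constructed host-event lines (not from the post). The layout
# "<timestamp> host=<name> event=<id> key=value ..." is an assumption for this
# example; event IDs carry their standard Windows System-log meanings
# (7045 service installed, 1074 restart/shutdown initiated, 4688 process created).
# The file name under C:\DC22 is made up; only the directory comes from the post.
SAMPLE_EVENTS = """\
2016-11-25T08:01:00Z host=ws-07 event=7045 service=DefragmentationService image="C:\\Users\\Public\\MAMBA.EXE"
2016-11-25T08:01:30Z host=ws-07 event=1074 type=restart
2016-11-25T08:03:10Z host=ws-07 event=4688 image="C:\\DC22\\dcrypt.exe"
2016-11-25T08:09:00Z host=ws-07 event=1074 type=restart
2016-11-25T09:15:00Z host=ws-12 event=7045 service=WSearch image="C:\\Windows\\System32\\SearchIndexer.exe"
2016-11-25T09:40:00Z host=ws-03 event=7045 service=DefragmentationService image="C:\\Users\\Public\\MAMBA.EXE"
2016-11-25T09:40:20Z host=ws-03 event=1074 type=restart
2016-11-25T09:42:05Z host=ws-03 event=4688 image="C:\\DC22\\dcrypt.exe"
"""

# key=value pairs, with optional double quotes around values containing spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

STAGE_LABELS = {
    0: "no Mamba indicators",
    1: "Mamba service installed (DefragmentationService); first reboot pending",
    2: "DiskCryptor staged under C:\\DC22; still recoverable via log_file.txt until the next reboot",
    3: "rebooted after staging; disk encrypted, password no longer recoverable",
}


def parse_event(line: str) -> dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    ts, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def mamba_stage_per_host(log_text: str) -> dict[str, int]:
    """Walk the events in order and track how far each host has got through the
    install -> reboot -> DiskCryptor -> reboot chain described in the post."""
    stage: dict[str, int] = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        host = ev.get("host")
        if not host:
            continue
        s = stage.get(host, 0)
        eid = ev.get("event")
        if eid == "7045" and ev.get("service") == "DefragmentationService":
            s = max(s, 1)
        elif eid == "4688" and ev.get("image", "").lower().startswith("c:\\dc22\\"):
            # DiskCryptor is legitimate software; only count it once the Mamba
            # service has been seen, to avoid flagging a genuine FDE install.
            if s >= 1:
                s = max(s, 2)
        elif eid == "1074" and s == 2:
            s = 3  # the reboot that closes the recovery window
        stage[host] = s
    return stage


def triage_report(log_text: str) -> list[str]:
    """One line per affected host, sorted by host name; clean hosts are omitted."""
    return [f"{host}: stage {s} - {STAGE_LABELS[s]}"
            for host, s in sorted(mamba_stage_per_host(log_text).items()) if s > 0]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_EVENTS):
        print(line)
```

The ordering matters: a host at stage 2 is the one to pull off the network and read log_file.txt from immediately, while a host at stage 3 is already in the "wipe it and restore from backup" category the post describes. Activity under C:\DC22 alone does not raise a host's stage, since DiskCryptor has legitimate users.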

The link with Iran

The blog of Brian Krebs (krebsonsecurity.com) shows that Iranians may have used Mamba against targets, including the San Francisco Municipal Transportation Agency (SFMTA). Fare station terminals displayed the message, "You are Hacked. ALL Data Encrypted." The message stated that the key to decrypt the computers could be obtained by contacting the email address cryptom27@yandex.com.



According to Krebs, the email address cryptom27@yandex.com was hacked by another hacker, who found that the same credentials worked for the cryptom2016@yandex email account. A server identified as being used in association with the user of the cryptom2016 account was used to scan the Internet for various vulnerabilities, including in Oracle products, especially the "Weblogic unserialize exploit" and the Primavera project portfolio management software.

The server used to launch the Oracle vulnerability scans had detailed logs of the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it had been controlled almost exclusively from Internet addresses in Iran.

The attack server logs also included the web links or IP addresses of each victim server, listing the hacked credentials, with notes made next to each victim by the attacker. The notes appeared to be transliterated Farsi.

User account names on the attack server held other clues of Iranian involvement, such as the names "Alireza" and "Mokhi". Alireza may refer to Ali Reza, the seventh descendant of the prophet Muhammad. However, these are common names in and around Iran and could also indicate surrounding countries of origin (such names are also popular in Turkey and the Arab world).

I would say, knowing what my country is capable of, that the Iranian state or Iranian cyber criminals ARE involved in using Mamba ransomware to extort money to further other cyber activities.