May 23, 2017, Masashi Nishihata
The Citizen Lab is an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, that investigates targeted digital espionage operations against civil society groups. We are dependent on the generous support of companies, like RiskIQ, to help us access and work with threat intelligence products for our research.
Citizen Lab has been making key discoveries with RiskIQ PassiveTotal since the beginning of the service in May 2014. PassiveTotal is essential to our investigative and research workflow, and recently, a search using PassiveTotal led to the discovery of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, as well as other malware, phishing, and disinformation campaigns in the Middle East, Latin America, and the Tibetan community.
Fig-1 The Million Dollar Dissident, a Citizen Lab report based on an investigation of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, which hinged on a PassiveTotal search
Million Dollar Dissident: A RiskIQ PassiveTotal Jackpot
While investigating the Stealth Falcon operation, a threat actor targeting UAE dissidents, we ran a series of IP addresses through RiskIQ PassiveTotal. It returned to us a domain, as well as an email address that looked different from the Stealth Falcon infrastructure we were familiar with.
Pivoting out from these data points, we connected the email and domain to a domain that was registered to the NSO Group. Suspecting that these domains were part of an exploit delivery infrastructure, we began seeking evidence of messages containing links to the network:
Fig-2 A look inside RiskIQ PassiveTotal of the NSO Group-linked pieces of Exploit Infrastructure that led to the discovery of the iOS zero-day (as it appears today, note the flags to Citizen Lab research, NSO Group, and targeting of Civil Society and Human Rights groups)
A few months later, human rights defender Ahmed Mansoor shared two text messages with us that contained links we had identified as part of the exploit infrastructure. We were able to trigger the exploit infrastructure against a device and capture the payload.
Fig-3 Text messages containing links to the NSO-group exploit infrastructure, which we first discovered with a RiskIQ PassiveTotal search
This led to the discovery of a remote jailbreak using a chain of zero-days. The report that we wrote received international attention and illustrated the dangers associated with the proliferation of government-exclusive malware.
View the Stealth Falcon Public Project here: https://passivetotal.org/projects/a24e1b09-1dda-63e5-3bee-96422af0dc9c
Our investigations often begin with a single domain, IP address, or piece of malware. RiskIQ PassiveTotal, either when used via the web interface or Maltego, enables us to quickly identify other potentially linked indicators.
When we identified a string of phishing e-mails in Latin America that targeted human rights defenders and journalists, we were able to connect the phishing infrastructure to both malware command and control servers, as well as a pattern of fake news websites.
Fig-4 mgoogle[.]us, the original phishing domain, as it appeared during the PackRat campaign
Using RiskIQ PassiveTotal, we connected the domain registration information from an initial phishing e-mail to a range of other malicious and fake news websites:
Fig-5 Data from RiskIQ PassiveTotal showing some of the malicious and fake news websites associated with PackRat
RiskIQ PassiveTotal helped us characterize and make sense of a campaign that contained a vast array of elements, including phishing, malware, fake news, and fake organizations:
Fig-6 Fake news website as it appeared during the investigation of PackRat. It was first identified through a RiskIQ PassiveTotal query
Ultimately, with the help of data pulled from RiskIQ PassiveTotal, we were able to characterize the Packrat group, an eight-year-long malware campaign targeting civil society groups throughout Latin America.
View the PackRat Public Project here: https://passivetotal.org/projects/d4db582a-bb38-4004-e7e8-2d4d57356e05
In the report Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans, The Citizen Lab tracked a technical shift in tactics from a threat actor, called Scarlet Mimic, previously reported by Palo Alto Networks. The report found that Scarlet Mimic repurposed parts of their malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like Google.
The investigation started when Tibetan groups sent us emails with links to fake Google login pages designed to steal credentials. Through a RiskIQ PassiveTotal search, we uncovered overlap between domains used to host the Google phishing pages and command and control infrastructure associated with previous Scarlet Mimic malware campaigns:
Fig-7 Results from a RiskIQ PassiveTotal search showing infrastructure associated with Scarlet Mimic
We mapped out the infrastructure in Maltego using the RiskIQ PassiveTotal Transform:
Fig-8 Domains linked to Scarlet Mimic identified with a RiskIQ PassiveTotal search graphed in Maltego
With RiskIQ PassiveTotal, we were able to track the activities of Scarlet Mimic over time and enrich our analysis of the group, showing a shift in technical tactics from targeted malware campaigns to conventional phishing. This change in tactics may have been a response to defensive measures taken by Tibetan groups, including avoiding sending and receiving file attachments by email.
View the Scarlet Mimic Public Project here: https://passivetotal.org/projects/8a7a2a68-9c77-c513-1b18-26fd2f8f1789
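The pivoting workflow described throughout this post (start from one IP, domain or e-mail address, use passive DNS and WHOIS records to reach linked indicators, then look for overlap between a phishing domain set and known command and control domains, as in the Packrat and Scarlet Mimic investigations) can be expressed as a small graph search. The script below is an added example written for this page; it is not code from Citizen Lab, RiskIQ or the PassiveTotal product. It assumes a flat list of passive-DNS resolutions and WHOIS registrant e-mails of the kind an analyst would export from a lookup; every domain, IP address and e-mail in it is constructed (RFC 5737 documentation ranges and the `.test` TLD) and is not an indicator from any real campaign. It also shows the check a practitioner wants when pivoting: a `max_degree` guard so that a shared-hosting IP or a WHOIS privacy address with hundreds of neighbours is not treated as a link.

```python
"""Infrastructure pivoting over passive DNS and WHOIS data (added example).

All domains, IPs and e-mail addresses below are constructed for illustration;
none is a real PassiveTotal record or a real indicator of compromise.
"""
from collections import defaultdict, deque

# Constructed passive-DNS resolutions: (domain, ip)
PDNS = [
    ("login-mail-check.test", "192.0.2.10"),   # phishing page (constructed)
    ("accounts-verify.test", "192.0.2.10"),    # phishing page (constructed)
    ("accounts-verify.test", "203.0.113.9"),   # also parked on a shared host
    ("c2-updater.test", "192.0.2.20"),         # known malware C2 (constructed)
    ("news-portal.test", "198.51.100.5"),      # fake news site (constructed)
] + [(f"blog-{c}.test", "203.0.113.9") for c in "abcde"]  # shared-hosting noise

# Constructed WHOIS registrant e-mails: (domain, registrant_email)
WHOIS = [
    ("login-mail-check.test", "registrant1@mail.test"),
    ("c2-updater.test", "registrant1@mail.test"),
    ("news-portal.test", "registrant1@mail.test"),
    ("accounts-verify.test", "other@mail.test"),
]


def build_graph(pdns, whois):
    """Build an undirected graph whose nodes are (kind, value) tuples.

    A domain is linked to each IP it resolved to and to each registrant
    e-mail found in its WHOIS record, so a pivot can move domain -> IP ->
    domain or domain -> e-mail -> domain, exactly the hops an analyst makes.
    """
    graph = defaultdict(set)
    for domain, ip in pdns:
        graph[("domain", domain)].add(("ip", ip))
        graph[("ip", ip)].add(("domain", domain))
    for domain, email in whois:
        graph[("domain", domain)].add(("email", email))
        graph[("email", email)].add(("domain", domain))
    return graph


def pivot(graph, seed, max_hops=2, max_degree=4):
    """Breadth-first pivot from `seed`; returns {node: hops_from_seed}.

    A node with more than `max_degree` neighbours (a shared-hosting IP, a
    WHOIS privacy e-mail) is still recorded when reached, but is never
    expanded: what lies behind it is co-tenancy, not shared infrastructure.
    """
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        neighbours = graph.get(node, ())
        if hops[node] >= max_hops:
            continue
        if node != seed and len(neighbours) > max_degree:
            continue  # hub node: record it, do not pivot through it
        for nxt in neighbours:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def shared_infrastructure(graph, domains_a, domains_b, max_degree=4):
    """Find IPs / e-mails that link a domain in set A to a domain in set B.

    Returns {pivot_node: (sorted A domains, sorted B domains)}. Hub nodes
    are skipped for the same reason as in pivot().
    """
    a = {("domain", d) for d in domains_a}
    b = {("domain", d) for d in domains_b}
    links = {}
    for node, neighbours in graph.items():
        if node[0] == "domain" or len(neighbours) > max_degree:
            continue
        hits_a, hits_b = neighbours & a, neighbours & b
        if hits_a and hits_b:
            links[node] = (sorted(v for _, v in hits_a),
                           sorted(v for _, v in hits_b))
    return links


if __name__ == "__main__":
    g = build_graph(PDNS, WHOIS)
    seed = ("domain", "login-mail-check.test")
    for node, h in sorted(pivot(g, seed).items(), key=lambda kv: kv[1]):
        print(f"hop {h}: {node[0]} {node[1]}")
    phishing = {"login-mail-check.test", "accounts-verify.test"}
    known_c2 = {"c2-updater.test"}
    for node, (hits_a, hits_b) in shared_infrastructure(g, phishing, known_c2).items():
        print(f"overlap via {node[0]} {node[1]}: phishing={hits_a} c2={hits_b}")
```

Run it with no arguments: the pivot from the constructed phishing domain reaches the second phishing page through the shared IP and both the C2 domain and the fake news site through the common registrant e-mail, while the five `blog-*.test` domains behind the shared-hosting IP are never pulled in. The overlap query then reports the registrant e-mail as the only node tying the phishing set to the C2 set, which is the kind of result that, in the post, tied Google phishing pages back to Scarlet Mimic's earlier malware infrastructure.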
Tools like RiskIQ PassiveTotal help Citizen Lab researchers punch above our weight. RiskIQ PassiveTotal’s support of Citizen Lab is an excellent example of how a threat intelligence product can be used to support investigations that contribute to the public good. View the Citizen Lab case study here.