RiskIQ PassiveTotal: Part of the Citizen Lab’s Core Workflow

May 23, 2017, Masashi Nishihata

The Citizen Lab is an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, that investigates targeted digital espionage operations against civil society groups. We are dependent on the generous support of companies, like RiskIQ, to help us access and work with threat intelligence products for our research.

Citizen Lab has been making key discoveries with RiskIQ PassiveTotal since the beginning of the service in May 2014. PassiveTotal is essential to our investigative and research workflow, and recently, a search using PassiveTotal led to the discovery of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, as well as other malware, phishing, and disinformation campaigns in the Middle East, Latin America, and the Tibetan community.

RiskIQ PassiveTotal is essential to the Citizen Lab's investigative and research workflow, helping us make several key discoveries.

Fig-1 The Million Dollar Dissident, a Citizen Lab report based on an investigation of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, which hinged on a PassiveTotal search

Million Dollar Dissident: A RiskIQ PassiveTotal Jackpot

While investigating the Stealth Falcon operation, a threat actor targeting UAE dissidents, we ran a series of IP addresses through RiskIQ PassiveTotal. The results included a domain, as well as an email address, that looked different from the Stealth Falcon infrastructure we were familiar with.

Pivoting out from these data points, we connected the email and domain to a domain that was registered to the NSO Group. Suspecting that these domains were part of an exploit delivery infrastructure, we began seeking evidence of messages containing links to the network:

Fig-2 A look inside RiskIQ PassiveTotal at the NSO Group-linked pieces of exploit infrastructure that led to the discovery of the iOS zero-day (as it appears today; note the flags for Citizen Lab research, NSO Group, and the targeting of civil society and human rights groups)

A few months later, human rights defender Ahmed Mansoor shared two text messages with us that contained links we had identified as part of the exploit infrastructure. We were able to successfully trigger the exploit infrastructure to fire against a device and captured the payload.

Fig-3 Text messages containing links to the NSO-group exploit infrastructure, which we first discovered with a RiskIQ PassiveTotal search

This led to the discovery of a remote jailbreak using a chain of zero-days. The report that we wrote received international attention and illustrated the dangers associated with the proliferation of government-exclusive malware.

View the Stealth Falcon Public Project here: https://passivetotal.org/projects/a24e1b09-1dda-63e5-3bee-96422af0dc9c

Investigating PackRat

Our investigations often begin with a single domain, IP address, or piece of malware. RiskIQ PassiveTotal, either when used via the web interface or Maltego, enables us to quickly identify other potentially linked indicators.

When we identified a string of phishing e-mails in Latin America that targeted human rights defenders and journalists, we were able to connect the phishing infrastructure to both malware command and control servers, as well as a pattern of fake news websites.

Fig-4 mgoogle[.]us, the original phishing domain, as it appeared during the PackRat campaign

Using RiskIQ PassiveTotal, we connected the domain registration information from an initial phishing e-mail to a range of other malicious and fake news websites:

Fig-5 Data from RiskIQ PassiveTotal showing some of the malicious and fake news websites associated with PackRat

RiskIQ PassiveTotal helped us characterize and make sense of a campaign that contained a vast array of elements, including phishing, malware, fake news, and fake organizations:

Fig-6 Fake news website as it appeared during the investigation of PackRat. It was first identified through a RiskIQ PassiveTotal query

Ultimately, with the help of data pulled from RiskIQ PassiveTotal, we were able to characterize the PackRat group, an eight-year long malware campaign targeting civil society groups throughout Latin America.

View the PackRat Public Project here: https://passivetotal.org/projects/d4db582a-bb38-4004-e7e8-2d4d57356e05

Tracking Operations against the Tibetan Community

In the report Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans, the Citizen Lab tracked a technical shift in tactics by a threat actor called Scarlet Mimic, previously reported by Palo Alto Networks. The report found that Scarlet Mimic repurposed parts of its malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like Google.

The investigation started when Tibetan groups sent us emails with links to fake Google login pages designed to steal credentials. Through a RiskIQ PassiveTotal search, we uncovered overlap between the domains used to host the Google phishing pages and the command and control infrastructure associated with previous Scarlet Mimic malware campaigns:

Fig-7 Results from a RiskIQ PassiveTotal search showing infrastructure associated with Scarlet Mimic

We mapped out the infrastructure in Maltego using the RiskIQ PassiveTotal Transform:

Fig-8 Domains linked to Scarlet Mimic identified with a RiskIQ PassiveTotal search graphed in Maltego

With RiskIQ PassiveTotal, we were able to track the activities of Scarlet Mimic over time and enrich our analysis of the group, showing a shift in technical tactics from targeted malware campaigns to conventional phishing. This change in tactics may have been a response to defensive measures taken by Tibetan groups, including avoiding sending and receiving file attachments by email.
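The pivoting workflow described in the PackRat and Scarlet Mimic sections (start from one phishing domain or IP address, follow its resolutions and registrant details, and check whether the resulting set overlaps with known command and control hosts) is at bottom a walk over a graph of indicators. The script below is an added example of that walk; it is not Citizen Lab's or RiskIQ's code and does not call the PassiveTotal API. Every passive-DNS and WHOIS record in it is constructed sample data: the IP addresses come from the RFC 5737 documentation ranges and the domains use the reserved .example and .test names. The `max_fanout` cut-off is an assumption of this example, added because an IP that hosts many unrelated sites, or a privacy-proxy registrant address, would otherwise pull unrelated infrastructure into the result.

```python
"""Infrastructure pivoting over passive DNS and WHOIS records (added example)."""
from collections import defaultdict, deque

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
PDNS = [
    ("login-mail.example", "203.0.113.10", "2016-01-05", "2016-03-20"),      # phishing page seen by targets
    ("accounts-secure.example", "203.0.113.10", "2016-02-11", "2016-04-02"), # second phishing page
    ("update-srv.example", "203.0.113.10", "2015-06-01", "2015-12-30"),      # earlier malware C2 on the same host
    ("news-portal.example", "198.51.100.7", "2016-01-20", "2016-05-01"),     # fake news site, same registrant
    ("shop1.unrelated.test", "198.51.100.7", "2014-01-01", "2017-01-01"),    # shared hosting, unrelated
    ("blog2.unrelated.test", "198.51.100.7", "2014-01-01", "2017-01-01"),
    ("wiki3.unrelated.test", "198.51.100.7", "2014-01-01", "2017-01-01"),
    ("app4.unrelated.test", "198.51.100.7", "2014-01-01", "2017-01-01"),
]

# Constructed WHOIS style records: domain -> registrant email.
WHOIS = {
    "login-mail.example": "registrant-a@mail.example",
    "accounts-secure.example": "registrant-a@mail.example",
    "update-srv.example": "registrant-a@mail.example",
    "news-portal.example": "registrant-a@mail.example",
    "shop1.unrelated.test": "hostmaster@unrelated.test",
    "blog2.unrelated.test": "hostmaster@unrelated.test",
    "wiki3.unrelated.test": "hostmaster@unrelated.test",
    "app4.unrelated.test": "hostmaster@unrelated.test",
}


def build_graph(pdns, whois):
    """Undirected graph of indicators. A domain links to each IP it resolved to
    and to the registrant email in its WHOIS record; the edge label records
    which kind of pivot (resolution or registration) connects the two nodes."""
    graph = defaultdict(dict)
    for domain, ip, _first_seen, _last_seen in pdns:
        graph[domain][ip] = "resolution"
        graph[ip][domain] = "resolution"
    for domain, email in whois.items():
        graph[domain][email] = "registration"
        graph[email][domain] = "registration"
    return graph


def pivot(seed, graph, max_depth=4, max_fanout=4):
    """Breadth-first pivot outward from one indicator.

    Returns {indicator: path}, where path is the list of (node, edge_label)
    hops that led from the seed to that indicator. A node with more than
    max_fanout neighbours (a shared-hosting IP, a privacy-proxy registrant
    address) is still recorded as reachable but is not expanded further,
    because pivoting through a hub drags in unrelated infrastructure."""
    found = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth or len(graph[node]) > max_fanout:
            continue
        for neighbour, label in graph[node].items():
            if neighbour not in found:
                found[neighbour] = found[node] + [(node, label)]
                queue.append((neighbour, depth + 1))
    return found


def shared_infrastructure(domains_a, domains_b, graph):
    """IPs and registrant addresses that two sets of domains have in common,
    e.g. phishing domains on one side and known C2 domains on the other.
    A non-empty result is the kind of overlap that ties a phishing campaign
    to an earlier malware campaign."""
    def neighbours(domains):
        out = set()
        for domain in domains:
            out.update(graph[domain])
        return out
    return neighbours(domains_a) & neighbours(domains_b)


if __name__ == "__main__":
    graph = build_graph(PDNS, WHOIS)
    for indicator, path in pivot("login-mail.example", graph).items():
        hops = " -> ".join(f"{node} ({label})" for node, label in path)
        print(f"{indicator}: {hops or 'seed'}")
    overlap = shared_infrastructure(
        {"login-mail.example", "accounts-secure.example"}, {"update-srv.example"}, graph)
    print("phishing/C2 overlap:", sorted(overlap))
```

Running the script from the seed phishing domain reaches the second phishing page and the older C2 domain through the shared host, and the fake news site through the shared registrant address; the four `unrelated.test` domains are never listed, because the IP they share with the fake news site exceeds the fan-out cut-off and is not expanded. Each result carries its pivot path, which is what an analyst needs when deciding whether a link is strong (a dedicated host, a unique registrant) or weak (a busy shared IP).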

View the Scarlet Mimic Public Project here: https://passivetotal.org/projects/8a7a2a68-9c77-c513-1b18-26fd2f8f1789

The Power of Collaboration

Tools like RiskIQ PassiveTotal help Citizen Lab researchers punch above our weight. RiskIQ PassiveTotal’s support of Citizen Lab is an excellent example of how a threat intelligence product can be used to support investigations that contribute to the public good. View the Citizen Lab case study here.
