Researcher Identifies Another Group Mentioned in The Shadow Brokers Dump

Posted by Megiddo (President, Staff member)
In 2016, The Shadow Brokers stole hacking tools from the US National Security Agency (NSA). The group then explained that the tools had belonged to the Equation Group, a hacking group that security researchers had long linked directly to the NSA. For a long time The Shadow Brokers tried to sell the stolen government malware, but in the end they found no buyers. As a result, in the spring of 2017, they published the “Lost in Translation” dump for free, in the public domain.

Among the tools released by The Shadow Brokers were the DoublePulsar backdoor and the EternalBlue exploit, notorious because WannaCry and NotPetya used them to spread around the world.

However, The Shadow Brokers dump contained not only these famous tools, but also a lot of other interesting information. In particular, the sigs.py file attracted the interest of the information security community from the very beginning, since it represents a real gold mine of data on cyber-espionage operations and threat intelligence.

It is believed that this file is a very simple malware scanner that NSA operators ran on compromised computers to detect traces of activity by various “competing” hacking groups. sigs.py contains 44 signatures for detecting files (hacking tools) deployed by other attackers. The signatures were numbered from 1 to 45, but number 42 was missing.
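To make the structure of such a numbered-signature scanner concrete, here is an added Python sketch. It is not the sigs.py from the dump and reproduces none of its signatures: every pattern, path, group label and the byte-regex matching approach are constructed assumptions for illustration. Each entry pairs a number with a byte pattern and an optional attribution, the scanner checks a file's contents against every entry, and two helpers report gaps in the numbering (the text notes that 42 is absent) and entries that remain unattributed, which is the situation the article describes for the 15 still-unidentified signatures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    number: int                 # position in the numbered signature list
    pattern: bytes              # byte regex applied to file contents (assumed matching method)
    attribution: Optional[str]  # None = not yet attributed to any group


# Constructed placeholder signatures; none of these are real sigs.py entries.
SIGNATURES: Dict[int, Signature] = {
    1: Signature(1, rb"CONSTRUCTED_MARKER_ALPHA", "placeholder group A"),
    # MZ header followed, within 64 bytes, by a constructed stub string
    2: Signature(2, rb"\x4d\x5a.{0,64}?CONSTRUCTED_STUB", "placeholder group B"),
    37: Signature(37, rb"CONSTRUCTED_TAG_\d{4}", "placeholder group C"),
    41: Signature(41, rb"CONSTRUCTED_UNKNOWN_41", None),
    43: Signature(43, rb"CONSTRUCTED_UNKNOWN_43", None),
}


def missing_numbers(sigs: Dict[int, Signature], lo: int, hi: int) -> List[int]:
    """Numbers in [lo, hi] that have no signature entry."""
    return [n for n in range(lo, hi + 1) if n not in sigs]


def unidentified(sigs: Dict[int, Signature]) -> List[int]:
    """Signature numbers that carry no attribution."""
    return sorted(n for n, s in sigs.items() if s.attribution is None)


def scan_bytes(data: bytes, sigs: Dict[int, Signature] = SIGNATURES) -> List[int]:
    """Return the numbers of every signature whose pattern matches `data`."""
    hits: List[int] = []
    for n in sorted(sigs):
        # DOTALL so '.' also matches NUL and newline bytes inside binaries
        if re.search(sigs[n].pattern, data, re.DOTALL):
            hits.append(n)
    return hits


def scan_files(files: Dict[str, bytes],
               sigs: Dict[int, Signature] = SIGNATURES) -> Dict[str, List[int]]:
    """Scan an in-memory {path: contents} map; a real tool would read from disk."""
    return {path: scan_bytes(data, sigs) for path, data in files.items()}


# Constructed sample "files" standing in for a scanned host's file system.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\placeholder\tool.dll": b"MZ" + b"\x00" * 12 + b"CONSTRUCTED_STUB" + b"\x90" * 8,
    r"C:\placeholder\cfg.dat": b"\x01\x02 CONSTRUCTED_TAG_2011 \x03",
    r"C:\placeholder\readme.txt": b"no markers in this file",
}


def report(files: Dict[str, bytes] = SAMPLE_FILES,
           sigs: Dict[int, Signature] = SIGNATURES) -> List[str]:
    """One line per hit, naming the attribution or flagging it as unidentified."""
    lines: List[str] = []
    for path, hits in scan_files(files, sigs).items():
        for n in hits:
            label = sigs[n].attribution or "unidentified"
            lines.append(f"{path}: signature {n} ({label})")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
    print("missing numbers 1..45:", missing_numbers(SIGNATURES, 1, 45))
    print("unattributed signatures:", unidentified(SIGNATURES))
```

The `attribution` field is the point of the exercise: a hit on an entry whose attribution is `None` tells a defender that a known tool is present even though nobody has yet tied the pattern to a named group, which is exactly the state the article says 15 of the real signatures are still in.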

Many experts noticed that the file covers far more groups than are known to the infosec community and to the large companies specializing in security. Even now, three years after publication, 15 signatures from sigs.py remain unidentified; in other words, the NSA still understands foreign hacking operations better than many cybersecurity vendors.

This week, at the OPCDE virtual cybersecurity summit, researcher Juan Andrés Guerrero-Saade said he had discovered the group hiding in that file at number 37. More precisely, the researcher corrected an incorrect attribution: number 37 had previously been assumed to refer to the Chinese APT Iron Tiger.

Juan Andrés Guerrero-Saade is a former employee of Kaspersky Lab and Google. He said that signature number 37 was designed to track a hacking group which, in his opinion, could be based in Iran. The researcher named the group Nazar APT (after a string found in the malware code). He says the group's activity is not associated with any publicly known APT and dates back to 2008, although overall the group appears to have been most active between 2010 and 2013.

The researcher claims that, with the help of his own anonymous sources, he was able to identify victims of the Nazar APT attacks who are still infected with the malware matched by signature number 37. According to him, the victims are located exclusively in Iran.

“It is interesting (and I mention this because the malware is very old and aimed at such old versions of Windows as Windows XP and below) that this APT still has victims who are in Iran. Whenever Iran is talked about as an attacking side, we immediately think about the victims in the West <...>, but when it comes to attacks on Iran itself, we tend to suspect Western APTs,” says Guerrero-Saade. “In this case, if we take the entire attribution literally, it’s a kind of challenge to this generally accepted opinion, since the Iranian cluster of activity under consideration is aimed exclusively at targets within Iran itself.”