Mars Rover: Code Used for Espionage

Tuesday, March 1, 2016 @ 05:03 PM gHale


Malware that has a connection to Mars?

It is possible: open source libraries used in the Mars Rover software turned up as part of a cyber espionage campaign.


India has been a business partner of Afghanistan, helping the embattled country build its new Parliament complex, the Salma Dam, along with transportation, energy and infrastructure projects.

Because of the collaboration between the two countries, other entities, be they nations or interest groups, have a keen interest in what is going on.

So it may not be just a coincidence that on December 24 India’s Ambassador to Afghanistan received a spear-phishing email carrying a new malware variant, which, if downloaded and installed, would have opened a backdoor on the official’s computer, said researchers at Palo Alto Networks.

The email was spoofed and made to look like it was coming from India’s Defense Minister, Manohar Parrikar. Attached to the email was an RTF file.

The file contained malicious code to exploit the CVE-2010-3333 Office XP vulnerability, resulting in the download of a file named “file.exe” from the newsumbrealla[.]net domain, researchers said.

This file was executed automatically and was a simple malware payload dropper whose job was to download the real threat, a Trojan the researchers named Rover.

The Trojan relied on the OpenCV and OpenAL open source libraries, both used in the software deployed with the Mars Rover exploration robot.

OpenCV is a library used in computer vision applications and image processing while OpenAL is a cross-platform library for working with multichannel audio data.

The Rover malware needed these two libraries because its main role was to spy on infected targets. Its capabilities included the ability to take screenshots of the desktop in BMP format and send them to the C&C server every 60 minutes, logging keystrokes and uploading the data to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes.

There was also a backdoor component that let attackers send commands from the C&C server and tell Rover to take screenshots or start recording video (via webcam) and audio (via microphone) whenever the attacker wanted.
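The fixed upload cadence described above (keystrokes every 10 seconds, screenshots and documents every 60 minutes) is the kind of regularity a defender can hunt for in proxy logs. The following detector is an added example, not code from the article or from Palo Alto Networks: it groups requests by source host and destination domain and flags pairs whose inter-request gaps are nearly constant. The log format, host names and the placeholder domain are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): "<ISO timestamp> <src host> <dst domain> <bytes>"
# ws-12 contacts a placeholder domain every 10 seconds; ws-07 browses at irregular intervals.
SAMPLE_LOG = """\
2016-02-01T09:00:00 ws-12 c2-placeholder.invalid 1480
2016-02-01T09:00:10 ws-12 c2-placeholder.invalid 1502
2016-02-01T09:00:20 ws-12 c2-placeholder.invalid 1491
2016-02-01T09:00:30 ws-12 c2-placeholder.invalid 1477
2016-02-01T09:00:40 ws-12 c2-placeholder.invalid 1510
2016-02-01T09:00:50 ws-12 c2-placeholder.invalid 1488
2016-02-01T09:00:03 ws-07 news.example.org 25011
2016-02-01T09:01:49 ws-07 news.example.org 8022
2016-02-01T09:02:05 ws-07 news.example.org 3102
2016-02-01T09:07:31 ws-07 news.example.org 44012
2016-02-01T09:15:02 ws-07 news.example.org 2990
"""

def parse_lines(text):
    """Yield (timestamp, src, dst, bytes) tuples from the space-separated format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)

def find_beacons(text, min_events=5, max_cv=0.15):
    """Return {(src, dst): mean gap in seconds} for flows whose request gaps are
    nearly constant. min_events: minimum requests per pair before judging it;
    max_cv: largest allowed coefficient of variation (stdev / mean) of the gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_lines(text):
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few requests to call the timing periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = avg
    return hits

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: regular contact every {period:.0f}s")
```

Real traffic also contains benign periodic clients (update checks, mail polling), so flagged pairs are leads for triage rather than verdicts.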

“Though ‘Rover’ is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim,” Palo Alto researchers said.

Rover is largely undetected by today’s antivirus engines, and despite not coming with that many features, it is successful at keeping a low profile, exactly what cyber espionage groups are looking for.