by Kent Backman and Kevin Stear, RSA Research
If a sophisticated exploitation campaign is broad enough, it will attract the attention of multiple threat researchers. Such is the case of the malicious, multi-faceted exploitation campaign and botnet RSA Research has dubbed "Schoolbell." In this blog, RSA will build on existing industry research and dig deeper to describe notable aspects of the Schoolbell botnet. It is unusual to observe a botnet of this size being operated by advanced threat actors, typically known for their targeted campaigns. However, based on the data uncovered in our investigation, we propose a possible purpose behind the harvesting and utilization of the Schoolbell botnet by a known advanced threat actor hereafter referenced as simply "the actor."
RSA Research has long been tracking this threat activity and, in particular, the code and tools used in past compromises of various industries and organizations. Our research became more focused when, in April of 2016, a senior researcher discovered an interesting zero-detection Trojan (Figure 1). That discovery led our team to investigate and sinkhole google-dash[.]com, the primary command and control (C2) domain for this malware. It's important to note that threat actors often use domains which look like popular, well-known domains but have no link to the legitimate domain or company, as is the case throughout this research.
Figure 1. "Zero detection" malware sample
Once google-dash[.]com was sinkholed, our investigation diversified into botnet-related malcode, infrastructure, and other suspect domains. By the end of April 2016, RSA had sinkholed six Schoolbell-related C2 domains and identified malware calling back to these domains, including the Rekaf, CustomTCP, and PGV_PVID Trojans as well as a Bergard Remote Access Trojan (RAT). Much of this malware was zero detection on VirusTotal (VT) at the time of initial infection, and for several months afterwards.
Dating back to March 2015, the Schoolbell campaign appears to be part of a larger endeavor for wholesale retooling and infrastructure harvesting by the actor. The rough backstory of Schoolbell's malware and domains is captured in Figure 2.
Figure 2. Schoolbell Timeline
It is important to note that no sound research exists in a vacuum, and we want to ensure credit is given to our industry colleagues at Palo Alto Unit 42[i], Proofpoint[ii], and Cisco Talos[iii], who each laid vital groundwork for much of the Schoolbell botnet research. In particular, the work of both Unit 42 and Proofpoint was extremely useful in the analysis of malware associated with the Schoolbell botnet (and previous potentially-related campaigns). Our peers at Talos aptly identified a separate campaign from different actors using JSP webshells instead of Windows malware. The principal infection vertical, academia, was the reason why we called this campaign Schoolbell. That vertical, and quite a few targets, did in fact overlap between the different campaigns because of common vulnerabilities that were exploited by the different actors.
Since the registration of the first domains in early 2015, Schoolbell has been an active botnet. At peak traffic, prior to initial subject notification and remediation efforts, RSA Research identified nearly two thousand unique infections in the Schoolbell infrastructure. A global map of Schoolbell infections is shown in Figure 3.
Figure 3. Global map of Schoolbell malware infections
While it is sometimes challenging to identify the infected organizations calling back to a sinkhole, RSA confirmed and notified a significant number of affected academic institutions where Schoolbell appears to have been particularly adept at infecting a multitude of hosts. Specifically noted in the victimology were a large number of K-12 and municipal libraries, as well as institutions of higher education spanning the United States and Western Europe. One major university in Western Europe had 25 different servers across multiple campuses infected with Schoolbell malware prior to notification from RSA.
Research to date reveals no direct evidence that Schoolbell actors specifically targeted academic institutions, and yet, the campaign most likely benefitted from the compromise of academic infrastructure. Network visibility and security are generally more relaxed in many of these environments, especially when compared to typical commercial enterprises of similar size. This offers both a soft target and potential for improved longevity for undetected operations. Additionally, the perceived benign nature of academic networks could successfully obscure malicious activity from traditional network defense capabilities. In short, if actors purposed Schoolbell to be operational relay/staging infrastructure, academic institutions may represent an ideal target vertical.
Indeed, further analysis showed a specific JBOSS-powered application to be in use at more than two hundred of Schoolbell's victims. Forensic analysis demonstrated that this application was subject to Java object deserialization vulnerabilities not only exposed in JBOSS, but also other Java web containers such as GlassFish and Jenkins that used the Apache Commons library[iv]. These web application servers were noted in the infected systems calling back to the Schoolbell malware sinkhole. RSA Research's observation is that exploitation of deserialization vulnerabilities may have been a primary attack vector for Schoolbell, and correlates with observations from Proofpoint in the campaign they dubbed Bassos[v].
Analysis of victim callbacks to RSA sinkholes also showed the prevalence of victim infrastructure at various levels of government across the globe. These data indicate that the Schoolbell campaign has also been successful in infecting a wide range of victims, from small municipalities across North and South America all the way to national/federal level organizations in Asia and Europe.
The Shadow Botnet
A significant design aspect of the Schoolbell campaign is the actor's employment of Tox peer-to-peer (P2P) tools that leverage NaCl (or salt) encryption. NaCl is "a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc."[vi] which effectively protects the privacy of all activity carried under the Tox protocol. In forensic investigation of a sample of Schoolbell compromised systems, RSA Research observed that a TXER Tox RAT was installed on every one of the systems examined.
More significantly, we also noted the presence of several underlying TXER RAT plugins, which provide the actors robust capabilities to operate under the protection of Tox's strong encryption. RSA Research believes that these custom coded TXER plugins help to explain the utility of the Schoolbell infrastructure to the actors. One TXER plugin named "Mail" was designed for proxying email and other Internet client/server traffic. Another plugin, named "FileDown", was designed for file transfer, and finally the third, "DDoS", was designed to launch Denial of Service attacks. This is the first time we have seen this actor employ any DoS capabilities.
While investigating an apparent Schoolbell operational hub on a compromised academic server within the TXER shadow infrastructure, RSA Research discovered an extremely capable, modular exploit toolkit deployed by the Schoolbell actors. This toolkit had previously been discovered by the Center for Cybersecurity (CFCS) in the Danish Defense Intelligence Service. The Danish CFCS reverse engineered the toolkit, concluding:
"The malware is an embedded Python interpreter wrapped in a command line tool able to load and execute Python modules from an embedded and packed sqlite3 database. It is speculated that this tool is the main attack tool used by an actor in a wave of JBoss server attacks."[vii]
We believe that the robust capabilities of these TXER plugins, the high degree of anonymity granted by the Tox P2P network, and the sophisticated, carefully protected exploitation toolset together illustrate a higher level of sophistication and are possibly indicative of newer generation development efforts by this actor.
In spite of this anonymity, there are several artifacts from the Tox distributed hash tables (DHT) bootstrapping process that can be leveraged to successfully identify Tox P2P activity. During this process, Tox applications also require connectivity out to known public Tox supernodes[viii] (Figure 4).
Figure 4 TXER-RAT connections to Tox supernodes as observed in RSA NetWitness Logs and Packets (Formerly known as Security Analytics)
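One way to hunt for the supernode connectivity described above in exported flow records, as an added example (not RSA content or code from the original post): it flags internal hosts that reach several distinct supernodes within a short window. The supernode addresses, flow record format, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder list (RFC 5737 documentation addresses); in practice
# load the current public Tox bootstrap ("supernode") list here.
TOX_SUPERNODES = {"192.0.2.10", "192.0.2.44", "198.51.100.7", "203.0.113.90"}

# Constructed flow records: timestamp, source, destination, protocol, port.
SAMPLE_FLOWS = """\
2016-04-20T10:00:01 10.1.5.20 192.0.2.10 udp 33445
2016-04-20T10:00:02 10.1.5.20 192.0.2.44 udp 33445
2016-04-20T10:00:09 10.1.5.20 198.51.100.7 udp 33445
2016-04-20T10:02:00 10.1.5.31 192.0.2.10 tcp 443
2016-04-20T10:03:00 10.1.5.40 198.51.100.200 tcp 443
2016-04-20T11:30:00 10.1.5.31 203.0.113.90 tcp 443
2016-04-20T13:00:00 10.1.5.31 192.0.2.44 tcp 443
"""

def parse_flows(text):
    """Yield (timestamp, src, dst) from whitespace-separated flow lines."""
    for line in text.strip().splitlines():
        ts, src, dst, _proto, _dport = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_tox_bootstrap(flows, min_nodes=3, window_minutes=5):
    """Return {src: [supernodes]} for hosts that contact at least min_nodes
    distinct supernodes inside one sliding window (assumed thresholds)."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ts, src, dst in flows:
        if dst in TOX_SUPERNODES:  # match on address only, not on port
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            nodes = {dst for _, dst in events[start:end + 1]}
            if len(nodes) >= min_nodes:
                flagged[src] = sorted(nodes)
                break
    return flagged

if __name__ == "__main__":
    for host, nodes in find_tox_bootstrap(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "contacted", len(nodes), "supernodes:", ", ".join(nodes))
```

Requiring several distinct supernodes in one window keeps a single stray connection to a listed address from raising an alert; tune both thresholds against your own baseline.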
Infrastructure reuse from other Espionage campaigns
Microsoft-cache[.]com[ix], another Schoolbell domain, was previously used to target a U.S. Healthcare Provider with Bergard RAT. A third Schoolbell domain, office365e[.]com[x], was used as C2 in a zero detection PGV_PVID RAT during a May 2015 campaign against a large international media corporation. Some two months later, a domain once owned by that same media firm (but allowed to expire) was registered by the actors and may have been part of the Schoolbell actor's ongoing espionage campaign.
Yet another Schoolbell infrastructure-tied domain closely mimics (.net instead of .com) the public domain used by a manufacturer in Hong Kong.
Notable in some of the Schoolbell malware is what looks to be common code shared with the Kingslayer backdoor: a supply chain targeting attack that is featured in a related publication. Figure 5 shows nearly identical code sections in a Kingslayer helper DLL and in Schoolbell-related malware, a Bergard Trojan DLL.
Figure 5 Code overlaps between Kingslayer and Schoolbell malware. Decompiled code screenshot courtesy Darien Huss of Proofpoint
This is additional evidence that the actors behind the Kingslayer software supply chain attack and Schoolbell infrastructure harvesting share a common malware development source, or are one and the same.
Schoolbell as operations infrastructure
Widespread infrastructure harvesting does represent a departure from the previous tactics, techniques and procedures (TTPs) employed by this actor. RSA Research's ongoing forensic and intrusion analysis of Schoolbell victims, aided by telemetry from SecureWorks, a Dell Technologies affiliate, is fairly conclusive. The existence of TXER RAT plugins for mail/proxy, file transfer, and DDoS is evidence that the botnet is being utilized for operational relay. RSA Research assesses the botnet's main purpose is, in fact, to opportunistically harvest IP space in order to obfuscate future, targeted actor operations.
As for current operations, multiple Schoolbell botnet systems were previously observed scanning and launching both manual and automated exploit attempts against SecureWorks clients. This gives us some confidence that the botnet has been active recently and is in routine use. However, the actor has likely decommissioned most of the known malware that used sinkholed domains for C2; it is also likely that the group is now relying more heavily on the near-bulletproof TXER Tox RAT and plugin capabilities. The TXER botnet is for true shadow operations from within Schoolbell.
Such a sustained level of operations seems at odds with an era of "perceived decline" from this actor[xi]. In contrast, RSA Research believes this actor has been actively engaged in reinventing their tradecraft, and that the Schoolbell botnet is significant evidence to that end. It's time to shatter the illusion of decline in this group's activity; Mr. John Costello, Congressional Innovation Fellow, New America, said it well during a Hearing before the 114th U.S. Congress Second Session on 9 June 2016:
"Do I think the threat has gone down? Absolutely not. The thing about a...[centrally coordinated] model of cyber sort of espionage is that the overall number of intrusions will likely go down, but the sophistication and impact of those intrusions will go up dramatically"[xii].
If the purpose of Schoolbell is to provide benign IP-space from which to conduct actor operations, then wouldn't we also expect to see the botnet supporting more sophisticated and targeted attacks? RSA Research has identified just such targeted operations leveraging the Schoolbell infrastructure; Kingslayer is a supply chain attack that targets trusted tools for enterprise system administrators ... to conduct espionage. You can read more about Kingslayer.
Detection via Live content using RSA NetWitness® Suite
The RSA Research team has used its findings to help enable customers of the RSA NetWitness Suite to identify if they are affected by Schoolbell. The domains and IP addresses from the IOCs have already been added to the FirstWatch APT Domains and FirstWatch APT IPs feeds, respectively, in RSA Live. Matches can be found in RSA NetWitness for Packets using this pivot (Figure 6):
threat.desc = 'schoolbell'
Figure 6 threat.desc = 'schoolbell'
There is also Parser content for several pieces of the malware associated with this campaign including Rekaf (Figure 7), CustomTCP, and PGV_PVID. To utilize these Parsers, make sure you have subscribed to the following pieces of Live content:
Figure 7 Rekaf Parser
Figure 8 CustomTCP Parser
Figure 9. PGV_PVID Parser
The following screenshots show examples of traffic from the Rekaf (Figure 10), CustomTCP (Figure 11) and PGV_PVID (Figure 12) parsers.
Figure 10 Rekaf Parser match
Figure 11. CustomTCP Parser match
Figure 12 PGV_PVID parser match
Christian Roylo, SecureWorks
Darien Huss, Proofpoint
Author: Kent Backman