Initial Look at FireEye's Saffron Rose Report

Tue 13 May 2014 by Wesley
FireEye just posted a new report, Operation Saffron Rose, on a likely Iran-based hacker group, the Ajax Security Team. It's always interesting to read reports like this as they come out and try to see what you can find on Google and various malware-related sites before all of the search results get polluted by folks discussing the report itself. This post will document a couple of the things I have found on my initial glance at the Saffron Rose report.
I do this frequently to get samples with interesting back-story for my reverse engineering classes. Often, you can't find the exact samples they discuss, but frequently you can play around with the information given to find variants. Sometimes the samples have been sitting in VirusShare for some time, just waiting for the attention!
On page 13 of the report, there's a diagram of Ajax Security Team's phishing infrastructure, with a number of domain names partially redacted. If those names are of interest to you, many of them are listed in full on the following VirusTotal page:
An IP address on page 14 has a number of hits on VirusTotal as well. This one's notable since, at least at this moment, some of the phishing sites hosted there are still active.
I had less luck than usual finding samples of the Ajax Security Team malware discussed in the report, but I may have tracked down one sample of the "Stealer" implant (though well short of finding the Stealer Builder, nice job FireEye). The following sample on malwr has an exact match for a PDB string ("f:\Projects\C#\Stealer\source\Stealer\Stealer\obj\x86\Release\Stealer.pdb") discussed in the report:
Thankfully, unlike many super-secret-squirrel samples found on malwr, the uploader of that one kindly left it such that we can download the sample. I have yet to do any further analysis to confirm similarities (or to further the published analysis), but I wanted to share it for other malware enthusiasts to go ahead and start picking at.
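As an added illustration of the PDB-string pivot used above (this is example code, not anything from the post, FireEye's report, or the malwr sample): scan a file for CodeView "RSDS" records, pull out the embedded PDB path, and compare it against the string quoted from the report, also flagging near-matches where only the build directory differs, which is how you'd hunt for rebuilt variants. The sample bytes below are constructed; the only real value is the Stealer.pdb path quoted above.

```python
import re
import struct

# PDB path quoted in the Saffron Rose report (from the post above).
REPORT_PDB = r"f:\Projects\C#\Stealer\source\Stealer\Stealer\obj\x86\Release\Stealer.pdb"

# CodeView RSDS record layout: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path.
# A raw byte scan can false-positive on arbitrary data; the PE debug directory is the
# authoritative location, but the scan is what most triage scripts actually do.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list:
    """Return every RSDS record found in the bytes as {guid, age, path} dicts."""
    hits = []
    for m in _RSDS.finditer(data):
        guid_raw, age_raw, path = m.groups()
        d1, d2, d3 = struct.unpack("<IHH", guid_raw[:8])          # first three GUID fields are little-endian
        guid = "%08x-%04x-%04x-%s-%s" % (d1, d2, d3, guid_raw[8:10].hex(), guid_raw[10:].hex())
        hits.append({"guid": guid, "age": struct.unpack("<I", age_raw)[0],
                     "path": path.decode("latin-1")})
    return hits


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def match_pdb(sample_path: str, report_path: str = REPORT_PDB, tail_components: int = 5) -> str:
    """'exact' if identical (case-insensitive); 'variant' if the last N path components
    match (same project rebuilt from another drive/directory); otherwise 'none'."""
    s, r = _normalize(sample_path), _normalize(report_path)
    if s == r:
        return "exact"
    if s.split("\\")[-tail_components:] == r.split("\\")[-tail_components:]:
        return "variant"
    return "none"


def constructed_sample() -> bytes:
    """Constructed stand-in for a PE file: junk around a single RSDS record (GUID and age made up)."""
    guid = bytes(range(16))
    return (b"MZ" + b"\x00" * 64 + b"RSDS" + guid + struct.pack("<I", 3)
            + REPORT_PDB.encode() + b"\x00" + b"\x90" * 32)


if __name__ == "__main__":
    for rec in extract_pdb_paths(constructed_sample()):
        print(rec["guid"], rec["age"], rec["path"], "->", match_pdb(rec["path"]))
```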