FBI – Intelligence Division – Cuba – Panama – Secret Warning – Original Document

Become a Patron!
True Information is the most valuable resource and we ask you to give back.

Page 1 of ESP-CUBA-PANAMA; RA-CUBA-PANAMA

Internal FBI Memo Regarding The Rosseli Murder & Letelier Assassination – Original Document


Orlando Letelier
Page 1 of LETELIER ASSASSINATION - ROSSELLI TRACES

The FBI Investigation Of Deep Throat And The Devil In Mrs. Jones – Original Document



CISA & FBI – DarkSide Ransomware – Best Practices For Preventing Business Disruption From Ransomware Attacks – Original Document


Lazarus Group Brings APT Tactics to Ransomware | Threatpost

Revealed – FBI Headquarters Backdoors, Washington, DC, US


38°53’41.01″ N 77°01’29.50″ W

Unveiled – As done by “GoMoPa” – Cyber Bulletin: Korean Malware Potentially Used in Sony Pictures Attack


 

The following bulletin was posted on the document-sharing website Scribd by Politico cybersecurity editor Shaun Waterman. The bulletin refers to Korean malware used by “unknown computer network exploitation (CNE) operators” that is believed to have been used in the recent attack on Sony Pictures Entertainment. These actions resemble the “GoMoPa” cyber-attacks. The bulletin was first reported by Reuters on December 1, 2014.


FBI Liaison Alert System #A-000044-mw

  • 5 pages
  • TLP: GREEN
  • December 1, 2014


The FBI is providing the following information with HIGH confidence:

Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.

TECHNICAL DETAILS

The FBI is providing the following information with HIGH confidence:

This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH, and given highest priority for enhanced mitigation.
The aforementioned actors have used the identified domain names and IP addresses as both source and/or destination addresses. The FBI is distributing the indicators associated with this attack to enable network defense activities and reduce the risk of similar attacks in the future. The FBI has high confidence that these indicators are being used by CNE operators for further network exploitation. The FBI recommends that your organization help victims identify and remove the malicious code.

Below are descriptions of malware and associated malware signatures:

The malware has the following characteristics:

File: d1c27ee7ce18675974edf42d4eea25c6.bin
Size: 268579 bytes (262.3 KB)
MD5: D1C27EE7CE18675974EDF42D4EEA25C6
PE Compile Time: 2014-11-22 00:06:54
Language pack of resource section: Korean

The original filename of this file is unknown, but it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware, “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, then terminated.

The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, then terminated.

The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument.

The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

The following files were added:
C:\Documents and Settings\User\Desktop\igfxtrayex.exe
C:\WINDOWS\system32\net_ver.dat

The following strings of interest were in this dropper file:

– – – BEGIN STRINGS – – –
recdiscm32.exe
taskhosts64.exe
taskchg16.exe
rdpshellex32.exe
mobsynclm64.exe
comon32.exe
diskpartmg16.exe
dpnsvr16.exe
expandmn32.exe
hwrcompsvc64.exe
cmd.exe /q /c net share shared$ /delete
\\%s\admin$\syswow64
\\%s\admin$\system32
cmd.exe /q /c net share shared$=%SystemRoot%
cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL
RasSecurity
RasMgrp
cmd.exe /c wmic.exe /node: "%s" /password: "%s" PROCESS CALL CREATE "%s" >
%s
WinsSchMgmt
Windows Schedule Management Service
– – – END STRINGS – – –

File: net_ver.dat
Size: 4572 bytes (4.5 KB)
MD5: 93BC819011B2B3DA8487F964F29EB934

This is a configuration file containing what appear to be hostnames, IP addresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”. The victim IP addresses in this file correspond with the victim IP addresses listed under the file with MD5 hash D1C27EE7CE18675974EDF42D4EEA25C6 (noted above).
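The bulletin describes net_ver.dat only by its layout. The following Python is an added example (not part of the FBI alert) that parses that “HOSTNAME | IP Address | 2” layout, extracts the SMB target list, and then cross-checks a constructed connection log for hosts that are already attempting TCP 445/139 to those targets, i.e. hosts that are running the spreader. The hostnames, addresses and log format are invented for the example; only the field layout and the two SMB ports come from the bulletin.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the "HOSTNAME | IP Address | 2" layout the bulletin
# describes. Names and addresses (RFC 5737 test ranges) are invented; two
# deliberately malformed lines exercise the skip logic.
SAMPLE_NET_VER_DAT = """\
FILESRV01 | 192.0.2.15 | 2
MAILGW | 198.51.100.7 | 2
this line is garbage
WORKSTN-22 | 203.0.113.88 | 2
BADHOST | not-an-ip | 2
DUPE | 192.0.2.15 | 2
"""

# Constructed connection log: "<ts> <src> -> <dst>:<port> <proto>". Assumed format.
SAMPLE_CONN_LOG = """\
2014-11-24T04:20:01Z 10.0.0.5 -> 192.0.2.15:445 tcp
2014-11-24T04:20:01Z 10.0.0.5 -> 198.51.100.7:139 tcp
2014-11-24T04:20:02Z 10.0.0.9 -> 192.0.2.15:80 tcp
2014-11-24T04:20:03Z 10.0.0.7 -> 203.0.113.88:445 tcp
"""

SMB_PORTS = ("445", "139")  # ports the "-s" instance uses against victims


@dataclass(frozen=True)
class TargetEntry:
    hostname: str
    ip: str
    flag: str


def parse_net_ver_dat(text):
    """Parse 'HOSTNAME | IP | 2' lines; lines that do not fit are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 3:
            continue
        hostname, ip, flag = parts
        try:
            ipaddress.ip_address(ip)  # reject anything that is not an address
        except ValueError:
            continue
        entries.append(TargetEntry(hostname, ip, flag))
    return entries


def target_ips(entries):
    """Unique victim IPs in first-seen order: the hosts the wiper will hit."""
    seen = []
    for e in entries:
        if e.ip not in seen:
            seen.append(e.ip)
    return seen


def hosts_at_risk(entries, my_ips):
    """Hostnames from the list whose IP belongs to the asking organisation."""
    mine = set(my_ips)
    return sorted({e.hostname for e in entries if e.ip in mine})


def find_spreaders(conn_log, targets):
    """Map source host -> set of target IPs it touched on 445/139."""
    hits = {}
    for line in conn_log.splitlines():
        try:
            _ts, src, _arrow, dst_port, _proto = line.split()
            dst, port = dst_port.rsplit(":", 1)
        except ValueError:
            continue  # malformed line, ignore
        if dst in targets and port in SMB_PORTS:
            hits.setdefault(src, set()).add(dst)
    return hits


if __name__ == "__main__":
    entries = parse_net_ver_dat(SAMPLE_NET_VER_DAT)
    targets = target_ips(entries)
    print("targets:", targets)
    print("spreaders:", find_spreaders(SAMPLE_CONN_LOG, targets))
```

A host that shows up as a spreader has already executed the dropper; isolate it before the two-hour sleep in igfxtrayex.exe ends, and treat the machines in its target set as next in line.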

File: igfxtrayex.exe
Size: 249856 bytes (244.0 KB)
MD5: 760c35a80d758f032d02cf4db12d3e55
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean

This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three copies of itself and places them in the same directory it was executed from. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to either port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120 minute (2 hour) sleep command is issued, after which the computer is shut down and rebooted.

File: iissvr.exe
Size: 114688 bytes (112.0 KB)
MD5: e1864a55d5ccb76af4bf7a0ae16279ba
PE Compile Time: 2014-11-13 02:05:35
Language pack of resource section: Korean

This file when executed starts a listener on localhost port 80. It has 3 files contained in the resource section, all xor’d with 0x63.

File: usbdrv3_32bit.sys
Size: 24280 bytes (23.7 KB)
MD5: 6AEAC618E29980B69721158044C2E544
PE Compile Time: 2009-08-21 06:05:32

This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

File usbdrv3_64bit.sys
Size: 28120 bytes (27.5 KB)
MD5: 86E212B7FC20FC406C692400294073FF
PE Compile Time: 2009-08-21 06:05:35

This SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

RECOMMENDED STEPS FOR INITIAL MITIGATION

The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun:

alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
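To make the rule's clauses concrete (and testable without a sensor), here is an added Python example, not part of the FBI alert, that applies the same four conditions to captured TCP segments: destination in the three hard-coded C2 addresses, destination port 8080 or 8000, payload exactly 42 bytes, and the bytes at offset 26 through 29 equal to ff ff ff ff. The packet records are constructed; the IPs, ports, size and marker come from the rule above.

```python
from collections import namedtuple

# Destinations, ports and content match taken from the Snort rule.
WIPER_C2 = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
WIPER_PORTS = {8080, 8000}
MARKER = b"\xff\xff\xff\xff"  # content:"|ff ff ff ff|"; offset:26; depth:4

# Minimal view of a TCP segment: exactly the fields the rule inspects.
Packet = namedtuple("Packet", "src dst dport payload")


def matches_wiper_callout(pkt):
    """True when pkt satisfies every clause of the 'wiper_callout' rule."""
    if pkt.dst not in WIPER_C2 or pkt.dport not in WIPER_PORTS:
        return False
    if len(pkt.payload) != 42:           # dsize:42 is an exact payload length
        return False
    return pkt.payload[26:30] == MARKER  # offset:26; depth:4


def make_beacon(marker=MARKER):
    """Constructed 42-byte payload; only the bytes at offset 26 are meaningful."""
    return b"\x00" * 26 + marker + b"\x00" * (42 - 26 - len(marker))


# Constructed traffic: two true beacons followed by three near misses.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "217.96.33.164", 8080, make_beacon()),
    Packet("10.0.0.7", "88.53.215.64", 8000, make_beacon()),
    Packet("10.0.0.9", "203.131.222.102", 8080, make_beacon(b"\x00\x00\x00\x00")),  # no marker
    Packet("10.0.0.9", "203.131.222.102", 8080, make_beacon() + b"\x00"),          # 43 bytes
    Packet("10.0.0.9", "198.51.100.1", 8080, make_beacon()),                      # other dst
]


def scan(packets):
    """(src, dst, dport) for every matching segment. src is the host already
    running igfxtrayex.exe, so it is the one to contain first."""
    return [(p.src, p.dst, p.dport) for p in packets if matches_wiper_callout(p)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("wiper_callout from %s to %s:%d" % hit)
```

As the bulletin notes, a hit here is late: the beacon fires after the wipe has started, so the value of the alert is in identifying the infected host and stopping the two-hour timer on its neighbours, not in preventing damage on the source.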

The following YARA signatures will detect this malware on the host:

rule unknown_wiper_str
{
    meta:
        description = "unique string in wiper malware"
    strings:
        $STR1 = "#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C66" fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and $STR1
}

rule unknown_wiper_IPs
{
    meta:
        description = "unique IPs in wiper malware"
    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}

rule unknown_wiper_error_strings
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"
    strings:
        $ERR1 = "$MFT Record read failed." fullword nocase
        $ERR2 = "Drive Boot Sector read failed." fullword nocase
        $ERR3 = "SetFilePointer failed." fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}
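For environments without a YARA engine on hand, the following added Python (not from the FBI alert) reproduces the three rules' logic, including YARA's `fullword nocase` semantics (case-insensitive, and the string must not be glued to an alphanumeric character on either side), and adds an MD5 lookup against the hashes listed earlier in the bulletin. The `fake_pe` helper builds constructed stand-ins for binaries so the checks can be exercised offline; real samples would be read from disk.

```python
import hashlib
import re

# MD5 values and roles as listed in the bulletin.
KNOWN_MD5 = {
    "d1c27ee7ce18675974edf42d4eea25c6": "dropper (likely diskpartmg16.exe)",
    "93bc819011b2b3da8487f964f29eb934": "net_ver.dat (target list)",
    "760c35a80d758f032d02cf4db12d3e55": "igfxtrayex.exe (wiper)",
    "e1864a55d5ccb76af4bf7a0ae16279ba": "iissvr.exe",
    "6aeac618e29980b69721158044c2e544": "usbdrv3_32bit.sys",
    "86e212b7fc20fc406c692400294073ff": "usbdrv3_64bit.sys",
}

# The three YARA rules as name -> strings that must all be present.
RULES = {
    "unknown_wiper_str": [
        b"#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C66",
    ],
    "unknown_wiper_IPs": [b"203.131.222.102", b"217.96.33.164", b"88.53.215.64"],
    "unknown_wiper_error_strings": [
        b"$MFT Record read failed.",
        b"Drive Boot Sector read failed.",
        b"SetFilePointer failed.",
    ],
}


def fullword_nocase(data, needle):
    """YARA 'fullword nocase': case-insensitive and not adjacent to [0-9A-Za-z]."""
    pat = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pat, data, re.IGNORECASE) is not None


def match_rules(data):
    """Names of rules whose condition ('$MZ at 0 and all strings') holds."""
    if data[:2] != b"MZ":
        return []
    return [name for name, needles in RULES.items()
            if all(fullword_nocase(data, n) for n in needles)]


def triage(data):
    """Hash lookup plus rule matches for one file's bytes."""
    md5 = hashlib.md5(data).hexdigest()
    return {"md5": md5, "known_as": KNOWN_MD5.get(md5), "rules": match_rules(data)}


def fake_pe(*needles):
    """Constructed stand-in for a PE image: MZ header, padding, NUL-separated strings."""
    return b"MZ" + b"\x90" * 64 + b"\x00".join(needles) + b"\x00"


if __name__ == "__main__":
    sample = fake_pe(b"203.131.222.102", b"217.96.33.164", b"88.53.215.64")
    print(triage(sample))
```

The hash table catches the exact samples the FBI analysed; the string rules are what survives a recompile, which is why the bulletin ships both. Note that `unknown_wiper_IPs` requires all three addresses, so a variant with one address changed will not trip it.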

Reporting Notice

The FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report information to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at http://www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.


 

Cybercrime – FBI Blackshades Remote Access Tool Private Sector Bulletins and Domain List


FBI Private Industry Notification: FBI-led takedown of “Blackshades Remote Access Tool” purchasers and developers
FBI Liaison Alert System #R-000029-MW
Blackshades Domain List (XLS, TXT)

(U) On 13 May 2014, FBI NY initiated a coordinated takedown focusing on individuals who purchased the Blackshades malware. Field offices across the United States, as well as foreign partners, engaged in subject interviews, searches, hardware seizures, and arrests. The FBI seized the primary domain utilized to purchase Blackshades products.

(U) Impact

(U) Blackshades has several products marketed for $5 to $40 USD, most of which are malware. These products include Blackshades Remote Access Tool (RAT), Blackshades Password Recovery, Blackshades Stealth, Blackshades Fusion, Blackshades Commander, Blackshades Crypter, and Blackshades Virtual Private Network (VPN). The most popular and versatile product sold by Blackshades is the Blackshades RAT. These are purchased as “off the shelf” products with a wide variety of features that allow a cyber criminal to use as they desire. Once the victim computer is infected, common uses for Blackshades include: access to victims’ computers; theft of passwords and credentials; key-logging ability; and Distributed Denial of Service attacks.

(U) Prior to the coordinated actions, two subjects associated with the Blackshades organization were arrested. Alex Yucel was identified as the developer of the Blackshades malware. Yucel not only wrote software code behind the malware, but also was responsible for improvements and updates to the malware and control of the Blackshades server. Yucel was arrested by Moldovan authorities in November 2013 and is currently awaiting extradition to the United States. Michael Hogue, a known seller and “customer service advisor” in the Blackshades organization was arrested in June 2012 and subsequently pled guilty to the charges against him.

(U) How Blackshades Connects to Victim’s Computers:

(U) In order for a connection to be established, the malware on a victim computer must know the IP address and listening port of the command and control computer. Given that many users have a dynamic IP address controlled and assigned by their Internet Service Provider, the malware is programmed to call out to a unique domain name created by the Blackshades user. The Blackshades user associates this name with their IP address using any domain hosting service of their choice. In this manner, when the malware calls to the established domain, standard DNS resolution routes the malware to the Blackshades user’s current IP address.

(U) The FBI is providing approximately 13,600 domains used by Blackshades users, which have been observed receiving status updates or have participated in previous attacks. These domains are hosted within the United States and worldwide. The FBI is distributing these indicators to enable recipients to identify Blackshades infections on their networks. The FBI has high confidence that these indicators were involved in past Blackshades related activity. The FBI recommends that your organization help victims identify and remove the malicious code.

Notes on Domain List: Computers infected with Blackshades may make DNS queries for these domains and attempt to connect to the corresponding IP addresses (usually on destination port 3080, 3333 or 4444). Disclaimer: these domains may also be used for legitimate traffic.
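The note above describes the hunt but not how to run it. The following Python is an added example (not from the FBI bulletin) that joins a DNS query log against a watchlist of Blackshades domains, then checks whether the same client went on to connect to the resolved address, grading hits by whether the destination port is one of the 3080/3333/4444 defaults. The watchlist entries, log formats and addresses are all constructed for the example; the real list is the FBI's XLS/TXT download. Matching is done on the domain and every parent domain, because the dynamic-DNS names in the list are often used with arbitrary subdomains.

```python
# Constructed watchlist standing in for the FBI's 13,600-entry download.
WATCHLIST = {"c2-example.no-ip.invalid", "rat-host.dyndns.invalid"}

# Default Blackshades listener ports from the bulletin's note.
BLACKSHADES_PORTS = {3080, 3333, 4444}

# Constructed DNS log: "<ts> <client> query <type> <name> -> <answer>". Assumed format.
SAMPLE_DNS_LOG = """\
2014-05-13T10:00:01Z 10.1.1.20 query A c2-example.no-ip.invalid. -> 192.0.2.44
2014-05-13T10:00:05Z 10.1.1.21 query A www.example.org. -> 93.184.216.34
2014-05-13T10:01:10Z 10.1.1.22 query A sub.rat-host.dyndns.invalid. -> 198.51.100.9
"""

# Constructed connection log: "<ts> <src> -> <dst>:<port> <proto>". Assumed format.
SAMPLE_CONN_LOG = """\
2014-05-13T10:00:02Z 10.1.1.20 -> 192.0.2.44:4444 tcp
2014-05-13T10:00:06Z 10.1.1.21 -> 93.184.216.34:443 tcp
2014-05-13T10:01:11Z 10.1.1.22 -> 198.51.100.9:80 tcp
"""


def normalize(domain):
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return domain.lower().rstrip(".")


def in_watchlist(domain, watchlist):
    """True if the name or any parent domain is on the watchlist."""
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def find_suspects(dns_log, conn_log, watchlist):
    """Return (client, domain, dst_ip, port, severity) for each suspicious flow."""
    resolved = {}  # (client, answer_ip) -> watchlisted domain it came from
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _ts, client, _q, _rtype, name, _arrow, answer = parts
        if in_watchlist(name, watchlist):
            resolved[(client, answer)] = normalize(name)

    findings = []
    for line in conn_log.splitlines():
        try:
            _ts, src, _arrow, dst_port, _proto = line.split()
            dst, port = dst_port.rsplit(":", 1)
            port = int(port)
        except ValueError:
            continue
        key = (src, dst)
        if key in resolved:
            # A default RAT port plus a watchlisted name is a strong signal;
            # any other port still deserves a look, since the list may carry
            # legitimate traffic and operators can change the port.
            severity = "high" if port in BLACKSHADES_PORTS else "medium"
            findings.append((src, resolved[key], dst, port, severity))
    return findings


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG, WATCHLIST):
        print("%s -> %s (%s:%d) %s" % f)
```

Requiring the follow-on connection, rather than alerting on the DNS query alone, is what keeps the disclaimer in the note from turning the whole list into noise: a resolver warming its cache looks very different from a host that resolves a dynamic-DNS name and immediately opens TCP 4444 to the answer.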


DHS-FBI-NCTC: Building Security Measures May Hinder Emergency Response Efforts

Building Security Measures May Impact Emergency Response to Attacks by Violent Extremists

  • 1 page
  • For Official Use Only
  • December 6, 2013


(U//FOUO) Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.

(U) First Responder Response Considerations:

(U//FOUO) Conducting periodic exercises with building authorities and interagency partners will help responders tailor a coordinated response to the unique security characteristics of the site and increase efficiency during an emergency. Engagement with partners may address a number of issues including:

»» (U//FOUO) Building emergency response plans that identify the key staff members to assist and advise first responders as well as their roles and responsibilities during crisis;
»» (U//FOUO) Interior building control points which may limit responder access to areas and affect the rapid deployment of tools and equipment;
»» (U//FOUO) Building access control systems: the availability of master keys or swipe cards to provide full access and/or entry into restricted areas;
»» (U//FOUO) The existence of exterior building security measures which may affect the placement of response vehicles or the ability to ventilate building and rescue victims;
»» (U//FOUO) Closed circuit television (CCTV) monitors to maintain situational awareness and to assist with accountability and evacuation of building occupants; and
»» (U//FOUO) Suspicious activity reporting training to building staff and tenants to help identify and disrupt potential preoperational activity or actual attacks.

Video-Anthology – J.EDGAR HOOVER.BLACKMAILING,LURID CROSS-DRESSING QUEEN!

Clip concerning Hoover seeking a psychiatrist regarding his sexuality. Anthony Summers comments. Later comments on several people who had seen the Hoover photograph,

Joseph Shimon of the Washington Police comments on ‘sexparties with no girls’.

Lansky had obtained photographs of Hoover in a ‘compromising’ position.

Gordon Novel claims to have seen the photograph, and also claims Carlos Marcello had seen it, and in fact used it to control Hoover.

Peter Pitchess, former FBI agent, comments on the “nonexistent” Mafia. So do former FBI agents Neil Welch and William Turner.

Clip with Robert Kennedy and a statement regarding the Mafia. More on his view of the Mafia in a clip on Hoffa. Comments by Robert Blakey.

Clip from the questioning of mob informant Joe Valachi. Robert Kennedy took on the Mafia when Hoover had refused to even acknowledge its existence.

From ‘Evidence of Revision’ – Conspiratus Ubiquitus

Unveiled – FBI “Ghost Stories” Russian Spies Surveillance Videos

The following ten videos were released by the FBI in relation to their investigation of the so-called “Illegals Program”, a network of accused Russian spies operating unofficially in the U.S. from the late 1990s to 2010.

FBI “Ghost Stories” Russian Spies Surveillance Videos

CONFIDENTIAL-Taiwanese Violating U.S. Laws to Prevent Proliferation of Weapons of Mass Destruction

CHICAGO—A resident of Taiwan whom the U.S. government has linked to the supply of weapons machinery to North Korea, and his son, who resides in suburban Chicago, are facing federal charges here for allegedly conspiring to violate U.S. laws designed to thwart the proliferation of weapons of mass destruction, federal law enforcement officials announced today.

Hsien Tai Tsai, also known as “Alex Tsai,” who is believed to reside in Taiwan, was arrested last Wednesday in Tallinn, Estonia, while his son, Yueh-Hsun Tsai, also known as “Gary Tsai,” who is from Taiwan and is a legal permanent resident in the United States, was arrested the same day at his home in Glenview, Illinois.

Gary Tsai, 36, was ordered held in custody pending a detention hearing at 1:30 p.m. today before Magistrate Judge Susan Cox in U.S. District Court in Chicago. Alex Tsai, 67, remains in custody in Estonia pending proceedings to extradite him to the United States.

Both men were charged in federal court in Chicago with three identical offenses in separate complaints that were filed previously and unsealed following their arrests. Each was charged with one count of conspiring to defraud the United States in its enforcement of laws and regulations prohibiting the proliferation of weapons of mass destruction, one count of conspiracy to violate the International Emergency Economic Powers Act (IEEPA) by conspiring to evade the restrictions imposed on Alex Tsai and two of his companies by the U.S. Treasury Department, and one count of money laundering.

The arrests and charges were announced by Gary S. Shapiro, U.S. Attorney for the Northern District of Illinois; Cory B. Nelson, Special Agent in Charge of the Chicago Office of the FBI; Gary Hartwig, Special Agent in Charge of Homeland Security Investigations in Chicago; and Ronald B. Orzel, Special Agent in Charge of the U.S. Department of Commerce, Bureau of Industry and Security, Office of Export Enforcement, Chicago Field Office. The Justice Department’s National Security Division and Office of International Affairs assisted with the investigation. U.S. officials thanked the Estonian Internal Security Service and the Estonian Prosecutor’s Office for their cooperation.

According to both complaint affidavits, agents have been investigating Alex and Gary Tsai, as well as Individual A (a Taiwanese associate of Alex Tsai) and a network of companies engaged in the export of U.S. origin goods and machinery that could be used to produce weapons of mass destruction. The investigation has revealed that Alex and Gary Tsai and Individual A are associated with at least three companies based in Taiwan—Global Interface Company Inc., Trans Merits Co. Ltd., and Trans Multi Mechanics Co. Ltd.—that have purchased and then exported, and attempted to purchase and then export, from the United States machinery used to fabricate metals and other materials with a high degree of precision.

On January 16, 2009, under Executive Order 13382, which sanctions proliferators of weapons of mass destruction and their supporters, the Treasury Department’s Office of Foreign Assets Control (OFAC) designated Alex Tsai, Global Interface, and Trans Merits as proliferators of weapons of mass destruction, isolating them from the U.S. financial and commercial systems and prohibiting any person or company in the United States from knowingly engaging in any transaction or dealing with Alex Tsai and the two Taiwanese companies.

In announcing the January 2009 OFAC order, the Treasury Department said that Alex Tsai was designated for providing, or attempting to provide, financial, technological, or other support for, or goods or services in support of the Korea Mining Development Trading Corporation (KOMID), which was designated as a proliferator by President George W. Bush in June 2005. The Treasury Department asserted that Alex Tsai “has been supplying goods with weapons production capabilities to KOMID and its subordinates since the late 1990s, and he has been involved in shipping items to North Korea that could be used to support North Korea’s advanced weapons program.” The Treasury Department further said that Global Interface was designated “for being owned or controlled by Tsai,” who is a shareholder of the company and acts as its president. Tsai is also the general manager of Trans Merits Co. Ltd., which was designated for being a subsidiary owned or controlled by Global Interface Company Inc.

After the OFAC designations, Alex and Gary Tsai and Individual A allegedly continued to conduct business together but attempted to hide Alex Tsai’s and Trans Merits’ involvement in those transactions by conducting business under different company names, including Trans Multi Mechanics. For example, by August 2009, approximately eight months after the OFAC designations, Alex and Gary Tsai, Individual A, and others allegedly began using Trans Multi Mechanics to purchase and export machinery on behalf of Trans Merits and Alex Tsai. Specifically, the charges allege that in September 2009, they purchased a Bryant center hole grinder from a U.S. company based in suburban Chicago and exported it to Taiwan using the company Trans Multi Mechanics. A Bryant center hole grinder is a machine tool used to grind a center hole, with precisely smooth sides, through the length of a material.

The charges further allege that by at least September 2009, Gary Tsai had formed a machine tool company named Factory Direct Machine Tools in Glenview, Illinois, which was in the business of importing and exporting machine tools, parts, and other items to and from the United States. However, the charges allege that Alex Tsai and Trans Merits were active partners in Factory Direct Machine Tools, in some instances procuring the goods for import to the United States for Factory Direct Machine Tool customers.

Violating IEEPA carries a maximum penalty of 20 years in prison and a $1 million fine; money laundering carries a maximum penalty of 20 years in prison and a $500,000 fine; and conspiracy to defraud the United States carries a maximum penalty of five years in prison and a $250,000 fine. If convicted, the court must impose a reasonable sentence under federal statutes and the advisory U.S. Sentencing Guidelines. The government is being represented by Assistant U.S. Attorneys Patrick Pope and Brian Hayes.

The public is reminded that a complaint is not evidence of guilt. The defendants are presumed innocent and are entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.