Synapse-ORKL User Guide
Synapse-ORKL adds new Storm commands to allow you to query the ORKL API.
Getting Started
Check with your Admin to enable permissions.
Examples
Search for reports by a query string
Search for reports and yield the results:
> orkl.report.search graphiron --size 1 --yield
fileparser parsing sha256: ea10fd8c4838658ccc50af6dbaa08a84caf9cc3fe994213cc6f77810e8708240
WARNING: pdftotext library unavailable, cannot parse PDF for text content
media:news=e045ad39fedf2bda722fb9effa71630e
.created = 2024/12/20 18:11:34.548
:ext:id = 2715ceef-a68f-46e2-80e4-ea1bdb5ee039
:file = sha256:ea10fd8c4838658ccc50af6dbaa08a84caf9cc3fe994213cc6f77810e8708240
:published = 2023/03/04 02:06:34.540
:publisher:name = orkl
:summary = Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
Russia-linked Nodaria group has deployed a new threat designed to steal a wide range
of information from infected computers.
The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in
Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information
from the infected computer, including system information, credentials, screenshots, and files.
The earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023
and it is reasonable to assume that it remains part of the Nodaria toolkit.
Graphiron functionality
Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload
(Infostealer.Graphiron).
The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check
against a blacklist of malware analysis tools by checking for running processes with the names listed in Table 1.
Table 1: Graphiron checks against a blacklist of malware analysis tools by checking for running processes with specific names
Process names: BurpSuite, BurpSuiteFree, CFF Explorer, Charles, DumpIt, Fiddler, HTTPDebuggerSVC, HTTPDebuggerUI, HookExplorer, Immunity, ImportREC, LordPE, MegaDumper, NetworkMiner, PEToolW, Proxifier, RAMMap, RAMMap64, ResourceHacker, SysInspector, WSockExpert, WinDump, Wireshar, agent.py, autoruns, autoruns, dbgview, disassembly, dumpcap, filemon, httpdebugger, httpsMon, ida, idag, idag64, idaq, idaq64, idau, idau64, idaw, idaw64, joeboxcontrol, joeboxserver, mitmdump, mitmweb, ollydbg, pestudio, proc_analyzer, processhacker, procexp, procexp64, procmon, procmon64, protection_id, pslist, reconstructor, regmon, reshacker, rpcapd, scylla, scylla_64, scylla_86, smsniff, sniff_hit, tcpvcon, tcpview, tshark, vmmat, windbg, x32dbg, x64dbg, x96dbg
If no blacklisted processes are found, it will connect to a C&C server and download and decrypt the payload before
adding it to autorun.
The downloader is configured to run just once. If it fails to download and install the payload it won’t make further
attempts nor send a heartbeat.
Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the ".lock" and ".trash" extensions. It uses hardcoded file names designed to masquerade as Microsoft Office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe.
The payload is capable of carrying out the following tasks:
Reads MachineGuid
Obtains the IP address from https://checkip.amazonaws.com
Retrieves the hostname, system info, and user info
Steals data from Firefox and Thunderbird
Steals private keys from MobaXTerm.
Steals SSH known hosts
Steals data from PuTTY
Steals stored passwords
Takes screenshots
Creates a directory
Lists a directory
Runs a shell command
Steals an arbitrary file
Password theft is carried out using the following PowerShell command:
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | Format-Table -HideTableHeaders
The following command was used to export the list of PuTTY sessions:
"CSIDL_SYSTEM\reg.exe" query HKCU\Software\SimonTatham\Putty\Sessions
Similarity to older tools
Graphiron has some similarities with older Nodaria tools such as GraphSteel and GrimPlant. GraphSteel is designed
to exfiltrate files along with system information and credentials stolen from the password vault using PowerShell.
Graphiron has similar functionality but can exfiltrate much more, such as screenshots and SSH keys.
In addition to this, as with earlier malware, Graphiron communicates with the C&C server using port 443 and
communications are encrypted using the AES cipher.
| Malware | Go version | Internal name | Obfuscation | Libraries used |
| --- | --- | --- | --- | --- |
| Infostealer.Graphiron | 1.18 | n/a | yes | jcmturner/aescts, buger/jsonparser, golang/protobuf, kbinani/screenshot, lxn/win, mattn/go-sqlite, tidwall/gjson, anmitsu/go-shlex |
| Downloader.Graphiron | 1.18 | n/a | yes | jcmturner/aescts |
| GraphSteel | 1.16 | Elephant | no | buger/jsonparser, aglyzov/charmap, denisbrodbeck/machineid, gorilla/websocket, jcmturner/aescts, mattn/go-sqlite, tidwall/gjson |
| GrimPlant | 1.16 | Elephant | no | jcmturner/aescts, denisbrodbeck/machineid, golang/protobuf, kbinani/screenshot, lxn/win, anmitsu/go-shlex |
Table 2: Comparison between Graphiron and older Nodaria tools (GraphSteel and GrimPlant)
Nodaria
Nodaria has been active since at least March 2021 and appears to be mainly involved in targeting organizations in
Ukraine. There is also limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan.
Third-party reporting has also linked the group to attacks on Georgia.
The group sprang to public attention when it was linked to the WhisperGate wiper attacks that hit multiple Ukrainian
government computers and websites in January 2022. When WhisperGate was initially loaded onto a system, the
malware would overwrite the portion of the hard drive responsible for launching the operating system when the
machine is booted up with a ransom note demanding $10,000 in Bitcoin. However, this was just a decoy as the
WhisperGate malware destroys data on an infected machine and it cannot be recovered, even if a ransom is paid.
The group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to
targets. Custom tools used by the group to date include:
Elephant Dropper: A dropper
Elephant Downloader: A downloader
SaintBot: A downloader
OutSteel: Information stealer
GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
GraphSteel (aka Elephant Client): Information stealer
Like Graphiron, many of Nodaria’s earlier tools were written in Go. Graphiron appears to be the latest piece of
malware authored by the same developers, likely in response to a need for additional functionality. While GraphSteel
and GrimPlant used Go version 1.16, Graphiron uses version 1.18, confirming it is a more recent development.
While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over
the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
:title = graphiron: new russian information stealing malware deployed against ukraine
:updated = 2023/03/10 02:19:32.582
:url = https://orkl.eu/libraryEntry/2715ceef-a68f-46e2-80e4-ea1bdb5ee039
:url:fqdn = orkl.eu
#rep.orkl.3p.aptnotes
Pivot to referenced threat actors and tools
> it:exec:query:text=graphiron -(found)> media:news -(refs)> risk:threat tee { } { -(uses)> risk:tool:software }
risk:threat=e80bfad1a7e2f68ff54933c4a9d41969
.created = 2024/12/20 18:11:36.708
:org:name = saintbear
:org:names = ['frozenvista', 'nascent ursa', 'nodaria', 'ta471', 'uac-0056', 'unc2589']
:reporter = 7ac03807fc31f6741f3490ec44f7c03b
:reporter:name = mispgalaxy
risk:threat=de795c8ce5565246b5d721fab4f6f9f9
.created = 2024/12/20 18:11:34.794
:org:name = saintbear
:org:names = ['ember bear', 'lorec53', 'nodaria', 'saintbear', 'ta471', 'uac-0056', 'unc2589']
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
risk:tool:software=1049a9be3fa5ef8b933ad554e0c74006
.created = 2024/12/20 18:11:35.352
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = elephant implant
risk:tool:software=f6752f00466d19659d22e0d075397489
.created = 2024/12/20 18:11:35.676
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = grimplant
risk:tool:software=f270f557c25683d16cce19fd8ce898cf
.created = 2024/12/20 18:11:34.915
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = agentemis
risk:tool:software=0c44a5eed65c8fc6fe0021847c14bb53
.created = 2024/12/20 18:11:35.783
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = outsteel
risk:tool:software=aad83d8886a43a19b080e2ceb1dca55e
.created = 2024/12/20 18:11:35.566
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = graphiron
risk:tool:software=86ed72e056925c30b7259ca41de8ad46
.created = 2024/12/20 18:11:35.135
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = cobaltstrike
risk:tool:software=b04e7fd2578b41b61729e4d7c2a9c4e5
.created = 2024/12/20 18:11:35.026
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = cobalt strike
risk:tool:software=13e6e238c95fe82412eb1a5c37175438
.created = 2024/12/20 18:11:35.244
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = elephant client
risk:tool:software=6728c8a8a781f183aae4a38efebddf38
.created = 2024/12/20 18:11:36.110
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = cobeacon
risk:tool:software=3cd7e36f3de8558852edd7f5dad40a0e
.created = 2024/12/20 18:11:35.459
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = graphsteel
risk:tool:software=c8adc8d1195c936b374a6cc7f35d7c33
.created = 2024/12/20 18:11:36.000
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = saintbot
risk:tool:software=004be6861434653776b016212a61c3c8
.created = 2024/12/20 18:11:35.891
:reporter = c40557e1ba6bef185ded544fe46b46aa
:reporter:name = etda
:soft:name = saint bot
risk:threat=c65979ba60576929f54a8a603f69e13a
.created = 2024/12/20 18:11:36.240
:org:name = ember bear
:org:names = ['bleeding bear', 'ember bear', 'lorec bear', 'lorec53', 'saint bear', 'uac-0056', 'unc2589']
:reporter = fa0e470ba9852ccbef6477e9663394f9
:reporter:name = mitre
risk:tool:software=1378caad4f754d3ca0c4e416b2cb77c5
.created = 2024/12/20 18:11:36.361
:reporter = fa0e470ba9852ccbef6477e9663394f9
:reporter:name = mitre
:soft:name = outsteel
risk:tool:software=dddc2749c73cbbea998e35258cbf958e
.created = 2024/12/20 18:11:36.579
:reporter = fa0e470ba9852ccbef6477e9663394f9
:reporter:name = mitre
:soft:name = whispergate
risk:tool:software=316f184574a4366e3bd0489f53561557
.created = 2024/12/20 18:11:36.472
:reporter = fa0e470ba9852ccbef6477e9663394f9
:reporter:name = mitre
:soft:name = saint bot
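The pivot above returns the same actor from three reporters (mispgalaxy, etda, mitre) under overlapping alias sets. As an added example that is not part of the Synapse-ORKL documentation or the Vertex Project's code, the Python below parses the node printout format shown above and computes which aliases each pair of reporters agrees on; the sample input is a constructed, trimmed copy of the three risk:threat nodes, and the whitespace-insensitive alias normalisation is an assumption of mine.

```python
import ast
import re

# Constructed sample: a trimmed copy of the three risk:threat nodes printed by the pivot above.
SAMPLE = """\
risk:threat=e80bfad1a7e2f68ff54933c4a9d41969
        :org:name = saintbear
        :org:names = ['frozenvista', 'nascent ursa', 'nodaria', 'ta471', 'uac-0056', 'unc2589']
        :reporter:name = mispgalaxy
risk:threat=de795c8ce5565246b5d721fab4f6f9f9
        :org:name = saintbear
        :org:names = ['ember bear', 'lorec53', 'nodaria', 'saintbear', 'ta471', 'uac-0056', 'unc2589']
        :reporter:name = etda
risk:threat=c65979ba60576929f54a8a603f69e13a
        :org:name = ember bear
        :org:names = ['bleeding bear', 'ember bear', 'lorec bear', 'lorec53', 'saint bear', 'uac-0056', 'unc2589']
        :reporter:name = mitre
"""
NODE_RE = re.compile(r"^([a-z0-9:]+)=(\S+)$")  # a `form=valu` line starts a new node

def parse_nodes(text):
    """Parse the Storm CLI printout: `form=valu` starts a node, `:prop = value` and
    `.prop = value` lines are props, `#tag` lines are tags; list props are Python literals."""
    nodes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):   # skip blanks and the command line itself
            continue
        m = NODE_RE.match(line)
        if m:
            nodes.append({"form": m[1], "valu": m[2], "props": {}, "tags": []})
        elif line.startswith("#"):
            nodes[-1]["tags"].append(line[1:])
        else:
            key, _, val = line.partition(" = ")
            nodes[-1]["props"][key] = ast.literal_eval(val) if val.startswith("[") else val
    return nodes
def norm(name):
    """Assumed normalisation so that 'saint bear' and 'saintbear' compare equal."""
    return name.lower().replace(" ", "")
def alias_overlap(nodes):
    """Aliases (from :org:name and :org:names) that each pair of reporters agrees on."""
    aliases = {}
    for t in (n for n in nodes if n["form"] == "risk:threat"):
        names = [t["props"][":org:name"], *t["props"].get(":org:names", [])]
        aliases[t["props"][":reporter:name"]] = {norm(x) for x in names}
    reps = list(aliases)  # printout order; keys are (reporterA, reporterB) tuples
    return {(a, b): aliases[a] & aliases[b]
            for i, a in enumerate(reps) for b in reps[i + 1:]}
```

Without the normalisation step, "saint bear" (mitre) and "saintbear" (mispgalaxy, etda) would not be matched, so only uac-0056 and unc2589 would be common to all three reporters.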
Create a cron job to ingest the report feed
> cron.add --name orkl.report.feed --hour 3 { orkl.report.feed }
Created cron job: 3e452d11517581a60df6aae4a6e1f2e8
Use of meta:source nodes
Synapse-ORKL uses a meta:source node and -(seen)> light weight edges to track nodes observed from the ORKL API.
> meta:source=c80b79d58c39c3ba357145fab5331f65
meta:source=c80b79d58c39c3ba357145fab5331f65
.created = 2024/12/20 18:11:34.391
:name = orkl api
Storm can be used to filter a result set to include or exclude nodes that have been observed by Synapse-ORKL. The following example shows how to filter the results of a query to include only nodes observed by Synapse-ORKL:
> it:exec:query:text=graphiron +{ <(seen)- meta:source=c80b79d58c39c3ba357145fab5331f65 }
it:exec:query=ab27a3599bb198a19e5779cde27fa0df
.created = 2024/12/20 18:11:34.517
:api:url = https://orkl.eu/api/v1/library/search
:opts = {'full': True}
:text = graphiron
:time = 2024/12/20 18:11:34.499