Dump ShadowBrokers: Understanding the contents of the “swift” directory

    Hello! Early in the morning on Friday, April 14, a new dump of tools and documents of the US National Security Agency, stolen by the APT group TheShadowBrokers, appeared in the public domain. In this article we will try to work out what the swift folder of the dump contains.

    Caution: there are a lot of pictures and text under the cut.

    Interestingly, this time the group posted the dump on the Steemit service, accompanied by a text about how disappointed they were in US President Donald Trump, and entitled it "Lost in translation". Also interesting is the fact that the dump itself is hosted on the Yandex.Disk service; the owner of the file is a user with the nickname yurishitova.

    The archive has been decrypted and posted on GitHub.

    What is contained in the dump?

    The dump consists of three directories: oddjob, swift, windows. Below is a listing of directories.

    oddjob
    ├── Binaries
    │   ├── oddjob_builder
    │   │   ├── bin
    │   │   │   ├── oddjob_v3_x64.dll
    │   │   │   ├── oddjob_v3_x64.exe
    │   │   │   ├── oddjob_v3_x86.dll
    │   │   │   └── oddjob_v3_x86.exe
    │   │   ├── builder
    │   │   │   └── oddjob_config_v3.exe
    │   │   └── ODDJOB_BUilder_v3.hta
    │   └── Payloads
    │       ├── bigpayload.bin
    │       ├── five_minute_beacon.bin
    │       ├── greha_dll_x64.dll
    │       ├── greha_dll_x86.dll
    │       ├── OJ_Deleter_2.4.exe
    │       ├── one_byte_payload.bin
    │       ├── one_minute_beacon.bin
    │       ├── process_list.bin
    │       ├── two_minute_beacon.bin
    │       └── zero_byte_payload.bin
    ├── Not-For-Release
    │   ├── hashes.txt
    │   ├── oddjob_v3_x64.dllstrings.txt
    │   ├── oddjob_v3_x64.exestrings.txt
    │   ├── oddjob_v3_x86.dllstrings.txt
    │   └── oddjob_v3_x86.exestrings.txt
    ├── Testing-Docs
    │   ├── ODDJOB_Testing.docx
    │   └── tungsten_flame.txt
    └── User-Docs
        ├── BITSversions.xlsx
        └── How_to_setup_IIS_7_for_ODDJOB.docx

    8 directories, 25 files

    swift
    ├── 00503_0_254.242_2013mar02
    ├── 00546_0_ensbdasa-09aug2013
    ├── 00553_0_ensbdpix3-09aug2013
    ├── 00554_0_ensbdpix4-09aug2013
    ├── 00555_0_ensbdrtr1-2013aug09
    ├── 00557_0_ENSBDVPN1-02AUG2013
    ├── 00558_0_ENSBDVPN2-02AUG2013
    ├── 00559_0_ENSBDVPN5-02AUG2013
    ├── 00560_0_ENSBDVPN6-02AUG2013
    ├── 00562_0_ENSBDSW01-02AUG2013
    ├── 00563_0_ENSBDSW02-02AUG2013
    ├── 00566_0_ENSBPVPN1.txt
    ├── 00566_1_ENSBPVPN2.txt
    ├── 00566_2_FW1-Configuration.txt
    ├── 00566_3_SW1-Configuration.txt
    ├── 00566_4_SW2-Configuration.txt
    ├── 00679_0_ENSBDVPN1-23AUG2013
    ├── 00687_0_ENSBDVPN2-23AUG2013
    ├── 00697_0_ENSBDVPN5-23AUG2013
    ├── 00702_0_ENSBDVPN6-23AUG2013
    ├── 00703_0_ensbdsslvpn1-system-2013aug15.cfg
    ├── 00705_0_254.229-2013sep06.txt
    ├── 00708_0_ensbdasa1-31aug2013
    ├── 00710_0_ensbdfw1-2013sep06
    ├── 00711_0_ensbdfw3-2013sep06
    ├── 00713_0_ensbdfw4-2013sep06
    ├── 00715_0_ensbdfw5-2013sep06
    ├── 00720_0_ensbdpix3-31aug2013
    ├── 00725_0_ensbdpix4-31aug2013
    ├── 00727_0_ensbdpix5-31aug2013
    ├── 00729_0_ensbdrtr1-2013sep06
    ├── 00734_0_ensbdsslvpn1-user-2013aug15.cfg
    ├── DNS Zone Trans 2013_10_11.txt
    ├── DNS Zone Trans 2013_10_17.txt
    ├── DSL1opnotes.txt
    ├── DSL2opnotes.txt
    ├── DSquery Belgium DC.xlsx
    ├── dsquery_Query_computers_from_MAIL001.txt
    ├── DSquey Dubai enDCBACKUP.xlsx
    ├── DSquey Egypt DC.xlsx
    ├── DSquey END boxes and MX servers.xlsx
    ├── DSqueyMain.xlsx
    ├── Eastnets_Huge_Map_05_13_2010.vsd
    ├── Eastnets_UAE_BE_Dec2010.vsd
    ├── Employee.txt
    ├── ~$$EN_DUBAI_ASA.~vsd
    ├── EN_DUBAI_ASA.vsd
    ├── EN_DUBAI_MAIN.vsd
    ├── EN Production net 01 AUG 2013_kdmoore.xlsx
    ├── EN Production net 01 AUG 2013.xlsx
    ├── ENSBDSSL1-2013SEP27.xml
    ├── ENSB DXB Passwords V2.4.xlsx
    ├── ENSBJVPN1_cfg.txt
    ├── ENSB UAE NW Topology V2.0.1339670413.vsd
    ├── FATags.txt
    ├── Important NOTES.txt
    ├── initial_oracle_exploit.sql
    ├── JEEPFLEA_MARKET Implants.xlsx
    ├── JEEPFLEA_MARKET Passwords V2.4.xlsx
    ├── JF_M FIN Exfil.vsd
    ├── JFM_Status.pptx
    ├── Legend.pptx
    ├── list_of_saa_servers_8May2013.xlsx
    ├── NOC_firewall_passwords_30May2013.txt
    ├── Production.txt
    ├── ~$SB JO passwords V 2.docx
    ├── swift_msg_queries_all.sql
    └── VPNFW_Plan.txt

    0 directories, 70 files

    The windows directory contains a large number of files; I suggest the reader browse it via the GitHub link above. I will only note that this directory contains the exploitation frameworks, exploits and implants used by the NSA for penetration. If there is interest in this topic, a follow-up article with an analysis of the windows folder and its contents will be published.


    While studying the contents of the directory, I got the impression that it was a shared project folder where employees put their working material and project documentation (judging by the code in the scripts from the windows directory, it is assumed that this folder is mounted automatically on the operator's machine). Judging by the latest dates in the various files, it can be assumed that the contents were stolen in September 2013, when the project was still in full swing. Based on the text and office files, it can be concluded that the target was EastNets, an organization involved in developing financial software and SWIFT-related products.

    Description of EastNets from SWIFT
    EastNets Group is an international company specializing in creating software for financial organizations. Since its foundation, EastNets has been closely cooperating with SWIFT, participating in the development of products, solutions and technological platforms.

    EastNets has created and is developing its core solution for anti-money laundering and countering the financing of terrorism (AML), en.SafeWatch, using its own expertise in secure data transmission as well as in service-oriented application development.

    EastNets Group offices are located in Brussels, Paris, New York, Los Angeles, Madrid, The Hague and Luxembourg. In other regions the company works through a network of business partners. Alliance Factors has been representing EastNets' interests in Russia and the CIS on an exclusive basis since 2004.

    Users of EastNets solutions include the largest banks, such as ING Bank, ABN Amro Bank, Bank of China, Credit Lyonnais Bank, Raiffeisen Bank, Hypovereinsbank, Nordea Group, Fortis Bank and many others.

    The following files are network equipment configurations, namely:

    • Cisco PIX
    • Cisco ASA
    • Cisco router
    • Cisco switch
    • Juniper equipment

    The directory also contains Microsoft Office files, some of which are password-protected; brute-forcing them with well-known wordlists produced no results:

    Files: ENSB DXB Passwords V2.4.xlsx, JEEPFLEA_MARKET Passwords V2.4.xlsx

    There is also a presentation, apparently created for a report on the current status of the project. Judging by the metadata, the presentation was created on 07/01/2013 and last modified on 08/12/2013. It can be assumed that the report was given around that date.
    File: JFM_Status.pptx

    The third slide of the presentation mentions a certain JEEPFLEA_POWDER, which does not appear anywhere else in the archive. It can be assumed that the project is called JEEPFLEA and is divided into stages, of which only MARKET and POWDER are mentioned. I will use this provisional division in the rest of the article.

    Let us dwell on this in more detail.

    First slide

    This slide says a lot about the project as a whole, and about the JEEPFLEA_MARKET stage in particular.

    Stage goal: EastNets offices in Dubai, Belgium and Egypt.

    Obtained at this stage: 9 SAAs, which may mean external systems of the company, and Admins, which may mean administrative access to internal systems.
    It is not known what Quad means in the presentation.

    The slide reports that access to the user (employee) network has been obtained, and that installation of the ZESTYLEAK tool on the company's VPN firewalls is planned. According to open sources, ZESTYLEAK is an implant that is part of FEEDTROUGH, developed by the NSA for installation on Juniper network equipment. This software is mentioned in the ANT catalog (documents published by Edward Snowden):

    Third slide

    The third slide of the presentation describes the plans for the JEEPFLEA_POWDER stage; at the time the presentation was edited, the NSA had not had much success there.

    Stage goal: BCG affiliates in Venezuela and Panama. Business Computer Group is a reseller of EastNets in Venezuela and Panama.

    Description of BCG from EastNets
    Founded in 1994, BCG Business Computer Group is the strategic ally of EastNets for Latin America. Based in Panama and with an installed base of over 200 customer institutions distributed along the whole Pacific Ocean coast, BCG proudly renders Consultancy, Marketing, Sales and Support Services on behalf of EastNets. Our customers enjoy the comprehensive suite of products, such as SafeWatch Filtering, SafeWatch Profiling, Reporting, among others, in the region.
    Additionally, taking advantage of the economies of scale inherited from BCG's SWIFT Service Bureau PREMIER, small institutions have the EastNets portfolio within their grasp at competitive prices.
    The above reasons made a definitive case for compliance officers to join the EastNets / BCG family of satisfied and happy users.
    Geographical Coverage
    Panama, Venezuela & the whole of Latin America except Brazil

    Stage plans: work is underway to compromise administrators' machines using the SECONDDATE and IRONVIPER implants.

    SECONDDATE is an implant for carrying out a man-in-the-middle attack using web protocols.

    A description is available in the documents published by Snowden.

    Apparently, the implant may be something like the BeEF framework.

    We continue examining the contents of the swift directory.

    The following columns of interest appear in many of the tables:

    • Implant / Implanted. These columns record the abbreviation of the implant installed on the compromised host, for example FLAV for FlewAvenue.
    • PSP. The host's antivirus solution; PSP stands for Personal Security Products.
    • Trigger. A string that the operator must send to the compromised host in order to invoke the backdoor. The string is set when the payload is built with the DanderSpritz framework. This lets the implant's presence on the target system stay hidden until it is called on demand.
    • Vulnerable. This column records the abbreviation of the exploit used for the compromise, for example ESAU for EsteemAudit.

    The directory also contains many tables with the results of queries to the domain controllers of the EastNets corporate network: host names, installed OS and service packs, employees' surnames and first names, and other service information.

    The directory contains files resembling project notes, namely:

    • Files with the results of DNS zone transfers performed from inside the compromised network. Judging by the dates in the file names, the zone transfers were made on 10/11/2013 and 10/17/2013. Files: DNS Zone Trans 2013_10_11.txt, DNS Zone Trans 2013_10_17.txt
    • Notes of the employees involved in the penetration. They contain implant logs received from compromised hosts, notes on implant configuration, and descriptions of the steps taken to penetrate some of the hosts.
    • The files DSL1opnotes.txt and DSL2opnotes.txt are logs of the DanderSpritz framework, in which some of the penetration operations can be seen, along with the identifier of the user carrying out the work. Here is a DanderSpritz log:


      ======================= T2
      --- --- ENSBDSL2
      Win2k8 64 bit R2
      1:25 PM 5/14/2013 PC2 target :
      source :
      final :
      cb : 4378,
      id : 0x100011b3c

      key : jeepflea_market
      ICMP : ICMP 8,0

      Uptime:4 days, 16:6:5
      Auditing:2013-05-14 13:30:17 z0.0.0.12] Security auditing dorked, do not stop command 798 or you will lose your blessing
      PSP: Symantec Endpoint Protection 11

      | 3756 | 560 | ------D:\Double-Take\DoubleTake.exe

      grep -mask SPFILEACCESS.ORA -path D:\Alliance\Access\Database\database -pattern audit -nocase
      cd c:\$Recycle.bin
      put D:\DSZOPSDisk\Preps\swift_msg_queries_all.1368533247.sql -name C:\$Recycle.Bin\S-1-5-~1\$ICD12FA.txt
      run -command "cmd.exe /q" -redirect
      D:\alliance\access\database\bin\sqlplus.exe saauser/Aetq9f7CQtljCHtAmstCGF64C
      1:59 PM 5/14/2013 -- disconnected when running the command
      1:59 PM 5/14/2013 -- retriggered back on, checking logs


      output file:$ICD12FB.txt

      2:16 PM 5/14/2013 -- getting file
      2:20 PM 5/14/2013 -- clean up
      delete $ICD12FA.txt
      delete $ICD12FB.txt

      monitor packetredirect -listenport 3333 -raw
      redirect -tcp -implantlisten 42316 -target 42316
      dir -mask * -path c:\ -age 30m -recursive

      4:06 PM 5/14/2013 -- BURNED

    • VSD files. These are mainly maps of the network of EastNets branches in various countries.
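As an added example (not code from the article or from the dump), here is a small Python parser for the op-notes format shown above. It turns the timestamped notes and DanderSpritz commands into a timeline and a list of host artifacts a responder would look for (files staged in the Recycle Bin, the AV product, the operation key). The sample text is the quoted excerpt, trimmed; the set of command verbs is an assumption taken from the excerpt.

```python
import re
from datetime import datetime

# Constructed sample: DSL2opnotes.txt lines quoted in the article, trimmed to the essentials.
OPNOTES = r"""
1:25 PM 5/14/2013 PC2 target :
key : jeepflea_market
PSP: Symantec Endpoint Protection 11
grep -mask SPFILEACCESS.ORA -path D:\Alliance\Access\Database\database -pattern audit -nocase
put D:\DSZOPSDisk\Preps\swift_msg_queries_all.1368533247.sql -name C:\$Recycle.Bin\S-1-5-~1\$ICD12FA.txt
run -command "cmd.exe /q" -redirect
1:59 PM 5/14/2013 -- disconnected when running the command
1:59 PM 5/14/2013 -- retriggered back on, checking logs
output file:$ICD12FB.txt
2:16 PM 5/14/2013 -- getting file
2:20 PM 5/14/2013 -- clean up
delete $ICD12FA.txt
delete $ICD12FB.txt
dir -mask * -path c:\ -age 30m -recursive
4:06 PM 5/14/2013 -- BURNED
"""
# Operator notes start with a 12-hour timestamp; the verbs are those seen in the excerpt (assumption).
TS_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M \d{1,2}/\d{1,2}/\d{4})\s*(?:--\s*)?(.*)$")
VERBS = {"grep", "cd", "put", "run", "delete", "monitor", "redirect", "dir"}


def parse_opnotes(text):
    """Timeline plus host artifacts (files dropped/deleted, AV product, op key) from op notes."""
    timeline, commands, dropped, deleted, meta = [], [], [], [], {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := TS_RE.match(line):
            timeline.append((datetime.strptime(m.group(1), "%I:%M %p %m/%d/%Y"), m.group(2)))
            continue
        if line.startswith(("PSP:", "key", "output file:")):  # host / operation metadata
            k, v = (s.strip() for s in line.split(":", 1))
            meta[k.lower()] = v
        verb = line.split()[0].lower()
        if verb in VERBS:
            commands.append(line)
            if verb == "put" and (n := re.search(r"-name\s+(\S+)", line)):
                dropped.append(n.group(1))  # file staged on the target
            elif verb == "delete":
                deleted.append(line.split(None, 1)[1])
    if "output file" in meta:
        dropped.append(meta["output file"])  # written by the redirected command
    # Anything staged but never deleted is a forensic artifact worth hunting for on the host.
    not_cleaned = [p for p in dropped if p.rsplit("\\", 1)[-1] not in deleted]
    minutes = int((timeline[-1][0] - timeline[0][0]).total_seconds() // 60) if timeline else 0
    return {"timeline": timeline, "commands": commands, "meta": meta, "dropped": dropped,
            "deleted": deleted, "not_cleaned": not_cleaned, "duration_minutes": minutes}
```

On the quoted excerpt both staged files are deleted before the session ends, so the hunting list is empty; on a real op-notes file any path left in not_cleaned is a concrete artifact to look for on the host.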

    Office Docs

    Some of the files were clearly created within EastNets itself and contain the corresponding corporate notes, while others were created directly at the NSA, as indicated by notes bearing the name JEEPFLEA_MARKET. Several of these files contain metadata disclosing the document authors and the times the documents were created and edited. Based on these data, the earliest document was created on 09/01/2011:

    The NSA-FTS327 tag may indicate that the employee Pecoraro Michael belongs to the Requirements & Targeting unit, which in turn is part of Tailored Access Operations (FTS32 - TAO).

    The latest changes to the JEEPFLEA_MARKET_BE.xls file (information on the EastNets branch in Belgium) were made by a certain Heidbreder Nathan S SSG NSA-F22.

    The NSA-F22 tag may indicate that the employee is affiliated with F22, the European Cryptologic Center (ECC) in Germany.

    An account matching the characteristics of the employee in question is registered on the LinkedIn social network: nathan heidbreder, with the specialty listed as "Cryptologic Network Warfare Specialist at US Army". Link.

    A search on Twitter also yielded results: a probable Twitter account of this person, registered in 2014, was found. The account is empty and is evidently used only to read tweets from the accounts it follows. Judging by those subscriptions, it can be assumed that this Twitter account belongs to the same person.

    Screenshot of twitter.com/NHeidbreder:

    Accounts followed on Twitter:

    Screenshot of the nathan heidbreder LinkedIn page:

    The LinkedIn and Twitter accounts were deleted while this article was being written, but the screenshots were saved.

    A Google search for the keywords "nathan heidbreder us army" leads to corpsman.com, where Heidbreder Nathan Scott appears in a list.

    Interesting detail: the Twitter account of Austin Hurlock was the only follower of @NHeidbreder, and it is also the account from which the nathan heidbreder LinkedIn account was verified.

    At the time of writing, the Austin Hurlock account was still available on LinkedIn. At the time the JEEPFLEA project files were created, this person worked as a Computer Network Defense Analyst at the Marine Corps:


    Among other things, the directory contains files with Oracle SQL commands for extracting information of interest to the NSA; I will give a few examples (file initial_oracle_exploit.sql):

    -- CSV header, then one line per account with the password hash columns from sys.user$
    select '"name","account_status","password","spare4"' from dual;
    select '"'||name||'","'||account_status||'","'||u.password||'","'||spare4||'"'
    from user$ u, dba_users
    where spare4 is not null
    and username = name;

    -- Lists the SWIFT message tables of the SAAOWNER schema (MESG...), treating the
    -- part of the name after the first five characters as the date, newest first
    select '"SWIFT_Dates_In_Database"' from dual;
    select substr(table_name,6,20) SWIFT_Dates_In_Database
    from all_tables
    where owner = 'SAAOWNER'
    and table_name like 'MESG%'
    and table_name not like '%YYYYMMDD%'
    order by 1 desc;


    I am sure that a deeper analysis of the files in this directory can be carried out by experts in forensics and OSINT, which I am not. At the moment there is no way to assert with confidence that all of the above events and alleged participants really existed. There is no clear evidence of the authenticity of the posted files. In addition, it is difficult to conclude whether these people have anything to do with the described operations of US intelligence.

    I invite Habr users to join the discussion in the comments.

    Andrey Rogozhkin

    UPD: Colleagues suggested that the abbreviation SAA could mean Swift Alliance Access, a client-side messaging suite, i.e. perhaps 9 SAAs belonging to EastNets customers were compromised during the project.
