Feed aggregator

A Nightmare on Malware Street

Secure List feed for B2B - Sat, 11/22/2014 - 11:49

Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.

Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in ILSpy, we find that the program starts by using a string key which is passed to a decryption method, which will ultimately yield the executable code.

A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.

Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods taken from the source code and set a breakpoint to check what the decryption method is doing. The leading bytes '77', '90' in decimal tell us we are on the right track: converting these numbers to hexadecimal gives '4D', '5A', the magic number of DOS executable files, identified by the ASCII string 'MZ'. We dump all the bytes to an executable file on disk for further analysis.
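The sanity check described above, as an added example (my own code, not from the original post): it validates a decrypted byte array the way the analysis does, by looking for the 'MZ' magic, and goes one step further by following e_lfanew to the 'PE\0\0' signature before anything is dumped to disk. The sample byte array is constructed here and is not data from the CoinVault sample.

```python
import struct

def build_fake_pe() -> bytes:
    """Constructed stand-in for a decrypted byte array; not real malware bytes."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"                   # 0x4D 0x5A, i.e. 77, 90 in decimal
    e_lfanew = 0x80                           # offset of the PE signature
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - len(dos_header))  # zero-filled DOS stub
    return bytes(dos_header) + stub + b"PE\0\0" + bytes(20)  # dummy COFF header

def magic_decimal_to_hex(data: bytes) -> str:
    """Render the first two bytes as the post does: 77, 90 -> '4D 5A'."""
    return " ".join(f"{b:02X}" for b in data[:2])

def looks_like_pe(data: bytes) -> bool:
    """True if the DOS 'MZ' magic is present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False                          # header points outside the buffer
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def dump_if_pe(data: bytes, path: str) -> bool:
    """Write the decrypted bytes to disk only when they pass the PE checks."""
    if not looks_like_pe(data):
        return False
    with open(path, "wb") as f:
        f.write(data)
    return True

if __name__ == "__main__":
    blob = build_fake_pe()
    print(magic_decimal_to_hex(blob), looks_like_pe(blob))
    print("dumped:", dump_if_pe(blob, "dumped_stage.bin"))
```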

We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.

Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.

In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.

Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.

But wait… there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to be hidden.

Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.

We can fix this easily from VMware's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running our PowerShell checks again, we witness the good news and are ready to go even further.

Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.

The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.

However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point, it seems he's welcomed, as suggested by the phrase 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 1.9.0.0.

Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.

We can now see, amongst the many (many) methods and delegates inside the assembly, some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' class is used (amongst others), revealing symmetric encryption functionality.

We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.

When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic inspection we were able to see that a hardware ID is sent to the C&C in order to obtain a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark on the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.

At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.

Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.

Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.

FTC Shutters $120 Million Tech Support, Bogus Software Scam

Threatpost for B2B - Fri, 11/21/2014 - 16:09
The FTC and a Florida federal court issued temporary restraining orders against a number of organizations and individuals involved in a massive telemarketing operation selling bogus software and support.

Threatpost News Wrap, November 21, 2014

Threatpost for B2B - Fri, 11/21/2014 - 13:20
In this week's news wrap podcast, Threatpost editors discuss an out-of-band Microsoft patch, the compromised Joomla and WordPress plug-in attack campaign and the Detekt anti-surveillance tool.

Buffer Overflow Haunts Advantech WebAccess SCADA Product

Threatpost for B2B - Fri, 11/21/2014 - 11:00
The ICS-CERT is warning users about a stack buffer overflow in the Advantech WebAccess SCADA product that could lead to arbitrary code execution. Advantech WebAccess is a SCADA and human-machine interface product that’s accessible over the Web. It’s used in a variety of industries, including energy, manufacturing, government and the commercial sector. The vulnerability affects […]

WordPress 4.0.1 Update Patches Critical XSS Vulnerability

Threatpost for B2B - Fri, 11/21/2014 - 09:52
The latest version of WordPress, 4.0.1, patches a critical cross-site scripting vulnerability in comment fields that enables admin-level control over a website.

Most Targeted Attacks Exploit Privileged Accounts

Threatpost for B2B - Thu, 11/20/2014 - 16:51
Most targeted attacks exploit privileged account access according to a new report commissioned by the security firm CyberArk.

Detekt Tool Puts Surveillance Spyware on Notice

Threatpost for B2B - Thu, 11/20/2014 - 14:08
Civil rights activists and hacker Claudio Guarnieri, along with partners such as the EFF and Amnesty International, released Detekt, open source security software aimed at activists and oppressed people, which scans Windows machines for dangerous spyware.

Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign

Threatpost for B2B - Thu, 11/20/2014 - 10:54
Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013. […]

Drupal Patches Denial of Service Vulnerability; Details Disclosed

Threatpost for B2B - Thu, 11/20/2014 - 10:03
Drupal has patched a denial of service and account hijacking vulnerability, details of which were disclosed by the researchers who discovered the issue.

Angler Exploit Kit Adds New Flash Exploit for CVE-2014-8440

Threatpost for B2B - Thu, 11/20/2014 - 08:02
Exploit kit authors are nothing if not opportunistic, and they know a prime opportunity when they see one. Adobe Flash bugs fit that description nicely, and the people behind the Angler exploit kit already are exploiting one of the Flash bugs patched last week in the kit’s arsenal. This is a common tactic for exploit […]

AVAR 2014 - Australia

Secure List feed for B2B - Thu, 11/20/2014 - 05:50

This year's 17th Association of anti-Virus Asia Researchers international conference, "AVAR 2014", came back to Sydney, Australia with the theme "Security Down-Under". The event was also held there in 2003.

The arrival hall at Sydney airport did indeed look like this:

More than 170 attendees related to the anti-virus industry, CERTs, law enforcement and academia from around the world had plenty of opportunities to network and exchange thoughts and ideas.

The keynote, delivered by Graham Cluley, included a part where everybody was invited to join in singing "The anti-virus industry song".

The presentations covered subjects like the current global anti-malware ecosystem, the mobile cybercriminal underground market in a certain country, details about the Dragonfly threat actor and much more (see the link below for more information).

Kaspersky Lab's Roman Unuchek presented his research about Android banking botnets.

Colleagues from ESET did a great job organizing not only the conference but also an entertaining gala dinner at the "Power House Museum".

Another highlight was the "after party" in a Bavarian Beer Cafe. That turned into a kind of power house as well when some attendees of the AVAR 2014 got on stage and rocked the place.

Last but not least there was also an opportunity to see a bit of Sydney's scenery and wild life during a tour.

We are looking forward to the next AVAR in 2015, which will be held in Vietnam.

Event site: http://www.avar2014.com/ehome/index.php?eventid=83858&

Citadel Variant Targets Password Managers

Threatpost for B2B - Wed, 11/19/2014 - 14:54
Some Citadel-infected computers have received a new configuration file, a keylogger triggered to go after the master passwords from three leading password management tools.

FREEDOM Act Rejection Should Keep ‘Encrypt Everything’ Bandwagon Rolling

Threatpost for B2B - Wed, 11/19/2014 - 13:11
The U.S. Senate failed to pass the USA FREEDOM Act last night, but that should matter little to security and technology companies rolling out encryption everywhere.

Nasty Security Bug Fixed in Android Lollipop 5.0

Threatpost for B2B - Wed, 11/19/2014 - 10:54
A bug was recently fixed in Android Lollipop that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances.