Feed aggregator

Equation APT Group Attack Platform A Study in Stealth

Threatpost for B2B - Wed, 03/11/2015 - 07:00
The EquationDrug cyberespionage platform is a complicated system that is used selectively against only certain target machines, one that can be extended via a collection of 116 malware plug-ins, researchers at Kaspersky Lab said.

Inside the EquationDrug Espionage Platform

Secure List feed for B2B - Wed, 03/11/2015 - 07:00
Introduction

EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See full report here [PDF]).

EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims.

EquationDrug represents the main espionage platform from the #EquationAPT Group

Tweet

It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims. The concept of a cyberespionage platform is neither new nor unique. Other threat actors known to use such sophisticated platforms include Regin and Epic Turla.

The EquationDrug platform can be extended through plugins (or modules). It is pre-built with a default set of plugins supporting a number of basic cyberespionage functions. These include common features such as file collection and the making of screenshots. Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before it is sent to the command and control servers.

The name "EquationDrug" or "Equestre" was assigned to this framework by Kaspersky Lab researchers. The only reference left by the framework developers was a short string "UR", as seen in several string artifacts left in the binaries.

Platform Architecture

The EquationDrug platform includes dozens of executables, configurations and protected storage locations. Putting all the pieces of this puzzle together in the right order may take time for those who are not familiar with the platform.

The platform includes executables, configurations and protected storage locations #EquationAPT

Tweet

The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand.

The hypothesis that these attackers have been active since the 90s seems realistic #EquationAPT

Tweet

The platform is started by the kernel mode driver component ("msndsrv.sys" on Windows 2000 or above and "mssvc32.vxd" on Windows 9x). The driver then waits for the system to start and initiates execution of the user-mode loader "mscfg32.exe". The loader then starts the platform's central module (an orchestrator) from the "mscfg32.dll" module. Additional drivers and libraries may be loaded by different components of the platform, either built-in or auxiliary.

Platform Components

The EquationDrug platform can be as sophisticated as a space station, but it appears to be of no use without its cyberespionage features. This function is provided by plugin modules that are part of the massive framework described above. We discovered dozens of plugins and each is a sophisticated element that can communicate with the core and become aware of the availability of other plugins.

The plugins we discovered probably represent just a fraction of the attackers' potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80. The biggest plugin ID we have seen is 0x80CA. To date, we have found 30 unique plugin IDs in total. Considering the fact that the developers assigned plugin IDs incrementally, and assuming that other plugin IDs were assigned to modules that we have not yet discovered, it's not hard to calculate that 86 modules have yet to be discovered.

86 modules have yet to be discovered #EquationAPT

Tweet

The most interesting modules we have seen contain the following functionality:

  • Network traffic interception for stealing or re-routing.
  • Reverse DNS resolution (DNS PTR records).
  • Computer management:
    • Start/stop processes
    • Load drivers and libraries
    • Manage files and directories
  • System information gathering:
    • OS version
    • Computer name
    • User name
    • Locale
    • Keyboard layout
    • Timezone
    • Process list
  • Browsing network resources and enumerating and accessing shares.
  • WMI information gathering.
  • Collection of cached passwords.
  • Enumeration of processes and other system objects.
  • Monitoring LIVE user activity in web browsers.
  • Low-level NTFS filesystem access based on the popular Sleuthkit framework.
  • Monitoring removable storage drives.
  • Passive network backdoor (runs Equation shellcode from raw traffic).
  • HDD and SSD firmware manipulation.
  • Keylogging and clipboard monitoring.
  • Browser history, cached passwords and form auto-fill data collection.
Code Artifacts

During our research we paid attention to unique identifiers and codenames used by the developers in the malware. Most of this information is carefully protected with obfuscation or encryption algorithms to prevent quick recognition, but anyone who breaks through this layer of encryption may discover some interesting internal strings, as demonstrated below:

Some other interesting text strings include:

SkyhookChow Target
SkyhookChow Payload
Dissecorp
Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
STRAITSHOOTER30.ex_
BACKSNARF_AB25
c:\users\rmgree5\co\standalonegrok_2.1.1.1\gk_driver\gk_sa_driver…
To install: run with no arguments
Attempting to drop
SFCriteria_Check failed!
SFDriver
Error detected! Uninstalling...
Timeout waiting for the "canInstallNow" event from the implant-specific EXE!
Trying to call privilege lib...
Hiding directory
Hiding plugin...
Merging plugin...
Merging old plugin key...
Couldn't reset canInstallNowEvent!
Performing UR-specific pre-install...
Work complete.
Merged transport manager state.
!!SFConfig!!

Some other names, such as kernel object and file names, abbreviations, resource code page and several generic messages, point to English-speaking developers. Due to the limited number of such text strings it's hard to tell reliably if the developers were native English speakers.

Link Timestamp Analysis

We have gathered a reasonably large number of executable samples to which we have been able to apply link timestamp analysis.

A link timestamp is a 4-bytes value stored in an executable file header. This value is automatically set by compiler software when a developer builds a new executable. The value contains a detailed timestamp including minutes and even seconds of compilation time (think of it as the file's moment of birth).

Link timestamp analysis require the collection of the timestamps of all available executables, grouping them according to certain criteria, such as the hour or day of the week, and putting them on a chart. Below are some charts built using this approach.


Can we trust this information? The answer is: not fully, because the link timestamp can be altered by the developer in a way that's not always possible to spot. However, certain indicators such as matching the year on the timestamp with the support of technology popular in that year leads  us to believe that the timestamps were, at the very least, not wholly replaced. Looking at this from the other side, the easiest option for the developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug. In fact, the timestamps look very realistic and match the working days and hours of a well-organized software developer from timezone UTC-3 or UTC-4, if you assume that they come to work at 8 or 9 am.

The timestamps match the working days of software developer from timezone UTC-3 or UTC-4 #EquationAPT

Tweet

And finally, in case you are wondering if the developers work on public holidays, you can check this for yourself against the full list of their working dates:

2001.08.17 2007.12.11 2009.04.16 2011.10.20 2012.08.31 2013.06.11 2001.08.23 2007.12.17 2009.06.05 2011.10.26 2012.09.28 2013.06.26 2003.08.16 2008.01.01 2009.12.15 2012.03.06 2012.10.23 2013.08.09 2003.08.17 2008.01.23 2010.01.22 2012.03.22 2012.11.02 2013.08.28 2005.03.16 2008.01.24 2010.02.19 2012.04.03 2012.11.06 2013.10.16 2005.09.08 2008.01.29 2010.02.22 2012.04.04 2013.01.08 2013.11.04 2006.06.15 2008.01.30 2010.03.27 2012.04.05 2013.02.07 2013.11.26 2006.09.18 2008.04.24 2010.06.15 2012.04.12 2013.02.21 2013.12.04 2006.10.04 2008.05.07 2011.02.09 2012.07.02 2013.02.22 2013.12.05 2006.10.16 2008.05.09 2011.02.23 2012.07.09 2013.02.27 2013.12.13 2007.07.12 2008.06.17 2011.08.08 2012.07.17 2013.04.16 2007.10.02 2008.09.17 2011.08.30 2012.08.02 2013.05.08 2007.10.16 2008.09.24 2011.09.02 2012.08.03 2013.05.14 2007.12.10 2008.12.05 2011.10.04 2012.08.14 2013.05.24 Conclusions

EquationDrug represents the main espionage platform from the Equation Group. It's been in use for over 10 years, replacing EquationLaser until it was replaced itself by the even more sophisticated GrayFish platform.

The EquationDrug case demonstrates an interesting trend: a growth in code sophistication #EquationAPT

Tweet

The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days.  However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted  form, inaccessible to normal users. While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.

Nation-state attackers create automatic systems infecting only selected users #EquationAPT

Tweet

Sophistication of the framework is what makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities such as implementing a long list of custom third-party software credential database parsers.

The difference in tactics between cybercriminals and nation-state attackers appears to be due to relative resource availability. It's known that cybercriminals attempt to infect as many users as possible and that they can sometimes compromise hundreds of thousands of systems. It would will take many years to check all those machines manually, analyzing who owns them, what data is stored on them, and what custom software they run.

Cybercriminals probably don't even have enough disk space to collect all the potentially interesting data from the victims hit by their large scale infections. That is why cybercriminals prefer to extract tiny chunks of the most important data (credentials, credit card numbers, etc) on the machine of the victim and transfer only few kilobytes from each compromised host. Such data, when combined from all users, normally takes up gigabytes of disk space.

Nation-state attackers have sufficient resources to store as much data as they want. They have access to virtually unlimited data storage. However, they don't need, and often try to avoid, infecting random users, for the obvious reason of avoiding attention and remaining invisible. Implementing custom data format parsers in the malware not only doesn't help them find all the valuable data on the victim's machine, but may also attract extra attention from security software running on the system. They mostly prefer to have a generic remote system management tool that can copy any information they might need even if it causes some redundancy. However, copying large volumes of information might slow down network connection and attract attention, especially in some countries with poorly developed internet infrastructure. To date, nation-state attackers have had to balance between these two poles: copying victims' entire hard drives while stealing only tiny bits of passwords and keys.

Nation-state attackers use a remote system management tool that can copy any information they need #EquationAPT

Tweet

Now, if you wonder why EquationDrug, a powerful cyberespionage platform, doesn't provide all stealing capability as standard in its malware core, the answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.

Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of supported platforms. While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD-files), as well as compilation timestamps dating back to early 2000s, the hypothesis  that these attackers have been active since the 90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.

Technical Details Kernel mode stage 0 (Windows 9x) - mssvc32.vxd MD5 0a5e9b15014733ee7685d8c8be81fb0d Size 6 710 bytes Format Linear Executable (LE)

This VXD driver handles only two control messages: W32_DeviceIoControl and Dynamic_Init. The DeviceIoControl part is not completely implemented and the driver is only able to check for some known control codes.  However it does nothing. This handler looks more like a code stub rather than actual payload.

On the Dynamic_Init event, the driver retrieves the location of the user-mode loader executable from the following registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] Config

If the value is not present in the registry, it uses the following fallback string hardcoded in the binary:

C:\WINDOWS\SYSTEM\SVCHOST32.EXE

Next, it installs a callback procedure using Windows function _SHELL_CallAtAppyTime. This procedure will be called when CPU is running in ring-3 mode, so that a new executable (loader process) can be started via the traditional way. This is a standard trick that was used by developers in the 90s to initiate a call to DLL export in ring-3 from ring-0 in Windows 9x OS family.

Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys MD5 c4f8671c1f00dab30f5f88d684af1927 Size 105 392 bytes Format PE32 Native Compiled 2008.01.23 14:12:33 (GMT) Location %System32%\drivers\msndsrv.sys

This module can create log files in the following known locations:

%systemroot%\system32\mslog32.dat
%systemroot%\system32\msperf32.dat (default location)

The driver acts as the first stage of the EquationDrug platform on Windows 2000+ and implements rootkit functions for hiding the components of the platform. Additionally, it implements a NDIS driver for filtering network traffic.

When started and initialized, the driver retrieves the location of the user-mode loader executable from the registry value:

[HKLM\System\CurrentControlSet\Services\%driver name%] Config

The %driver name% is not hardcoded and is obtained dynamically from the current module name, which means that different instances may check different registry keys and this may not be a reliable way to check for infection. The sample we analyzed used "msndsrv" as the %driver name%.

Next, it crafts and injects a shellcode in "services.exe" or "winlogon.exe". The shellcode is designed to spawn the loader process from the executable called "mscfg32.exe".

The rootkit code in the driver hooks several Native API functions that lets it hide or protect registry keys, files and running processes. The components of EquationDrug can modify the list of protected objects by sending DeviceIoControl messages to the driver. The driver also maintains a persistent list of protected objects that is stored in the following registry values:

[HKLM\System\CurrentControlSet\Services\%driver name%] 1
[HKLM\System\CurrentControlSet\Services\%driver name%] 2

These values are also protected by the rootkit. They can be revealed by booting Windows in Safe Mode.

The driver contains the following unused strings:

  • \\.\mailslot\dskInfo
  • Dissecorp
User-mode loader - mscfg32.exe, svchost32.exe MD5 c3af66b9ce29efe5ee34e87b6e136e3a Size 22 016 bytes Format PE32 EXE Compiled 2008.01.23 14:26:05 (GMT) Location %System32%\mscfg32.exe

This module opens a unique event named "D0385CB7-B834-45d1-A501-1A1700E6C34E". If the event exists, it waits for 10 seconds and attempts to open a file whose name can be decrypted as "\\.\MSNDSRV". If the device file is successfully opened, the code issues a device request with IOCTL code 0x80000194 and no parameters.

This module uses RC5 in CBC-like mode with a key length of 96-bit for string encryption.

Careful analysis reveals some bits of uninitialized memory found next to encryption key locations. This is unused but partly meaningful memory, because it seems to contain short chunks of strings resembling some local filepaths:

  • "rver\8" (probably part of "Server\8..." string)
  • "LInj" (could be a part of "DLLInjector" or similar)

It's apparent that some parts of the code were designed to run on Windows 9x, for example a call to RegisterServiceProcess Windows API function makes sense only on Windows 9x OS family, because this API function doesn't exist on Windows NT platform.

The module uses a unique algorithm for generating registry value names. The code contains strings, such as "SkyhookChow Target", that are converted to GUID-like strings by calculating SHA1 hash and using its hexadecimal representation as a string. The resulting strings are used as actual registry value names in [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] registry key.

Sample registry value names:

Original String GUID-like registry value name SkyhookChow Target {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} SkyhookChow Payload {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12}

These registry values are encrypted using an RC5 algorithm using a hardcoded 1024-bit key with 24 rounds.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12} ("SkyhookChow Payload")
should contain the location of the orchestrator DLL file ("mscfg32.dll"). If the value is not present a default value "%SYSTEM%\mscfg32.dll" is used.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} ("SkyhookChow Target")
may contain the location of the executable file that will be used as a "shell" process for the orchestrator library.

The module attempts to start the "shell" process in suspended mode. If there is no "SkyhookChow Target" value or the specified executable fails to start, the module tries different failsafe locations of the programs that can be used instead:

  1. Default browser set in the registry [HKLM\SOFTWARE\Clients\StartMenuInternet\{current @default value}\shell\open\command]
  2. %SystemRoot%\System32\svchost.exe
  3. %SystemRoot%\System32\lsass.exe
  4. Spoolsv service binary from the [HKLM\SYSTEM\CurrentControlSet\Services\Spooler] ImagePath registry value.
  5. Default html file handler from [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]registry value.
  6. Internet Explorer path from [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\] IEXPLORE.EXE registry value.

Next, the module injects extra code into a newly started target process. The injected code loads the payload DLL ("mscfg32.dll") into the target process and waits for the parent process to exit. When the parent process quits, it unloads the payload DLL and exits as well. The rest of the logic relies on the loaded DLL in that new process. See the description of the "mscfg32.dll" module below.

The module communicates with the Stage0/Rootkit driver "msndsrv.sys" by sending DeviceIoControl messages to the device "\\.\MSNDSRV". It activates the rootkit for its own process, for the target process holding the orchestrator and for all the files involved.

Platform orchestrator - mscfg32.dll, svchost32.dll MD5 5767b9d851d0c24e13eca1bfd16ea424 Size 249 856 bytes Format PE32 DLL Compiled 2008.01.24 22:11:34 (GMT) Location %System%\mscfg32.dll

Creates mutex: "01C482BA-BD31-4874-A08B-A93EA5BCE511", or terminates if one already exists.

Writes a timestamped log file to one of the following locations:

  • %SystemRoot%\temp\~yh56816.tmp
  • C:\Windows\Temp\~yh56816.tmp
  • %Registry_SystemRoot_Value%\temp\~yh56816.tmp
  • Value of [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] D

The file "~yh56816.tmp" retains the history of execution. It comprises debug records of simple structure:

        Stage: DWORD | DateTimeLow: DWORD | DateTimeHigh: DWORD

Basically, it logs the execution of every stage of the orchestrator and the time of execution. The Stage is an integer number starting from 1.

This module spawns a new thread in the DllMain function which contains the main function body. The procedure disables application error popups shown by the default exception handler. This is probably done only in the "Release" version of the malware, because the following code generates exceptions that are reported to the user if application error popups are not disabled. We assume that the "Debug" version of the code doesn't suppress error popups when exception occurs as this helps with the debugging of the code.

The module checks the OS version and if it encounters an unsupported operating system the code generates an exception which terminates the application. The list of OS versions that pass this test:

  • Windows 95/98/ME
  • Windows NT 4.0 and above.

If the module runs on Win9x, it executes Win9x-specific function RegisterServiceProcess to hide from the Windows Task Manager application. If the module is NOT running on WinNT6.0+, it then attempts to open a virtual device file with one of the following names:

  • \\.\MSSVC32 on Win9x
  • \\.\MSNDSRV on WinNT

If the device file is successfully opened, the module activates a rootkit for its process and for the file location "%SYSTEM%\unilay.dll" local path. This is followed by finding and terminating a process named "winproc.exe" which is the name of another component of the platform. Note that this part of the code is executed only on platforms different from WinNT 6.x (Windows Vista and later).

The module was designed to fetch or update its main configuration data from different places. There are some default values set inside the code, such as some timeout values and the following C&Cs:

  • www.waeservices[.]com
  • 213.198.79.49

These default values can be overwritten later.

Next, it locates a data section called "Share2" in the current module and verifies the starting magic number. If it is 0x63959700, it then decrypts the rest of the data in the section and interprets it as a configuration block. However, data from the next location can override all previous settings. This is a registry value with special name.

The naming of the registry location is the same GUID-like SHA1 value as the one used in the loader ("mscfg32.exe"), and is produced from the source string "Configuration":

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}

The configuration block stored in the registry value is encrypted using RC5 with the 1024-bit key. Both the loader and the orchestrator share the same key for encrypting and decrypting the registry values in the "MemSubSys" key.

The decrypted configuration block consists of a series of tagged configuration records in the following format:

        [RecordType:DWORD][RecordSize: DWORD][RecordValue: %RecordSize%]

We retrieved a copy of a configuration block and decrypted and partly interpreted it. We are including the results for one of the configuration blocks:

Time value: 1 year 0 months 1 days 22 hours 6 mins 52 secs. The orchestrator is expected to set this field to the time of initial configuration.
Binaries: 3x1024-bit encryption keys
1b8e7818dad6345c53c2707a2c44648eee700d5cf34fea6a19a3fa0a6a871c72963fdded 91e2703c82b7747b8793e3063700da32cfb8d907dcce1beb36edd575418d1134ef188b 27ec3ce23711a656b0a8bf28921fbf1c39b4c90ad561e4174ed90f26ce11245bb9deb4b 4720403f47ca865ec8bbd3c1df9d93d042ff5b52ec6
05000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000
ed04953f3452068ae6439f04c7904c8be5e98e66e2cd0f267d65240aeed88bd4d3c6105 c99950dd42ccde4bc6bbaf9f6cb1b4e628d943e91f8f97f2aff705fdd25e3af6ba0bc4fd13 d67a2bcb751bb8f21f3d4b66c599f3e572802911394d142f8cf3a299d6d4558f9f0f01634 9afd1888472f4f8c729ffe913f670931f1a227
C&C domain: www[dot]waeservices[dot]com
C&C IP address: 213.198.79.49
C&C port: 443
Timestamp: 2010-12-08 11:35:57
Tool Reference: VTT/82055898/STEALTHFIGHTER/ 2008-10-16/14:59:06.229-04:00
TimeoutA: 25200 sec (7 hours)
TimeoutB: 32400 sec (9 hours)
TimeoutC: 3600 sec (1 hour)
TimeoutD: 172800 sec (48 hours)
+Several Unknown Values

Other configuration blocks we discovered contained similar information, with only some unique values:

Timestamp: 2009-11-23 14:10:15
Tool Reference: Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
Tool Reference: VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
Tool Reference: STRAITSHOOTER30.ex_
Tool Reference: VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
Tool Reference: BACKSNARF_AB25

During the next step, the module obtains PE file version information from the resource section. It loads the version info using hard-coded module names, which are supposed to match the current module name:

  • SVCHOST32.DLL for Windows 9x
  • MSCFG32.DLL for Windows NT

If file version information is available, it gets language-specific values of the PrivateBuild block. The codepage and languages that are verified: Unicode, LANG_NEUTRAL and LANG_ENGLISH_US. When this check passes, the module gets @default registry value from the following location:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}] TypeLib

If the key is not found, the code checks for registry value TypeLib in the following key:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}]

If such a value is found, it is then deleted along with the Version value if it exists in the same key.

The string obtained from one of two possible registry values is processed as if this value is a CLSID-like string: the code takes the last 16 hexadecimal digits, splits them in two 8-chars values, converts them to binary form (two DWORDs) and reverses the order of bytes in each DWORD and XORs, the first value with 0x8ED400C0, and the second with 0x4FC2C17B.  Next, the first DWORD value becomes second and the second becomes first. In this order, they are stored in a structure in memory. These two values seem to be very important as they override a few values in the previously known configuration. If they don't exist, values from the current configuration replace them and are stored back in the registry following the reverse procedure:

  1. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to version obtained from file version information PrivateBuild field (i.e. 3.04.00.0001). This seems to be used as kit version number.
  2. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to a CLSID like string generated from the following:
    • Fixed prefix string: "{8C936AF9-243D-11D0-"
    • Two important DWORD values in the format of "%04X-%04X%08X}" string.

We collected and decrypted several samples of such values. According to the code, they are initialized with values of the Microsoft filetime format. So, we decided to interpret them as filetime values:

20101C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 23 hour(s) 32 min(s) 1 sec(s)
81E01C04EC2C17B: 1 year(s) 7 month(s) 8 day(s) 12 hour(s) 13 min(s) 5 sec(s)
E0001C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 1 hour(s) 6 min(s) 15 sec(s)
77101C04EC2C17B: 1 year(s) 5 month(s) 20 day(s) 19 hour(s) 15 min(s) 4 sec(s)
30F01C04EC2C17B: 1 year(s) 8 month(s) 0 day(s) 6 hour(s) 10 min(s) 33 sec(s)
C0901C04EC2C17B: 1 year(s) 8 month(s) 2 day(s) 6 hour(s) 29 min(s) 39 sec(s)
66701C04EC2C17B: 1 year(s) 6 month(s) 9 day(s) 2 hour(s) 10 min(s) 23 sec(s)
F6501C04EC2C17B: 1 year(s) 6 month(s) 6 day(s) 19 hour(s) 53 min(s) 22 sec(s)
01401C04EC2C17B: 1 year(s) 6 month(s) 25 day(s) 23 hour(s) 34 min(s) 13 sec(s)

After that, the module stores current time values in encrypted form in the registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663} (encoded SHA1 of "StartTime")

The module contains an additional compressed Windows DLL file in the resource section, which is extracted as "unilay.dll" (see below). This DLL exports a number of functions that are just wrappers of the system API used to work with files and the registry, and also start processes and load additional DLL files.

The orchestrator contains several built-in plugins that form the core of the platform. These are initialized in the first place, and then additional plugins are loaded. All the plugins are indexed in a single encrypted registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] 1

This value has information about all the components of the current kit. It may include Unicode strings with paths to extra DLLs which serve as plugins. Each DLL exports at least four functions which are imported by ordinal numbers from 1 to 4.

The structure of the registry value "1":

[Count:DWORD]{ [Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String:VARIABLE] }

Plugins interact with each other and with the orchestrator by exchanging messages of pre-defined format. The message transport is implemented as a global object that contains four communication streams. Every stream contains a pair of kernel synchronization object handles (a semaphore with fixed maximum value defaulted to 1000 and a mutex) and a message queue as an array. A dedicated thread processes messages that appear in the message queues.

A message arrives in a parcel, represented as two DWORD values that contain the size of the message and a pointer to the message data. The message data starts with a DWORD identifying a class of message (a request, reply, etc).

The orchestrator contains the following built-in plugins (listed by internal ID): 8000, 8022, 8024, 803C, 8046, 800A, 8042, 8002, 8004, 8006, 8008, 8070, 808E. Several additional built-in modules have been discovered in newer versions of the orchestrator that was shipped with the GrayFish platform.

EquationDrug Plugins: Plugin ID File name Description 8000 Built-in Core, basic API for other modules 8002 wshcom.dll C&C communication using Windows sockets 8004 Built-in Additional message queue 8006 Built-in Memory allocation / storage 8008 vnetapi32.dll& C&C communication code based on DoubleFantasy, using WinInet API 800A Built-in C&C communication orchestrator 800C perfcom.dll HTTP communication 8022 khlp680w.dll System API: execute processes, load libraries, manipulate files and directories 8024 cmib158w.dll Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists 8034 cmib456w.dll Management of the VFS backed by encrypted ".FON" files in the "Fonts\Extension" directory. Provides encryption using RC5 for these files 803E nls_874w.dll Network sniffer 803C Built-in Communication with the NDIS filter part of "msndsrv.sys" 8040 khlp807w.dll Network exploration API, share enumeration and access 8042 Built-in Compression library based on Nrv2d / UCL 8046 Built-in Communication with the rootkit part of "msndsrv.sys" 8048 mstkpr.dll Disk forensics and direct NTFS reader based on sources of SleuthKit 8050 khlp760w.dll Additional encryption facilities for the file-backed VFS 8058 khlp733w.dll Collects local system information, WMI information, cached passwords 8070 khlp747w.dll Enumerates processes and system objects 807A mscoreep32.dll Plugins for monitoring Internet Explorer and Mozilla browser activities 808A khlp866w.dll Compression library based on Zlib 808E Built-in Reverse (PTR record) DNS resolver 8094 Built-in In-memory storage 809C Built-in In-memory storage 80AA nls933w.dll HDD / SSD firmware manipulation 80AE wpl913h.dll Keylogger and clipboard monitoring (aka "GROK") 80BE vnetapi.dll C&C communication via WinHTTP API 80C6 webmgr.dll Extracts web history, Mozilla/Internet Explorer-saved form data and cached credentials 80CA wshapi.dll C&C communications interface via Windows sockets Additional components Unilay.DLL

This module provides a compatibility layer for accessing system API functions for Windows 9x. It redirects Unicode ("W") variants of Windows API functions to corresponding ANSI variants by converting Unicode string parameters to multi-byte strings and calling the respective ANSI API.

MD5 EF4405930E6071AE1F7F6FA7D4F3397D Size 9 728 bytes Compiled 2008.01.23 14:23:10 (GMT) Format PE32 DLL, linker version 6.0 (Microsoft Visual C++ 6.0)

Exported functions (redirected to ANSI variants):

  • 100017EF: CopyFileW
  • 10001039: CreateDirectoryW
  • 10001111: CreateFileW
  • 100011B3: CreateProcessW
  • 10001177: DeleteFileW
  • 10001516: FindFirstChangeNotificationW
  • 10001466: FindFirstFileExW
  • 10001300: FindFirstFileW
  • 100014C6: FindNextFileW
  • 10001564: GetCurrentDirectoryW
  • 1000188F: GetFileAttributesW
  • 100016C6: GetStartupInfoW
  • 10001602: GetSystemDirectoryW
  • 10001664: GetWindowsDirectoryW
  • 10001853: LoadLibraryW
  • 1000178B: MoveFileExW
  • 1000172D: MoveFileW
  • 10001913: RegCreateKeyExW
  • 100019F5: RegDeleteKeyW
  • 10001DDF: RegDeleteValueW
  • 10001A39: RegEnumKeyExW
  • 10001BE2: RegEnumValueW
  • 1000199B: RegOpenKeyExW
  • 10001B23: RegQueryInfoKeyW
  • 10001D57: RegSetValueExW
  • 100010D5: RemoveDirectoryW
  • 10001E81: SHGetFileInfoW
  • 100015C6: SetCurrentDirectoryW
  • 100018CB: SetFileAttributesW
  • 10001E23: lstrcmpW
Network-sniffer/patcher - atmdkdrv.sys MD5s 8d87a1845122bf090b3d8656dc9d60a8
214f7a2c95bdc265888fbcd24e3587da Size 41 440, 43 840 bytes Format PE32 Native Compiled 2009.04.16 17:19:30 (GMT)
2008.05.07 19:55:14 (GMT) Version Info
  • FileDescription: Network Services
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
  • InternalName: atmdkdrv.sys

or

  • FileDescription: CineMaster C 1.1 WDM Main Driver
  • LegalCopyright: Copyright 1999 RAVISENT Technologies Inc.
  • InternalName: ATMDKDRV.SYS

Creates a file storage "\SystemRoot\fonts\vgafixa1.fon". Its first word is set to 0x21 at the beginning of the DriverEntry function, and is replaced with 0x20 at the end of DriverEntry.

This driver appears to have been put together in "quick-and-dirty hack" style, using parts of the "mstcp32.sys" sniffer and other unknown drivers. It contains a lot of unused code which is partially broken or disabled. These include a broken "Dynamically disable/enable windows audit logging" subsystem and an incomplete "Patcher mode".

There are three algorithms used for strings encryption - RC5; alphabet encryption like the one used in "mstcp32.sys"; and XOR with a pre-seeded random number generator. Decrypted strings are immediately encrypted back until the next usage to avoid in-memory detection.

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

The driver may operate in one of two independent modes - as a network sniffer or as a memory patcher. The mode of operation is selected on startup, based on the "Config2" value of the driver's registry key. By default the driver starts in "sniffer mode".

Sniffer mode

The sniffer code is similar to the one used in the driver's "tdip.sys" and "mstcp32.sys" and uses NT4 NDIS-4, XP NDIS-5 interfaces, targeting incoming traffic on Ethernet and VPN (ndiswanip) interfaces. It captures only directed packets (containing a destination address equal to the station address of the NIC). Packers-filtering engine rules may be set via DeviceIoControl messages. Filtered packets are stored in-memory until requested. Maximum packets storage list length is 128 items per filtering rule.

Patcher mode

Almost broken, it does nothing interesting except, possibly, replace the thread's ServiceTable to an unchanged, clear copy taken from the on-disk image of "ntoskrnl.exe".

Sniffer only IOCTLs:
44038004 - add filtering rule
44038008 - clear stored packet in specified filtering rules list
4403800C - enable specified filtering rule
44038010 - disable specified filtering rule
44038014 - get stored packet from specified filtering rules list
44038018 - process packet like the one received from the wire (filter and store)
4403801C - set maximum rules list length
44038020 - get maximum rules list length
80000004 - enablePacketsFiltering
80000008 - disablePacketsFiltering (PauseSniffer)
800024B4 - send packet to the specified network interface

Common IOCTLs:
80000028 - do nothing (broken/unused part)
80000038 - set external object (broken/unused part)
8000003C - get 4 dwords struct (broken/unused part)
80000040 - copy 260 bytes from the request (broken/unused part)
80000320 - set I/O port mapping (broken/unused part)
80000324 - clear I/O port mapping (broken/unused part)
80000328 - set external PnP Event (broken/unused part)
80000640 - replace specified thread's SDT (ETHREAD.ServiceTable field) to a given copy

Backdoor driven by network sniffer - "mstcp32.sys", "fat32.sys" MD5s 74DE13B5EA68B3DA24ADDC009F84BAEE
B2C7339E87C932C491E34CDCD99FEB07
311D4923909E07D5C703235D83BF4479
21C278C88D8F6FAEA64250DF3BFFD7C6 Size 57 328 - 57 760 bytes Format PE32 Native Compiled 2007.10.02 12:42:14 (GMT)
2001.08.17 20:52:04 (GMT) Version Info
  • FileDescription: TCP/IP driver
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
  • InternalName: mstcp32.sys

This is a sniffer tool similar to "tdip.sys" and it uses NT4 NDIS-4, XP NDIS-5 interfaces.  It targets incoming traffic on Ethernet and VPN (ndiswanip) interfaces, but instead of dumb packet dumping, it uses received packets as commands for the "process injector" subsystem that is able to extract and execute code from the specially crafted network packets.

Default filtering rules are stored in the "Options" registry value of the driver's registry key. It captures only directed packets (containing a destination address equal to the station address of the NIC).

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

Code Patcher

The driver patches OS code to dynamically disable or enable Windows audit logging.

It patches the function "LsapAdtWriteLog" in "lsasrv.dll" module of the "lsass.exe" process.

It searches for pre-defined signatures of the function "LsapAdtWriteLog" of known Windows versions - 4.0, 5.0, 5.1, 5.2 (NT4, Win2000, XP, WinSrv2003).

Then it selects a corresponding offset to replace the opcodes:

  • 'jz' to never taken 'jo' in case of XP
  • jmp over inner logic to procedure epilog in case of Windows Server 2003 so LsapAdtWriteLog skips logging of audit records

The module also patches "SepAdtLogAuditRecord" inside "ntoskrnl.exe" to "retn 4" instead of the first opcode of the function.

The disabled audit can be restored after a timeout or on-event by a dedicated thread.

Expected IOCTL codes:

  • 80000004 - setFilteringRules
  • 80000008 - disablePacketsFiltering (PauseSniffer)
  • 80000028 - do nothing (possible broken GetDriverName)
  • 80000038 - disable_audit
  • 8000003C - enable_audit
Code Injector

The code-builder within this module facilitates exploitation by providing up to four predefined execution templates, which seem to be suitable for generating several code patterns.

Below is a list of the execution templates we found:

  • locate a DLL via PEB structure and resolve exports
  • call single function
  • call four functions
  • call six functions

Using these as a base for the templates, the code-builder inserts parameters and proper offsets to call one of the following code patterns:

  • Locate and call WinExec
  • Locate and call LoadLibraryW, GetProcAddress, call exported procedure, FreeLibrary
  • Locate and call LoadLibraryW, GetProcAddress, call GetModuleHandle, FreeLibrary
  • Locate and call OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, VirtualFreeEx, CloseHandle

The code injection procedure allocates memory via ZwAllocateVirtualMemory in services.exe and copies implanted code. After that it uses KeInsertQueueApc to let the code run and waits 30 seconds for APC to complete.

When the module starts, it reads registry value [HKLM\System\CurrentControlSet\Services\%driver name%] Processes. This value may contain a list of process names that should be started by injected executable code but only after services.exe and winlogon.exe has been started. The injection of code into winlogon.exe and services.exe ensures that the newly started process will have SYSTEM user privileges. During the injection stage Windows Audit Logging is fully disabled to avoid leaving any suspicious records in Windows Logs.

Magic Packet Recognition

All incoming packets are first filtered by BPF-like rules. The filtering rules are located in [HKLM\System\CurrentControlSet\Services\%driver name%] Options registry value or passed via corresponding IOCTL. Packets that passed through the filter are added in the end of processing queue.

Packets from the queue must have valid checksum values. After checking that, the code XOR-decrypts additional data from the end of the packet. The decrypted end of the packet contains another control structure that defines which encryption algorithm is used to decipher packet body. Supported algorithms include RC5 and RSA. There is a 1024-bits RSA public key hardcoded inside the module body, while a 96-bits RC5 key is generated dynamically.

The backdoor command may arrive in a single packet or be split into pieces and come with several packets. There is a procedure for re-assembling pieces together: a multi-packet command is added to a special packet collector which puts all the pieces together before passing it further.

Backdoor command is stored in the first byte of the decrypted request and can be one of the following values:

Command Byte Short Name Description 0 StatusCheck Reply with encrypted DriverName, packet collector keys, "Processes" and "Params" registry values, names of processes for code injection (defaults are "services.exe" and "winlogon.exe"), list of unprocessed commands from packet collector. 1 Panic Disable packet filtering, securely delete driver file, clear related registry keys, set ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading. However, the driver cannot unload itself and it remains in the memory until reboot, which means it can be detected via DRIVER_OBJECT structure. 2 CodeInject Injects code implant received from packet body. 3 CallWinExec Disable Windows Audit and start new process via standard code injection in Winlogon.exe. 4 ResetCollector Drop all packets with specific key from packet collector. 5 Unused or disabled 6 GenerateRC5Key Generates RC5 session key. 96-bits RC5 key is generated by taking a SHA1 hash of value from KeTickCount, XOR-encrypt with SHA1 hash of two PerformanceFrequency values, which is followed by nine more additional SHA1 hashing. 7 SetRegProcesses Sets new "Processes" registry value. 8 DeleteRegProcesses Deletes current "Processes" registry value. 9 SetRegParams Sets a universal "Params" registry value which is used for storing any information, i.e. could be a unique victim marker or exploitation stage number. a Unused or disabled b Ping Reply with classic ICMP Echo Response packet. c ChangeInjectTarget Set new target injection processes (defaults are "Winlogon.exe" and "Services.exe"). Effective until reboot.

Note: "mstcp32" is mentioned together with rootkit-like behavior in 2004 here: http://www.pcreview.co.uk/forums/mstcp32-t1445152.html

Network Sniffer - tdip.sys MD5s 20506375665a6a62f7d9dd22d1cc9870
60dab5bb319281747c5863b44c5ac60d Size 22448 - 28800 bytes Format PE32 Native Compiled 2006.10.16 18:42:40 (GMT)
2003.08.17 21:47:33 (GMT)

Supports the following versions of Windows: NT4 using NDIS-4 and XP using NDIS-5. Doesn't use Vista and later NDIS-6 features. However, later NDIS versions are backward-compatible, so the driver is still valid for current versions of Windows.

Version Info:

  • FileDescription: IP Transport Driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • FileVersion: 5.1.2600.2180
  • InternalName: tdip.sys

This driver is a packet sniffer for incoming-only traffic on Ethernet and VPN (ndiswanip) interfaces or any used with ms_pschedmp as an alternative connection.

It implements a BPF (Berkeley packet filter) style packet-filtering system that is configured from the driver's registry configuration values or from DeviceIoControl messages.

The captured network packets may be written to disk in libpcap format (magic 0xA1B2C3D4 version 2.4) and encrypted with one-byte XOR, key 0xE3.

The driver's configuration is stored in the registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdip]

  • Options - packet filtering rules in BPF format
  • Tag - selector of filtered packet types / Defaults in case of MediumWan to NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_MULTICAST|NDIS_PACKET_TYPE_DIRECTED;
    (or NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_DIRECTED in any other case)
  • ImageFile - full path name to the resulting pcap file
  • Duration - used as Length of the original packet in dump file. (default 0xffff)
  • Backup - max size of the pcap file

IOCTLs:

  • 0x80002004 getCurrentState
  • 0x80002008 setFilteringRules
  • 0x8000200C getFilteringRules
  • 0x80002024 getDumpFileSize
  • 0x80002010/0x80002014/0x80002018/0x8000201C pause/resume
  • 0x80002020 getVersion - returns 2.4.0

Driver has three logical parts, and uses an incomplete function pointer table as interface:

  1. Business logic: filtering rules, packet dumping, device ioctl, options
  2. Ndis driver skeleton
  3. Primitives lib: Strings, XORing, registry I/O

The code is of very good quality. It looks more complicated than Winpcap 2.3 (released 28 mar 2002), but less so than Winpcap 3.0 (released by 10 apr 2003). Interestingly, the driver identifies itself as "version 2.4" in the pcap file despite there being no Winpcap version 2.4.

Key/clipboard logger driver - msrtvd.sys MD5s 98dea1bce37bf7087360e1958400589b
bb8f56874189d5dfe9294f0553a49b83
f6bf3ed3bcd466e5fd1cbaf6ba658716 Size 31 488 - 36 736 bytes Format PE32 Native Compiled 2010.02.19 22:45:18 (GMT)
2008.09.17 16:23:54 (GMT) Version Info
  • FileDescription: MSRTvd interface driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrtvd.sys

This is a keylogger and clipboard monitoring tool.

On startup, the driver creates a device named "\Device\Gk0" and a symbolic link named "\DosDevices\Gk".

Then it attaches to the csrss.exe process and disassembles user32.dll and ntdll.dll routines to obtain win32k.sys and ntoskrnl.exe SDT services indexes and pointers of needed Nt/Zw APIs.

Then, using a built-in disassembler, it obtains pointers to NtUserPeekMessage, NtUserGetMessage, NtUserGetClipboardData and using the disassembler again selects the parts of the code that will be then hooked by splicing.

The interceptor routines are copied from a special PE section named ".msda". These routines are able to collect key press chains and clipboard text data, add information about current Time, ProcessName, ForegroundWindowText,and UserName related to this event.

A dedicated thread ("dumper") gathers the collected data, compresses the results with LZO appends it every 30 minutes to a file "%system-wide TEMP%\tm154o.da".

Most strings inside are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x22002C -start dumper thread
  • 0x220030 - stop dumper thread
  • 0x220034 - check if the driver has new data to dump
  • 0x220038 - set two external events signaled on dump data availability (it references a plugin possibility)
  • 0x22003C - restart dumper thread
  • 0x220040 - get size of available data
Collector plugin for Volrec - msrstd.sys MD5s 69e7943f3d48233de4a39a924c59ed2c
15d39578460e878dd89e8911180494ff Size 13 696 - 17 408 bytes Format PE32 Native Compiled 2009.06.05 16:21:55 (GMT)
2009.12.15 16:33:52 (GMT) Version Info
  • FileDescription: msrstd driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrstd.sys

This driver is a plugin that collects events from the "volrec.sys" driver, and delivers them by sending DeviceIoControl messages. It collects events about file and disk volume operations.

On startup the driver obtains a pointer to "\Device\volrec", then creates a control device "\Device\msrstd0" and a symbolic link to it named "\DosDevices\msrstd"

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

For file events the driver collects the filenames, and caches data about read and write operations. For disk volume events it queries disk properties and reads volume labels and disk serial numbers of removable drives (USB, FireWire drives).

IOCTLs:

0x220004 - turn on VolumeEvents collection
0x220008 - turn off VolumeEvents collection
0x22000C - retrieve previously stored VolumeEvent (operationType, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x220010 - turn on FileEvents collection
0x220014 - turn off FileEvents collection
0x220018 - retrieve previously stored FileEvent (fileName, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x22001C - connect to Volrec.sys (send ioctl 0x220004), enable plugin operation
0x220020 - disconnect from Volrec.sys (send ioctl 0x220008), disable plugin operation

Filesystem filter driver – volrec.sys, scsi2mgr.sys MD5s a6662b8ebca61ca09ce89e1e4f43665d
c17e16a54916d3838f63d208ebab9879 Size 14 464-14 848 byres Format PE32 Native Compiled 2009.06.05 16:21:57 (GMT)
2009.12.15 16:33:57 (GMT) Version Info
  • FileDescription: Volume recognizer driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: volrec.sys

This driver is a generic filesystem filter which feeds system events to user-mode plugins.

On startup the driver creates a control device named "\Device\volrec" and a symbolic link to it named "\DosDevices\volrec0". It then attaches all available filesystem devices.  It is also, able to handle removable storage devices.

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x220004 - setup plugin interface
  • 0x220008 - disable plugin calls

The driver handles the following system events:

  • file opened, created or closed
  • data is read or written to a file
  • new volume is mounted, unmounted
  • new USB or FireWire device attached
HDD/SSD operation helper driver - WIN32M.SYS MD5s 2b444ac5209a8b4140dd6b747a996653
b3487fdd1efd2d1ea1550fef5b749037 Size 19 456 - 26 631 bytes Format PE32 Native, PE32+ Native Compiled 2001.08.23 17:03:19 (GMT)
2013.05.14 15:58:36 (GMT) Description This module will be the subject of a dedicated blogpost. HDD/SSD firmware operation - nls_933w.dll MD5s 11fb08b9126cdb4668b3f5135cf7a6c5
9f3f6f46c67d3fad2479963361cf118b Size 212 480 - 310 272 bytes Format PE32 DLL, PE32+ DLL Compiled 2010.06.15 16:23:37 (GMT)
2013.05.14 16:12:35 (GMT) Version Info (64bit dll only)
  • FileDescription: Windows Networking Library
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2001
  • FileVersion: 80AA
  • InternalName: nls_933w.dll
  • OriginalFilename: nls_933w.dll
  • PrivateBuild: 4.0.1.0
  • ProductName: Microsoft(R) Windows (R) 2000 Operating System
  • ProductVersion: 5.0.2074.0
  • Full Version: 1.0.0.1
Description This (80AA) plugin is a HDD firmware flashing tool which includes an API and the ability to read/write arbitrary information into hidden sectors on the disk.
The plugin will be the subject of a separate blogpost.

Patch Tuesday March 2015 - Stuxnet LNK 0day Fixed

Secure List feed for B2B - Tue, 03/10/2015 - 20:05

Wait, what? Wasn't the Stuxnet LNK vulnerability CVE-2010-2568, reported by Sergey Ulasen, patched years ago? Didn't Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn't completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after Equation's poorly QA'd USB worm spread across Pakistan exploiting the same LNK vulnerability years earlier than Stuxnet. Now, to be precise, this fix patches the newly generated label CVE-2015-0096, but the flawed functionality still is maintained with LNK handling code used to support custom icons from .cpl files. And, we have not observed a different implementation of this newly report LNK exploit in-the-wild. Yet.

So, machines have remained vulnerable to an actively exploited codebase providing custom icon-loading support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two "target" files - one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. "Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender's Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake." In this case, it's more that the attacker had to chain together a complex series of overlooked steps.

Microsoft's release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 - IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability

Threatpost for B2B - Tue, 03/10/2015 - 14:24
Microsoft's March 2015 Patch Tuesday security bulletins include patches for an old Stuxnet LNK vulnerability and the FREAK SSL vulnerability.

Patched Windows Machines Exposed to Stuxnet LNK Flaw All Along

Threatpost for B2B - Tue, 03/10/2015 - 13:00
Microsoft released a new patch for the LNK vulnerability exploited by Stuxnet after it learned original patch from 2010 failed and left Windows machines exposed.

CloudFlare Aims to Defeat Massive DDoS Attacks with Virtual DNS

Threatpost for B2B - Tue, 03/10/2015 - 11:13
DDoS attacks have been a persistent problem for the the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers’ arsenal now is the use of botnets to generate massive numbers of DNS queries for a target […]

Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2

Threatpost for B2B - Tue, 03/10/2015 - 10:28
Apple has patched the FREAK SSL vulnerability, along with a nasty bug that could’ve allowed a remote attacker to restart a user’s iPhone via SMS, with the release of iOS 8.2. The new version of Apple’s mobile operating system contains a number of vulnerability fixes, with the FREAK patch being the most prominent among them. […]

OpenSSL Security Audit Ready to Start

Threatpost for B2B - Tue, 03/10/2015 - 09:46
NCC Group Cryptography Services announced it will shortly begin an audit of OpenSSL.

Yahoo Patches Critical eCommerce, Small Business Vulnerabilities

Threatpost for B2B - Tue, 03/10/2015 - 07:17
Yahoo has fixed a handful of vulnerabilities that could have given an attacker free reign over all of its user-run eCommerce websites and caused multiple headaches for small business owners.

SMS Trojan bypasses CAPTCHA

Secure List feed for B2B - Tue, 03/10/2015 - 07:00

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.

The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

Distribution

This article discusses Trojan-SMS.AndroidOS.Podec, version 1.23 (the version was identified from analyzing its code). The hash sums are:

72ADCF52448B2F7BC8CADA8AF8657EEB
0D5708158B8782F115670BD51833AC5C

This version of the Trojan circulates in Russia and neighboring countries.

Country Number of attempts to infect unique users Russia 3666 Kazakhstan 339 Ukraine 305 Belarus 70 Kyrgyzstan 23

The number of infections over time:

Number of attempts to infect unique users

Sources of Infection

According to statistics collected with the help of Kaspersky Security Network, the main sources from which the Trojan in our study spreads are various domains with imposing names (Apk-downlad3.ru, minergamevip.com, etc.), as well as the servers of the popular Russian social network VKontakte (VK, vk.com) that are used to store users' content.

A pie chart of file infection sources

As we see, in most cases the infection is sourced from the social network's servers. Unfortunately, VK's file storage system is anonymous, so there is no way to analyze how malware emerges from it. However, further research identified a number of communities that distribute Trojan-SMS.AndroidOS.Podec on this social network:

  • http://vk.com/vzlomannye_igry_dlya_android
  • http://vk.com/skachat_minecraft_0_9_0_android
  • http://vk.com/minecraft_pe_0_9
  • http://vk.com/vzlom_igry_android_mody
  • http://vk.com/igry_android_cheats
  • http://vk.com/android_mody_apk
  • http://vk.com/novye_igry_na_android
  • http://vk.com/skachat_hill_climb_racing_bpan
  • http://vk.com/na_android_igry

(The Russian names of these groups refer to cracking Android games in some form)

All the groups listed here were filled with similar content: images, links and messages.

Each group is about one or more cracked games. The cybercriminals seem to be hoping that potential victims will be attracted by the chance to get free access to content that is usually paid-for.

Nearly all messages on the groups' walls are links leading to sites purportedly containing Android games and applications. The same is true for the "Links" section. In reality, the only purpose these sites served was to spread different versions of Trojan-SMS.AndroidOS.Podec.

Eight groups in the social network with similar visual designs

These groups have a lot in common: the way in which they are managed and designed (e.g. using keywords in place of descriptions, an abundance of simple broad-language messages characteristic of bots, etc.), the links they host to fake sites that seem to be copies of one idea. This suggests that black SEO (Search Engine Optimization) specialists were involved in distributing the Trojan. The above practices help bring links to the malicious resources (sites and groups) closer to the top of search engine results, attracting yet more visitors.

All these clone communities have the same administrator, who is a VK user identified as 'kminetti'. These communities are also advertised on that user's personal page. The user's account was created on 12 October 2011; in 2012, the account's wall started hosting links to sites and communities spreading malicious applications for mobile devices.

Examples of messages posted by the administrator of the malicious communities

Earlier, this account was used as a bot hosting links to web resources to increase their citation indexes (CI).

Examples of the posts placed by the communities' administrator to increase CIs of third-party resources

It can be concluded from all of the above that the VKontakte social network is the main vehicle for distributing Trojan-SMS.AndroidOS.Podec.

The Infection Procedure

The mobile Trojan sample that became available for Kaspersky Lab's analysts masquerades as a popular application, 'Minecraft Pocket Edition'. The file is 688 Kbyte in size, which may be an advantage in the eyes of inexperienced users with a slow and/or expensive Internet access. The official Minecraft application is 10 to 13 MB in size.

When launched, the application asks for device administrator privileges. This step makes sure that neither user nor a security solution can subsequently delete the Trojan. If the user rejects the request, the Trojan keeps repeating it until the privilege is granted. This process effectively blocks the normal use of the device.

Privilege escalation request

When Trojan-SMS.AndroidOS.Podec receives the requested escalated privileges, the legitimate Minecrast app is downloaded from a third-party resource and installed on the SD card. This behavior follows the instructions provided in the configuration file that comes alongside with the Trojan; the same file specifies the link to the legitimate APK file. However, the configuration file does not always contain a link to the application; in this case, the Trojan simply stops any activities observable by the user after it receives the requested privilege escalation.

Part of the configuration file containing the link to legitimate Minecraft installation file

Then the Trojan deletes its shortcut from the apps list and replaces it with the real Minecraft shortcut. However, traces of the Trojan's presence remain in the install apps list and in the device administrators' list:

The option of deleting the malicious app is deactivated. If the device user later seeks to de-escalate the Trojan's privileges the machine responds with weird and unsettling behavior: the screen locks, then shuts down for some moments. When the screen comes back on the device displays the configuration menu and there is no evidence of any attempt to strip the malicious app of its admin privileges.

Protection against analysis

The cybercriminals apparently invested serious time and effort into developing Trojan-SMS.AndroidOS.Podec, as demonstrated by the techniques used to prevent code analysis. As well as introducing garbage classes and obfuscation into the code, the cybercriminals used an expensive legitimate code protector which makes it fairly difficult to gain access to the source code of the Android application. This protector provides code integrity control tools, hides calls of all methods and manipulations involving class fields, and encrypts all strings.

Here is an example of protected code:

This is the same code after the protection is removed:

Managing the Trojan

Trojan-SMS.AndroidOS.Podec's activities are managed using C&C servers. The system works like this. First the Trojan contacts a C&C server via an HTTP protocol, and waits for an SMS with instructions. Trojan-SMS.AndroidOS.Podec has a main and a backup list of C&C domain names – a specific C&C server is chosen from the list following a random algorithm. If there is no response from that server within 3 days, a C&C from the backup list is used. This implements an adaptive algorithm to connect to a C&C server, which works even if specific domain names are blocked.

The C&C domain names and the entire traffic (both HTTM and SMS) are encrypted with AES encryption algorithm in CBC/NoPadding mode with a 128 bit key. The encryption key and the initialization vector are originally located in the file fXUt474y1mSeuULsg.kEaS (the name of this file changes from version to version), located in the 'assets' folder of the app source. Most of the file content is junk; useful information is contained between tags, appearing in the form of [a]string[/a].

From the strings between tags, the required encryption parameters (the key and the vector) are obtained in an encrypted form. Then they are decrypted by simply replacing one substring with others.

After decryption the commands form an XML document, in which the tags represent specific commands, and the contents of tags are command parameters. Below is the list of Trojan-SMS.AndroidOS.Podec capabilities implemented via commands:

  1. Collect information about the device (cell phone service provider, IMEI, phone number, interface language, country and city, etc.)
  2. Collect a list of installed applications.
  3. Receive information about USSD.
  4. Send SMS messages.
  5. Set a filter on incoming messages.
  6. Set filters on incoming and outgoing calls.
  7. Display advertisements to the user (display a separate notification, open an advertisement page, start a dialog, and other ways to show commercial content)
  8. Delete messages, as specified
  9. Delete call records, as specified
  10.  Upload the source HTML code of a specified page to the cybercriminals' server.
  11.  Perform a DDoS attack. Ramp up website visitor counters.
  12.  Subscribe the user to paid content.
  13.  Do a self-update.
  14.  Perform an outgoing call.
  15.  Export incoming messages according to conditions specified by C&C.
  16.  Delete an app, as instructed by C&C.

Even a quick analysis of the Trojan's executable code reveals an abundance of ways of working with HTML and HTTP. As well as features regarded as standard for this type of Trojans (e.g. sending and intercepting text messages, placing phone calls, manipulations with SMSs and call logs), Trojan-SMS.AndroidOS.Podec can also configure web page visits and send their code to C&C. However, this Trojan's most interesting feature is its CAPTCHA recognition capability.

A flow chart of Trojan-SMS.AndroidOS.Podec in operation is provided below.

Thus, the web resource's communication capabilities are the source of two different threats:

  1. The Trojan contains functions with which one can launch a simple HTTP Flood DDoS attack. The associated strings in the configuration file are as follows:
  2. The resulting link is loaded; the function sleep() is called with the parameter 'seconds'. This process is repeated as often as the 'limit' parameter specifies.

    The scheme used by the cybercriminals enables them to configure the frequency and number of access attempts; therefore, it can be used to ramp up web site visitor counters, thus generating profits from advertising and from partnership programs.

  3. One of the most dangerous capabilities in Trojan-SMS.AndroidOS.Podec is the use of configurable webpage visit rules, with CAPTCHA recognition supported. With this, the Trojan can subscribe the user to premium-rate subscriptions without the user's knowledge or consent. This capability is unique to this Trojan, so let us review it in more detail.
Paid subscriptions

There are two main models of subscribing to content on a web resource:

  • Pseudo-subscription. In this model, users visit a web resource and enter their phone numbers. An SMS is then sent, asking users to pay for the service by sending a reply message with any text. When users send that message, a certain amount of money is deducted from their phone accounts, depending on the specific service provider's prices. These messages arrive automatically, and users make up their minds each time whether to send the reply message or not. It is for this reason that this model is often referred to as pseudo-subscription.
  • MT subscription. In this model, users enter their mobile phone numbers on a web page and receive an SMS with a validation code. Then users enter that code on the service provider's website, accepting the subscription terms and conditions. After that, the service provider will automatically deduct the sum stipulated in the subscription terms and conditions from the subscriber's account. In the Russian segment of the Internet, a number of partnership contracts are available that can aggregate this type of payments. This means that the cybercriminals do not have to directly deal with the cellular service providers when they create a service to which users can subscribe to paid content; partnership programs will do the agent's job. Under this model, the revenue is lower for the service creators, but the financial transactions are more anonymous.

Subscribing to paid services through a Trojan can be costly for users. In case of pseudo-subscriptions, one reply message may cost between $0.5 and $10. In case of MT subscription, the price in each specific case is agreed directly with the mobile service provider via the partnership program. The most dangerous factors here are that money is deducted 1) covertly and 2) on a regular basis. Users who are subscribed to several such "sources of content" may have to spend a lot of time and effort trying to find out where and how money from their accounts is going.

Example of the Trojan in operation

We were able to intercept Trojan-SMS.AndroidOS.Podec's communication with its C&C server. This communication session unfolded as follows:

  • The RuMaximum.com website was accessed – this site provides online test services for users. To get their results, users have to subscribe to the site.
  • This test in Russian is "What type of dog is most like you?"

  • With a GET request, the Trojan imitates a user taking a test. Then it finishes with a link that looks like http://rumaximum.com/result.php?test=0&reply[1]=0&reply[2]=0&reply[3]=0&reply[4]=0&reply[5]=0&reply[6]=0&reply[7]=0&reply[8]=0&reply[9]=0&reply[10]=0. This URL leads to the following web document:
  • Results of the test "What type of dog are you similar to?"
    "Yes, I am 18 years old or older, and I consent to the Terms and Conditions below.
    Enter your phone number."

  • After the user enters a phone number, a unique "landing page" of the service provider is generated, demanding a CAPTCHA authentication and for a validation code that was sent to the phone by SMS. The Trojan fills out both fields and validates the subscription. Then, the user is redirected to the test results via the e-commerce system totmoney.ru.
  • Results of the test "What type of dog are you similar to?"
    You are a German shepherd, a versatile dog. You can guard the state border or help the blind across the street. You learn things easily and keep your head cool in any circumstances. A good manager too!

The Trojan does all of these actions automatically using the configuration sent from the C&C. The victim, however, has no idea that any of this is happening.

Paid subscription capability

In the XML configuration sent from the C&C server, there is a field which subscribes the user to paid content. It looks like this:

Let's have a closer look at the configuration field:

  1. verify is an array of strings with the separator "-S-". It contains the information required to obtain the CAPTCHA value.
  2. verify[0]: if this field is not equal to zero, CAPTCHA recognition is required, otherwise further processing is done. This may contain the image file in base64 coding (done for processing static images and CAPTCHA), or an image ID;
    verify[1] is the key of the service 'http://antigate.com' used to recognize CAPTCHA and required to login at the service;
    verify[2] is the minimum image length, used for housekeeping purposes;
    verify[3] is the maximum image length, used for housekeeping purposes;
    verify[4] is the language of the symbols in the image.

  3. service is the accessed service;
  4. search is an array of strings with the separator "-S-", used to search for substrings in the link and to take a decision about the appropriate type of subscription depending on the search results;
  5. images is not used in this version;
  6. actions is an array of strings with the separator "-S-". Contains the final links that the services follows to initiate/complete the subscription process;
  7. type is request type;
  8. source indicates whether the webpage's source code should be sent to C&C;
  9. domain: If the page's source code should be sent to C&C, domain indicates the destination C&C.

The Observable interface is used to fetch the code of HTML pages and send it to C&C. The required information is sent to this interface, whenever needed, with the help of JavaScript when the page is loaded.

The webpage source code is required for cybercriminals to analyze the structure and to prepare an appropriate configuration for the paid subscription module. Also, this service provides source codes of webpages to ensure that the page's code is received in a form that can be used to show it to the victim. This makes it easier for the cybercriminals to analyze the page and start the subscription.

The function which completes the subscription to paid content is located in the class CustomWebView, which is inherited from the class WebViewClient. In it, the method onLoadResource was redefined (this method is used to get a link to the image), as was the onPageFinished method,which is used to post-process the loaded web-resource. Post-processing is based on analyzing the configuration and then visiting the required links with the help of the loadUrl function. When required, the CAPTCHA processor is called as well.

Bypassing CAPTCHA

Different partnership programs have different requirements from the design of a web resource where subscription tools will be hosted. For instance, there is often a requirement that for a CAPTCHA module to confirm that the request was not made from a bot. In most cases, the partnership program forwards the browser to the service provider's site where users are prompted to enter a CAPTCHA code to confirm their subscription requests. As explained above, Trojan-SMS.AndroidOS.Podec's key characteristic is that it can bypass CAPTCHA protection systems.

Trojan Podec can subscribe users to premium-rate services while bypassing CAPTCHA

Tweet

The CAPTCHA processor communicates with the service Antigate.com which provides image-to-text manual recognition services. Here is what the service says on its web-page:

Antigate.Com is an online service which provides real-time captcha-to-text decodings. This works easy: your software uploads a captcha to our server and receives text from it within seconds.

Source: antigate.com

In other words, the text from the CAPTCHA image is recognized by a person working for this service. According to the information Antigate.com provides on its website, most of its workers are based in India.

Source: antigate.com

Distribution of Antigate.com employees between countries

The Trojan communicates with Antigate.com via an HTTP API service: a POST request is used to the send the image containing a text to be recognized; then, with the help of GET requests, the recognition status is monitored. The recognized result (if received in reasonable time) is inserted into the links from the 'actions' field of the received configuration. Then the links are opened with the help of the loadUrl()function.

If the subscription mechanism requires SMS validation the Trojan uses the filter set by the cybercriminals to search for the message containing the validation code, and uses regular expressions to extract the code from there.

The general subscription procedure

General flow chart of subscription to paid content

In general, the model of subscribing to paid content consists of the Observer SubscribeService which listens to the events as they occur in the HTMLOUT interface. When data (a downloaded page) is received from there, it is sent to C&C with the help of the class Submitter, which inherits the class AsyncTask. Also, SubscribeService accepts command parameters from the manager routine as input, initializes CustomWebView and starts to process the task with the help of SubscribeTask. SubscribeTask launches CustomWebView in which input parameters are processed, and decision is made about how the subscription should be performed. If required, CaptchaProcessor is launched, which is responsible for communications with the text recognition service and handling the requests that require validation code and the characters from the CAPTCHA image.

Conclusion

From the analysis of Trojan-SMS.AndroidOS.Podec samples that arrived earlier, we can conclude that the Trojan is under ongoing development. The code is being refactored, new capabilities are added, and module architectures are being reworked.

We suspect this Trojan is being developed by a team of Android developers in close cooperation with Black SEO specialists specializing in fraud, illegal monetization and traffic generation. The following evidence supports this theory:

  1. The Trojan is distributed via the VKontakte social network employing social engineering tools;
  2. A commercial protector is used to conceal the malicious code;
  3. The scheme includes a complicated procedure of extorting money from the victim while bypassing CAPTCHA.

Also, there are certain features in the code of the analyzed version of Trojan-SMS.AndroidOS.Podec which have not yet been used but which may reveal the malware writer's further plans. For instance, there is an auxiliary function isRooted(), which helps to check whether the device's owner has super-user privileges. This function is not used in the Trojan's main code, so we can assume that a payload designed to exploit super-user privileges may emerge in future versions of the Trojan.

Users of Kaspersky Lab's products are already secured against all existing versions of Trojan-SMS.AndroidOS.Podec. Nonetheless, we recommend that users only install applications sourced from official stores, such as Google Play. The user should always be alert to cybercriminals' tricks and avoid downloading cracked apps advertised as free of charge. If you download and launch a Trojan, you can potentially lose much more money than you may earn from not paying to purchase legitimate software.

With acknowledgements to Mobile TeleSystems OAO, a GSM cell phone operator in Russia, and specifically to its experts in partnership programs traffic.

Rowhammer Hardware Exploit Poses Threat to DRAM Memory in Many Laptops, PCs

Threatpost for B2B - Tue, 03/10/2015 - 06:00
Software, from web apps, to operating systems to firmware, has been abused and exploited every which way from Sunday for decades by both researchers and attackers. Now, it is hardware’s turn in the spotlight, as researchers have published details of a new method for exploiting a problem with some DRAM memory devices that can allow […]

New Technique Complicates Mutex Malware Analysis

Threatpost for B2B - Mon, 03/09/2015 - 14:26
A recent malware sample dynamically generates the name of a mutex object by using Windows product ID, lessening its predictability and complicating detection.

Seagate Confirms NAS Zero Day, Won’t Patch Until May

Threatpost for B2B - Mon, 03/09/2015 - 10:52
Seagate confirmed a publicly disclosed vulnerability in one of its network attached storage products, but said it won't have a patch available until May.

TextSecure to Drop Support for Encrypted SMS

Threatpost for B2B - Mon, 03/09/2015 - 10:09
Open Whisper Systems is phasing out support for encrypted SMS and MMS messages in its TextSecure messaging product. The move does not spell the end for encrypted messaging for users of the Android app, as the company plans to switch to its own transport protocol to address some of the security and performance issues inherent […]

Understanding the operations of a scam

Secure List feed for B2B - Mon, 03/09/2015 - 05:00

Currently, in Sweden, we're facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.

Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.

So, let me give you the background.

Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.

After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.

I told my wife to be very brief in her answers, which you can see in her initial email response below:

As you can see, the person starts to ask valid questions about the bike, which means that it's not a bot, it's actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.

We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still be a chance that the person was not a scammer and really wanted the bike.

It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.

The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.

We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren't able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn't been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.


I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks.  When you look at the email you can see that it's actually being sent from service@e-pay-team.com which is hosted on Google Mail.  What is so interesting with this email is that it's most likely created manually too, because it contains details such as the price we asked for the bike.


At this point no money had been transferred to my PayPal account - the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company "P.S.S Logistics". The process they outlined for transferring the money was to visit a Western Union office, and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called "P.S.S Logistics", but its registered in South Africa, the fraudsters started to use this name, but when you transfer the money it goes to an individual named "Bamise Seon" in Nigeria.


At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps email using the Polish name "Pawel Dylewski" can be found on Google Plus. And the individual in Nigeria can be found on Facebook. If you look closely on the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it's written: "Send HER a friend request", which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.

I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.

The scheme in bullet points:
  1. You receive an SMS from a potential buyer containing an email for further contact?
  2. In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
  3. Once the email conversation starts, the buyer wants to pay with an online payment service - for example, PayPal - offering full payment, including shipping.
  4. They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won't be transferred to your account until you have completed the deal.
  5. The deal can only be completed if you transfer money for the shipping costs to a shipping company - for example, via Western Union.
  6. The shipping company does not exist, it's actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.
Some useful tips when communicating with strangers over Internet:
  • Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
  • Please double-check any email address: for example, in this case it did not come from "paypal.com", but "e-pay-team.com".
  • Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
  • Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.

PS: We sold the bike today. To a REAL person

Syndicate content