Feed aggregator

Trey Ford on Mapping the Internet with Project Sonar

Threatpost for B2B - Fri, 02/20/2015 - 11:28
Trey Ford from Project Sonar describes the group's initiative at Kaspersky's Security Analyst Summit. The Rapid 7 service scans public-facing networks for apps, software, and hardware, then analyzes that cache of information to gain insight to trends and common vulnerabilities.

Costin Raiu on the Equation Group APT

Threatpost for B2B - Fri, 02/20/2015 - 09:22
Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT team about the researcher behind the Equation Group campaign, the group's capabilities and why they seem to have gone dark now.

Lenovo Superfish Certificate Password Cracked

Threatpost for B2B - Thu, 02/19/2015 - 13:07
Researcher Rob Graham has cracked the certificate password for Superfish adware pre-installed on Lenovo laptops.

TrueCrypt Audit Stirs Back To Life

Threatpost for B2B - Thu, 02/19/2015 - 12:15
The organizers of the TrueCrypt audit expect the cryptanalysis of the open source encryption software to begin shortly; phase two will be handled by NCC Group's Cryptography Services practice.

‘Yes, Your Car Wash Is On Facebook’

Threatpost for B2B - Thu, 02/19/2015 - 07:47
Looking in one of the more obscure corners of the web, Billy Rios discovered how to hack automated car wash equipment.

Equation Group: from Houston with love

Secure List feed for B2B - Thu, 02/19/2015 - 04:00

In 2009, an international scientific conference was held in Houston, USA. Leading scientists from several countries were invited to attend. As is traditional for such events, the organizers sent out a post-meeting CDROM containing a presentation with the best photos from the event. It is unlikely that any of the recipients expected that while they were enjoying the beautiful pictures and memories a nation-state sponsored Trojan Horse was activating silently in the background.

Photo slideshow played from the CD

Interestingly, it looks as if most of the attendees brought pens and paper instead of laptops.

Self-elevating Autorun

The disk contains two files in the root folder, an autorun.inf and autorun.exe. This is typical of many CDROMs. The autorun.inf simply executes the main EXE from root.  Here's what it looks like:

[AutoRun] open=Autorun.exe
icon=Presentation\Show.exe,0

More interesting is the autorun.exe binary, which has the following attributes:

Date of compilation 2009.12.23 13:37:33 (GMT) Size 62464 bytes MD5 6fe6c03b938580ebf9b82f3b9cd4c4aa

The program starts by checking the current user's privileges. If the current user has no administrative rights, it tries to elevate privileges using three different exploits for vulnerabilities in the Windows kernel. These vulnerabilities were patched by the following Microsoft patches:

  • MS09-025
  • MS12-034
  • MS13-081

Considering the date the CDROM was shipped, it means that two of the exploits were zero-days. It's notable that the code attempts different variants of kernel exploits, and does so in a loop, one by one, until one of them succeeds. The exploit set from the sample on the CDROM includes only three exploits, but this exploitation package supports the running of up to 10 different exploits, one after another. It's not clear whether this means that there is also a malware with 10 EoP exploits in it, or whether it's just a logical limitation.

The code has separate payloads for Windows NT 4.0, 2000, XP, Vista and Windows 2008, including variations for certain service pack versions. In fact, it runs twice: firstly, to temporarily elevate privileges, then to add the current user to the local administrators group on the machine, for privilege elevation persistence.

Such attacks were crafted only for important victims who couldn't otherwise be reached #EquationAPT #TheSAS2015

Tweet

If these actions are successful, the module starts another executable from the disk, rendering the photo slideshow with pictures from the Houston conference.

At the end, just before exiting, the code runs an additional procedure that does some special tests. If the date of execution fell before 1 July 2010 and it detects no presence of Bitdefender Total Security 2009/2010 or any Comodo products, it loads an additional DLL file from the disk named "show.dll", waits for seven seconds, unloads the DLL and exits.

If the date fell after 1 July 2010, or any of the above products are installed, it drops execution immediately.

The "Show" Begins – introducing DoubleFantasy

The main loader and privilege escalation tool, "autorun.exe" fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as "show.dll" in the "Presentation" folder of the CDROM.

The DLL file has the following attributes:

Date of compilation 2009.03.20 17:42:21 (GMT) Size 151'552 bytes MD5 ef40fcf419954226d8c029aac8540d5a Filename show.dll Short Description DoubleFantasy installer

First it locates data in the resource section, unpacks (UCL) and XOR-decrypts configuration data from one of the resources.

Next it creates the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\Version

After that it sets the (Default) value for "Version" subkey as "008.002.000.003", which identifies the implant version.

It also attempts to self-delete on the next reboot, which fails if it's started from the CD.

When run by the exploitation package "Autorun.exe", the program already has administrative privileges from one of the three exploits. However, the code checks again if it's running with administrative privileges, and attempts to elevate using just two kernel vulnerabilities:

  • MS09-025
  • MS12-034

This indicates that the DoubleFantasy installer has been designed to run independently from the disk from Houston with its "Autorun.exe".  In fact, we've observed the independent use of the DoubleFantasy installer in other cases as well.

The installer checks for security software using a list of registry keys and values stored in the resource section. The keys are checked in quite a delicate "non-alarming" way using key enumeration instead of direct key access. List of top level keys checked:

  • HKLM\Software\KasperskyLab\protected\AVP7\profiles\Behavior_Blocking\profiles\pdm\settings
  • HKLM\Software\KasperskyLab\AVP6\profiles\Behavior_Blocking\profiles\pdm\settings
  • HKLM\Software\Agnitum\Outpost Firewall
  • HKLM\Software\PWI, Inc.
  • HKLM\Software\Network Ice\BlackIce
  • HKLM\Software\S.N.Safe&Software
  • HKLM\Software\PCTools\ThreatFire
  • HKLM\Software\ProSecurity
  • HKLM\Software\Diamond Computer Systems
  • HKLM\Software\GentleSecurity\GeSWall

If any of them exist, the installer will mark the system by setting a special registry key:  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus

The mark will be in the form of {CE0F7387-0BB5-E60B-xxxx-xxxxxxxxxxxx} for the (Default) value data and will then exit.

If no security software is identified, it will unpack (UCL) and XOR-decrypt the main payload, which is extracted into %system%\ee.dll.

Remarkably, it loads the DLL using its own custom loader instead of using standard system LoadLibrary API call.

The module looks as if it was built using a set of components or libraries that perform:

  • Privilege escalation (it seems to be an early version of the same lib used in autorun.exe)
  • Security software detection
  • Resource parsing and unpacking
  • Loading of PE files

This library code supports Win9x and the Windows NT family from NT4.0 to NT6.x. It should be mentioned that these libraries are not very well merged together. For instance, some parts of the code are unused.

Here's what the DoubleFantasy decoded configuration block looks like:

Decoded DoubleFantasy configuration block

Some of the C&Cs from DoubleFantasy configuration:

  • 81.31.34.175 (Czech Republic)
  • 195.128.235.231 (Italy)

The DoubleFantasy malware copied into the victim's machine has the following properties:

Date of compilation 2009.03.31 15:32:42 (GMT) Size 69'632 bytes MD5 b8c0eb946de83fe8440fefbacf7de4a2 Filename ee.dll Short Description DoubleFantasy implant

It should be noted that both the installer and the malware appear to have been compiled several months before "autorun.exe" from the CDROM, suggesting that they are more or less generic implants. It also suggests that the "autorun.exe" was probably compiled specially for the CDROM-based attack.

The DoubleFantasy Malware is the first step in the infection of a victim by the #EquationAPT Group #TheSAS2015

Tweet

The Equation Group's DoubleFantasy implant is a validator-style Trojan which sends basic information about the system to the attackers. It also allows them to upload a more sophisticated Trojan platform, such as EquationDrug or GrayFish. In general, after one of these sophisticated platforms are installed, the attackers remove the DoubleFantasy implant. In case the victim doesn't check out, for example, if they are a researcher analysing the malware, the attackers can simply choose to uninstall the DoubleFantasy implant and clean up the victim's machine.

In fact, there are several known versions of the DoubleFantasy payload. The disk from Houston used version 8.2.0.3; while other versions were mostly delivered using web-exploits.

Decrypting configuration blocks from all known DoubleFantasy samples, we obtained the following internal version numbers:

  • 8.1.0.4 (MSREGSTR.EXE)
  • 008.002.000.006
  • 008.002.001.001
  • 008.002.001.004
  • 008.002.001.04A (subversion "IMIL3.4.0-IMB1.8.0")
  • 008.002.002.000
  • 008.002.003.000
  • 008.002.005.000
  • 008.002.006.000
  • 011.000.001.001
  • 012.001.000.000
  • 012.001.001.000
  • 012.002.000.001
  • 012.003.001.000
  • 012.003.004.000
  • 012.003.004.001
  • 013.000.000.000

Interestingly, the most popular versions are 8 and 12:

We will describe some of the versions that we managed to discover including 8.2.0.3, 8.1.0.4 and 12.2.0.1.

DoubleFantasy Payload v.8.2.0.3 Md5 b8c0eb946de83fe8440fefbacf7de4a2 Size 69'632 bytes Type Win32 GUI DLL Timestamp Tue Mar 31 14:32:42 2009 (GMT) Filenames ee.dll, actxprxy32.dll

This module uses a technique known as DLL COM hijacking which provides a capability to load the code in different processes.

Initialization

First of all, it checks if the running module is named "ee.dll" and, if so, will undertake the final installation steps:

  • Try to find configuration settings in registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\TypeLib, in value "DigitalProductId". If this value exists it decodes it using base64 and decrypts using RC6 (with a 16-bytes HEX key: 66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11).
  • If the key was not found in the registry, it loads configuration from a resource.
  • It copies itself to one of the two variants of filenames. Then it substitutes one of the system components by renaming and replacing the original.
Original File Registry Key Registry Value New Value
(Variant 1)
New Value
(Variant 2)
linkinfo.dll HKLM\System\CurrentControlSet\ Control\SessionManager\KnownDLLs LINKINFO LI.DLL LINK32.DLL hgfs1.dll HKLM\SYSTEM\CurrentControlSet\ Services\hgfs\networkprovider ProviderPath hgfs32.dll hgfspath.dll midimap.dll HKLM\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Drivers32 midimapper midimapper.dll midimap32.dll actxprxy.dll HKCR\CLSID\ {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\ InProcServer32 (Default) actxprxy32.dll actxprxyserv.dll
  • Set 64-bit value from config to (Default) value of HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\TypeLib key in form of {8C936AF9-243D-11D0-xxxx-xxxxxxxxxxxx}, it seems to be used later as victim ID when connecting to C&C server.
  • Set (Default) value of HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\Version to "008.002.000.003" string.
  • Upon the creation of a key it performs additional steps to set KEY_ALL_ACCESS rights for Everyone.
  • Update start time, encode and write back config to registry value HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\DigitalProductId

If an error occurs, it sets HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus\(Default) value to "0". Registry value {CE0F7387-0BB5-E60B-8B4E-xxxxxxxxxxxx} then contains xor-encrypted error code.

If there is an initialization error, if the hosting process is "explorer.exe" or "avp.exe", it supresses any exceptions and continues execution. This could indicate that if there were any errors in these processes they must not be shut down because of them.

To correctly hijack the replaced COM objects, the code exports a set of functions bound to original DLL files.

CompareLinkInfoReferents = linkinfo.CompareLinkInfoReferents
CompareLinkInfoVolumes = linkinfo.CompareLinkInfoVolumes
CreateLinkInfo = linkinfo.CreateLinkInfo
DestroyLinkInfo = linkinfo.DestroyLinkInfo
DisconnectLinkInfo = linkinfo.DisconnectLinkInfo
DllCanUnloadNow = actxprxy.DllCanUnloadNow
DllGetClassObject = actxprxy.DllGetClassObject
DllRegisterServer = actxprxy.DllRegisterServer
DllUnregisterServer = actxprxy.DllUnregisterServer
DriverProc = midimap.DriverProc
GetCanonicalPathInfo = linkinfo.GetCanonicalPathInfo
GetLinkInfoData = linkinfo.GetLinkInfoData
GetProxyDllInfo = actxprxy.GetProxyDllInfo
IsValidLinkInfo = linkinfo.IsValidLinkInfo
NPAddConncection = hgfs1.NPAddConncection
NPAddConncection3 = hgfs1.NPAddConncection3
NPCancelConncection = hgfs1.NPCancelConncection
NPCloseEnum = hgfs1.NPCloseEnum
NPEnumResource = hgfs1.NPEnumResource
NPFormatNetworkName = hgfs1.NPFormatNetworkName
NPGetCaps = hgfs1.NPGetCaps
NPGetConnection = hgfs1.NPGetConnection
NPGetResourceInformation = hgfs1.NPGetResourceInformation
NPGetResourceParent = hgfs1.NPGetResourceParent
NPOpenEnum = hgfs1.NPOpenEnum
ResolveLinkInfo = linkinfo.ResolveLinkInfo
modMessage = midimap.modMessage
modmCallback = midimap.modmCallback

The implants periodically run checks against a special file defined in config. If that file has changed since the last check, or at least a week has passed since the last check, it does the following:

  • Perform a connectivity check via public domains (specified in config, i.e. "www.microsoft.com" and "www.yahoo.com") using HTTP POST requests.
  • If Internet access is available, connect to one of two C&C IPs or hostnames (specified in config: i.e. 81.31.34.175 and 195.128.235.23). Standard HTTP/HTTPS ports 80 and 443 are probed.
  • Send a POST request to the C&C with additional headers "EIag: 0d1975bfXXXXXXXX9c:eac',0Dh,0Ah" – where XXXX XXXX – is part of victim ID
  • Request additional data: victim ID, version, MAC address. The data is encrypted using RC6 and encoded using Base64. (RC6 key: 8B 4C 25 04 56 85 C9 75 06 33 C0 5E C2 08 31 F6).

The C&C communication code performs the following:

  • Received data is decoded using Base64 and decrypted using RC6. The result is interpreted as a backdoor command.
  • Results of the command execution are sent back to the C&C. It then attempts to fetch the next command from the server.
  • Uninstalls itself if it can't connect to the C&C server within 180 days (configurable).

The following commands are supported by the backdoor:

Cmd code Command Name Description Download&Run Group J (0x4a) Create File Create an empty file; if file already exists get its size. D (0x44) Append File Append chunk of data to a file (created by the "J" cmd). V (0x56) Run or Copy Check CRC16 of file received via D command, delete it if the check fails.
Depending on the commands flag:
  • Copy file to a new location
  • Load file as a DLL
  • Start file as a new process
  • Load DLL using custom built-in loader and call "dll_u" export.
Upload Group K (0x4b) Get File Size Get file size. S (0x53) Read File Read file specified by 'K' command, send it to C&C. It can delete the file after transfer (under some condition). Service Group ` (0x60) Get Info Collect info (IP and MAC addresses, implant version, system proxy server, Windows Registered Owner and Organization, Windows version and ProductID, Locale/Language and Country, Windows directory path, connection type, list of all HKLM\Software subkeys). p (0x70) Set Victim ID Prepare to change Victim ID. u (0x75) Set Interval Change C&C connection interval (seven days by default). v (0x76) Set C&C IP Change primary C&C IP address. x (0x78) Set File Path Change path and name of File-under-inspection. (0x80) Read File Delete file specified in command. B (0x42) Reset Victim ID Change Victim ID to the one set by Set Victim ID command:
Subcmd 0 – reconnect to C&C
Subcmd 1 – reset RC6 context
Subcmd 2 – uninstall DoubleFantasy Payload v.8.1.0.4 Location %System%\MSREGSTR.EXE MD5 9245184228af33d3d97863daecc8597e Size 31'089 Type Win32 GUI EXE Timestamp Wed Mar 22 18:25:55 2006 (GMT) Version Info FileDescription  Registration Software
LegalCopyright  Copyright © Microsoft Corp. 1993-1995
CompanyName  Microsoft Corporation
FileVersion        4.00.950
InternalName    MSREGSTR
OriginalFilename  MSREGSTR.EXE

Compared to version 8.2, version 8.1 implements the same tasks slightly differently.

Differences:

  • This is an EXE file running as a service process.
  • Configuration data stored in the overlay of the file, instead of in resources.
  • Other registry keys are used as a config storage – set of subkeys under HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\Common
  • RC6 encryption and Base64 encoding is not used. The network traffic data is sent in plaintext or simply XOR-encrypted.
  • The number of supported remote commands is only four.
  • The command encoding type is different.
  • Supports Windows 9x family.
DoubleFantasy Payload v.12.2.0.1 Location %System%\actxprxy32.dll MD5 562be0b1930fe5de684c2c530619d659
769d099781220004540a8f6697a9cef1 Size 151552 Type Win32 GUI DLL Timestamp Wed Aug 04 07:55:07 2004 (GMT), probably fake

The implementation of version 12.2 is similar to version 8.2, although it is twice the size due to the addition of a big new library.

The main purpose of this new library to steal user names and passwords from:

  • live running Internet Explorer or Firefox browser memory
  • Internet Explorer proxy configuration, stored in the Windows registry
  • Windows protected storage (up to Windows XP)
  • Windows authentication subsystem (Vista+)

In addition to browsers, the library can also inject malicious code and read the memory of other processes in order to obtain and decrypt users' passwords. The same library is also used inside the main EQUATIONDRUG orchestrator and TRIPLEFANTASY modules.

The library gathers stolen credentials and then probes them when accessing proxy server while connecting to the Internet, and, if a probe was successful, the valid credentials are encrypted with RC6 and encoded with BASE64 to be used later.

In this version the data encryption RC6 key is:
66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11

The traffic encryption RC6 key is:
32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C

The stolen user data is stored in the Windows registry as @WriteHeader value, inside two random keys in the   HKLM\SOFTWARE\Classes\CLSID\{77032DAA-B7F2-101B-A1F0-01C29183BCA1}\Containers node

Summary

The disk used in the Houston attack represents a rare and unusual operation for the Equation Group. We presume that such attacks were crafted only for important victims who couldn't otherwise be reached, for instance, through a web-based attack vector. This is confirmed by the fact that the exploitation library had three exploits inside, two of which were zero-days at the time.

The DoubleFantasy Malware is usually the first step in the infection of a victim by the Equation Group. Once the victim has been confirmed by communicating with the backdoor and checking various system parameters, a more sophisticated malware system is deployed, such as EquationDrug or Grayfish.

During the upcoming blogposts, we will continue to describe the more sophisticated malware families used by the Equation Group: EquationDrug and GrayFish.

Christofer Hoff on Mixed Martial Arts, Active Defense, and Security

Threatpost for B2B - Wed, 02/18/2015 - 11:10
In a talk Monday Christofer Hoff stressed that in security and martial arts alike, it's hard to be a skilled defender if you don't understand how your adversaries pull off the attacks.

BE2 extraordinary plugins, Siemens targeting, dev fails

Secure List feed for B2B - Tue, 02/17/2015 - 18:37

Our November post introducing our BlackEnergy2 (BE2) research described new findings on the group's activity. We presented both details on their plugins and significant findings about some of their targets and victims. In this post, let's examine several additional plugins more closely, targeting details around BE2 Siemens exploitation, and some of their unusual coding failures.

We previously introduced an unknown set of plugins and functionality for the linux platform, six in total. For the windows platform, we collected 17 plugins. The last post noted the difficulty in collecting on this group. We finish descriptions for our set in this post.

bs
cert
dstr
fs
grc
jn
kl
prx
ps
rd
scan
sn
ss
tv
upd
usb
vsnet

We also collected plugins for the MIPS/ARM architectures, as noted in the previous BE2 post.

weap
ps
nm
snif
hook
uper

Extraordinary Functionality

Let's first examine some of the newest and most surprising Windows plugins. It's interesting that all of these plugins use a custom "FindByHash" function to evade detection schemes and to slow analysis...

The "Destroy" plugin, dstr Name dstr.dll MD5 8a0a9166cd1bc665d965575d32dfa972 Type Win32 DLL Size 26,474 bytes CompiledOn 2014.06.17 08:42:43

The most troubling plugin in the list is the "dstr" plugin. It is a Windows-only plugin. It was used to overwrite data by the BE2 actor, destroying data stored on hard drives by overwriting file contents. While its use may be intended to cover their tracks, it is heavy handed to use this type of tool to cover one's tracks in a network. Most likely it is a tool of sabotage, much like the Destover wiper seen on Sony Pictures Entertainment's networks. However, it's interesting that the BE2 developers created wiper code different from the Destover and Shamoon wiper malware we saw in the Saudi Aramco and SPE attacks. Instead of re-using the commercial EldoS RawDisk drivers in their malware, the BE2 developers wrote their own low-level disk and file destruction routines. It's also a much more chilling deployment of wipers - instead of a poorly defended media studio, it was delivered to ICS environments.

In order to overwrite stored data on all Windows versions, the dstr plugin supports both user-mode and kernel-mode wiper functionality, which is somewhat surprising. The component maintains both an embedded win32 library and win64 driver modules for its kernel mode functionality. They are rc4 encrypted.

User-mode functionality

The plugin identifies device id's for the system's HDD and creates a handle to the system's physical drive, with "GENERIC_READ or GENERIC_WRITE" access. Several calls to DeviceIoControl collects data on the physical location of the volume, and the size and properties of this disk. It uses DeviceIoControl with the IOCTL_DISK_GET_DRIVE_GEOMETRY control code in order to retrieve Bytes Per Sector value. dstr then wipes out all open handles to the disk by dismounting it with the FSCTL_DISMOUNT_VOLUME control code.

This routine prepares the system for overwrite and ensures no conflicts for plugin file I/O. Then it makes multiple WriteFile calls to write a zeroed out buffer to disk.

The dstr plugin maintains code for unlocking and deleting the BE2 driver from disk, furthering the group's goal of keeping their traces hidden from researchers. And notice the FindByHash set of calls above, this sfc_os call disables Windows File Protection for a minute while an application can delete or modify the locked file. So this plugin and its call can proceed and delete the driver.

The plugin looks over all the services in the %system32%\drivers folder and checks the write permission. If access is provided, it unlocks the file, rewrites the embedded driver under the existing driver name and launches it.

Drivers and kernel mode functionality

Decrypted 32-bit driver

Name driver.sys MD5 c4426555b1f04ea7f2e71cf18b0e5b6c Type Win32 driver Size 5,120 bytes CompiledOn 2014.06.10 13:12:22 GMT

Decrypted 64-bit driver

Name driver.sys MD5 2cde6f8423e5c01da27316a9d1fe8510 Type Win64 driver Size 9,136 bytes CompiledOn 2014.06.10 13:12:04 GMT

The 32-bit and 64-bit drivers are identical and compiled from the same source code. These small Windows drivers are supposed to support FAT32 and NTFS file systems, and contain two large code implementation mistakes. In spite of these flaws, it is clear that the author's goal was to parse a file system and then write random data across files.

Extraordinary Fails

These coding fails are unique to this dstr plugin, suggesting a development team effort behind the plugin set code.

Fail #1: The authors reversed the routines for FAT32 and NTFS data wiping when checking the presence of the "FAT32" string in the first 1024-bytes of the system drive.

Fail #2: In the FAT32 routine the Root Directory Sector Number is calculated and is dealt as the absolute offset inside the file rather than next multiplying this number by the bytes per sector

In comparison, there is no such mistake in the NTFS routine and the calculation of the MFT offset is implemented properly:

Goal - File Content Corruption

Apart from that, it is interesting that the authors implement NTFS wiping in an unusual way with strange logic compared to FAT32 'straightforward' wiping. The plugin accomplishes checks for FILE records and at first skips them. Then under certain conditions it rewrites non-FILE record sectors with random buffer which probably corresponds to some file contents and proceeds looping. Then it ends up rewriting the first sectors of MFT and MFT mirror.

grc, plus.google.com replacement communications plugin Name grc.dll MD5 ee735c244a22b4308ea5d36afee026ab Type Win32 DLL Size 15,873 bytes CompiledOn 2013.09.25 07:19:31

This plugin creates a backup communications channel to yet another legitimate service. Most likely this backup channel is used to cloak outbound communications on monitored networks. We have seen APT using everything from Twitter to Google Docs to hide communications in plain sight, and this time the abused service is Google Plus.

This plugin implements the standard Windows HTTP services to interact with Google Plus over https, seeking to find a png file.

The plugin is provided with a specific Google Plus id to connect with, and uses the OLE stream Windows structured storage API along with the GDI+ bitmap functions to handle and parse this png file. This png file content is actually encrypted data containing the new BE configuration file just as it was obtained using 'normal' C&C communication.  It is encrypted with RC4, just like the embedded dstr drivers. But unlike to the 'typical' RC4 BE decryption scheme that uses RC4 once, here it uses RC4 three times: once with hardcoded key found in the grc binary, the second time using the key extracted from the previous decrypted result, and the third time using the 'id' machine's identifier that is normally served as the encryption key during the C&C communication.

Universal serial bus data collection plugin, usb Name usb.dll MD5 0d4de21a2140f0ca3670e406c4a3b6a9 Type Win32 DLL Size 34,816 bytes CompiledOn 2014.03.21 07:02:48

The usb plugin collects all available information on connected USB drives, and writes out all of these details to a text file, packs it, provides to the main BlackEnergy code, which communicates to a c2.

It uses multiple api calls to collect information on multiple types of connected usb storage devices. It enumerates all usb storage devices connected to the system and retrieves data from all, including SCSI mass storage devices. And, most interestingly, it may be the first implementation of BadUSB-related techniques in APT re-purposed COTS malware that we have seen in the wild.

The code queries scsi devices directly and sends them two types of SCSI commands. The first command with the opcode 0x1A which corresponds to MODE SENSE may result just in the logging of the failed call ('SendSCSICommand return false' message).

The second type of SCSI command remains mysterious. It uses undefined opcode 0xf0 and there is no direct evidence of its purpose as it is stated to be vendor specific. This mysterious opcode is referenced around the same time frame of the plugin development in BadUSB offensive research http://algorithmics.bu.edu/twiki/bin/view/EC521/SectionA1/Group5FinalReport. Here, it is noticed in the USB traffic generated by an SMI controller tool. To be specific, there are two calls with the opcode 0xf0 in the code, each passed its own parameters. One of the parameters, 0x2A, is mentioned in the paper to return the string containing the firmware version, NAND flash ID, and controller part number. But this returned information is not logged anywhere.

Also the code loops to retrieve detailed physical data about every attached storage device:

  • number of cylinders
  • media type (floppy, fixed hard drive, removable media, etc)
  • number of tracks per cylinder
  • sectors per track
  • number of bytes per sector
  • physical disk size in bytes
  • Device Instance ID

Motherboard and firmware data collection plugin, bios Name bs.dll MD5 4747376b00a5dd2a787ba4e926f901f4 Type Win32 DLL Size 210,432 bytes CompiledOn 2014.07.29 00:40:53

The bios plugin gathers low level host system information:

  • BIOS
  • motherboard
  • processor
  • OS

It uses several techniques to gather this information:

  • WMI
  • CPUID
  • win32 api

As a Windows Management Instrumentation (WMI) client application, it initializes COM and connects to the \\root\cimv2 namespace to use the IWbemServices pointer and make WMI requests. The code executes wql queries ("wql" is "sql for wmi", a subset of sql) to gather victim host details, like the query "SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor". Here are several queries from the BlackEnergy2 plugin code:

  • SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor
  • SELECT Product, Manufacturer, Version FROM Win32_BaseBoard
  • SELECT Name, OSArchitecture, Version, BuildNumber FROM Win32_OperatingSystem
  • SELECT SerialNumber, Description, Manufacturer, SMBIOSBIOSVersion FROM Win32_BIOS

These wql calls provide the attacker with the data like the lines below:

Description=Intel64 Family 6 Model 60 Stepping 3
Manufacturer=GenuineIntel
Name=Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
ProcessorId=1FEAFBCF000116A9

Product=7MPXM1
Manufacturer=AsusTek
Version=??

Name=Microsoft Windows 8.1 Pro
OSArchitecture=64-bit
Version=6.3.9600
BuildNumber=9600

SerialNumber=7DTLG45
Description=A12
Manufacturer=AsusTek
SMBIOSBIOSVersion=A12

This selectivity is fairly usual. And the plugin does not modify its own behavior based the collected values. What can we infer about the selection of only these values, as they are only being collected and sent back to the attackers? Here are some possibilities:

  • the attackers want to evade sandbox and honeypot/decoy environments, and use this collected data to id the host system.
  • the attackers have prior knowledge of the environment they are attempting to penetrate, down to the equipment make. Or, they have an idea of the types of hardware they would expect or want to see. In ICS and SCADA environments, these details could be very valuable for an attacker setting up shop. These details could aid in establishing persistence, evaluating true resource capacity and capabilities, tracking down the source of the equipment, or aiding further lateral movement
  • the attackers know nothing about the network they are penetrating. They are collecting this information to better understand where this plugin really is running in the victim environment and planning their next moves

When using standard win32 api, the application implements calls to retrieve information on system locales. Oddly, there is special handling for one nordic locale in this particular plugin, "Norwegian-Nynorsk".

The CPU data collection functionality first calls the Intel cpuid instruction directly. It also directly handles multi-cpu systems and each of their feature sets. This SMP support is hard coded into the plugin.

Additional BE2 Siemens Exploitation Details

Targeting details for BE2 actor events are interesting. When focusing on research sites and energy engineering facilities, the group remotely exploited Siemens' Simatic WinCC systems. In these events, the attackers attempted to force the ccprojectmgr.exe process to download and execute a specific BlackEnergy2 payload. Let's examine a couple of example targets here. Based on the different delays for return, the attacks were possibly not automated.

Target A:

The first exploit attempt ksn recorded was March 2014. The attackers returned with a second failed attempt to exploit that same research system on April 2014, approximately 30 days, 2 hours later.

Target B:

The BE2 actor then attacked a new target system in May 2014 and failed, and returned with an exploit attempt on that same system in July 2014.

So it looks like there may be a timing cycle to their visits, but the volumes here are too low to be significant.

In all four of these attempts on two different targets, the attackers tried to download their payload from hxxp://94.185.85(dot)122/favicon.ico. The payload changed slightly from March 2014 to the very end of July 2014, presenting the following md5(s). All of these droppers are BE2 malware, modify an existing kernel driver service like "ACPIEC" and start it to load the BE2 kernel module. Note that the attackers planned on re-using the same c2 for the first target, but changed the callback c2 for the second target. None of these components are signed:

fda6f18cf72e479570e8205b0103a0d3 → drops df84ff928709401c8ad44f322ec91392, driver, debug string:"xxxxxxxx.pdb". C2: 144.76.119.48 (DE, Hetzner Online AG, AS24940)

fe6295c647e40f8481a16a14c1dfb222 → drops 39835e790f8d9421d0a6279398bb76dc, driver, debug string:"xxxxxxxx.pdb". C2: 144.76.119.48 (DE, Hetzner Online AG, AS24940)

ac1a265be63be7122b94c63aabcc9a66 → drops b973daa1510b6d8e4adea3fb7af05870, driver. C2: 95.143.193.131 (SE, Internetport Sweden AB, AS49770)

8e42fd3f9d5aac43d69ca740feb38f97 → drops f4b9eb3ddcab6fd5d88d188bc682d21d, driver. C2: 46.165.222.6 (DE, Leaseweb Germany GmbH, AS16265)

 

Tracking Malware That Uses DNS for Exfiltration

Threatpost for B2B - Tue, 02/17/2015 - 16:59
Attackers have long used distributed denial of service attacks to knock domain-name servers offline but over the last several months malware creators have taken to using DNS requests to tunnel stolen data.

BadUSB Vulnerabilities Live in ICS Gear Too

Threatpost for B2B - Tue, 02/17/2015 - 15:24
BadUSB-style attacks against industrial control systems are theoretically possible, but bear watching according to Michael Toecker today at the Security Analyst Summit.

Indexing the Dark Web One Hacking Forum At A Time

Threatpost for B2B - Tue, 02/17/2015 - 14:27
Staffan Truve spoke Monday at the Kaspersky Analyst Summit about the efforts his company Recorded Future is taking to index the dark web, or what he called the underbelly.

The Desert Falcons targeted attacks

Secure List feed for B2B - Tue, 02/17/2015 - 13:00

Download Full Report PDF

The Desert Falcons are a new group of Cyber Mercenaries operating in the Middle East and carrying out Cyber Espionage across that region. The group uses an arsenal of homemade malware tools and techniques to execute and conceal its campaigns on PC and Mobile OS.

#FalconsAPT is the 1st known campaign to be fully developed by Arabic #hackers to target the Middle East #TheSAS2015

Tweet

The first Desert Falcons operations were seen in 2011 and the group made its first infections in 2013. By the end of 2014 and beginning of 2015 the group was very active.

Full report

The full report can be found here.

FAQ Where are the Victims Located?

There are more than 3,000 victims in 50+ countries. Most of them are found in Palestine, Egypt, Israel and Jordan, but others have been discovered in Saudi Arabia, the UAE, the US, South Korea, Morocco, Qatar and others.

Who are the Victims?

The attacks targeted several classes of victim, including Military and Government organizations, employees responsible for health organizations, combating money laundering, economic and financial institutions, leading media entities, research and educational institutions, energy and utilities providers, activists and political leaders, physical security companies and other targets that have access to important geopolitical information.

How are the victims infected?

Malware writers use a variety of technical and social engineering methods to deliver their files and encourage victims to run them, creating an effective infection vector. Examples include a fake website that promises to publish censored political information and asks users to download a plugin to view a video (the plugin contains the malware). Another example involves the use of spear phishing emails or social network messages to deliver malicious files using an extension override (e.g. malicious files ending with .fdp.scr would appear .rcs.pdf).

Sample of documents and videos used in spear phishing

What are the goals of the operations?

The attackers are looking for sensitive intelligence information that could help them in further operations or even extortion. The victims are targeted for the secrets in their possession or intelligence information relating to their positions in governments or important organizations.

More than 1 million files were stolen from victims. Stolen files include diplomatic communications from embassies, military plans and documents, financial documents, VIP and Media contact lists and files.

Who are the attackers and what do we know about them?

The Desert Falcons operators are native Arabic speakers. There are about 30 of them working in three teams. Some of their identities are already known. The attackers are running three campaigns to target different types of victim.

Where are the attackers based?

The attackers are based in Palestine, Egypt and Turkey.

Which malware do they use to infect their victims?

There are three main backdoors used to infect victim devices:

Computer backdoors

  • The Main Falcons Trojan
  • The DHS* Spyware Trojan

Computer Backdoors give the attackers full scope to use keyloggers and screenshotters, access files and even make audio recordings. DHS naming is used by the attackers to describe the nickname initials of one of the developers (D** H*** Spyware).

Mobile Backdoor

  • A mobile backdoor targeting Android devices.
    Mobile Backdoors give attackers access to Call and SMS logs

How did you become aware of this threat? Who reported it?

We became aware of the threat during an incident investigation in the Middle East.

Is it still active?

The operation is very active and is currently in peak condition. We are continuously identifying new samples and victims for all related campaigns.

How is this different from any other Cyber espionage attacks?

Desert Falcons are the first known Cyber espionage attacks to be fully developed and operated by Arabic speakers to target the Middle East. It has affected a stunning range of victims, stealing more than 1 million special files.

Is this a nation-state sponsored attack?

The profiles of the targeted victims and the apparent political motives behind the attacks make it possible that Desert Falcons operations could be nation state sponsored. At present, though, this cannot be confirmed.

Why this name?

The falcon is a rare bird that has been highly prized for a centuries in desert countries in the Arab world.  It is a symbol of hunting and sharp vision. The Desert Falcons are proficient cyberhunters with carefully chosen targets, all of whom are thoroughly investigated before the attack and closely watched after being infected.

How can users protect themselves?

Kaspersky Lab products detect and block all variants of the malware used in this campaign:

     Trojan.Win32.DesertFalcons
     Trojan-Spy.Win32.Agent.cncc
     Trojan-Spy.Win32.Agent.ctcr
     Trojan-Spy.Win32.Agent.ctcv
     Trojan-Spy.Win32.Agent.ctcx
     Trojan-Spy.Win32.Agent.cree
     Trojan-Spy.Win32.Agent.ctbz
     Trojan-Spy.Win32.Agent.comn
     Trojan.Win32.Bazon.a

Encryption and Silence Can be Targets’ Best Assets

Threatpost for B2B - Tue, 02/17/2015 - 11:45
CANCUN–Things are getting real these days for executives, researchers, journalists and others involved in the security community. Targeted surveillance is a reality for many in the community, and researchers and activists are trying now to help them assess and address that threat to their privacy and security. Secure communications among researchers who know one another […]

First Arabic Cyberespionage Operation Uncovered

Threatpost for B2B - Tue, 02/17/2015 - 11:40
The Desert Falcons gang is the first Arabic APT group, according to researchers at Kaspersky Lab.

Inside nls_933w.dll, the Equation APT Persistence Module

Threatpost for B2B - Tue, 02/17/2015 - 11:01
The persistence module used by the Equation APT Group uncovered by researchers at Kaspersky Lab has been called the ultimate cyberattack tool.

APT Groups Emerging in Middle East

Threatpost for B2B - Tue, 02/17/2015 - 10:22
CANCUN–Since security researchers and vendors began exposing the inner workings of APT groups a few years ago, virtually all of the operations that have been made public have been the work of attackers in Europe, Asia or North America. But recently, groups in the Middle East have joined the game as well. In 2013, Adrian […]
Syndicate content