Secure List feed for B2B
On August 2, the Chinese Valentine's Day, an Android SMS worm struck China. It is called XXshenqi.apk. In the space of six hours, it infected about 500,000 devices. It has received widespread coverage in the local media. It's not just an SMS worm, containing two malicious modules: XXshenqi.apk and its asset Trogoogle.apk.
The function of XXshenqi.apk is to send SMS to spread itself and to drop another backdoor on the victim device. It is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky Lab.
After installation, it sends an SMS to all the names on the victim's contact lists to get them to install the Trojan as well.
Then it probes whether or not com.android.Trogoogle.apk is present on the mobile device. If not, it displays a dialog window to prompt the user to install Trogoogle.apk.
Trogoogle.apk is a resource file in the assets folder of XXshenqi.apk.
After that, it asks the user to register the app. The Trojan will steal the user's personal ID and name and send them to those controlling the malware.
Trogoogle.apk contains more malicious functions. It is a backdoor and detected as Backdoor.AndroidOS.Trogle.a by Kaspersky Lab. It hides its icon after installation so the user is unaware of its presence. It will then respond to commands to perform malicious activity. The commands include:
It also monitors the victim's text messages and sends them to the malware owner by email or SMS.
The fact that this Trojan combintion appeared on the Chinese Valentine's Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it's always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.
After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?
Yes, that's right, cybercriminals are busily recycling this old technique, introducing new obfuscation forms to make it more effective. Let's look at two examples.Sample 1
This is an excel file with malicious embedded macros. However if you use standard Office tools to look at the macros, depending on the version, you will not see anything malicious at all or you won't be allowed to see the macros itself:
That is because the sample all strings in macros are obfuscated with a base64 encoding technique.
After de-obfuscation you can see clearly the URLs used to download the payloads:
This is a very simple technique but it is effective against simple heuristics that use string analysis of all incoming email attachments, and this is reflected in a very low VT detection https://www.virustotal.com/en/file/c916540dcab796e7c034bfd948c54d9b87665c62334d8fea8d3724d9b1e9cfc9/analysis/1403955807/
This particular sample is also interesting since in some Excel versions it is able to run macros automatically without prompting the user, enabling it. Once it has run, it drops a password-stealing Trojan directly onto the victim's system.Sample 2
This another example is a fake Aeromexico ticket.
There is no obfuscation but the URL is written from right to left, which again it might be quite useful against simple GREP analysis techniques:
It is interesting to note that the first sample was found in the wild in Venezuela, the second in Mexico and then the third in Brazil:
This one drops a ChePro banker. All three malicious samples drop only Trojans that steal financial data, but the same technique can be easily used to drop any type of malware.
So does it mean that only Latin American cybercriminals use this technique? The answer is no, not really. Our relative user's infections statistics show that actually the countries with the most attempted infections using this kind of malware are Germany and then Poland.
However, the technique is seen elsewhere, including Spain, Mexico, Brazil and others.
While analyzing malicious macro office files, you can see that the original document is created by one user and then somebody else (another criminal) assists in embedding the malicious macros.
The same technique can be easily used to drop any kind of malware in any country since this is all about social engineering and it will easily pass through email gateway security because it is basically an office document, and security email policies allow those.
You may follow me on twitter: @dimitribest
At Kaspersky Lab we regularly conduct threat studies dedicated to a particular type of cyber threat. This summer we decided to look closely at what versions of Windows Operating System are most popular among our users and also at what kind of vulnerabilities are used in cyber-attacks involving exploits. As a result we prepared a study called "Windows usage and vulnerabilities'. Some of its results were rather predictable – but some were really surprising.
The summer of 2010 saw the appearance of Stuxnet, a computer worm which, as it turned out later, had been designed specifically to sabotage the uranium enrichment process at several factories in Iran. Stuxnet was a real sensation which demonstrated what malware was capable of when precisely targeted and rigorously prepared. To proliferate, the worm used an exploit for the CVE-2010-2568 vulnerability. It is an error in processing tags in Windows OS enabling the download of the random dynamic library without the user's awareness. The vulnerability affected Windows XP, Vista, and Windows 7 as well as Windows Server 2003 and 2008.
The first malware exploiting this vulnerability was registered in July 2010. The worm Sality uses this vulnerability to distribute its own code: Sality generates vulnerable tags and distributes them through the LAN. If a user opens a folder containing one of these vulnerable tags, the malicious program immediately begins to launch. After Sality and Stuxnet this vulnerability was used by the well-known Flame and Gauss spyware.
In autumn 2010, Microsoft released a security update which patches this vulnerability. Despite this, Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Over the study period, more than 50 million detections on more than 19 million computers worldwide were recorded.
It's worth noting the distribution of computer operating systems on which detections of the exploit for LNK vulnerability were registered. The lion's share of detections (64.19%) registered over the last eight months involved XP and only 27.99% were on Windows 7. Kaspersky Lab products protecting Windows Server 2003 and 2008 also regularly report detection of these exploits (3.99% and 1.58% detections respectively). The large number of detections coming from XP users suggests that most of these computers either don't have an installed security solution or use a vulnerable version of Windows - or both. The detections coming from server systems prove the presence of malicious tags exploiting the CVE-2010-2568 vulnerability on network folders with open access.
The geographical distribution of all registered CVE-2010-2568 detections is also interesting.
CVE-2010-2568 detections, country distribution Nov 2013 - June 2014
Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of Kaspersky Lab detections of one of the most dangerous Windows vulnerabilities currently known. Interestingly, according our research, the outdated XP OS is also widely used in all these countries. Here are the top countries for XP use in June 2014:Vietnam 38.79% China 27.35% India 26.88% Algeria 24.25% Italy 20.31% Spain 19.26% Russian Federation 17.40% France 12.04% Germany 8.54% United States 4.52%
Top 10 countries with largest share of Windows XP users
in overall volume of users of Kaspersky Lab products.
It's not surprising that CVE-2010-2568 exploits are still popular in some of these countries. So many users of outdated versions of Windows mean these exploits are effective even though almost four years have passed since the disclosure and patching of the vulnerability.
Other findings from this research are available in the full report.
- According to KSN data, Kaspersky Lab products detected and neutralized a total of 995,534,410 threats in the second quarter of 2014.
- Kaspersky Lab solutions repelled 354,453,992 attacks launched from online resources located all over the world.
- Kaspersky Lab's web antivirus detected 57,133,492 unique malicious objects: scripts, web pages, exploits, executable files, etc.
- 145,386,473 unique URLs were recognized as malicious by web antivirus.
- 39% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Germany.
- Kaspersky Lab's antivirus solutions detected 528,799,591 virus attacks on users' computers. A total of 114,984,065 unique malicious and potentially unwanted objects were identified in these incidents.
- In Q2 2014, 927,568 computers running Kaspersky Lab products were attacked by banking malware.
- A total of 3,455,530 notifications about attempts to infect those computers with financial malware were received.
In April, we reported a new Flash Player zero-day that we believe was used in watering-hole attacks from a compromised Syrian web site. The site (http://jpic.gov.sy), launched in 2011 by the Syrian Ministry of Justice, was designed to enable citizens to complain about law and order violations. We believe that this attack was developed to target Syrian dissidents complaining about the government.
We analyzed two new SWF exploits (both detected proactively by Kaspersky Lab products) in mid-April that didn't use any vulnerabilities that we already knew about – the vulnerability was later confirmed by Adobe as a new zero-day (CVE-2014-0515). This was located in the Pixel Bender component (no longer supported by Adobe) used for video and image processing. While the first exploit is fairly standard and was able to infect practically any unprotected computer, the second functions only on computers where the Adobe Flash Player 12 ActiveX and Cisco MeetingPlace Express add-ins are installed. The authors were counting on the developers not finding a vulnerability in that component in the hope that the exploit would remain active for longer. This suggests that the attackers were not targeting victims en masse.
It seems likely that victims were redirected to the exploits by means of an iframe or a script on the compromised site. When we published our blog on this zero-day, we had seen more than 30 detections on the computers of seven different people – all of them located in Syria.
We believe that this attack was carefully planned by high-caliber attackers, as evidenced by the use of professionally-written zero-day exploits used to compromise a single resource.
Technical details on the exploits can be found here.The Italian (and Turkish) job
In June we reported on our research into an attack against the clients of a large European bank that resulted in the theft of half a million euros in just one week.
The campaign targeted customers of a single bank. Although we were unable to obtain the malware used to infect the victims, we believe the criminals used a banking Trojan that performed 'Man-in-the-Browser' operations to steal the victims' credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time.
Such injections are common in all variants of Zeus (Citadel, SpyEye, IceIX, etc.). We weren't able to identify the infection vector but banking Trojans use a variety of methods to infect victims, including spam and drive-by downloads. Following the publication of our post, researchers at Fox-IT InTELL sent us information potentially related to this campaign. This data indicated that the Luuuk server could be related to the ZeusP2P (aka Murofet), as we had originally suspected. However there was no definitive proof of this since the injected code couldn't be found on the server when we performed our analysis.
The attackers used stolen credentials to check the victim's account balance and perform malicious transactions automatically, probably operating in the background of a legitimate banking session. This is consistent with one of the malicious artefacts (a VNC server) that we found bound to the malicious server used by the attackers.
The stolen money was then transferred automatically to preset money mule accounts. The classification of pre-defined money mules used by the attackers was very interesting. There were four different money mule groups, each defined by the amount of money the mules in the group could accept – probably a reflection of the level of trust between them.
We identified 190 victims in total, most of them located in Italy and Turkey. The sums stolen from each victim ranged from €1,700 to €39,000 and amounted to €500,000.
The attackers removed all the sensitive components on 22 January, two days after our investigation started. Based on the transaction activity, we believe that this represents an infrastructure change rather than a complete shutdown of the operation. Our analysis of attack indicates that the cybercriminals behind the campaign are highly professional and very active. They have also shown proactive operational security activities, changing tactics and removing traces when discovered.
When we first found the C2 server, we reported the matter to the bank concerned and to the appropriate law enforcement agencies. We are maintaining our contact with these agencies and continue to investigate the attack.'Legal' spyware goes mobile
In June, we published the results of our latest research into the 'legal' software called Remote Control System (RCS) developed by the Italian company HackingTeam. It's not the first time we've focused on this company's software. However, there have been significant developments since our previous article on RCS.
First, we discovered a feature that can be used to fingerprint the RCS command-and-control (C2) servers. When a special request is sent to an RCS server, it responds with the following error message:
We were able to use this method to scan the entire IPv4 space, which enabled us to find all the IP addresses of RCS C2 servers across the globe. We found 326 in total, most of them located in the US, Kazakhstan and Ecuador. You can see the list here. Several IPs were identified as 'government'-related, based on their WHOIS information. Of course, we can't be sure that the servers located in a specific country are being used by law enforcement agencies in that country, but this would make sense: after all, it would avoid cross-border legal problems and avoid the risk of servers being seized by others.
Second, we discovered a number of mobile malware modules for Android, iOS, Windows Mobile and BlackBerry coming from HackingTeam. They are all controlled using the same configuration type – a good indication that they are related and belong to the same product family. Unsurprisingly, we were particularly interested in those relating to Android and iOS, because of the popularity of those platforms.
The modules are installed using infectors – special executables for either Windows or Mac OS that run on already-infected computers. The iOS module supports only jailbroken devices. This does limit its ability to spread, but the method of infection used by RCS means that an attacker can run a jailbreaking tool (such as Evasi0n) from an infected computer to which the phone is connected – as long as the device isn't locked.
The iOS module allows an attacker to access data on the device (including e-mail, contacts, call history, cached web pages), to secretly activate the microphone and to take regular camera shots. This gives complete control over the whole environment in and around a victim's computer.
The Android module is protected by the DexGuard optimiser/obfuscator, so it was difficult to analyse. But we were able to determine that it matches the functionality of the iOS module, plus offering support for hijacking information from the following applications: 'com.tencent.mm', 'com.google.android.gm', 'android.calendar', 'com.facebook', 'jp.naver.line.android' and 'com.google.android.talk'.
You can find the full list of functions here.
This new data highlights the sophistication of such surveillance tools. Kaspersky Lab's policy in relation to such tools is very clear. We seek to detect and remediate any malware attack, regardless of its origin or purpose. For us, there's no such thing as 'right' or 'wrong' malware; and we've issued public warnings about the risks of so-called 'legal' spyware in the past. It's imperative that these surveillance tools don't fall into the wrong hands – that's why the IT security industry can't make exceptions when it comes to detecting malware.MiniDuke re-loaded
The beginning of 2014 saw the re-activation of MiniDuke, an APT campaign from early 2013. The original campaign stood out for several reasons. It included a custom backdoor written in the 'old school' Assembler programming language. The attack was managed using an unusual command-and-control (C2) infrastructure: it made use of multiple redundancy paths, including Twitter accounts. The developers transferred their updated executables hidden inside GIF files.
The targets of the new MiniDuke operation (known also as TinyBaron and CosmicDuke) include government, diplomatic, energy, military and telecom operators. But unusually, the list of victims includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. The reason for this isn't clear. It's possible that the customizable backdoor is available as so-called 'legal spyware'. But it may simply be that it's available in the underground market and has been purchased by various competitors in the pharmaceutical business to spy on each other.
The campaign targets countries across the world, including Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the USA.
One of the servers we analyzed contained a long list of victims dating back to April 2012. There were 265 different identifiers on the server, assigned to victims from 139 unique IPs: the geographical distribution of the victims included Georgia, Russia, the USA, the UK, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania.
Our analysis revealed that the attackers were expanding their field of operations, scanning IP ranges and servers in Azerbaijan, Ukraine and Greece.
The malware spoofs popular applications designed to run in the background - including file information, icons and even file size. The backdoor itself is compiled using 'BotGenStudio', a customizable framework that allows the attackers to enable and disable components when the bot is constructed. The malware's components can be categorized according to their functions.
(1) Persistence. The malware is able to start via Windows Task Scheduler at a specific time, or when the screensaver is activated.
(2) Reconnaissance. The malware not only steals files with specific extensions, but also harvests passwords, history, network information, address books, information displayed on the screen (screenshots are made every five minutes) and other sensitive data.
Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. The malware is protected with a custom obfuscated loader which heavily consumes CPU resources for three to five minutes before executing the payload. This makes it hard to analyze. But it also drains the resources that security software needs to emulate the execution of the malware. On top of its own obfuscator, the malware makes heavy use of encryption and compression based on the RC4 and LZRW algorithms. They are implemented slightly differently to the standard versions - we believe that this has been done deliberately to mislead researchers.
One of the more technically advanced parts of the malware relates to data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure, which has various record types including strings, integers and internal references.
(3) Exfiltration. The malware implements several methods to transfer stolen data, including upload via FTP and three types of HTTP-based communication. When a file is uploaded to the C2 server it is split into small chunks (of around 3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If it's a large file, it may be placed into several hundred different containers that are all uploaded independently. It's likely that these data chunks are parsed, decrypted, unpacked, extracted and reassembled on the attacker's side. While this method might be an overhead, the layers of additional processing ensures that very few researchers will get to the original data, and offers increased reliability against network errors.
As is the case with any APT, attribution is virtually impossible. While the attackers use English in several places, there are indications that it's not their native language. We found strings in a block of memory appended to the malware component used for persistence that suggest they may be Russian. This was true also of the use of Codepage 1251 in the webshell used by the attackers to compromise the C2 hosts - this is commonly used to render Cyrillic characters. The same webshell was observed in the operations of another APT – Turla, Snake or Uroburos).Online fraudsters – their [World] Cup runneth over!
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events and the FIFA World Cup is no different. In the run up to the tournament, we highlighted the various ways in which the scammers were trying to take advantage of unwary visitors to Brazil for football's major showcase event.
One obvious way for scammers to cash-in is through phishing attacks. It's common for phishers to compromise a legitimate site and host their page there. But Brazilian phishers have gone the extra mile to stage attacks that are very difficult for ordinary people to spot. They registered domains using the names of well-known local brands – including credit card companies, banks and online stores. However, the cybercriminals went one mile further still. Not only were the sites very professionally designed – they gave their sites an even greater feel of authenticity by buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield, Register.com and others. Clearly, a site with a 'legitimate' SSL certificate is likely to fool even security conscious consumers.
They are also taking advantage of how easy it is to buy certificates in order to distribute digitally-signed malware. They start by sending messages offering free World Cup tickets, with a link that leads to a banking Trojan:
Some of these e-mails contain personal details, stolen from a breached database, to add credibility to the bogus offer.
However, Brazilian cybercriminals aren't restricting their activities to phishing alone. We also reported how they were using malware installed on Point-of-Sale and PIN-pad devices in order to capture credit card data. These devices are connected to a computer via USB or serial port, to communicate with electronic funds transfer (EFT) software. The Trojans they use infect the computer and sniff the data transmitted through these ports. These PIN-pads are equipped with security features to ensure that security keys are erased if someone tries to tamper with the device. The PIN is encrypted as soon as it's entered – commonly using triple DES encryption. But Track 1 data (credit card number, expiry data, service code and CVV) and public CHIP data aren't encrypted on old, outdated devices – instead, they're sent in plain text to the computer via USB or serial port. This gives the cybercriminals all they need to clone the card.
Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point. This is dangerous, as we described in our report on Wi-Fi in Brazil. Data sent and received over open Wi-Fi networks can be intercepted. So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a 'man-in-the-middle' device that is able to intercept and read encrypted traffic.
Our report also highlighted the dangers of charging a mobile device using a USB port installed in a public place. Malicious AC/DC chargers can charge your device's battery, but they can also silently steal data from your device – or even install malware.
There's another way the fraudsters can make money from people, even if they're not looking for World Cup tickets. With a big audience all over the world, often in distant time zones, fans can find themselves away from their TV at the time they want to watch the game. That's when they start looking for a live online stream of the action. Unfortunately, searching for live broadcasts on the Internet can prove to be very expensive or result in your computer getting infected. That's because some of the advertisements you find when you search lead to fraudulent or malicious content. When you go to the web site, it asks you to download a special plugin so you can watch the online broadcast. But it turns out to be an adware program that may show you nothing, but will drain your computer's resources. Adware straddles the thin line between cybercrime and legitimate software. So it's little wonder that our statistics show ongoing detections of this type of software. You can find our full report here.
Phishers don't just try to exploit major sporting events. They also base the campaigns around more mundane aspects of life. In May, many people in Colombia received an e-mail accusing them of tax evasion and fraud. To add a further 'edge' to the communication, the cybercriminals claimed that this was the third notification about the matter. The e-mail contained a link that led to an infected Word document. Microsoft Office blocks embedded macros, so the attackers included instructions on how the victim should enable macros.
If the victim clicks on the document, another malicious file is downloaded to their computer, from a hacked server in Ecuador. This is designed to steal passwords for online games, PayPal, file-sharing systems, social networks (including Facebook and Twitter), online bank accounts and more.
The use of scare tactics in general, and fake communications from tax authorities in particular, are common methods used by phishers around the world.
When malware writers are developing their code one of their key objectives is to load their malicious content as early as possible in the boot process. This gains the maximum possible control over the system. Bootkits represent the most advanced technology in this area, allowing malicious code to start before the operating system itself loads. This technology has been implemented in numerous malicious programs. Notable examples include XPAJ and TDSS, but there are many others, including targeted attack campaigns such as The Mask.
Bootkits have evolved over the years from proof-of-concept to mass distribution, as we explained here. They have now effectively become open-source software, thanks to the publication of the source-code for the Carberp banking Trojan – the Cidox bootkit was used to protect Carberp and its source-code was published alongside that of Carberp.
It's clear that the evolution of bootkits must be seen within the overall context of the cat-and-mouse battle between malware writers and anti-malware researchers. They are always looking for new ways to evade detection; we're continually investigating ways to make protection of our customer more effective. Our report also looks at the security benefits offered by UEFI (Unified Extensible Firmware Interface), as well as how malware writers might try to subvert it.Web security and data breaches: Windows XP – unsupported, but still out there
Support for Windows XP ended on 8 April: this means no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. Sadly, there are still a lot of people running Windows XP – our data for the period since 8 April 2014 indicate that about 18 per cent of infections are on machines running Windows XP. This is a lot of people wide open to attack now that security patches have dried up: effectively, every vulnerability discovered since then is a zero-day vulnerability – that is, one for which there is no chance of a patch.
This problem will be compounded as application vendors stop developing updates for Windows XP. Every un-patched application will become yet another potential point of compromise, further increasing the potential attack surface. In fact, this process has already started: the latest version of Java doesn't support Windows XP.
Switching to a newer operating system might seem like a straightforward decision. But although Microsoft gave plenty of notice about the end of support, it's not so difficult to see why migration to a new operating system might be problematic for some businesses. On top of the cost of switching, it may also mean investing in new hardware and even trying to replace a bespoke application developed specifically for the company – one that will not run on a later operating system. So it's no surprise see some organizations paying for continued support for XP.
So if you don't switch right now, can you stay secure? Will your anti-virus software protect you?
Certainly it will provide protection. But this only holds good if by 'anti-virus' we mean a comprehensive Internet security product that makes use of proactive technology to defend against new, unknown threats – in particular, functionality to prevent the use of exploits. A basic anti-virus product, based largely on signature-based scanning for known malware, is insufficient. Remember too that, as times goes by, security vendors will implement new protection technologies that may well not be Windows XP-compatible.
At best, you should see this as a stop-gap, while you finalize your migration strategy. Malware writers will undoubtedly target Windows XP while significant numbers of people continue to run it, since an un-patched operating system will offer them a much bigger window of opportunity. Any Windows XP-based computer on a network offers a weak point that can be exploited in a targeted attack on the company. If compromised this will become a stepping-stone into the wider network.
There's no question that switching to a newer operating system is inconvenient and costly for individuals and businesses alike. But the potential risk of using an increasingly insecure operating system is likely to outweigh the inconvenience and cost.Mobile threats The quarter in figures
In the second quarter of 2014 the following were detected:
- 727,790 installation packages;
- 65,118 new malicious mobile programs;
- 2,033 mobile banking Trojans.
The sum total of malicious mobile objects detected was 1.7 times lower than in the first quarter. We link this with the start of the holiday season. In June we noticed a reduction in attempts to infect mobile devices using Trojans.Mobile banking Trojans
Although the total number of threats decreased in the second quarter, we detected 2033 mobile banking Trojans in this period, 1.7 times more than last quarter. From the beginning of 2014 the number of banking Trojans has increased by almost a factor of four, and over a year (from July 2012) - 14.5 times.
This growth reflects two factors:
- the interest of cybercriminals in "big" money;
- active countermeasures from antivirus companies.
We note that the geography of infection by mobile banking Trojans has changed:
The top 10 countries attacked by banking TrojansCountry Number of attacks % of all attacks 1 Russia 13800 91.7% 2 USA 792 5.3% 3 Ukraine 136 0.9% 4 Italy 83 0.6% 5 Belarus 68 0.5% 6 Republic of Korea 30 0.2% 7 Kazakhstan 25 0.2% 8 China 19 0.1% 9 United Kingdom 17 0.1% 10 Germany 12 0.1%
As before, Russia is in the first place in the rating but in the second place is the USA, and by a big margin over all other countries. Kazakhstan, which was in second place in this rating in the first quarter, is now in seventh place.New developments from the virus writers First mobile encryptor
In the middle of May an announcement appeared on one of the virus writing forums offering a unique Trojan-encryptor for sale at $5000, working on the Android OS. On 18 May we detected the first mobile encryptor in the wild. This malware was detected by Kaspersky Lab as Trojan-Ransom.AndroidOS.Pletor.a.
After the Trojan is started it uses the AES encryption algorithm to encrypt the contents of the memory card of the smartphone, including media files and documents. Immediately after the start of the encryption Pletor displays a ransom demand on the screen. To receive money from the user the QIWI VISA WALLET, MoneXy system or standard transfer of money to a telephone number are used.
By the end of the second quarter we had managed to identify more than 47 versions of the Trojan. They all contain the key necessary to decipher all the files.
For communication with the cybercriminals one version of the Trojan uses the TOR network, others HTTP and SMS. Trojans from this second group show the user a video image of himself in the window with the demand for money, transmitted in real time using the frontal camera of the smartphone.
We note that the virus writers use the same social engineering mechanisms as the creators of early encryptors for Windows: the telephone is supposedly blocked for accessing prohibited pornographic content and all the photos and videos on the phone are "transferred for examination". In addition for non-payment of the "fine" the blackmailers threaten to send all the data to "public sources".
Pletor is targeted at citizens of Russia and Ukraine and the messages are in Russian and the ransom is demanded in rubles or hryvnia (the sum is the equivalent of about 300 euros). However we have found instances of this malware in 13 countries - mostly on the territory of the former USSR.Disabler evolution
In terms of attack technique there is a clear tendency towards development of ransom-disablers. Here also cybercriminals are adopting methods of frightening their victims that were used by the creators of Windows malware.
The first version of the Svpeng mobile malware, which has Trojan-ransom capability, was detected at the beginning of 2014. The Trojan blocks the phone, allegedly because its owner has viewed child pornography. To unblock the mobile device the cybercriminals demand payment of a "fine" of 500 dollars.
In early June we discovered a new version of Svpeng aimed mostly at users in the USA. However users in the UK, Switzerland, Germany, India and Russia were also attacked.
This version of Svpeng completely blocks the mobile device so that the user can not even access the switch off/reboot menu. The smartphone can only be turned off by a long push on the off button but the Trojan starts immediately after it is switched on again.
At the same time the cybercriminals have used a time-tested social engineering trick. When it starts the Trojan imitates the scanning of the telephone and apparently finds forbidden content. To frighten the user the window announcing the "find" bears the FBI logo.
The Trojan blocks the phone and demands the payment of 200 dollars to unblock it. The creators of the Trojan use MoneyPak vouchers to receive the money.
In this window Svpeng shows a photograph of the user, taken using the frontal camera, which is reminiscent of Trojan-Ransom.AndroidOS.Pletor.a which we discussed above, except that Pletor transmits a video image.
By the end of the second quarter we had managed to find 64 versions of the new Svpeng. Each version mentions the Cryptor class, although no use of this class was detected. Perhaps the criminals intend in future to use the malware to encrypt users' data and demand a ransom for decrypting it.Not only Android
As earlier, the main target of cybercriminals is the Android platform. More than 99% of new mobile malware is aimed at Android.
However this doesn't mean we can forget about other mobile platforms. Thus, in the second quarter of 2014 new malware objects appeared for the Apple iOS platform (but only for "jailbroken" devices). Along with their malware cybercriminals have used the protective functions of iOS for evil aims. An attack on Apple ID allowed the wrongdoers to completely block a device and demand money from their victim to restore its functionality.
The exposure of Hacking Team also came with a sting in the tail, as it was revealed that their arsenal contained modules for attacking "jailbroken" iOS devices.
The platform Windows Phone was not left out either. Here the virus writers had not come up with any technical innovations but took the route of inserting false applications without any useful function whatsoever in the official paid app store. And our brand was not unscathed: the crooks also used the trademark and logo of Kaspersky Lab.
In this way two vulnerabilities were revealed in the Windows Phone Store at once:
- the lack of checks that brand names are being properly used;
- the lack of checks of functionality.
The same publishers' false apps also appeared on Google Play.Mobile threats: statistics
The sum total of malicious mobile objects detected was 1.7 times lower than in the first quarter: 727,790 installation packages, 65,118 new mobile malware programs, 2033 mobile banking Trojans. Probably the reduction in activity is down to the start of the holiday season.Distribution of mobile threats by type
The rating of malware objects for mobile devices for the second quarter of 2014 was headed by potentially unwanted advertising applications (27%). Holding on to their position are SMS-Trojans with 22%. Whilst the figures for these two types of mobile threats have more or less remained unchanged over the quarter RiskTool has risen from fifth to third place, its share in the flow of mobile malware detected has risen from 8.6% to 18%. These are legal applications that are potentially dangerous for the user - careless use by the smartphone user or a malicious attacker could lead to financial loss.TOP 20 malicious mobile programs Name % of attacks* 1 Trojan-SMS.AndroidOS.Stealer.a 25.42% 2 RiskTool.AndroidOS.SMSreg.gc 6.37% 3 RiskTool.AndroidOS.SMSreg.hg 4.82% 4 Trojan-SMS.AndroidOS.FakeInst.a 4.57% 5 Trojan-SMS.AndroidOS.Agent.ao 3.39% 6 AdWare.AndroidOS.Viser.a 3.27% 7 Trojan-SMS.AndroidOS.Opfake.a 2.89% 8 Trojan-SMS.AndroidOS.Erop.a 2.76% 9 Trojan-SMS.AndroidOS.FakeInst.ff 2.76% 10 Trojan-SMS.AndroidOS.Agent.en 2.51% 11 Trojan-SMS.AndroidOS.Agent.ev 2.43% 12 RiskTool.AndroidOS.SMSreg.eh 2.41% 13 Trojan-SMS.AndroidOS.Opfake.bw 1.96% 14 Trojan-SMS.AndroidOS.Opfake.bo 1.53% 15 RiskTool.AndroidOS.MimobSMS.a 1.48% 16 Trojan-SMS.AndroidOS.Skanik.a 1.35% 17 Trojan-SMS.AndroidOS.Agent.mw 1.33% 18 RiskTool.AndroidOS.SMSreg.ey 1.31% 19 Trojan-SMS.AndroidOS.Agent.ks 1.24% 20 Trojan-SMS.AndroidOS.Agent.ay 1.21%
* The percentage of all attacks recorded on the mobile devices of unique users.
In the TOP 20 detected threats SMS Trojans dominate as before, these malicious programs occupied 15 places in the rating.
Throughout the second quarter, against a background of a reduced number of attacks, we observed a steady growth in attempts to attack users with the Trojan Trojan-SMS.AndroidOS.Stealer.a. This malware took first place in the rating with over 25% of all attacks. The wrongdoers were especially active in April, when attempts at Stealer infection were almost twice as frequent as in May or March. And in June the attempts at infection with this Trojan were 7 times more frequent than those of its nearest competitor.The goegraphy of threats
There have been some slight changes in the territorial distribution of attacks. And so we see Germany in the second place, while India, which was in the second place in the first quarter, has fallen out of the TOP 10 altogether. Kazakhstan hung on to third place and Ukraine moved from fourth to fifth to make way for Poland, which climbed from tenth into fourth place.
TOP 10 attacked countries:Country % of attacks 1 Russia 46.96% 2 Germany 6.08% 3 Kazakhstan 5.41% 4 Poland 5.02% 5 Ukraine 3.72% 6 Malaysia 2.89% 7 Vietnam 2.74% 8 France 2.32% 9 Spain 2.28% 10 Mexico 2.02%
Users install a lot of apps on their mobile devices and it should be noted that in different countries the percentage of malicious apps among the apps installed by users varies.
TOP 10 countries by risk of infectionCountry* % of malicious apps 1 Vietnam 2.31% 2 Greece 1.89% 3 Poland 1.89% 4 Kazakhstan 1.73% 5 Uzbekistan 1.51% 6 Armenia 1.24% 7 Serbia 1.15% 8 Morocco 1.09% 9 Czech Republic 1.03% 10 Romania 1.02%
*We have excluded countries where there were less than 100,000 downloads
Although Russia takes first place in terms of recorded attacks it is not the country with the greatest chance of infection with mobile malware. In this respect Vietnam is in the lead; there 2.31% of all apps that users attempted to install were malicious.
Below for comparison we show the risk levels of infection for another 15 countries from various regions of the world:Country % of malicious apps China 0.94% France 0.85% Russia 0.74% Mexico 0.58% Spain 0.55% India 0.41% Germany 0.19% UK 0.18% Argentina 0.13% Brazil 0.12% Italy 0.11% USA 0.09% Peru 0.07% Hong Kong 0.06% Japan 0.02%
In France 0.85% of apps that users were interested in turned out to be malicious, in Russia 0.74%, in Germany 0.19%, in the UK 0.18%, in the USA 0.09% and in Japan only 0.02%.Statistics
All statistics used in this report were obtained using a distributed antivirus network Kaspersky Security Network (KSN) as a result of the work performed by various anti-malware protection components. The information was collected from KSN users who agreed to transfer the data. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in the global exchange of information related to malicious activity.Online threats in the banking sector Key events in Q2
One of the biggest events in Q2 was the appearance of the OpenSSL vulnerability capable of providing unauthorized access to users' secret keys, names and passwords as well as content that is transferred in an encrypted form.
The Heartbleed vulnerability is exploited in the OpenSSL cryptographic library used in various software products including banking software. It took several hours for an official patch to emerge, and then there was a long installation procedure, leading to leakage of customer payment data and other valuable information in various spheres of business. Following the spread of this information and those subsequent leaks, we can expect a spike in the number of fraudulent transactions. This is yet another wake-up call, highlighting the need for financial organizations and their customers to stay on top of security for all e-payment data.
The second quarter of 2014 saw the appearance of a new banking Trojan, Pandemiya, which uses commonly seen malware methods like a web-inject attack to steal payment information.
Not surprisingly the 2014 World Cup in Brazil attracted the attention of fraudsters. According to this quarter's results, Brazilian users were attacked by banking malware more frequently than in other countries. Malicious content was detected, for instance, that spread in the guise of adverts and exploited the excitement surrounding this summer's main sporting event.The number of computers attacked by financial malware
During the reporting period, Kaspersky Lab solutions blocked 927,568 attacks on user computers attempting to launch malware capable of stealing money from online banking accounts. This figure represents a 36.6% increase compared to April.
A total of 3,455,530 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2014.The geography of attacks
The Top 20 countries by the number of attacked users:Country Number of users 1 Brazil 159,597 2 Russia 50,003 3 Italy 43,938 4 Germany 36,102 5 USA 34,539 6 India 27,447 7 UK 25,039 8 Austria 16,307 9 Vietnam 14,589 10 Algeria 9,337
Brazil traditionally tops the rating of the countries where users are attacked by banking malware most often.
Brazil is often at the top of this list because financial malware has always been widely used by criminals here. In Q2 2014, the FIFA World Cup generated even more opportunities for attacks: thousands of fans visited the country and used online banking systems while they were there. Kaspersky Lab experts have examined the security of Wi-Fi networks and made a list of recommendations for those who do not want to risk compromising their payment information in Brazil.The Top 10 banking malware families
The table below shows the programs most commonly used in Q2 2014 to attack online banking users, based on the number of reported infection attempts:Verdict* Number of users Number of notifications 1 Trojan-Spy.Win32.Zbot 559,988 2,353,816 2 Trojan-Banker.Win32.Lohmys 121,675 378,687 3 Trojan-Banker.Win32.ChePro 97,399 247,467 4 Trojan-Spy.Win32.Spyeyes 35,758 99,303 5 Trojan-Banker.Win32.Agent 31,234 64,496 6 Trojan-Banker.Win32.Banbra 21,604 60,380 7 Trojan-Banker.Win32.Banker 22,497 53,829 8 Trojan-Banker.Win32.Shiotob 13,786 49,274 9 Backdoor.Win32.Clampi 11,763 27,389 10 Backdoor.Win32.Shiz 6,485 17,268
Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan. According to Kaspersky Lab's research, the program was involved in 53% of malware attacks affecting online banking clients.
Nine out of 10 malware families represented in the table work by injecting a random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms. As well as web injections, four of the 10 entries also make use of keylogging technology, which suggests this method of stealing information is still effective when carrying out attacks on online banking customers.
Financial threats are not restricted to banking malware that attacks the customers of online banking.
As well as banking Trojans that modify HTML pages in the browser, there are other methods of stealing e-money, such as Bitcoin wallet theft. Fraudsters are also happy to use computing resources to generate crypto currency: Bitcoin miners account for 14% of all financial attacks. Criminals also use keyloggers to collect user credentials for online banking and payment systems in another bid to access bank accounts.Vulnerable applications used by fraudsters
The rating of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by hackers in both Internet attacks and when compromising local applications, including those installed on mobile devices.
Of all registered attempts to use vulnerabilities, 53% involved vulnerabilities in browsers. Almost every exploit pack includes an exploit for Internet Explorer.
Java exploits are in second place. Java vulnerabilities are used in drive-by attacks via the Internet and new Java exploits are part of many exploit packs. In 2013, 90.5% all of registered attempts to use vulnerabilities exploited vulnerabilities in Oracle Java. At the beginning of 2014 the popularity of Java exploits began to decrease. In Q1 of this year, 54% of attempts to use vulnerabilities targeted Java; in the second quarter the figure was just 29%. This decline in popularity may reflect the fact that no new Java vulnerabilities have been made public for almost a year.
Next come Adobe Reader exploits. These vulnerabilities are also exploited in drive-by attacks via the Internet and PDF exploits are part of many exploit packs.
65.35% of KSN participants use various versions of Windows 7 and 12.5% use Windows XP.Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked.The Top 20 malicious objects detected online
In the second quarter of 2014, Kaspersky Lab's web antivirus detected 57,133,492 unique malicious objects: scripts, web pages, exploits, executable files, etc.
We identified the 20 most active malicious programs involved in online attacks launched against user computers. These 20 accounted for 97% of all attacks on the Internet.
The Top 20 malicious objects detected onlineName* % of all attacks** 1 Malicious URL 72.94% 2 Trojan.Script.Generic 11.86% 3 Trojan-Downloader.Script.Generic 5.71% 4 Trojan.Script.Iframer 2.08% 5 Adware.Win32.Amonetize.heur 1.00% 6 AdWare.Script.Generic 0.88% 7 AdWare.Win32.Agent.aiyc 0.76% 8 AdWare.Win32.Yotoon.heur 0.25% 9 Trojan.Win32.AntiFW.b 0.23% 10 AdWare.Win32.Agent.allm 0.19% 11 AdWare.Win32.AirAdInstaller.aldw 0.17% 12 Trojan.Win32.Generic 0.15% 13 Trojan-Downloader.Win32.Generic 0.14% 14 Trojan.Win32.Vague.cg 0.11% 15 Trojan.Win32.Invader 0.11% 16 AdWare.Win32.BetterSurf.b 0.10% 17 AdWare.Win32.Lollipop.qp 0.08% 18 Exploit.Script.Blocker 0.08% 19 AdWare.Win32.Lollipop.agzn 0.08% 20 Trojan.JS.Small.aq 0.07%
* These statistics represent detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all web attacks recorded on the computers of unique users.
As is often the case, the Top 20 mostly comprises verdicts assigned to objects used in drive-by attacks and to adware programs. The number of positions occupied by adware verdicts rose from nine to 11 in the second quarter of 2014.
The Trojan.JS.Small.aq verdict is in twentieth place. This is assigned to a script that a malicious browser extension inserts in web pages of specific sites in order to display intrusive advertising.Top 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.
In order to determine the geographical source of web-based attacks, a method was used by which domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2014, Kaspersky Lab solutions blocked 354,453,992 attacks launched from web resources located in various countries around the world. 88.3% of the online resources used to spread malicious programs are located in 10 countries. This is 4.9 percentage points more than in the previous quarter.
The Top 10 rating of countries where online resources are seeded with malware remained largely unchanged from the previous quarter although there was some movement within that group. Germany rose from fourth to first place: its share increased by almost 12 percentage points. Russia dropped from second to fourth following a decline in its share of 2.5 percentage points. Canada climbed from tenth to fifth after its contribution grew by 6.29 percentage points.Countries where users face the greatest risk of online infection
In order to assess in which countries users face cyber threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.Country* % of unique users ** 1 Russia 46.53% 2 Kazakhstan 45.35% 3 Armenia 42.26% 4 Ukraine 41.11% 5 Azerbaijan 40.94% 6 Vietnam 39.59% 7 Belorussia 37.71% 8 Moldova 36.65% 9 Mongolia 33.86% 10 Kyrgyzstan 33.71% 11 Algeria 32.62% 12 Tajikistan 32.44% 13 Georgia 31.38% 14 Croatia 29.46% 15 Turkey 29.31% 16 Uzbekistan 29.20% 17 Qatar 28.76% 18 Tunisia 28.67% 19 Iran 28.35% 20 Spain 28.05%
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2 2014, Vietnam was replaced at the top of the rating by Russia. Tunisia (18th place) and Iran (19th place) were newcomers to the rating. Lithuania and Greece dropped out of the Top 20.
The countries with the safest online surfing environments are Singapore (10.4%), Sweden (12.8%), Japan (13.3%), Finland (16.3%), South Africa (16.9%), Ecuador (17.1%), Norway (17.5%), the Netherlands (17.5%), Hong Kong (17.7%) and Argentina (17.9%).
On average, 29.5% of computers connected to the Internet were subjected to at least one web attack during the past three months.Local threats
Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.
This section contains an analysis of the statistical data obtained based on the operation of the antivirus which scans files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.
In Q2 2014, Kaspersky Lab's antivirus solutions successfully blocked 528,799,591 malware attacks on user computers. In these incidents, a total of 114,984,065 unique malicious and potentially unwanted objects were detected.The Top 20 malicious objects detected on user computers Name* % of unique attacked users ** 1 DangerousObject.Multi.Generic 17.69% 2 Trojan.Win32.Generic 15.59% 3 AdWare.Win32.Agent.ahbx 14.81% 4 Adware.Win32.Amonetize.heur 13.31% 5 Trojan.Win32.AutoRun.gen 6.13% 6 Worm.VBS.Dinihou.r 5.95% 7 Virus.Win32.Sality.gen 4.94% 8 AdWare.Win32.BetterSurf.b 4.29% 9 AdWare.Win32.Yotoon.heur 4.01% 10 AdWare.Win32.Agent.aknu 3.64% 11 AdWare.Win32.Agent.aljb 3.57% 12 Worm.Win32.Debris.a 3.29% 13 AdWare.Win32.Skyli.a 2.90% 14 Trojan.Win32.Starter.lgb 2.74% 15 AdWare.Win32.Agent.heur 2.64% 16 AdWare.Win32.Agent.aljt 2.30% 17 Trojan.Win32.AntiFW.b 2.27% 18 AdWare.JS.MultiPlug.c 2.21% 19 Worm.Script.Generic 1.99% 20 Virus.Win32.Nimnul.a 1.89%
* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.
This ranking usually includes verdicts given to adware programs, worms spreading on removable media, and viruses.
The proportion of viruses in this Top 20 continues to decline slowly, but steadily. In Q2 2014, viruses were represented by the verdicts Virus.Win32.Sality.gen and Virus.Win32.Nimnul.a, with a total share of 6.83%. In Q1 2014, that figure was 8%.Countries where users face the highest risk of local infection Country % unique users* 1 Vietnam 58.42% 2 Mongolia 55.02% 3 Algeria 52.05% 4 Yemen 51.65% 5 Bangladesh 51.12% 6 Pakistan 50.69% 7 Nepal 50.36% 8 Afghanistan 50.06% 9 Iraq 49.92% 10 Egypt 49.59% 11 Tunisia 46.75% 12 Syria 46.29% 13 Saudi Arabia 46.01% 14 Ethiopia 45.94% 15 Iran 45.40% 16 Laos 45.20% 17 Turkey 44.98% 18 India 44.73% 19 Cambodia 44.53% 20 Djibouti 44.52%
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
The Top 20 in this category continues to be dominated by countries in Africa, the Middle East, and South East Asia. Vietnam ranks first, as was the case in Q1 2014, while Mongolia remains in second. Nepal fell to seventh place. Saudi Arabia, Ethiopia, and Turkey are new entries in this ranking. Morocco, Myanmar and Sudan dropped out of the top 20.
The safest countries in terms of local infection risks are: Japan (11%), Sweden (13.8%), Denmark (15.3%), Finland (16.4%), Singapore (16.8%), the Netherlands (17.1%), the Czech Republic (18.3%), Norway (19.1%) and Hong Kong (19.2%).
An average of 32.8% of computers were subjected to at least one local threat during the past year.
Recently I stumbled upon some spam-ads on Facebook, which didn't look very unusual at first glance.
It's common for spammers to rely on social engineering techniques. They typically creating fake profiles, joining random open (or closed) groups and share links to shady e-commerce sites or survey-scams - always with catchy claims to lure the readers to click on the advertised link.
In this particular case, things are a bit different. The spammers created fake profiles featuring a nice profile photo of a young woman. But when you take a closer look at the About-page of "her" profile, you'll notice she's residing in the beautiful village of Ernersdorf in Bavaria (which is actually not far away from the Kaspersky Lab local office). I was somewhat surprised by this, because Addison is a very unusual name for a person living in such a small Bavarian village. And, according to her profile, she's actually male and was born in September 1978. So I took a closer look.
It seems the spammers strategically chose this Bavarian Village and began to send out friend-requests to several people from that region. And since I grew up in this region, some of my friends on Facebook were successfully lured into accepting the fake friend requests.
Then nothing happened for several months. A few days ago, these spammers, now equipped which a level of credibility, started posting photos advertising an online-shop for sunglasses from a big brand - most likely fake versions. And finally, to improve spreading of the picture-ads, the spammers tagged their new "friends" from nearby.
To prevent other people from using your profile for spamming all of your friends with that "technique", you can adjust your Facebook settings for "Timeline and Tagging" like I did.
Also, please keep in mind that you don't necessarily have to fall into this "nearby friends" trap to get you and your friends spammed like that. If spammers steals your real friends' account-credentials somehow, it also could happen like in this case.
Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010. Targeted sectors include:
- Information technology
Most of the victims we identified fall into the industrial / machinery building sector, indicating this is of special interest.
To infect the victims, the attackers rely on three methods:
- Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
- Trojanized software installers
- Waterhole attacks using a variety of re-used exploits
During the attacks, the Crouching Yeti team uses several types of malware or Trojan, all of which only infect Windows systems:
- Havex Trojan
- Sysmain Trojan
- The ClientX backdoor
- Karagany backdoor and related stealers
- Lateral movement and second stage tools
For command and control, these connect to a large network of hacked websites. The hacked sites host malware modules and victim information as well as serving commands to infected systems.
The dozens of known Yeti exploit sites and their referrer sites were legitimate, compromised sites. They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.
Overall, we observed about 2,800 victims worldwide, the most prevalent attack tool being the Havex trojan.
We believe this group is highly determined and focused on a very specific industrial sector of vital interest. It uses a variety of ways to infect its victims and exfiltrate strategic information. The analyzed data seems to suggest the following points:
- Country of origin cannot be determined at this point
- Attackers' global focus is much broader than power producers
- Stable toolset over time
- Managed, minimal, methodical approach to sustained operation
- Appropriate use of encryption (symmetric key protected with attackers public key for encrypted log file exfiltration)
You can read the full report here.FAQ What is Yeti/Energetic Bear?
Energetic Bear/Yeti is an actor involved in different campaigns dating back to at least the end of 2010. It uses different techniques to spread its malware, most notably the repackaging of legitimate software installers and waterhole attacks. The victims, from several different sectors, are infected with backdoors.What are the malicious purposes of this campaign?
We believe this is an information stealing campaign. Given the heterogeneous profile of the victims it seems than the attackers were interested in different topics and decided to target some of the most prominent institutions and companies in the world to get latest information.Why do you think it is significant?
In our opinion, this campaign has some of remarkable characteristics: the artifacts used for the infection and exfiltration are not particularly interesting, but they are effective; they are very persistent, successfully infecting a significant number of companies and institutions around the world for a long period of time; they have a set of tools of choice that help us identify the group through their TTPs. In this last characteristic, it is interesting that they use the LightsOut Exploit Kit to infect users through waterhole attacks.Why not Energetic Bear? Why did you give it a new name?
Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. After analyzing the data we obtained we can confirm that victims are not limited to the energy sector but to many other ones. The Bear tag reflects Crowd Strike's belief that this campaign has a Russian origin. We couldn´t confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious originWhen did the campaign start? Is this attack still active?
Based in some artifacts, we believe the campaign originated at the end of 2010. The campaign is still alive and getting new daily victims.How was the malware distributed?
The malware is distributed using three methods:
- Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
- Trojanized software installers
- Waterhole attacks using a variety of re-used exploits
Additional modules can be installed by the attackers once a machine has been compromised.
The most prevalent attack tool is the Havex Trojan; we identified 27 different versions.What is the potential impact for victims?
Given the nature of the known victims, the disclosure of very sensitive information such as commercial secrets and know-how are the main impact for the victims.Who are the attackers? What countries are they from?
There simply is no one piece or set of data that would lead to a conclusion regarding the origin of this threat actor.Who are the victims? What is the scale of the attack?
Overall, we observed about 2,800 victims worldwide.
Most of the victims we identified fall into the industrial / machinery building sector.
Targeted sectors include:
- Information technology
The most targeted countries are: United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.How are users (both home and corporate) protected against this type of attack?
Our products detect and eliminate all variants of the malware used in this campaign including but
not limited to:
All the exploits are also detected and detailed in the report.
At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Trojan.AndroidOS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.
The malware displays a localized message from the police!
It has customized messages for the following countries:Australia
As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.
In this post, instead of focusing on the mobile application itself – we highlight some details at the end – we want to shed light on its distribution infrastructure. An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and what we think is an "Angler" exploit kit distribution network.
The diagram below illustrates the bigger picture of the infrastructure used.
The main findings can be summarized as follows:
- Distribution: TDS (Traffic Distribution System)
- Main controller: video-sartex.us (TDS Controller)
- Malicious porn sites (redirector): 49 domains detected
- Exploit kit websites: 700+ URLs (200+ domains)
- Browser-based screen-lock domains: 49 domains detected
- Mobile infection domain: video-porno-gratuit.eu
- Mobile Current C2: policemobile.biz.
- Traffic: almost 200,000 visitors to the mobile infection domain
- 80% of visitors from the US
The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.
With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.
This suggests the attackers could expand their campaign in the near future.Mobile payload distribution
The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.
All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.
When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.
We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:
According to the same stats, we see that the campaign started and reached peak activity in April 2014.Redirectors: The malicious porn network
The pornographic sites of the network are not compromised sites. They all look the same, have the same HTML infrastructure and don´t provide their own pornographic material.
We identified a total of 48 domains in this porn redirecting network.
Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.
All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.
Basically, all the porn sites redirect to the "controller" domain videosartex.us.
Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.
If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.
In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.Non-mobile payloads
During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:
- The request contains no Internet Explorer user agent.
- The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.
In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.
The following images are examples of the headers used in the ransomware pop-ups:
The redirection infrastructure used in this campaign contained one final surprise; redirecting visitors using Internet Explorer to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.
The following is an example of such a redirection:
We detected more than 200 domains used for hosting this exploit kit.
During our analysis, the exploit code was not fully functional and it didn´t deliver any payload.Conclusions
Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.
Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.
We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.
A couple weeks ago, my colleague Mikhail K posted on the "versatile linux DDoS trojan", with analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.
Let's explore some additional offensive details of this crew's activity, and details of the overall situation, in the past week. In general, the DDoS trojans are being distributed to fire on victim profiles that seem to indicate purely cybercrime activity. The compromised hosts used to run the bots we observed have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and mis-used. It's also interesting that operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted here were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes recent (cve-2014-0196) and older (cve-2012-0056) Linux escalation of privilege exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive sql tools (Backdoor.Linux.Ganiw.a), multiple webshell (Backdoor.Perl.RShell.c and Backdoor.Java.JSP.k) and two new variants of the "versatile bots" (Backdoor.Linux.Mayday.g), the udp-only "xudp" code being the newer of the two:
But first, how are they getting in to EC2 instances and running their linux DDoS bots from the cloud? They are actively exploiting a known, recent elasticsearch vulnerability in all versions 1.1.x (cve-2014-3120), which happens to still be in active commercial deployment for some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release, which was released a couple of days ago. Dynamic scripting is disabled by default, and other features added to help ease the migration. From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks. The attackers re-purpose known cve-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.
Gaining this foothold presents the attacker with bash shell access on the server. The script "pack.pl" is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack:
Hosted on the same remote server and fetched via the perl webshell are the DDoS bots maintaining new encrypted c2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. But the one in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations ip addresses to those of an anti-DDoS solution. The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.
Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.
The Ransomware class is now based on so-called encryptors – Trojans that encrypt every kind of data that may be of value to the user without his or her knowledge. The data can include personal photos, archives, documents, databases (e.g., databases used in 1C:Enterprise software intended for automation of business activities), diagrams, etc. In order to decrypt these files the criminals demand a payment – often a significant sum. CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and GpCode are some of the most notorious examples. There are also lots of lesser-known families that have spread in Russia and the CIS.
At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis showed that the Trojan had nothing in common with other known families and a number of features that suggested it was a completely new creation. Its name? CTB-Locker.
This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.
This encryption malware belongs to a new generation of ransomware. Its developers used both proven techniques 'tested' on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware. Specifically, hiding the command and control servers in Tor anonymity network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there.Description
The high-level algorithm used by the malicious encryptor is quite ordinary and is as follows:
- after launching, the malware copies its body to (CSIDL_COMMON_APPDATA) and adds the task to launch the file to the Task Scheduler;
- search all the fixed, removable and network drives for files matching a list of extensions (see Figure 1);
- encrypt the files found;
- display a window demanding ransom and containing a list of files that have been encrypted. The cybercriminals demand that the user pay ransom in Bitcoins (Figures 2, 3);
- set an image named AllFilesAreLocked.bmp as desktop wallpaper. The wallpaper informs the user that data on the computer has been encrypted (Figure 4).
So what sets this Trojan apart from dozens of similar malicious programs?The command server is located within the Tor anonymity network
The sample analyzed has a single static command server address, which belongs to the .onion domain zone.
However, this is a new development for ransomware. Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim's input, setting it apart from the others.
This brings us to another feature, which is unique among known malware.Unusual technical implementation of access to the Tor network
All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network's official website.
Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program's executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.
Figure 5. Pseudocode showing how launching the tor proxy thread is implemented
The code contained inside the thread_tor_proxy procedure is nearly all taken from open sources (Tor is an open-source project).
When connection to Tor has been established and a local tor proxy server has been set up at IP 127.0.0.1 (the port number varies from one infected machine to another and depends on the MachineGuid parameter), the global flag can_complete_circuit is set, which is later checked in the thread thread_post_unlock_data.
As soon as this happens, the malware establishes network communication with this local address, as shown in Figure 6.
Figure 6. Pseudocode showing how network communication with the tor proxy is implemented
A request sent by the malware to the server contains protected data required to decrypt the victim's files.
In response, the server returns data about the cost of unblocking the user's files in bitcoins and US dollars, as well as the address of the wallet to which the payment is to be made.
Compressing files before encryption
Figure 8. Data returned by the command server
None of the encryptors known before used compression technologies (with the exception of ACCDFISA, which simply adds files to a password-protected rar-sfx archive; however, in this case encryption and compression is not functionality implemented in a malicious program but simply utilization of a ready-made product – WinRAR).
In this aspect of its operation, Trojan-Ransom.Win32.Onion also shows considerable originality. Here is what it does:
- moves the victim's file to a temporary file using the MoveFileEx API function;
- reads temporary file from disk block-by-block;
- each block is compressed using Zlib, a freely distributed library (procedure deflate());
- after compression, each block is encrypted and written to disk;
- service information required for decryption is placed at the beginning of the resulting file;
- the encrypted file is given the .ctbl extension.
Cryptomalware most commonly uses a cryptographic scheme based on the AES+RSA combination. In this scheme, the server generates a pair of keys – rsa-public + rsa-private – for RSA, which is an asymmetric encryption algorithm. The private key, rsa-private, remains on the server, while rsa-public is sent to the malware. Next, the malware generates a new key – aes-key – for each of the victim's files, to be used by AES, a symmetric-key block algorithm. Each file is encrypted using AES, then its aes-key is encrypted using RSA (using the rsa-public key) and saved to the file.
Since the scheme uses asymmetric encryption, nobody can decrypt the file without having the rsa-private key, which never left the cybercriminals' server.
However, Trojan-Ransom.Win32.Onion has used an unusual approach yet again!
The sample uses the asymmetric cryptographic protocol known as ECDH – Elliptic curve Diffie–Hellman.Elliptic curve Diffie-Hellman
The original Diffie-Hellman algorithm (the so-called key exchange method or shared-secret protocol) was developed some time ago and published in 1976 by famed cryptographers Whitfield Diffie and Martin Hellman. A modification of the algorithm which uses elliptic curves was published later in 2000, in a Certicom Research article, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography.
A detailed description of the protocol is beyond the scope of this publication, so we are going to drop the details and describe the main principles that will be helpful in understanding how the malware operates.
- A pair of keys – private and public can be generated.
- The so-called shared secret can be generated from your private key and the other party's public key.
- If the two parties have exchanged public keys (the private keys are not exchanged!) and each has independently calculated the shared secret from the other party's public key and its own private key, both parties will get the same value.
- The resulting shared secret can be used as a key for any symmetric encryption algorithm.
The authors of Trojan-Ransom.Win32.Onion used an existing implementation of this cryptographic algorithm, a description of which is available on the Internet.
The high-level cryptographic scheme used by Trojan-Ransom.Win32.Onion is as follows.
- the malware generates the pair master-public (public key) + master-private (private key);
- master-private is sent to the server securely along with other data. It is not saved on the client (fact I);
- for each file to be encrypted, a new key pair is generated – session-public + session-private;
- the shared secret is calculated: session-shared = ECDH(master-public, session-private).
Encrypting a file belonging to the victim
- the file is compressed using the Zlib library;
- after being compressed with Zlib, each file is encrypted using AES, with the hash SHA256 (session-shared) used as the key;
- after encryption, the session-public key is saved in the file (fact II), while session-private is not saved (fact III);
- the shared secret calculated – session-shared – is not saved, either (fact IV).
Decrypting a file belonging to the victim
The Diffie-Hellman protocol is designed in such a way that the following equality is true:
ECDH(master-public, session-private) = session-shared = ECDH(master-private, session-public) (fact V)
The above equality defines the underlying principle on which the operation of Trojan-Ransom.Win32.Onion is based.
Provided that the Trojan has not saved session-private (see. fact III) and session-shared (see. fact IV), only one decryption method remains – calculating ECDH(master-private, session-public). This requires the master-private key (sent to the cybercriminals' server, see fact I) and session-public key (saved in the beginning of the encrypted file, see fact II). There are no other ways to decrypt the file, which means that the file cannot be decrypted without the master-private key.Securing connection with the command server
The key sent to the server might be intercepted, but unfortunately, this would not be sufficient to decrypt the victim's files. This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys.
- the malicious program's body contains the public key, network-server-public;
- when establishing a connection, the malware generates a new pair of keys: network-client-public + network-client-private;
- the malware calculates the shared secret network-shared = ECDH(network-client-private, network-server-public);
- the malware encrypts the data being sent using AES with SHA256(network-shared) used as the key;
- the public key network-client-public is sent to the server in an unprotected form (fact VI);
- the client keys, network-client-public + network-client-private, as well as the shared secret network-shared, are not saved (fact VII).
The cybercriminals have the key network-server-private and receive the key network-client-public from the client (see fact VI). As a result, they can decrypt the data received. To do this, they have to calculate network-shared = ECDH(network-client-public, network-server-private).
Without having network-server-private, this value cannot be calculated (see fact VII). As a result, unfortunately, intercepting traffic will not provide master-private, without which the victim's file cannot be decrypted.Propagation
The creators of the early versions of Trojan-Ransom.Win32.Onion had English-speaking users in view as their primary targets, so English was the only supported GUI language.
In the more recent versions, however, Russian also came to be supported in the Trojan's GUI along with English. The piece of malware also underwent some visual refurbishments, such as a countdown displayed to intimidate the user. The new Russian GUI and, more specifically, certain strings within the Trojans' body give us ground to assume that its creators are Russian speakers.
The analysis of how Trojan-Ransom.Win32.Onion penetrates victim computers has shown that it is different (once again) in this respect from most other encryptors that are active today. For many known ransomware programs, the main propagation vectors are spam messages with malware in an attachment, or brute forcing weak passwords and launching a file via remote administration tools.The propagation method
We established that the bot Andromeda (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family to the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including the command to download and launch an executable file. It is actually Joleee that downloads the encryptor to the infected computer.
Trojan-Ransom.Win32.Onion's propagation procedure is presented in the following flowchart.
Figure 9. Trojan-Ransom.Win32.Onion's propagation scheme
Below are the infection statistics as of July 20, 2014. Most attempted infections took place in the CIS, while there were individual cases recorded in Germany, Bulgaria, Israel, the United Arab Emirates and Libya.
Trojan-Ransom.Win32.Onion was detected in the following countries:Country Number of users attacked Russia 24 Ukraine 19 Kazakhstan 7 Belarus 9 Georgia 1 Germany 1 Bulgaria 1 Turkey 1 United Arab Emirates 1 Libya 1
Please note that the above numbers are provided for the verdict "Trojan-Ransom.Win32.Onion" only. The number of users attacked by the encryptor is in fact greater, as malicious packers with different verdicts are used to spread the malware. Unknown samples of the encryptor are also proactively detected by Kaspersky Lab products as "PDM:Trojan.Win32.Generic". This data is not included into the statistics above.Recommendations for staying safe Backup copies of important files
The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.
Backup procedures must be in place for any systems containing files of any appreciable importance. Even if no malware threats arise, remember – no one is completely secured against a commonplace hardware failure.Security solutions
Your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date.
Kaspersky Lab products detect this threat based on its signature with the verdict Trojan-Ransom.Win32.Onion.*. Unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.
In addition, Kaspersky Lab products incorporate the Cryptomalware Countermeasures technology which is capable of protecting user data even from unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them. The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.
Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.
More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).
From there, the dropper and component chain is the same they have used in the past. Successful exploitation drops "dw20.exe" (803e8f531989abd5c11b424d8890b407) --> "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications complete with their Comment Crew-like encoded wordpress site instructions that redirect the backdoor to the appropriate command and control server for further instruction.
Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".
We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.
Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:
Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.
In June, high-profile news events such as the FIFA World Cup and the situation in Ukraine were exploited by fraudsters to extract money and financial information from Internet users.
In the run-up to the Muslim holiday of Ramadan and Father's Day, English-language holiday-related spam offered a variety of themed products and services. The leading spam themes in June were adverts for various online dating services as well as offer for fuel cards and jewelry.The World Cup
In June, football fans around the world finally saw the World Cup get underway. Popular sporting events like the World Cup attract the attention not only of millions of spectators but also spammers and phishers. This year, the first fraudulent mailings exploiting the World Cup theme were first registered back in November, long before it began. In June, the attackers sent out phishing emails in Portuguese offering the chance to win tickets to the opening ceremony and other World Cup matches. To do this, the user was required to click a link (which was of course fraudulent) and enter his registration data and credit card information. The fake link was directly attached to a graphic file that was displayed when the user opened the message. The phishing pages were located on the free .tk domain – the national top-level domain for the Tokelau Islands (New Zealand). To convince the user that the email was legitimate, the spammers used the domains of the Visa payment system and FIFA in the sender address.
English-language spam in June was dominated by Father's Day, celebrated on the third Sunday of the month. The spammers sent out adverts for e-gadgets, replicas of designer goods and weapons from various ages trying to attract the recipient's attention with discounts, sales and low prices. In order to bypass spam filters, spammers inserted junk text at the end of the message – a quote from a literary work. They also used a popular short link service to mask the real address and redirect users to a spammer site. The name of the holiday was mentioned in the subject and text field of the email.
More secular holidays are exploited in spam than religious ones, but spammers never forget to provide users with appropriate promotional offers. The name of the Muslim holy Ramadan appears in spam traffic every year. This year was no exception: in June, we came across adverts for restaurants that contained references to Ramadan (as well as an invitation to come and watch broadcasts of World Cup matches). We also registered offers of IT services and services for sending out promotional text messages. Ramadan will continue until the end of July, and we expect the spammers will continue spreading messages exploiting this holiday.
The political events in Ukraine were again used by "Nigerian" scams for luring money from credulous users. This time, the author of the email presented himself as a personal assistant to a Ukrainian female politician who was among the first victims of the clashes in Kiev. As is usual with these types of letter, the deceased has left her assistant millions of dollars that have to be urgently transferred from Ukraine to the account of a foreign recipient. The assistant is promised a reward and a certain amount of money to cover any fees that may arise when transferring the money.
The same "Nigerian" scam is used from year to year, only the details change. However, we would like to remind you that all "Nigerian" offers to make you rich quick are merely scams to lure money from users.Online dating
A significant part of June's spam was adverts for dating services targeting different social and ethnic groups, including Muslims, Christians as well as elderly and married people.
In June, we registered emails and mass mailings spread on behalf of people who wanted to get acquainted, via the Internet, "for serious relationships or marriage". The offers involved not only traditional but also same-sex relations. Some "senders" had attached their photo and provided their email address or a link to their page on a dating service site (which was often a veiled advertisement of such services and the emails were most probably sent on behalf of non-existent members as bait). The senders described their appearance and interests and said they wanted to start correspondence. It was often stated that the recipient's address had been provided by a mutual friend or found on a social networking site or on another dating site, which was not necessarily true.
Spammers also sent out emails promising a partner that met absolutely any criteria (age, skin color, interests and so on) within three minutes of using their "Soulmate database". To use the service, the recipient had to send a text message to a short number. In addition to the money taken from the user's mobile account the spammers got access to his contact information, in particular to his phone number.
For those more interested in meeting people in person the spammers offered lessons in seducing women ("24 laws of attracting women"), and other tips for successful relationships.
One of the mailings contained an advert for a dating spam service. The spammers offered their assistance in creating and promoting (of course, with the help of mass mailings) a new dating site which would include users from many countries. The message included an email address and an ICQ number for communication.
There were a lot of jewelry-themed offers in June. Most of them were promotional and bonus offers from small jewelry stores, jewelry manufacturers and firms engaged in the production and cutting of diamonds. They offered the spam recipients the chance to participate in their business and provided the price list for their products.
Yet another popular theme in English-language spam was fuel cards for automatic payments at gas stations. This payment method is quite convenient for transportation companies with lots of vehicles routes that find it difficult to control the fueling process. Spam "middlemen" offer the recipients the chance to compare prices, choose the most favorable fueling company and sign a contract for a special fuel card. A specific feature of this sort of spam mass mailing was the fact that the links in the emails led to sites registered on recently created domains. And the sites are intended for calculating quotes only.
The percentage of spam in email traffic averaged 64.8%, which is 5 percentage points less than in May. The highest spam levels were seen during the second week of the month (65.8%), and the lowest levels were seen in the third week (63.5%).The geographical distribution of spam sources
Previously our statistical data on the sources of spam by country was based on the information received from spam traps in different countries. However, the spam from the traps differs from the spam received by common users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source and now with KSN (Kaspersky Security Network) we draw statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous month would be incorrect.
At the end of June 2014, the top three sources of spam around the world included the US (13.2%), Russia (7%) and China (5.6%).
Vietnam was in fourth place (5.3%) followed by Argentina (4.1%), Germany (3.7%), Spain (3.6%), Ukraine (3.2%) and Italy (2.9%).
The Top 10 was rounded off by India, which accounted for 2.8% of the world spam.Malicious attachments in email
The graph below shows the Top 10 malicious programs spread by email in June.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.
Second in June was Trojan-Downloader.MSWord.Agent.z. This malicious program appears in the form of the *.doc file with the embedded macros written in Visual Basic for Applications (VBA) which is executed on opening the document. The macro itself downloads and runs the malicious program.
In June, representatives of the Bublik family occupied third, fourth, fifth and seventh places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers.
Backdoor.Win32.Androm.elwa took sixth place. This malicious program is the modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot is expanded using a system of plugins that are loaded by the criminals in the necessary amount at any time.
The Email-Worm.Win32.Bagle.gt worm, which ranked eighth in June, sends itself to all of the email addresses it can find on the computer. Its main objective is to download and launch files from the Internet without the victims noticing. To spread infected messages, Worm.Win32.Bagle.gt uses its own SMTP library.
Trojan-Banker.Win32.ChePro.ilc. ended the month in ninth position. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Rounding off the Top 10 was Email-Worm.Win32.Mydoom.l, a network worm with backdoor functionality that is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also connects directly to the recipient's SMTP server.
In June, Germany saw a big surge in the number of antivirus detections and topped the rating (+8.17 percentage points) having pushed the UK off top spot.
Russian reentered the Top 20 at 13th place with 2.03% of all antivirus detections.
The UAE (+0.96 percentage points) bypassed Australia, Hong Kong and Vietnam in terms of antivirus detections, while Switzerland dropped out of the Top 20.
The percentage of email antivirus detections in other countries did not change much in June.Special features of malicious spam
The vacation season is gaining momentum: many people are still thinking over their holiday plans while those who have already decided where to go often self-book flight tickets and hotel accommodation. Besides the traditional seasonal increase of holiday spam, we have seen a growth in the number of fraudulent messages sent on behalf of various booking services, including international ones. These fake notifications appear in the form of a booking confirmation and usually contain malicious attachments imitating bills for a hotel reservation. Generally, the email includes the order number, the date of arrival/departure and the cost of the order. One of the most popular malicious programs used in the holiday spam in June was Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and sends it to a remote server. It can listen for network traffic, download and run other malicious programs, as well as disable some system applications such as the firewall.
In order to send malicious attachments, the fraudsters use not only fake notifications from major booking services, banks or online hypermarkets but also shops with more narrow specialization. For example, last month we came across a malicious mailing spread on behalf of an online pet store. The recipient was asked to download and print out the invoice for purchased goods. Should he have any questions, the email read, he could contact the support service of the pet store by clicking the link on its official website. Instead of the promised PDF file with the information about the purchase, the archive contained Trojan-Banker.Win32.Shiotob.c. This malware steals system information, user names and passwords from FTP and various sites when the user logins on to them.
Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers in June, with a slight drop of 0.2 percentage points from the previous month. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. Financial and payment organizations (11.6%) and Online stores (10.6%) declined by 1.2 and 1.5 percentage points respectively. The percentage of attacks targeting Telephone and Internet service providers fell by 0.1 percentage points leaving this category in fifth place in the rating.
The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
In June, the scammers sent out fake notices on behalf of the US corporation Electronic Arts that produces and sells video games. The phishers tried to access users' personal accounts in the online store Origin owned by the company. To deceive their victims, the attackers used an old trick of sending out an email saying the online store was going to enhance protection for their customer accounts and asked the recipients to confirm they were the owner of the account. In order to make the email look legitimate the fraudsters used the Origin logo, links to the official website of the company and the usual warning not to give the password from a personal account to anybody.
The proportion of spam in global email traffic in June dropped 5 percentage points and averaged 64.8%. This may be a seasonal decline as summer business activity decreases and many spam bots are disabled for the vacation season.
In June, high-profile political and sporting events were used by scammers to trick users. In the run-up to the FIFA World Cup, a huge event for football fans, phishers were trying to obtain banking information from users by asking them to participate in the competition to win tickets. "Nigerian" scammers again exploited the situation in Ukraine and asked for help to transfer non-existent millions.
In June, Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. This can be explained by the traditional growth in the activity of schoolchildren and students during the holidays, which is of course used by the fraudsters. Financial and payment organizations (11.6%) rounded off the Top 3 organizations most frequently targeted by phishers.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen imitating notifications from banks and online stores. The holiday season has brought an increase in the number of fake notifications from various booking services containing malicious attachments. Germany (16.4%) was the country with the highest proportion of email antivirus detections.
Recently Kaspersky Lab has contributed to an alliance of law enforcement and industry organizations, to undertake measures against the internet domains and servers that form the core of an advanced cybercriminal infrastructure that uses the Shylock Trojan to attack online banking systems around the globe.
Shylock is a banking Trojan that was first discovered in 2011. It utilizes man-in-the-browser attacks designed to pilfer banking login credentials from the PCs of clients of a predetermined list of target organizations. Most of these organizations are banks, located in different countries.
Kaspersky Lab products detect the Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock.
We detected this malware generically from the end of August 2011, as Backdoor.Win32.Bifrose.fly. Specific detection of this separate family was added in February 2012. Since then we have observed a very few detections – approximately 24,000 attempts to infect PCs protected by Kaspersky Lab products worldwide.
These are very modest numbers, especially in comparison with other infamous banking malware such as ZeuS, SpyEye, Carberp which have generated (and, in the case of some of them, such as ZeuS , still generate) tens or hundreds of thousands of detections. Of course, these numbers don't tell us everything about how widespread or effective Shylock is, because Kaspersky Lab "sees" only a part of the total number of PC users - only those who use our products.
Low popularity doesn't make Shylock less dangerous though. The set of malicious techniques it utilizes is no less dangerous than that used by other similar malware. It is able to inject its body in multiple running processes, has tools to avoid detection by anti-malware software, uses several plugins which add additional malicious functions aimed at bypassing anti-malware software, collects passwords for ftp-servers, spreads itself via messengers and servers, provides remote access to the infected machine, video grabbing and of course web injection.
This last function is used to steal online banking credentials by injecting fake data entry fields into the web page loaded in the victim's browser.
During the entire period we've seen two relatively big peaks in detection rate for this malware.
The first one was in November 2012 and the second one was in December 2013.
The geography of the November 2012 peak was as follows:United Kingdom Italy Poland Russian Federation Mexico Thailand Iran Turkey India Spain
The table above shows the top 10 countries wheremost attacks using the Shylock malware were registered. A little more than a year later, in December 2013, the picture had changed dramatically.Brazil Russian federation Vietnam Italy Ukraine India United Kingdom Belarus Turkey Taiwan
As these tables show, the criminals behind this malware definitely stopped paying so much attention to the developed e-money markets of the UK, Italy and Poland in favor of the actively developing markets of Brazil, Russia and Vietnam. It's slso interesting that both peaks happened in the late autumn to early winter period, a traditional high retail season in many countries around the world.
According to Europol data, this malware has infected more than 30,000 PCs worldwide. This is a big enough scale to cause huge financial damage, so the disruption of the Shylock backbone infrastructure is very good news.
And even better news is that the recent operation, coordinated by the UK's National Crime Agency (NCA), brought together partners from the law enforcement and the private sector, including – besides Kaspersky Lab – Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK's GCHQ (Government Communications Headquarters), to jointly combat the threat. We at Kaspersky Lab were glad to add our modest contribution to this operation. Global action brings positive results – an example being the operation targeting the Shylock malware.
Looking past the 23 Critical Internet Explorer remote code execution vulnerabilities being patched this month by MS14-037 that require immediate attention, most interesting is CVE-2014-2783, the Internet Explorer "Extended Validation (EV) Certificate Security Feature Bypass Vulnerability". The vulnerability itself, reported by Eric Lawrence of "Fiddler" fame, is applicable in a "corner case" situation and can lead to man-in-the-middle (MiTM) attacks.
Let's narrow down the complexity of the issue for everyone's sake. What is an "EV" certificate? Well, it's a special certificate that an organization or individual would pay extra money to a certificate authority like Verisign to create and then use to "secure" their communications. Sites using them are usually handled in a special manner by the major web browsers. The address bar turns green, a special rectangle is set around the address, or some other visual image assures the user that the connection is with the right web site and encrypted. Here is an example of a web browser presenting the green bar EV visualization, please click on the image for a closeup:
The related flaw being patched this month is a tricky one. Internet Explorer versions 7 through 11 all allow for wildcard subdomains with EV Certificates, which should never be allowed. Neither Certificate Authorities nor web browsers should allow for such a flaw, but their compliance is questionable. In the past, CAs like Diginotar, Comodo, Trustwave, TurkTrust, and currently the National Informatics Centre in India, all maintained incidents of major improprieties at the CA level.
So, coupled with this flaw in IE 7,8,9,10 and 11, attackers (whether or not they are state sponsored or more traditional cybercrime organizations) could set up sites with wildcard EV certs to spoof major web properties like at google, twitter, facebook and elsewhere, and steal data from sensitive communications there. The Certificate Authority infrastructure trust model continues to show major cracks as a flawed trust model, and this "corner case" simply enables more situations like it. Potential solutions like Convergence have not been seriously pushed. At the same time, cheers to Microsoft for patching and reporting on the two current issues.
Unfortunately, these sorts of issues find their way into software products all the time. Partly, they are very tricky to understand by QA teams and developers certainly need to narrow the scope of their projects. You can't automate this sort of test, and even if it is found, it is not assigned a severity of 5 or "showstopper" because it doesn't immediately disrupt operation of the product. So they can sit unaddressed in a product for four or five versions or more even if privately known. Only an exposure because of a security researcher's work or a major public incident might push it to the front of the priority list.
All of this discussion of corner cases lays down groundwork for further discussion of the "Internet of Things". Whenever there are cross-disciplinary approaches (like heavy mathematics and communications, or internal network computing and automobiles) to solutions, there is an elevated risk of incident because of practical and theoretical issues. As the industry progresses, and as the startups generating IoT solution code are dealing with their own corner case issues, and as adoption and acquisitions move forward, IoT technologies will demonstrate on a larger scale that we are not learning from past mistakes.
Cybercriminals around the world have already started to point their guns and attacks at the new gTLDs, the 'generic Top Level Domains' approved by ICANN and offered by registrars to people interested in buying a new domain name. Recently we found malicious activities including malware and phishing pages registered in the top level domains .club, .berlin, .blue, .computer, .camera, .futbol, .link, .pink, .report, .travel, .vacations and .xyz.
The new gTDLS were recently approved by ICANN and registrars are already offering them as a solution to those bored with the traditional .com or .org and who want more possibilities when registering internet domains. You should be prepared to see websites like"funny.dance"or "joe.dentist"or even "my.creditcard".
According nTLDStats.com, more than 1.4 million domains have already been registered using these new gTLDs:
There are now more than 322 new top level domains granted by ICANN, among these the most popular are .xyz (designated at Feb. 2014), .berlin and .club (both designated in January 2014):
Brazilian phishers and domains squatters are particularly interested in these new gTLDs, already having registered several new domains using names of local brands such as banks, online stores, and credit card companies. For example:
These domains were registered with the intention of being used for phishing campaigns, so it comes as no surprise that the data registered in the respective "whois" databases is completely fake:
Malware is also involved. We're aware of bad guys hosting their exploit kits in such domains – the Nuclear Exploit Pack is currently using the .blue, .pink, .futbol, and .report gTLDs, as pointed out by security researcher Frank Denis.
But Brazilian bad guys aren't the only ones interested in the new gTLDs as English-speakers have showcased similar interests by already starting a fraudulent domain that sells coins for online games such as Fifa '14 and others.
Other phishers already started their phishing campaigns, even using older TLDs such as .travel (started in 2005). As you can see in the following abused domain that hosts a phishing page aimed at a Brazilian bank:
If you're a regular user, be aware of such links appearing in email messages or in social networks – they can be just as dangerous as others links. If you're a company, it's a great idea to start a brand monitoring process to insure that your company name or brand aren't being used in campaigns involving these new TLDs.
Kaspersky users are protected against all of these attacks.
In February 2014, an article was published on a popular Russian IT website under a curious title - Studying the BillGates Linux Botnet. It described a Trojan with sufficiently versatile DDoS functionality. The capability that we found the most interesting was the Trojan's ability to conduct DNS Amplification-type attacks. In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before.
The article also provided a link for downloading all of the Trojan's files (taken directly from an infected machine) - which is what we did.
The archive that we downloaded contained the following files, which, according to the author of the article, were all modules of the same Trojan:
The files cupsdd and cupsddh are detected by Kaspersky Lab products as Backdoor.Linux.Ganiw.a; atddd and the remaining files are detected as Backdoor.Linux.Mayday.f.
The archive with the files also contained a configuration file for cron - the Linux task scheduler. In this case, the utility is used by the Trojan as a means of getting a foothold in the system. The Trojan uses cron to perform the following tasks:
- Once a minute - terminate the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove, node24
- Approximately once in ninety minutes - terminate all of its processes: kysapd, atdd, skysapd, xfsdx, ksapd
- Approximately once in two hours - download all of its components to the /etc folder from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan's module, e.g., cupsdd), after deleting these files from the /etc folder
- Once in ninety minutes - relaunch all of its modules
- Every minute - purge system logs and bash command history and execute chmod 7777 [module_name]
During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron. Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system.Backdoor.Linux.Mayday.f (atddd)
The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. As mentioned above, Kaspersky Lab products detect it as Backdoor.Linux.Mayday.f. The files kysapdd, skysapdd, xfsdxd, ksapdd are almost exact copies of atddd - with one exception, which is discussed later in the text.
The backdoor starts its operation by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null
Next, atddd collects relevant information about the system, including:
- system version (by calling uname())
- number of CPU cores and their clock rates (taken from /proc/cpuinfo)
- CPU load (taken from /proc/stat)
- network load (data for interfaces with the "eth" prefix taken from /proc/net/dev)
The information listed above is stored in the g_statBase structure.
After this, the backdoor decrypts strings defining the C&C server's IP address and port number. The encryption algorithm used is very simple: an encrypted string is taken character-by-character, with 1 added to the ASCII code of a character if its number is odd and subtracted from it if the character's number is even. As a result, the string "3/3-2/4-269-85" yields the IP-адрес "184.108.40.206", while "2/:82" stands for port number "10991".
After this, atddd reads configuration file fwke.cfg, which is located in the same folder with the malicious program. Information from the config file is saved in the g_fakeCfg structure. If the file does not exist, the backdoor attempts to create it and store the following information in it:
1st line: 0 //flag, if 1 then begin attack, if 0 then terminate attack
2nd line: 127.0.0.1:127.0.0.1 //range of outgoing IP addresses
3rd line: 10000:60000 //outgoing port range for an attack
4th line: an empty line //domain name in the case of DNS flood (see below)
This information is subsequently sent to the C&C server and can be updated with a command from the C&C.
Next, the backdoor creates a new thread, CThreadTaskManager::ProcessMain(), in which commands to begin an attack and terminate an attack are put into the execution queue. After this, a new thread is created - CThreadHostStatus::ProcessMain(). In this thread, data on CPU and network load is updated every second and can subsequently be sent to the C&C server if requested.
After this, 20 threads are created, which read information from the task queue and, depending on the information read, launch an attack or terminate it. However, some of the threads may not be used in an attack if the relevant C&C command has a parameter (the number of threads to be used).
Then the malware enters an endless loop of processing messages from the C&C. After a connection with the C&C is established, information about system version and CPU clock rate, as well as data from the g_fakeCfg structure, is sent to the C&C every 30 seconds.
In response, the server should send 4 bytes, the first of which is the serial number of a command - from 1 to 4.
Next, if the command has parameters, the C&C sends another 4 bytes defining the amount of data that will be sent (i.e., the parameters). Then the parameters themselves are sent; their size should match the number from the previous C&C response.
About each command in greater detail:
- 0x01. Command to launch an attack. Parameters define the attack's type and the number of threads to be used. The attack type is defined by a byte which can take values from 0x80 to 0x84. This means that 5 attack types are possible:
- 0x80 - TCP flood. The destination port number is sent by the C&C in its response as a parameter. The source port range is defined in fwke.cfg. Each new request is sent from a new port within the range defined, in the ascending order of port numbers. The destination IP address is also defined in parameters.
- 0x81 - UDP flood. The same as 0x80, but UDP is used as the transport layer protocol.
- 0x82 - ICMP flood. Same as above, but via ICMP.
- 0x83, 0x84 - two DNS flood attacks. The only difference is the domain name sent in the DNS request. In the former case, the name is generated randomly, in the second, it is defined in a parameter (the fourth line in fwke.cfg). Essentially, both attacks are similar to 0x81, except that port 53 (the default port for the DNS service) is used as destination port.
- 0x02. Command to terminate an attack. The value in the first line of fwke.cfg is changed to 0 and the attack is terminated.
- 0x03. Command to update the file fwke.cfg. The response also includes a structure similar to g_fakeCfg, data from which is used to create the new fwke.cfg file.
- 0x04. Command to send the current command's execution status to the C&C server.
In addition to the above, the backdoor includes several empty methods (without any code), which have curious names: CThreadAttack::EmptyConnectionAtk, CThreadAttack::FakeUserAtk, CThreadAttack::HttpAtk. Apparently, the malware writer had plans to extend the malicious program's functionality, and this is a test version rather than a final version. The file cupsdd, which is discussed below, provides a confirmation of this.
The files kysapdd, skysapdd, xfsdxd, ksapdd are almost identical copies of atddd, with the exception that they contain different C&C server addresses: 220.127.116.11:10991, 18.104.22.168:10991, 22.214.171.124:10991 and 126.96.36.199:10991, respectively. The names of their configuration files are also different: fsfe.cfg, btgw.cfg, fake.cfg, xcke.cfg, respectively.
This means that, contrary to our expectations, the files atddd, kysapdd, skysapdd, xfsdxd, ksapdd are not modules of a single piece of malware but rather different copies of the same Trojan, each connecting to its own C&C server. However, this is not the most curious part of it by far.Backdoor.Linux.Ganiw.a (cupsdd)
Like the files described above, this file is a backdoor designed to carry out various types of DDoS attacks. However, cupsdd is significantly more feature-rich and sophisticated than its 'colleagues', although in places its code is very similar to that found in atddd.
The backdoor starts its operation by initializing the variables it needs from the string "188.8.131.52:30000:1:1:h:578856:579372:579888" (separator - ":"), which it first decrypts using the RSA algorithm. The string contains the following variables:
g_strConnTgt=184.108.40.206 - C&C server's IP address
g_iGatsPort=30000 - C&C server's port
g_iGatsIsFx=1 and g_iIsService=1 - flags used later
g_strBillTail=h - postfix for the name of the file that will be dropped (see below)
g_strCryptStart=578856, g_strDStart=579372, g_strNStart=579888 - pointers to RSA data (encrypted string and key)
Next, the malware drops and executes a file, which is located at offset 0xb1728 from the beginning of the original file and is 335872 bytes in size, provided that the file is not already running. The malware checks whether the file is running by trying to bind a socket to 127.0.0.1:10808. If the attempt is successful, it means that the file is not running, and it needs to be dropped and executed.
If the file is already running, its process, whose PID can be found in the file /tmp/bill.lock, is terminated (kill(pid, 9)). Then the file is dropped anyway, replacing the existing copy.
The name of the file that is dropped is generated from the name of the current file that is running + postfix from the variable g_strBillTail. In our case, the file was named cupsddh and was located in the same folder with the dropper.
After this, the current process forks and the child process calls the function system("/path/to/cupsddh"), which executes the file dropped.
Next, the function daemon(1, 0) is called, for the same purpose as in the case of the sample described above (atddd).
After this, the malware handles the situation if cupsdd was executed earlier and is currently active. For this purpose, it checks whether the file /tmp/gates.lock exists. If it does exist, the current process is terminated (exit(0)). If not, the file (/tmp/gates.lock) is created and the PID of the current process is written to it.
Then, if flag g_iIsService == 1, the backdoor sets itself to run at system startup by creating the following script named DbSecuritySpt in /etc/init.d/:
The malware also creates symbolic links to the script in /etc/rc[1-5].1/S97DbSecuritySpt
Next, the malware reads the configuration file conf.n (if it exists) from the same folder as the one in which cupsdd is located. The first 4 bytes of the file define the size of the data which follows. All the data is stored in the structure g_cnfgDoing.
Then the malware reads the file containing commands - cmd.n. The format is the same as in conf.n. The data is stored in the structure g_cmdDoing.
After this, the malware obtains all the necessary information about the system, including:
- The operating system's name and kernel version (e.g., Linux 3.11.0-15-generic), by calling uname()
- CPU clock rate, taken from /proc/cpuinfo
- Number of CPU cores, taken from /proc/cpuinfo, and CPU load, taken from /proc/stat
- Network load, taken from /proc/net/dev
- Hard drive size in megabytes, taken from /proc/meminfo
- Information about network interfaces, taken from /proc/net/dev
All the data is stored in the structure g_statBase.
Next, a new stream, CThreadTaskGates::ProcessMain, is created, in which the following commands are processed:
- 0x03. DoConfigCommand(). Update the configuration file conf.n.
- 0x05. DoUpdateCommand(). Start a new thread, CThreadUpdate::ProcessMain, in which update one of its components. The command accepts a number from 1 to 3 as a parameter. Each of the numbers is associated with one of the following strings:
1 - "Alib" - the file /usr/lib/libamplify.so
2 - "Bill" - the dropped module (cupsddh)
3 - "Gates" - the dropper (cupsdd)
Depending on the parameter, one of the malicious program's components is updated. An update is launched by sending 6 bytes containing the string "EF76#^" to the C&C server, followed by one of the strings described above (depending on the parameter).
The C&C responds by sending 4 bytes containing the length (in bytes) of the file that will be transferred next. Then the C&C transfers the file itself in 1024-byte packets.
First, the file is saved in the /tmp folder under a random name consisting of digits. Then, depending on the file that was received, the existing file cupsdd (or cupsddh) is replaced or the file is copied to /usr/lib/libamplify.so
Next, the temporary file is deleted from /tmp, and the chmod command is used to set 755 permissions for the resulting file. After this, in the case of updating cupsddh, the active process is terminated and the new file is launched. In the case of updating cupsdd, the final stage (starting from copying a file from /tmp) is carried out by cupsddh, to which the relevant command is sent.
- 0x07. DoCommandCommand(). Write a new command to cmd.n.
- 0x02. StopUpdate(). Close the current connection, which was established in order to update modules.
Next, the backdoor starts several threads, in which it simultaneously performs several additional operations:
- CThreadClientStatus updates the data on CPU and network load in the g_statBase structure every second.
- CThreadRecycle removes completed tasks from the queue.
- CThreadConnSender reads commands from the queue and passes them to the cupsddh module via a TCP connection with 127.0.0.1 on port 10808. In response it receives the status of their execution.
- CThreadMonBill checks whether the module cupsddh is running once every minute. If not, it drops and executes it again.
- CThreadLoopCmd reads commands from g_cmdDoing (the file cmd.n) and executes them using the call system(cmd).
Next, the main thread enters the loop of receiving and processing commands from the C&C server. There are two possibilities in this case, depending on the g_iGatsIsFx flag:
- If the flag is set (==1), the malware simply uses the new thread to send information about the system and the current configuration from g_cnfgDoing to the C&C and waits to receive commands in response, like the sample (atddd) described above;
- If the flag is not set, then the communication session is initiated by the C&C. In other words, the malware waits for the C&C to connect and begins to transfer the data mentioned above only when a connection has been established.
Commands received from the C&C are divided into two queues: either for execution in the current module (in the thread CThreadTaskGates described above) or for passing to the cupsddh module (thread CThreadConnSender).Backdoor.Linux.Ganiw.a (cupsddh)
The file is packed with UPX. After being unpacked, it calls daemon(1,0). It creates the file /tmp/bill.lock, in which it stores the PID of the current process. cupsddh stores system data in the structure g_statBase, which is identical to that used by cupsdd.
Next, it populates the structure g_provinceDns with the IP addresses of DNS servers converted to binary data in network byte order using the function inet_addr(), taking data from the string array g_sProvinceDns (offset in unpacked file: 0x8f44с, size 4608 bytes).
cupsddh executes command "insmod /usr/lib/xpacket.ko" in an attempt to load the kernel module into the kernel. However, the file is not present on 'clean' systems, and the malware does not make any attempt to download it or obtain it in any other way.
Next, data from the file /usr/libamplify.so (as it turns out, this is not a library but one more config file) is loaded into the structure g_AmpResource. The file has the following format: 1st dword is the number of dwords that follow. Apparently, it contains the list of IP addresses for DNS servers that are currently relevant, i.e., those suitable for DNS Amplification type DDoS attacks.
After this, the module creates two threads: CThreadTask and CThreadRecycle. The former executes commands from a queue comprising commands which came from the cupsdd module. The latter removes commands that have been executed. Next, the main thread binds a socket to 127.0.0.1:10808 and enters an endless loop, receiving commands from the cupsdd module and putting the commands received into the above queue.
The following commands are possible:
- 0x01. Start an attack according to the parameters received. See a more detailed description below.
- 0x02. Terminate the current attack, setting the relevant flag.
- 0x03. Update the current configuration in the g_cnfgDoing structure, which is used during an attack. Also, update the current local MAC address, as well as the MAC and IP address of the current gateway in the structure g_statBase.
- 0x05. The final stage of updating the cupsdd module (described above).
Two main attack modes are possible: normal mode and kernel mode.Kernel mode
This mode uses pktgen, a kernel-level packet generator built into Linux. Its advantage to the attacker is that traffic is generated with the greatest speed possible for the given network interface. In addition, the packets generated in this way cannot be detected using ordinary sniffers, e.g., the standard tcpdump, since packets are generated at kernel level.
The packet generator is controlled using a set of scripts/configs in the /proc/net/pktgen folder, but the module pktgen must first be loaded into the kernel by calling the command "modprobe pktgen". However, I did not find any such calls. Apparently, the call "insmod /usr/lib/xpacket.ko" is used instead, although, as mentioned above, the file is absent from the system by default. As a result, kernel mode is not operational in this version of the malware.
Nevertheless, the malware attempts to write several files to the /proc/net/pktgen folder, namely:
- the file /proc/net/pktgen/kpktgend_%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:
- the file /proc/net/pktgen/eth%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:
dst_mac %02x:%02x:%02x:%02x:%02x:%02x //MAC address of the gateway from g_statBase
multi_dst %s //if there are several addresses to be used in an attack (i.e., if the value in the previous line is not equal to 0), they are set in these lines, the number of which matches the previous parameter
The values of most pktgen parameters are passed from cupsdd via command parameters.
- the file /proc/net/pktgen/pgctrl, which contains the string "start".
As in the case of atddd, normal attack mode uses raw sockets.
The following attack types are possible in this mode:
- CAttackSyn - TCP-SYN flood.
- CAttackUdp - UDP flood (as in the case of atddd)
- CAttackDns - DNS flood (as in the case of atddd)
- CAttackIcmp - ICMP flood (as in the case of atddd)
- CAttackCc - HTTP flood.
- CAttackAmp - DNS Amplification.
The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender's IP address. As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C.
Post Scriptum. BillGates v1.5
This version of the Trojan appeared a little later and is probably currently the latest. Essentially, this is the same cupsdd, only a little 'shaped up'. Overall, there is more logic in the code, plus there are a couple of new functions.
The most significant changes were made to the Gates module, i.e., the file cupsdd. Now it has three operating modes. The choice of mode is based on the folder from which the file is launched. Specifically, if it is launched from /usr/bin/pojie, then monitoring mode is enabled, otherwise the module operates in installation and updating mode, which is later superseded by the mode in which it controls the Bill module.
- Installation and updating mode.
First, the module terminates its process working in monitoring mode, if it exists. Its PID is kept in the file /tmp/moni.lock.
Next, it reinstalls and re-launches the Bill module.
Next, if a process working in the 'controlling the Bill module' mode exists, that process is terminated. Its PID is kept in the file /tmp/gates.lock.
If the flag g_iIsService is set (it is defined in the same way as in the previous version), the module sets itself to run at system startup in the same way as before (in the previous version).
Next, the module writes its path to the file /tmp/notify.file and then copies itself to the file /usr/bin/pojie. After this, it launches its copy, which is, obviously, set to run in monitoring mode, and then changes its own operating mode to controlling the Bill module.
- Monitoring mode.
Writes the PID of the current process to the file /tmp/moni.lock. Next, it starts two threads - one to monitor the Bill module and the other to monitor the Gates module operating in controlling Bill mode. If one of these processes is currently not running, the relevant file is created and launched again.
- Controlling the Bill module mode.
The actions of the Gates module are exactly the same as they were in the previous version of the Trojan (after installing the Bill module and initializing the relevant variables and structures of the Trojan).
To summarize, in the new version of the Trojan its authors have added a little 'robustness' without making any significant functionality changes.
It is also worth noting that the hard-coded IP address of the C&C server has remained the same (220.127.116.11) in this version, but the port number has changed - it is now 36008 instead of 30000 in the previous version.
The most popular uses of cloud services include: storing image scans of passports and other personal documents; synchronization of password, contact list, and email/message databases; creating sites; storing versions of source codes, etc. When cloud-based data storage service Dropbox announced a patched vulnerability in its link generator, it once again sparked online discussions about how important it is to encrypt confidential data before uploading it to an online storage, even a private one. Well, File encryption (FLE) does indeed protect confidential information stored in the cloud, even if there are vulnerabilities in controlling access to user documents with certain cloud storage services.
It's tempting to think that you can secure yourself against all possible risks by encrypting your data before you upload it to a cloud storage service, or by foregoing cloud services altogether. But is that really true? As it turns out, no, it isn't.
The Internet is full of recommendations on how to "effectively use cloud-based storage services" including advice on how to remotely control a PC, monitor your computer while you are away, manage your torrent downloads, and many other things. In other words, users create all types of loopholes all by themselves. These loopholes can then be easily exploited by a Trojan, a worm, not to mention a cybercriminal, especially in targeted attacks.
So we asked ourselves: how likely is it that a corporate network can be infected via a cloud service?
At the Black Hat 2013 conference, Jacob Williams, Chief Scientist at CSRgroup Computer Security Consultants, gave a presentation on using Dropbox to penetrate a corporate network. While conducting a trial penetration test (pen test), Jacob used the Dropbox thin client installed on a laptop located outside of a corporate network to spread malware to devices within that network.
Jacob first used phishing to infect an employee's computer, then embedded malicious scripts into documents stored in the laptop's cloud-hosted folder. Dropbox automatically updated (synchronized) the infected documents on all the devices attached to the user's account. Dropbox is not unique in this respect: all applications providing access to popular cloud file services have an automatic synchronization feature, including Onedrive (aka Skydrive), Google Disk, Yandex Disk, etc.
When the user opened the infected document on a workstation located within the corporate network, the malicious scripts embedded in the document installed the backdoor DropSmack on that workstation - it was specifically crafted by Jacob for this pen test. As its name suggests, DropSmack's main feature is that it uses the Dropbox cloud file storage service as a channel to manage the backdoor and leak corporate documents through the corporate firewall.
In the pen test, Jacob used a stunningly simple method to penetrate the corporate network - it is an obvious loophole!
We also decided to check if cybercriminals are using Dropbox, OneDrive, Yandex Disk or Google Disk to spread malware for real. We collected information from KSN about instances of malware detected in cloud-based folders belonging to Kaspersky Lab product users, and found out infections like these were detected for very few users: in May this year, only 8,700 people encountered an infection in their cloud-based folder. Among Kaspersky Lab's home product users, such instances account for only 0.42% of all malware detection cases, and 0.24% for corporate product users.
We should point out one important detail: if a piece of malware is uploaded from one device, all clients connected to the infected account will download it to their devices, and they will do so via HTTPS. Even if a security solution detects the malware in the synchronization folder and deletes it, the cloud client will keep downloading it from the cloud in an endless loop.
According to the data we collected, some 30% of malware detected in cloud folders on home computers had penetrated to these computers via synchronization mechanisms. For corporate users this number reaches 50%. Thus, the infection mechanism demonstrated by Jacob Williams in his demonstration malware, does cause infections in real life. Fortunately, we have not (yet) detected targeted attacks launched using cloud-based data storage services.
If we look into the malware we detected in the cloud folders on users' computers, files for Win32, MSIL, VBS, PHP, JS, Excel, Word and Java dominate. It should be noted that there is a small difference between corporate and home users: for corporate users, infected MS Office files occur more often, while home users also face unique threats on their lists in the form of malicious Android applications.
TOP 10 verdicts:
Consumer Corporate 1 Email-Worm.Win32.Runouce.b Email-Worm.Win32.Brontok.dam.a 2 Email-Worm.Win32.Brontok.q Virus.Win32.Sality.gen 3 not-a-virus:AdWare.Win32.RivalGame.kr Virus.Win32.Tenga.a 4 Virus.Win32.Nimnul.a Trojan-Dropper.VBS.Agent.bp 5 Trojan-Clicker.HTML.IFrame.aga Trojan.Win32.Agent.ada 6 Exploit.Win32.CVE-2010-2568.gen Trojan.Win32.MicroFake.ba 7 Virus.Win32.Sality.gen Exploit.Win32.CVE-2010-2568.gen 8 Worm.Win32.AutoRun.dtbv Worm.Win32.AutoRun.dtbv 9 Trojan-Dropper.VBS.Agent.bp Trojan.Win32.Qhost.afes 10 Trojan.Win32.Genome.vqzz Virus.Win32.Nimnul.a
More often than not, virus writers use cloud storage as a place to host their malware rather than a platform to spread them. During the research, we did not encounter a single worm or backdoor (except DropSmack) specifically targeting cloud-based file storages. Naturally, these services try to counter malware which takes up storage room in the cloud. In addition hosting malware affects the service's reputation, although cloud services are not formally responsible for what files their clients upload to the storage. Regular scans of all files contained in the cloud will obviously require a lot of resources that the services would rather use to store data.
As a result of this research, we concluded that there is a relatively low risk of a corporate network being infected via cloud storage: over a period of a year, just 1 out of 1,000 corporate users using cloud services risks infection. It should be remembered, however, that in some cases even a single infected computer in a corporate network can lead to substantial damage.
Here are some measures that can be used to protect corporate networks:
- Tighten up Firewall/IDS security settings, block access to popular online storage services. The big disadvantage this approach has is that it requires constant and close monitoring of new blacklist candidates as they emerge online.
- Install a multi-purpose Security Suite. It must incorporate a heuristic and behavior-based antivirus, access restriction features (HIPS), a tool to control the functioning of the operating system (System Watcher or Hypervisor), and a tool to prevent exploitation of vulnerabilities, etc. Once installed, the product must be carefully configured.
- Remember that even the most sophisticated Security Suite can miss an APT attack. Therefore, attention should be paid to Application Control (it should be configured at Default deny). This is perhaps one of the most reliable tools that will block any unknown software, including malware spread during a targeted attack. The most difficult task arising while deploying Application Control is to configure appropriate rules so that all permitted applications can be launched and updated without problems. To this end, the manufacturers of products which include the Application Control feature have developed dedicated tools: software updates via trusted update programs, preset software whitelists including all possible system and user files, access to huge cloud services and information databases about the entire diversity of whitelisted software.
- In special cases, Application control should be used to restrict the use of cloud clients within the corporate network. Only trusted employees should be allowed to launch the applications with which to synchronize cloud folders.
As for networks with the most rigorous security requirements, such as those managing power plant operations and water supplies, which guard state secrets or control defense facilities - for all of these we thoroughly recommend not using cloud-based file storage services at all.
At the end of last week we came across a curious method of distributing links to a phishing page that collects users’ personal data.
The FIFA World Cup in Brazil is attracting not only football fans in all parts of the world, but cybercriminals too. The phishing page is designed to imitate the FIFA website. Visitors are asked to sign a petition in defense of Luis Alberto Suárez, a forward for the Uruguayan national team. (On June 24, in a last group stage match between Uruguay and Italy, Suarez bit Italy defender Giorgio Chiellini on the shoulder. As a result, Suarez was disqualified for nine official matches for the national team and banned from all football-related activity for four months. He was also slapped with a fine).
To sign the petition, the user needs to fill out a form, entering his or her name, country of residence, mobile phone number and email address:
The phishing page matches the design of the official website and all links on it redirect users to FIFA’s official site, fifa.com. The phishing domain was created on June 27, 2014. According to the whois database, it was registered in the name of a person residing in London. The data collection form was developed by the phishers using Google.Docs. Personal data obtained from the form can be used to send spam, phishing and SMS messages, as well as malicious apps. In addition, armed with users’ email addresses and telephone numbers the cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases when a one-time password is sent via SMS.
After filling out the ‘petition’ form, victims were encouraged to share a link to the page with their friends on Facebook:
Unsuspecting fans shared links to the fake petition on their Facebook pages. This enabled the phishing link to spread widely across Facebook in a matter of days.
Messages with links to the phishing page were also seen on dedicated forums, from which users probably reached the phishing page originally.
In 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed "Miniduke". It stood out from the "APT bunch" for several reasons, including:
- Its use of a customized backdoor written in Assembler (who still writes in Assembler in the age of Java and .NET?)
- A unique command and control mechanism that uses multiple redundancy paths, including Twitter accounts
- Stealthy transfer of updates as executables hidden inside GIF files (a form of steganography)
We have pointed out that this threat actor used malware developed using "old-school" virus writing techniques and habits.
Our analysis was continued later by researchers from CIRCL/Luxembourg and several other AV companies. Recently, we became aware of an F-Secure publication on the same topic (under the name "CosmicDuke").
In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention.
We believe it's time to uncover more information on their operations."Old" Miniduke in 2014
The old style Miniduke implants from 2013 are still around and being used during the current campaigns.
It still relies on Twitter accounts which contain a hardcoded C&C URL pointing to the command and control server. One such account was the following, observed in February 2014:
Although the format of the C&C URL was changed from previous variants, the encoding algorithm is the same. The line above can be decoded into the full C&C URL:
This decoded URL was an active C&C, from which several updates have been collected:
Update 1:MD5 93382e0b2db1a1283dbed5d9866c7bf2 Size 705536 bytes Compilation Sat Dec 14 18:44:11 2013
This Trojan is a large package, due to the use of a custom packer. The bundle has a specific debug string inside:
The package executes a smaller Trojan module:MD5 b80232f25dbceb6953994e45fb7ff749 Size 27648 bytes Compilation timestamp Wed Mar 05 09:44:36 2014 C&C hxxp://rtproductionsusa.com/wp-includes/images/smilies/icon_gif.php
Another update that has been observed on the C&C server was:
Update 2:MD5 7fcf05f7773dc3714ebad1a9b28ea8b9 Size 28160 bytes Compilation timestamp Fri Mar 07 10:04:58 2014 C&C hxxp://tangentialreality.com/cache/template/yoo_cache.php
We have observed another similar Trojan, although not on the C&Cs directly:MD5 edf7a81dab0bf0520bfb8204a010b730,
ba57f95eba99722ebdeae433fc168d72 (dropped) Size 700K, 28160 (dropped) Compilation timestamps Sat Dec 14 18:44:11 2013 (top)
Fri Jan 10 12:59:36 2014 (dropped) C&C hxxp://store.extremesportsevents.net/index.php?i=62B...[snip]
The use of the Nemesis Gemina packer in the Miniduke payloads made us look for further samples in our collection. This led us to several new findings.The "New" Miniduke Malware (the "CosmicDuke")
After the 2013 exposure, the actor behind Miniduke appears to have switched to using another custom backdoor, capable of stealing various types of information.
The malware spoofs popular applications designed to run in the background, including file information, icons and even file size:
The main "new" Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called "BotGenStudio", which has flexibility to enable/disable components when the bot is constructed.
The components can be divided into 3 groups
Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated.Reconnaissance
The malware can steal a variety of information, including files based on extensions and file name keywords:
Note: we believe the "*sifr*" and "*sifer*" keywords above refer to the transliteration of the English word "Cypher" in some languages.
Also, the backdoor has many other capabilities including:
- Skype password stealer
- General network information harvester
- Screen grabber (grabs images every 5 minutes)
- Clipboard grabber (grabs clipboard contents every 30 seconds)
- Microsoft Outlook, Windows Address Book stealer
- Google Chrome password stealer
- Google Talk password stealer
- Opera password stealer
- TheBat! password stealer
- Firefox, Thunderbird password stealer
- Drives/location/locale/installed software harvester
- WiFi network/adapter information harvester
- LSA secrets harvester
- Protected Storage secrets harvester
- Certificate/private keys exporter
- URL History harvester
- InteliForms secrets harvester
- IE Autocomplete, Outlook Express secrets harvester
- and more...
The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software. These three methods are:
- Direct TCP connection and HTTP session via Winsock library
- HTTP session via Urlmon.dll
- HTTP session via invisible instance of Internet Explorer as OLE object
Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. As we noted, Miniduke/CosmicDuke is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software. Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardized code which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.
One of the more technically advanced parts of Miniduke is the data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure which has various record types including strings, integers and internal references.
In addition, Miniduke uses an unusual method to store the exfiltrated data. When a file is uploaded to the C&C server it is split into small chunks (~3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If the source file is large enough it may be placed into several hundred different containers that are uploaded independently. These data chunks are probably parsed, decrypted, unpacked, extracted and reassembled on the attacker' side. This method is used to upload screenshots made on the victim's machine. Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors.Victim geography and profiles
Based on our analysis, the victims of Miniduke and CosmicDuke fall into these categories:
- telecom operators
- military, including military contractors
- individuals involved in the traffic and selling of illegal and controlled substances
From one of the old style Miniduke servers we were able to extract a list of victims and their corresponding countries. We were able to identify victims in three of these countries which belonged to the "government" category. Here's the list of countries affected:
- United States
One of the CosmicDuke servers we analyzed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs. Geographical distribution of the victims was as follows (top10):84 Georgia 61 Russia 34 United States 14 United Kingdom 9 Kazakhstan 8 India 8 Belarus 6 Cyprus 4 Ukraine 4 Lithuania
According to our analysis, the attackers were more interested in expanding their operations and scanned IP ranges and servers in Azerbaijan, Greece and Ukraine.Command and control server analysis and hacking tools
During the analysis, we were able to obtain a copy of one of the CosmicDuke command and control servers. It appears it was also used for other operations by the group members, including hacking into other servers on the internet.
The attackers have deployed a number of publicly available hacking tools on this server in order to scan and compromise websites of victim organizations as well as collect information for future targeted attacks.
Here is the list of hacking tools found on the server:
Hydra: "A very fast network logon cracker which support many different services"
Fierce2: "A semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domains using things like DNS, Whois and ARIN"
The Harvester: "The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database"
RitX: "A Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all currently domains hosted on a server using multiple services and various techniques"
Joomscan: "OWASP Joomla! Vulnerability Scanner"
Ncrack: "High-speed network authentication cracking tool. It allows for rapid, yet reliable large-scale auditing of multiple hosts"
Sqlmap: "An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers"
WPScan: "A black box WordPress vulnerability scanner"
Note: tool descriptions were copied from their public websitesAttribution and Artifacts, connections with other campaigns
Although the attackers use English in several places, indicating knowledge of this language, there are certain indicators to suggest they are not native English speakers.
The following strings were discovered in a block of memory appended to the malware component used for persistence:
c:\documents and settings\владимир\local settings\...
The C&C hosts appear to have been compromised by the attackers, which uploaded a specific webshell.
For the webshell, it is interesting to point to the use of Codepage 1251, which is commonly used to render Cyrillic characters. The password used to protect the shell, is checked against the MD5 hash "35c7c2d1fe03f0eeaa4630332c242a36". (BTW: can you crack it? It took us some days to solve it!)
Perhaps it is noteworthy to say that the same webshell has been observed in the operations of another advanced threat actor known as Turla, Snake or Uroburos.
Another interesting aspect is the debug path strings from the malware, which indicate several build environments or groups of "users" of the "Bot Gen Studio", "NITRO" and "Nemesis Gemina":
Based on the compilation timestamps, we were able to put together the following chart indicating the activity of the Miniduke/CosmicDuke attackers on a 'Day of the Week' basis:
It appears the attackers follow the Mon-Fri work week, however, they do work on the weekends from time to time.
In terms of activity hours, the attackers appear to be working between 6am and 7pm GMT. Most of the work is done between 6am and 4pm though.
Although they stopped or at least decreased in intensity following our announcement last year, the Miniduke attacks are now back in force. The old style Miniduke malware is still being used, deploying previously known stages packed with a new obfuscator observed with the mysterious "Bot Gen Studio" for the "NITRO" and "Nemesis Gemina" projects.
While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia. One possibility is that "Bot Gen Studio" is a malware platform also available as a so-called "legal spyware" tool, similar to others, such as HackingTeam's RCS, widely used by law enforcement agencies. Another possibility is that it's simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.
At the same time, the "Nemesis Gemina" project focuses on government, diplomatic, energy, military and telecom operators.
One of the big questions here is: Are the Miniduke attackers still "elite"? Though the old malware is still in use, the new malware is no longer pure assembler; instead, it's written in C/C++.
The new samples of Miniduke/CosmicDuke use a powerful obfuscator. For almost all of the samples we analyzed, it jumps to the beginning of dynamic PE loader - always from the same "l33t" address (if memory layout allowed it during the bot construction):
Hence, you could say that CosmicDuke is still "l33t"!
NO-IP is one of the many Dynamic DNS providers out there, which can be used for free to register a subdomain on top of popular names such as servepics.com or servebeer.com . For a long time, this has been a favorite method for cybercriminals who wanted to register easy to update hostnames to control their malware implants. Yesterday, Microsoft moved against NO-IP and seized 22 of their domains. They also filed a civil case against Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software harming Microsoft, its customers and the public at large.
Interestingly, Microsoft cited two specific malware families which were used to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware . These have been used by multiple cybercriminal and activist groups to target users, including the (in-)famous Syrian Electronic Army. (stay tuned for a more detailed blog on that soon)
In addition to these, the takedown disrupted many other APT operations, which used NO-IP for their C&C infrastructure. These include:
- Turla/Snake/Uroburos, including Epic
- HackingTeam RCS customers
Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 18.104.22.168.
Some top level domains that have been taken away from Vitalwerks and now use Microsoft's DNS infrastructure include:
In the meantime, NO-IP / Vitalwerks have published their answer online:
Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft s attempt to remediate hostnames associated with a few bad actors.
We think yesterday s events have dealt a major blow to many cybercriminal and APT operations around the world.
In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure.
Since the publication of our blogpost, many people have contacted us and complained about disruption of their otherwise clean hosts due to the Microsoft takedown. In fact, two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries.
Update (2014-07-04): NO-IP just sent a note to their customers that all 23 domains that were seized by Microsoft are now back in their control. This appears to be true, with Microsoft DNS servers no longer controlling the domains.
Have you been affected about the NO-IP takedown? Please let us know by sharing your comments below.