Secure List feed for B2B
Last week, GReAT LatAm had the pleasure of participating in the Fourth Latin American Security Analysts Summit in Cartagena, Colombia. We were joined by 29 journalists from 12 different countries throughout the region and a guest speaker. This is one of our favorite events as it presents a rare opportunity to discuss ongoing research with journalists one-on-one and address security concerns at a regional level. The LatAm focus of the event allows us to examine the 'latin flavor' of cybercrime and cyberespionage originating within our borders.
The Summit was divided into two days. The first day involved presentations ranging from the evolution of the threat landscape to issues involving wearable devices, the disturbing trend of 'camfecting', and new tendencies in Brazilian trojan bankers now aided by cooperation with Eastern European cybercriminals. The second day largely revolved around APTs and cyberespionage campaigns as well as mobile threats affecting integration with the cloud.
The ever-charismatic Fabio Assolini discussed a favorite topic of his, the development of banking trojans in his native Brazil. The country is known for its carder culture and widespread cybercrime. Interesting figures presented included the correlation between the cost of Zeus and Caberp and their infection rates in the region, as we witness an exhorbitant rise in the rate of infection once their respective source codes leak and effectively eliminate the initial investment on the part of the criminals. Fabio also unveiled the link between Brazilian and Eastern European cybercriminals who are now exchanging knowledge through online resources to enhance their crimes.
Our very own Santiago Pontiroli took to the stage to discuss mobile- and cloud-based attack vectors in a presentation rife with Orwellian parallels and forewarnings. Santiago discussed Latin America's proclivity for piracy and pornography as presenting massive opportunities for cybercriminals fully willing to exploit them.
Android, a platform enjoying wide-adoption in the region is also an increasingly appealing target for cybercriminals as evidenced by the fact that 98% of mobile malware detected in 2013 were aimed at Android devices –a number that doubled in the first quarter of 2014! Many of these devices are now integrated with the cloud which breathes new life into old phishing schemes whose pay-off now includes extensive access to personal data, storage, and even real-time location information. Some criminals have gone so far as to misuse manufacturer recovery services to act as pre-installed ransomware.
Roberto Martinez and I took on the topic of wearable technologies, increasingly popular devices that collect all kinds of stats about their users, store personal information, and are designed to be worn continuously. I focused on the Samsung Galaxy Gear 2 smartwatch and the ease with which it can be misused by deviants in the 'creepshots' community, as rooting and executing a handful of commands disables camera alerts and recording limitations. Roberto focused on Google Glass whose integrated wifi capability leaves it susceptible to tried-and-true sniffing to expose some of the traffic being relayed to the device.
Emphasizing that the design itself of wearable devices has a propensity to embolden well-known methods of attack as users have limited access to information regarding altered applications or suspicious connections. As wearable devices function by linking with a mobile device, they can eventually become an interesting means for persistent attacks as they are capable of interacting with the information on our phones without being subject to the security measures of their master devices.
Evolving Threats in Cyberespionage
On the cyberespionage front, we saw two thought-provoking and exciting presentations:
We were joined by Jaime Blasco, Director of Research at Alienvault and a close friend of GReAT. Jaime discussed an overview of APT campaigns over the past decade, the measures developed to understand them, and traits that help categorize the work of recurring nationstate players.
Dmitry Bestuzhev announced GReAT's discovery of the first ever cyberespionage campaign of Latin American origin! The Machete campaign affected military, diplomatic, and governmental institutions in 15 countries, primarily Venezuela, Ecuador, and Colombia. Interestingly, though LatAm has been considered by many as lacking the infrastructure for sustained cyberespionage, research revealed that the campaign has been active since 2010.
Finally, no Kaspersky event would be complete without an active entertainment day for all participants. We retreated to the Cartagena Golf Club for an afternoon of activities ranging from kayaking and beach volleyball to cocktail-making, dance lessons, and guided flower arrangements, as well as a massage area. The evening concluded with a gala dinner accompanied by the traditional music and dances of Colombia and closing words from our thoughtful organizers. I hope you can join us next year!
For more follow me on twitter: @juanandres_gs
Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.
Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.
The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.File name "Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc" MD5 b2385963d3afece16bd7478b4cf290ce Size 381,667 bytes
The .DOC file, which in reality is a "Single File Web Page" container, also known as "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese.
It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.
If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll", (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).Name WINDOWSUPDATANEY.DLL MD5 c13c79ad874215cfec8d318468e3d116 Size 37,888 bytes
It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):
To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:
- Boat-12 Is Running!
- DocHunter2012 Is Running!
- Hunter-2012 Is Running!
- NT-2012 Is Running!
- NetTravler Is Running!
- NetTravler2012 Is Running!
- SH-2011 Is Running!
- ShengHai Is Running!
- SD2013 is Running!
The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly new format compared to "older" NetTraveler samples:
For the record, here's what an older NetTraveler config file looks like:
Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break.
The algorithm is as follows:
decrypted[i]=encrypted[i] - (i + 0xa);
Once decrypted, the new config looks like this:
One can easily see the command-and-control (C&C) server in the screenshot above, which is "uyghurinfo[.]com".
We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:C&C server IP IP location Registrar ssdcru[.]com 126.96.36.199 Hong Kong, Albert Heng, Trillion Company SHANGHAI MEICHENG TECHNOLOGY uygurinfo[.]com 188.8.131.52 United States, Los Angeles, Integen Inc TODAYNIC.COM
INC. samedone[.]com 184.108.40.206 Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp Datacenter SHANGHAI MEICHENG TECHNOLOGY gobackto[.]net 220.127.116.11 Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY worksware[.]net N/A N/A SHANGHAI MEICHENG TECHNOLOGY jojomic[.]com was
18.104.22.168 Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY angellost[.]net was 22.214.171.124 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY husden[.]com was 126.96.36.199 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY
We recommend blocking all these hosts in your firewall.Conclusion
This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.
For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.
NetTraveler victims by industry
Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.
The end of each summer always gets me excited, because one of my favorite events is taking place: the Internet Law Summer School organized by ELSA - The European Law Students' Association. This summer school is the perfect opportunity to meet young, smart and talented law students and discuss privacy, security or internet threats with them.
These students will become the lawyers, prosecutors and judges of tomorrow - so it's very important for them to get them in touch with the real world problems of fighting cyber-crime and ensuring the security and privacy of personal data.
Fighting cyber-crime through all means possible has always been our mission here at Kaspersky Lab. But we can't do this alone. Sure, our products and technologies are protecting hundreds of millions of users worldwide, but stopping cyber-crime is something we can not do just by ourselves.
Cyber-crime is a huge problem worldwide and it is always very frustrating to see that those persons responsible for cyber-attacks very rarely have to face the consequences of their actions. In the last 24 hours, we've discovered more than 300.000 new viruses, trojans and worms. How many cyber-criminals have received prison sentences in the same 24 hours period?
The reason why cyber-criminals usually get away with their crimes is that both law enforcement and judicial systems around the world are having a hard time trying to keep up with the evolution of technology, or threats on the internet specifically. This is why it's so important to train law enforcement officers. This is why it's so important to train judges and prosecutors. At the end of the day, they are the ones actually fighting cyber-crime by sending cyber-criminals to jail.
This year, the main focus of the summer school was on freedom of media and private life. I focused on the privacy and security side, of course - with a workshop titled "Private life in cyberspace - securing your personal data online".
My main message? Trust and use encryption in order to thwart prying eyes - but don't forget that no matter how good the encryption you're using is, an insecure operating system will always offer the attacker the chance of accessing your data before it gets encrypted. You can't have privacy without first having good security.
Very often new terms get over-hyped in the IT security industry. At the moment we can find articles about how hackers and researchers find vulnerabilities in for example cars, refrigerators, hotels or home alarm systems. All of these things go under the term IoT (Internet of Things), and it's one of the most hyped topics in the industry. The only problem with this kind of research is that we cannot really relate to it all: it's pretty cool, detailed research, but if you as a reader cannot relate to the attacks, the research is not understood in the proper way.
We often try to predict the future with proactive research, and I think it can be important to try to predict the future and conduct proactive security research. But I think it's even more important to talk about what's relevant, and talk about threats that people can relate to. I started to think about this topic, and figured that if we can't secure ourselves against current threats, what good will it do to identify potential new future threats?
Threats are around us right now, while you're reading this document. As users in a connected digital environment we need to ask ourselves; 'What's the current threat level?' and 'How vulnerable am I?' – Especially when we start building small home office networks. A typical modern home can have around five devices connected to the local network which aren't computers, tablets or cellphones. I'm talking about devices such as a smart TV, printer, game console, network storage device and some kind of media player/satellite receiver.
I decided to start a research project and conduct research which I thought was relevant, trying to identify how easy it would be to hack my own home. Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home 'hackable?'. Before I started my research I was pretty sure that my home was pretty secure; I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to applying security patches, etc. I reckoned there must be other homes that are much more hackable than mine, because I don't really have a lot of 'hi-tech' kit at home.
During my research I didn't focus on computers, tablets or cellphones, but rather on all the other devices I have connected to my network at home. To my surprise it turns out that I actually have quite a lot of different things connected to my network. Most of them were home entertainment devices: smart TV, satellite receiver, DVD/Blu-ray player, network storage devices and gaming consoles. I'm also at the moment relocating to a new house, and I've been talking with my local security company. They're suggesting I get the latest alarm system, which connects to the network and can be controlled with my mobile device… After this research, I'm not so sure it's a good idea.
Some of the devices on my network were for example:
- Network-attached storage (NAS) from famous vendor #1
- NAS from famous vendor #2
- Smart TV
- Satellite receiver
- Router from my ISP
Before conducting the research I had all devices update with the latest firmware version. During this process I also noticed that not all devices had automated update checks, which made the entire process quite tedious. As a consumer I had to manually download and install the new firmware on some of the devices, which was actually not that simple because the new firmware files were not that easy to find, and the entire update process wasn't very suitable for a normal computer user. Another interesting observation was that most of the products were discontinued more than a year back or simply didn't even have any updates available. This got me thinking… do these home business and entertainment products only 'live' for about a year before they get discontinued?The goal
So what am I trying to prove with this research? Let me explain why I think this is important research. When I started this project I soon noticed that I could take several different approaches to the research, but for me the main goal I wanted to achieve was to see how vulnerable our homes really are, and also identify real, practical and relevant attack vectors to prove just that.
In general we're quite good at protecting our endpoints and use security software to help us do so. We also become aware from newspapers and blogs about how to raise our security level. Most people today know what a computer virus is, that we should have strong passwords, and that it's important to install the latest security patches; but do we really think about all aspects? It's quite common for a security researcher to talk about a locked door on a glass house, and I wanted to have a similar approach with this research. I wanted to demonstrate that even with an IT-security mindset we focus on protecting our endpoints, and tend to forget that there are other devices connected to our networks. We want to prevent people hacking or infecting our computers because we don't want our data to be stolen, but we then go home and do a full backup of our data to a device that's even more vulnerable than our computer.
The audience for this research is not only consumers but also companies. We need to understand that EVERYTHING we connect to the network might be a stepping stone for an attacker, or may even become an attacker's invisible 'base' that he/she will use to regain access to your network after its been compromised. Just imagine a scenario where you notice you've been compromised, you do everything in the book to bring it back to normal again, you backup your data, re-install your devices and make sure that the new installation is protected against malicious code and all updates are installed; but then six months later you get compromised again, and all your new data is stolen again… How would that even be possible?
The attacker might have compromised your network storage device and turned it into a backdoor. The malicious software is undetected because there's no protection against malicious code running on that device, and the malicious software cannot be deleted because you don't have permission to access the file system on the device; not even a factory reset would solve the problem. Or it might be that the attacker actually used your compromised smart TV to regain network access to your corporate network, since the TV is connected to the same network as your employees, and there are no network restrictions for the smart TV.
The goal with my research was to try to be the baddie, to use my home entertainment devices for malicious intentions, to actually compromise them and use them as either stepping stones to launch further attacks or as a backdoor in my own network.
What I did not try to do in this report is bash or criticize any vendor; the devices that were tested during this research were my own personal devices, and that's the reason those devices were chosen for this project. All vulnerabilities have been reported to the respective vendors, and they're working on solutions for these products. I will not disclose all the vulnerabilities that were identified in this research or any technical details about the vulnerabilities because that will only help the bad guys. If you want further technical details regarding the research project feel free to contact us.The impact
So, I had all these different devices connected to my network, but where was I to I start? I decided to begin by defining the different attack scenarios I would include in my research rather than just attacking these devices without any criteria. One or all of the following criteria had to be achieved to consider the test successful:
- To obtain access to the device; for example, to get access to files on the network storage devices;
- To obtain administrative access to the device, not just in the administrative interface, but also at the OS level;
- To be able to transform/modify the device for my personal interest (backdoor, stepping stone, etc.).
There are probably loads of other scenarios that could be useful to test, but my time was limited and I simply needed to prove a point. I started out by just fooling around with the web interfaces for the different devices and to my surprise it didn't take long before I had found remotely exploitable command execution vulnerabilities with full administrative permissions at the OS level on both network storage devices.
At this point I asked myself, 'is it really that easy?' I then thought about the two newly discovered vulnerabilities and realized both were in the administrative interface after authenticating as the administrative user. I needed to have the same preconditions as the attacker. So I tried to find vulnerabilities without using any of my access credentials. At this point it was a little bit harder, but after some poking around I found the main configuration file – it was available remotely to any user on the network. In the configuration file all the password hashes were stored, which made it real easy to obtain the administrative interface again and then use the vulnerabilities I found before to execute system commands on the device.
After further poking around I found more vulnerabilities, which could also be exploited without authentication to execute system commands as root (highest privileges) on the device. At this point it was more or less game over for both of the network storage devices; I didn't just have access to the entire file system of the devices, it was also very easy for me to infect the devices with some Trojan or backdoor that would turn the devices into zombies in a botnet – or give the attacker a backdoor to, for example, carry out further attacks from the device.
Both compromised devices where running a Linux 2.6.x kernel, and a lot of interpreters such as perl and python. One of them also had the GNU C compiler installed, which would make the attackers' life much easier. Since one of my attack scenarios was to transform the compromised device into a backdoor, I simply used one of the public IRC bots as my test case. Within seconds I had turned my network storage device into a zombie in a botnet.
This was extremely easy because the compromised network storage device is used to store files, so I could simply upload my malicious file and place it outside the shared folders somewhere else on the file system, which results in the owner of the device not being able to delete the file without using the same vulnerabilities we used to both upload and execute our IRC Trojan.
After researching the network storage devices I found over 14 vulnerabilities that would allow an attacker to remotely be able to execute system commands with the highest administrative privileges. The two devices did not just have a vulnerable web interface, but the local security on the devices was also very poor. The devices had very weak passwords, a lot of configuration files had incorrect permissions, and they also contained passwords in clear text.
To give you another example on how bad the local security was, I can tell you that on one of the storage devices the administrative root password was '1'. I do understand that these devices are not built with Fort Knox security in mind, but to have a one character-long password is against all reasonable rules.
Due to the poor security, and the fact that I had access to the file system, it was also very simple to identify several scripts which enabled features in the device that weren't documented anywhere. Functions which allowed an external user to enable services and other interesting things on the devices such as remote admin interfaces (telnetd, sshd). I might write more about these 'hidden' features in a different post because I need to conduct deeper research regarding these files.
During the research project I stumbled upon some other devices that had 'hidden' features; one of those devices was my DSL router which was provided by my ISP. After I logged in using the admin credentials I received from the ISP I could navigate around the web interface. The interface was pretty simple to use, and I quickly noticed how the URL changed when I navigated through the menu. Each function in the menu was assigned a number; the first function in the menu had the numeral 0, and then it incremented with one for each option. The interesting thing was that sometimes a function jumped to an unexpected number and a few numbers were missed, but when you then entered the missed numbers in the URL address bar you were prompted with a menu option that didn't exist in the menu list, but the name of that 'hidden' function was displayed in the web interface.
I started to brute force these numbers, and found that there were tons of functions I didn't have access to. I just assume that my ISP or the vendor have FULL CONTROL over the device, and can do anything they want with it and access all these functions I don't have permission to use. By just looking at the 'hidden' function names it seems that the ISP can for example create tunnels so as to connect to any device on the network. Just imagine if these functions fell into the hands of the wrong people? I understand that these functions are most likely supposed to be helping the ISP perform support functions, but when you log in using the administrative account you don't have full control over what you consider is your own device, and thus it becomes quite scary. Especially when some of the names have equally scary names like 'Web Cameras', 'Telephony Expert Configure', 'Access Control', 'WAN-Sensing' and 'Update'.
Below are some screenshots of these hidden functions.
I'm currently still researching these things to see what the functions really do. If I find anything interesting I'm pretty sure there'll be another blog post.
Meantime, I started to examine the other devices connected to my home network; for example, my Dreambox: it still had the default username and password, which was also the administrative root account on the device! The device runs Linux, which would be an easy target for an attacker. Most of the other devices were pretty secure but an entire audit of these kinds of devices would be difficult because you need to find alternative ways to determine if an attack was successful or not since you don't have full access to most of the devices.
After a few days of poking around I still hadn't found anything that would cover the three scenarios – nothing really worth mentioning. The research project was also quite difficult to perform because I was auditing my personal devices, and I didn't want to break anything. I had naturally paid for all these devices out of my own pocket!
I had to take a different approach and at this point I had to get creative. I had to play with the idea that I'm the attacker, and I've already compromised the two network storage devices, and so what can I do next?' My first thought was to see if I could do something with the media players (smart TV and DVD player) because they're most likely reading information from the storage devices (which I'd already compromised). At this point I was researching potential code execution vulnerabilities with the smart TV and DVD player, but due to the high price I paid for the devices I wasn't able to investigate this further. It wasn't only a question of the wasted money if I were to break my brand new LED smart TV, but also I had no idea of how I would explain my wrecking the telly to the kids; how were they going to watch Scooby Doo?
I decided to stop researching them, and spent some time contacting the different vendors to see if the vulnerabilities were actually exploitable and work together with the vendors to verify these potential security issues. It's much easier for them to do it since they have access to the source code and can confirm if the vulnerability is valid or not much quicker (and I guess they don't really care of they break any devices).
At first I had some trouble contacting these vendors because on the websites there's little useful contact information for the engineers or C-level people who would be able to help me get through to the appropriate people. After some lurking around and asking people in my professional network I was finally able to get in contact with the people I needed and they were very grateful for the information I could share regarding the vulnerabilities and research approaches.
We are now trying to identify if we would be able to transform the smart TV and DVD/Blu-ray player into the same type of stepping stone and backdoor as the compromised storage devices. More information will be shared on this topic later since this research project is ongoing.
For the most of my life I was a total security junkie, doing everything from working as a penetration tester to a public speaker and adviser for law enforcement agencies. IT security is really one of my biggest passions in life, but for the last few years I seem to have reached a point in my life where I'm actually quite tired of reading the same security bulletins year after year. It's time we start doing something about the problems, and one thing we can do is start talking about security threats that are relevant, and also in a language that will make everyone understand them. We as security experts need to take more responsibility and talk about threats that are relevant today – threats that affect you and me. We also need to come up with smart and simple suggestions, conclusions and solutions on how to mitigate those threats by using the software and technology that we already have.
I've always been fascinated by new vulnerabilities and exploitation techniques, but to be honest, what good does it do only releasing vulnerability information when we're not making people understand the bigger picture. We think that IT security is all about software vulnerabilities and I know that half of this post is only talking about vulnerabilities, but the goal with this research is not to brag about all the undiscovered vulnerabilities I found, or that there are big security problems in the home entertainment product line. There will always be vulnerabilities, and we need to understand that; however, by understanding I don't mean accepting. What I mean is that we need to actually do something about it; we need to know what the impact is and assume that our devices can be, or are already, compromised. We need to start assuming that products are vulnerable and that attackers can and will gain access to them.
I would like to conclude this research by saying that we as individuals and also companies need to understand the risks with network devices. We also need to understand that our information is not secure just because we have a strong password or are running some protection against malicious code. We also need to understand that there are so many things that we do not have control over, and that we are largely in the hands of the software and hardware vendors. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device considered to be secure – a device we trust and on which we store all the information we don't want stolen.
I remember when I proposed this research to my boss; he asked me what I thought the outcome would be. I was not developing new security solutions for home entertainment devices; I was only identifying security problems, so the only answer I could give him was that I wanted to conduct this research to make people aware that there is a problem, and that we as individuals need to try and improve our personal security in different ways to how it was done in the past; we need to change our mindset and the whole game!
I would also like to give some feedback to all the vendors out there: we need to come up with a better way to support and secure your products. It's not really acceptable that a product is considered as discontinued after only 12 months; it's not okay to have one character passwords; and it's not okay to think of these devices just as 'entertainment' devices. It's not okay to have a readable configuration file containing all user credentials – especially on a network storage device.
We need to come up with alternative solutions that can help individuals and companies improve their security. This is not a problem you simply can fix by installing a product or security patch; therefore, I would like to end this post by saying that even though the home entertainment industry might not be focused on security, we at KL do, and with just a few simple tips I think we can raise the security level a little bit higher. Hopefully some of the vendors will read this research and improve their software security; but until then, here are some simple tips from my side:
- Make sure all your devices are up to date with all the latest security and firmware updates. This is a problem for a lot of home business and entertainment devices, but it is still the best thing you can do to avoiding being at the mercy of known vulnerabilities. It also gives you an indication of whether the devices have any updates at all to install, or if it's considered to be a 'dead' product.
- Make sure that the default username and password are changed; this is the first thing an attacker will try when attempting to compromise your device. Remember that even if it's a 'stupid' product such as a satellite receiver or a network hard drive, the administrative interfaces are often vulnerable to serious vulnerabilities.
- Use encryption, even on the files you store in your network storage device. If you do not have access to an encryption tool, you can simply put your files in a password-protected ZIP file; it's still better than not doing anything at all.
- Most home routers and switches have the possibility to set up several different DMZ/VLAN. This means that you can setup your own 'private' network for your network devices, which will restrict network access to and from this device.
- Use common sense and understand that everything can be hacked, even your hardware devices.
- If you're really paranoid you can always monitor the outbound network traffic from these devices to see if there's anything strange going on, but this does require some technical knowledge. Another good tip is to restrict network devices from accessing sites they're not supposed to access, and only allow them to pull updates and nothing else.
Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling "Machete".What is "Machete"?
"Machete" is a targeted attack campaign with Spanish speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may be still "active".
The malware is capable of the following cyber-espionage operations:
- Logging keystrokes
- Capturing audio from the computer's microphone
- Capturing screenshots
- Capturing geolocation data
- Taking photos from the computer's web camera
- Copying files to a remote server
- Copying files to a special USB device if inserted
- Hijjacking the clipboard and capturing information from the target machine
Most of the victims are located in, Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain, among others. In some cases, such as Russia, the target appears to be an embassy from one of the countries of this list.
Targets include high-level profiles, including intelligence services, military, embassies and government institutions.How does "Machete" operate?
The malware is distributed via social engineering techniques, which includes spear-phishing emails and infections via Web by a fake Blog website. We have found no evidence of of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.
During this investigation, we also discovered many other the files installing this cyber-espionage tool in what appears to be a dedicated a spear phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened. These are the names of the PowerPoint attachments:
- Hermosa XXX.pps.rar
- El arte de la guerra.rar
- Hot brazilian XXX.rar
These files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.
A consequence of the embedded Python code inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3MB.
Here are some screnshots of the mentioned files:
A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. This is very unusual and does not have any advantage for the attackers except ease of coding. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.
Both attackers and victims speak Spanish natively, as we see it consistently in the source code of the client side and in the Python code.Indicators of Compromise Web infections
The following code snippets were found into the HTML of websites used to infect victims:
Note: Thanks to Tyler Hudak from Korelogic who noticed that the above HTML is copy pasted from SET, The Social Engineering Toolkit.
Also the following link to one known infection artifact:
The following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)
Creates the file Java Update.lnk pointing to appdata/Jre6/java.exe
Malware is installed in appdata/ MicroDes/
Running processes Creates Task Microsoft_upHuman part of "Machete" Language
The first evidence is the language used, both for the victims and attackers, is Spanish.
The victims are all Spanish speaking according to the filenames of the stolen documents.
The language is also Spanish for the operators of the campaign, we can find all the server side code written in this language: reportes, ingresar, peso, etc.Conclusion
The "Machete" discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks became a part of the cyber arsenal of many nations located over the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.
Kaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.
Note: A full analysis of the Machete attacks is available to the Kaspersky Intelligent Services customers. Contact: firstname.lastname@example.org
In recent times we've been seeing a lot of file-encrypting ransomware activity.
One of the new ones we've seen pop up in the last couple weeks is called ZeroLocker. There's indication the C&C configuration contains some errors which would prevent successful decryption. This is why we urge people not to pay up even more so than normal.
So far we've observed a limited amount of detections through our Kaspersky Security Network. The actors behind ZeroLocker are initially asking $300 worth of BTC for decrypting the files. This goes up to $500 and $1000 as time passes:
ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system, rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words "Windows", "WINDOWS", "Program Files", "ZeroLocker" or "Desktop". The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe.
Though there's a Bitcoin wallet hardcoded inside the binary the malware tries to fetch a new wallet address from the C&C. This is most likely done to make it more difficult to trace how successful the operation is and where the money goes.
We've gathered several Bitcoin wallet addresses and at the time of writing none had any transactions associated with them. As the C&C server is providing the Bitcoin wallet information it's possible the attackers are able to use a unique wallet for each victim.
The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible. After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.
Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information. That means victims who pay up may likely not see their files restored.
Several other URLs that the malware tries to get result in 404s as well, which indicates this particular operation may still be in its infancy. When those errors are fixed we may see ZeroLocker deployed on a larger scale. These operations rely on people paying up. Don't do it. Make sure you have backups instead.
We detect current ZeroLocker samples as Trojan-Ransom.MSIL.Agent.uh.
The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.
The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.
The full report detailing the attacks and related activities can be found here.A glance at what was discovered
The number of attacks and malicious files being distributed is constantly increasing as the attackers become more organized and proficient. The samples are all based on Remote Administration Trojan Tools (RATs)
The number of malicious files found: 110
The number of domains linked to the attacks: 20
The number of IP addresses linked to the attacks: 47
Masquerading as a reportedly "Government leaked program" that has the names of all wanted people in Syria, the National Security Program conceals a full featured RAT client to steal all sorts of information under one of its buttons.
برنامج الأمن الوطني.exe (The national security program)Using shockingly disturbing videos to distribute malware
A disturbing video showing injured victims of recent bombings was used on YouTube to appeal to people's fear and prompt them to download a malicious application available on a public file sharing website. After initial analysis, the file named "فضائح.exe" (Scandals.exe) proved to be heavily obfuscated with the commercial utility "MaxToCode" for .NET in order to avoid early detection by antivirus solutions.
If you thought the era of fake antiviruses was over, here comes this newly developed Syrian sample to challenge your beliefs. With the innocent title of "Ammazon Internet Security", this malicious application tries to mimic a security scanner, even including a quite thorough graphical user interface and some interactive functionality.
Total Network Monitor (which is a legitimate application) is inside another sample found, being used with embedded malware for spying purposes. Offering security applications to protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs.
It's also the case with other samples, where social engineering does all the heavy work. Instant messaging applications for desktop operating systems have been used in the past to spread malware and it seems Syrian malware authors have jumped on the bandwagon.
Another of the attacks using social engineering tricks, the sample named Kimawi.exe (Arabic for Chemicals) with a JPG icon, is a RAT file bound to the image Kimawi.jpg. The picture is a previously leaked paper supposedly from the regime in Syria warning military units to prepare for Chemical Attacks. The file is being sent by email to selected victims.
The threat actors are becoming more organized, the number of attacks is increasing and the samples being used are becoming more sophisticated, while also relying extensively on powerful social engineering tricks that many people fall for.Where are the victims and the attackers?
The victims infected when accessing the hacked forums and social networking sites tend to be ordinary users or activistshey were, or specific targets if they receive the malware via email, Skype, or messages on social networking sites.
The victims are also located outside Syria. We have seen victims of Syrian-based malware in:
- Saudi Arabia
- United Arab Emirates
- United States
The attackers' command and control centers were tracked to IP addresses in Syria, Russia, Lebanon, the US and Brazil.How many have fallen victim?
We believe the number of victims exceeds 10,000, with some of the files being downloaded more than 2000 times.
The attackers' malware samples and variations have increased dramatically from only a few in Q1 2013 to around 40 in Q2 2014.What is the impact on victims?
Remote Administration Trojans tools are used to fully compromise the system on victim devices. RATs are capable of stealing user credentials in addition to activating camera and microphone functionalities...Are users protected?
Kaspersky detects and blocks all the samples that have been found. They are detected as follows:
More details and analysis of the attacks and malware samples can be found in the full report here.
- The Internet is Back in Syria and So is Malware Targeting Syrian Activists
- A Call to Harm: New Malware Attacks Target the Syrian Opposition
- Syrian Activists Targeted with BlackShades Spy Software
- How to Find and Protect Yourself Against the Pro-Syrian-Government Malware on Your Computer
- Fake YouTube Site Targets Syrian Activists With Malware
- Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns
I'm sure you've read or heard about the malware attacking boletos – the popular Brazilian payment system – and how lots of malicious code is able to modify it, redirecting the amount paid to an account owned by criminals. Despite the fact that some numbers were overestimated by some companies and media outlets, these attacks are of particular interest and the Brazilian bad guys are quickly developing and adopting new techniques. Trust me: everything you read about boleto malware was only the tip of the iceberg; our complete research into this topic will be presented at the next Virus Bulletin conference.
The boleto malware campaigns combine several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB. It's no coincidence that a very similar technique was used by ZeuS GameOver some months ago, but this time the files are using extensions such as .BCK and .JMP, instead of .ENC.
We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one affecting boletos payments in Brazil.
A typical Brazilian boleto: using web-injection to change the numbers in the ID field is enough to redirect the payment
In February, security expert Gary Warner wrote about a new version of ZeuS campaign that downloads some strange and non-executable .ENC files to the infected machine. Our colleagues at CrySys did a very detailed analysis showing how this is an effective technique for passing through your firewall, webfilters, network intrusion detection systems and many other defenses you may have in place, as a tiny Trojan downloads these encrypted (.ENC) files and decrypts them to complete the infection.
Brazilian cybercriminals decided to use the .JMP extension in files encrypted in the same way, and downloaded by several small Trojans used in boletos and Trojan banker campaigns. This is what an encrypted file looks in the beginning:
After removing the encryption we can see it as a normal PE executable:
The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload and make it undetectable, so that it's not recognized as a normal portable executable.
Other files of interest are those with .BCK extensions – they are packed with an as yet unknown application that appears to be a commercial backup app. Just checking the head of the encrypted file is enough to see what's inside - in this case it is a malicious CPL file used in the boletos campaigns:
"refazboleto" is Portuguese for "rebuild boleto". It points to a CPL file
Our antivirus engines are prepared to unpack and detect .JMP and .BCK files like these. These facts show how Brazilian cybercriminals are adopting new techniques as a result of the collaboration with their European counterparts.
Thanks to my colleague Alexander Liskin for help with the analysis.
The second Tuesday of the month is here along with Microsoft's August security updates, and with it brings interesting updates of OneNote and Internet Explorer. The full list is nine security bulletins long.
OneNote has been a part of Microsoft's drive into mobile and cloud technologies, away from traditional Wintel computing, providing Office-integrated note-taking multi-user collaborative functionality across tablets and mobile devices. I noticed a bunch of Blackhat attendees using this software. While the vulnerability is limited to all versions of Microsoft OneNote 2007,, and there have been a couple of releases since, I believe that this vulnerability is the first RCE enabled by a component exclusively delivered with the OneNote software. In this case, it is the file parser that reads onenote (.ONE) files that enables remote code execution attacks. This software package now is available for Windows, Mac, Windows RT, Windows Phone, iOS, Android and Symbian, but the vulnerable OneNote code appears to be available only for TabletPCs and the Windows platform. cve-2014-2815 was privately reported to Microsoft.
Another big Bulletin pushed today for Internet Explorer addresses 25 critical RCE vulnerabilities(!) across IE 6 - 11 on Windows clients Vista through 8.1, all memory corruption issues. The browsers on related server installs are rated moderate. Some of these vulnerabilities have been actively exploited ItW, so it is an urgent update issue.
And Adobe released their own patch separately from the Microsoft update process to fix an extraordinary sandbox vulnerability abused by APT that we reported a while back. Be sure to check out those details. It effects fairly recent versions of Reader sandboxes.
Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.
This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.
At the moment, we are not providing any details on these attacks as the investigation is still ongoing. Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.
You can grab the Adobe Reader updates here.
On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients' consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. As well as asking for permission, these emails also contained offers links to lotteries.
Some companies actually used the law as an excuse to collect subscribers' addresses. We came across requests asking users for permission to send them mass mailings even in the addresses of traps that have never been signed up to any mailing lists. Moreover, many of the users who received these sorts of request marked them as spam.
This flow of requests shows that many Canadian mass mailing distributors have never thought about the wishes of users before, but have just sent out their messages to the addresses on their lists.
There are two general views of the new law. On the one hand, an anti-spam law in yet another country will undoubtedly help the fight against spam. On the other hand, legitimate Canadian businesses that use mass mailing fear they may now be regarded as illegal. Microsoft first decided to stop sending out all its security news, but changed its mind a few days later, which is not all that surprising: despite the severity of the law, CASL includes a number of exceptions, and Microsoft's mass mailings don't fall under its jurisdiction. Among the CASL exceptions are mass mailings with various information about a product or service that the user has purchased from a company; mailings aimed at collecting donations; non-commercial mailings, etc.Playing the market again!
In Q2 2014, we saw a new wave of spam advertising offers to buy stock in small companies. This is a well-known form of stock fraud called 'pump and dump'. The peak of this type of spam was registered in 2006-2007, although fraudsters continue to use it.
Pump-and-dump spam is a form of stock market fraud where spammers buy shares in small companies, artificially inflate the prices by spreading information they were allegedly going to significantly increase in value in the near future and then sell the shares at a higher price.
Interestingly, in addition to these well-known fraudulent tricks, the scammers also applied some time-tested methods to bypass filtering:
- A random set of sentences inserted at the end of each email that use a color close to that of the background (mailings included random sentences from Wikipedia);
- Image spam: the main information is contained in a picture; the color, the text size, the font, the background color and angle of the picture vary from email to email in the mailing.
Image spam was also popular in 2006-2007, and then virtually disappeared, as anti-spam vendors developed graphical analyzers and learned to successfully block these sorts of emails. Also, because of excessive 'background noise', this spam is unlikely to attract many users. These 'stock market' mailings appear to spread in huge volumes: spammers send out hundreds of millions of emails hoping for a minimal response.Spam and the World Cup
In the first quarter of 2014, the Winter Olympics was the most popular sporting theme for spammers while in Q2 they switched their attention to the FIFA World Cup. You can get more information about phishing and malware attacks that used the World Cup theme from our blog. Apart from dangerous emails, there were messages offering hotel bookings and tickets to the matches as well as adverts for World Cup-related souvenirs and messages inviting bets on the results.
As is usual in such cases, the theme of the World Cup was exploited in spam that had no direct connection to the event. For example, one resourceful German used the theme to advertise Viagra.
"Remain the champion in your bedroom after the World Cup is over," states the advert above.Sent from iPhone: mobile-themed email
To continue the theme of integration between email spam and mobile devices, we should note that in the second quarter of 2014 mass mailings imitating messages sent from iPad and iPhone were particularly popular. The range of emails was quite diverse – from pharmaceutical offers to messages with malicious attachments. All of them contained the same line in the body of the message: 'Sent from iPhone/iPad'.
In the first example, the link, following several redirects, opened a site advertising medication to enhance male potency; the second attachment contained a malicious program detected by Kaspersky Lab as Trojan-PSW.Win32.Tepfer.tmyd.
The mailings were most likely sent by different groups of spammers as the technical headers (such as Data, X-Mailer, Message-ID) were very different. For example, in some emails the headers were written carelessly while in the others the fields were empty. The only thing they had in common with real messages sent from the iOS-based devices was the phrase in the body of the message. In other emails the headers were not just accurate, they were imitations of the headers used by the real Apple mail client:
X-Mailer: iPhone Mail (9B206)
However, on closer examination, the headers only looked like the real thing (in terms of the number of symbols and the location of hyphens). The fact is that real messages sent from iOS mobile devices use hex code to record Message-ID. The hexadecimal format includes numbers from 0 to 9 and the letters ABCDEF, which means there can be nothing else apart from these numbers and letters in the Message-ID. The fake emails just contained a random set of letters and numbers.Redirects
To bypass filtering, criminals often try to hide the address of the site the user is prompted to visit. There are many ways to hide spam links. One of the most widespread is when the links in emails lead to compromised sites from which the user is redirected to the target site. This site may contain an advertisement and/or malicious code. Usually, compromised sites are included in the system redirects simply because cybercriminals can hack them, but sometimes the fraudsters intentionally seek them out. For example, we came across a mass mailing which redirected the user to an advertisement for pharmaceuticals via a compromised site. Moreover, the sites that had been compromised were actually pharmaceutical sites (rxpharmacy *****. com). Cybercriminals use such targeting to make the link appear as genuine as possible to the user.
In addition, we have recently come across a lot of hacked sites belonging to religious societies. It is unlikely they were targeted or subjected to social engineering deliberately – they were probably just poorly protected.Malicious attachments in email
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website where a user has to enter his personal data which is then forwarded to cybercriminals. Noticeably, the percentage of this malicious program decreased by 1.67 percentage points from the previous quarter.
Trojan-Banker.Win32.ChePro.ilc. ended the quarter in second position. This banking Trojan mainly targets online customers of Brazilian and Portuguese banks.
For the first time in a while, exploits made it into the Top 10, with one (Exploit.JS.CVE-2010-0188.f) coming straight in at third place. Exploits in email are especially dangerous as they are created in the form of harmless documents rather than executable files. This particular exploit appears in the form of a PDF file and uses a vulnerability in version 9.3 and lower of Adobe Reader. This vulnerability has been known for a long time and poses no danger to users who update their software regularly. However, if the Adobe version is old, the exploit downloads and runs the executable file detected by Kaspersky Lab as Trojan-Dropper.Win32.Agent.lcqs. The dropper installs and runs a java script (Backdoor.JS.Agent.h) which collects information about the system, sends it to the attackers' server and receives various commands in return from the server. The commands and the results of their execution are transmitted in an encrypted form.
In Q2 2014, representatives of the Bublik family occupied fourth, sixth, seventh and eighth places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. These Trojans appear in the form of the .EXE files, although they imitate Adobe documents with the help of an icon. They often download the notorious ZeuS/Zbot to users' computers.
The Email-Worm.Win32.Bagle.gt ranked fifth in Q2. The main functionality of this type of worm is to harvest the email addresses from compromised computers. The Bagle family worm can also receive remote commands to install other malware on the infected computer.
Yet another exploit – Exploit.Win32.CVE-2012-0158.j – ended the quarter in ninth place. It was designed to look like a Microsoft Word document and exploits a vulnerability in the mscomctl.ocx code in Microsoft Office. Its activity results in the installation and launch of malicious programs on the user computer.
The Top 10 in Q2 was rounded off by Trojan-Spy.Win32.Zbot.sivm from the Zbot family. Zbot is a family of Trojans that can execute different malicious operations (their functionality is updated over time) but most often they are used to steal banking information. Zbot can also install CryptoLocker, a malicious program that demands money to decrypt user data.
With regards to the most popular malware families rather than individual modifications, the distribution in Q2 was slightly different:
Bublik (which often downloads other malware, specifically the Zbot family of Trojans), as well as Zbot itself, are far ahead of their competitors in the rating. These two malware families account for over a third of all email antivirus detections. This is because the majority of malware is used to steal money and Zeus/Zbot is one of the most popular and widely available of these programs.
The Androm family is in third place. The Andromeda family of malware consists of backdoors that allow cybercriminals to secretly control a compromised computer. Machines infected by these programs often become parts of botnets.Targets of malicious mass mailings by country
The TOP 20 countries with the highest number of antivirus detections saw some change from the first quarter of 2014. The percentage of malicious spam targeting users in the US decreased slightly (-3.5 pp). However, this was enough to see it drop from first to third place, allowing the UK and Germany to take the lead. Among the other significant changes was the 2.5 times increase in the proportion of malicious spam sent to Brazil which moved this country up from 15th to fifth place. This was due to the ChePro family banker: over 80% of instances of this malicious program were sent to Brazilian users.Special features of malicious spam
Cybercriminals often mask spam with malicious attachments in emails from well-known organizations – delivery services, stores, social networks. However, as a rule, all such mass mailings imitate emails regularly received by users (bills, delivery status notifications, etc.). In Q2, we registered a more creative mass mailing supposedly sent by Starbucks coffee house chain that made use of a social engineering technique.
The message claimed that one of the recipient's friends, who requested anonymity, had allegedly made an order at for him at Starbucks. To view the menu, find out the address and the exact time that the order was available, the recipient had to open the attachment, an executable that the cybercriminals hadn't even bothered to mask.Statistics The proportion of spam in email traffic
The percentage of spam in all email traffic during the second quarter the year came to 68.6%, up 2.2 pp from the previous quarter. A peak was reached in April and since then the share of unwanted messages in email traffic has been falling gradually.Sources of spam by country
Previously our statistical data on the sources of spam by country was based on information received from spam traps in different countries. However, the spam from the traps differs from the spam received by ordinary users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source, and now with KSN (Kaspersky Security Network) we compile statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous quarter would be incorrect.
The US tops the rating of the most popular spam sources, accounting for 13.4% of junk mail sent worldwide. This is not surprising since the US is the country with the largest number of Internet users. Even with high user awareness about the dangers of the Internet, not everyone can avoid an infection on their computer, which can result in the machine becoming part of a botnet that spreads spam.
The distribution of other spam sources by country is quite uniform. This makes sense in that botnets are distributed throughout the world, meaning there are infected computers in almost every country.
Russia came second having accounted for 6% of world spam. Vietnam is in third place (5%).
According to our statistics, in many countries a significant amount of incoming junk mail is "domestic spam", i.e. it originates and is addressed to users in one country. In Q2, 18% of spam sent to Russian users originated in Russia. In the US "domestic spam" accounted for 27.2% of the country's junk mail. The same trend can be seen in other large countries from which a significant share of the world spam is sent. In smaller countries, spam mostly comes from abroad.The size of spam emails
The distribution of spam emails by size was almost identical to that in the previous quarter. Small spam emails weighing in at under 1 KB are by far the most common – they are easier and quicker to send.
In Q2 we registered some decline in the proportion of 2-5 KB emails (-2.7 pp) and a small growth in 5-10 KB emails. This might be due to the increase in the share of image spam: firstly, there were lots of mass mailings of stock market fraud containing pictures (see above) and secondly, Russian-language spam of the "How to lose weight" and "Fake designer goods" categories also included a lot of images.Phishing
In Q2 2014, Kaspersky Lab's anti-phishing component registered 60,090,173 detections. Phishers attacked users in Brazil most often: at least once during the quarter the Anti-Phishing component of the system was activated on computers the of 23.2% of Brazilian users.
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:Country % of attacked users 1 Brazil 23.2% 2 India 19.2% 3 Puerto Rico 18.6% 4 Japan 17.1% 5 France 17.0% 6 Armenia 16.8% 7 Dominican Republic 16.2% 8 Russia 16.1% 9 Australia 16.1% 10 UK 15.8%
Brazil only entered the Top 10 in 2014. The increase in phisher activity targeting Brazilian users may be down to the World Cup being held in the country.Targets of attacks by organization
The statistics on phishing targets is based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.
In our previous reports we referred to the TOP 100 organizations when analyzing the most attractive targets for phishing attacks. In Q2, we analyzed the statistics for all attacked organizations.
During attacks on organizations from the Banks, E-pay systems, and Online stores and e-auctions categories the attackers were interested in users' personal information in order to gain access to their e-accounts. As a result, we have merged these three categories into one - Online finances.
Below is a similar chart for the previous quarter:
As in Q1 2014, in the second quarter the Global Internet portals category tops the rating of organizations most often attacked by phishers: its share dropping by just 1.7 pp. This category incorporates portals that combine many services including search and email services. The data stolen from such portal allows fraudsters to access all their services. Most often the phishers imitate the authorization pages of email services.
* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers
Financial phishing accounted for 24.84% of all attacks, a 1.8 pp growth compared with the previous quarter. The percentage of detections on Banks and Online stores increased by 0.93 and 0.85 pp respectively.
Social networks remained in third.
* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers
In the first quarter, Facebook accounted for 79.5% of the total number of user attempts to click on links leading to fake social networking sites. In Q2, the number of phishing attacks on Facebook users decreased significantly (-23.54 pp) while the percentage of user attempts to visit fake pages on the Russian social networks Odnoklassniki (Classmates) (+18.7 pp) and VKontakte (+10.68 pp) rose sharply.Top 3 most organizations most frequently targeted by phishers Organization % phishing links 1 Yahoo! 30.96% 2 Google Inc 8.68% 3 Facebook 8.1%
In Q2 2014, the share of phishing links to the pages of Yahoo! services reached 30.96% of all attacks.
Yahoo! topped the rating of the most popular phisher targets in the first quarter of 2014 with 31.94% of all attacks after a sharp increase in the number of such fraudulent links in early January.
In the second quarter there were no peaks in the detection of phishing links to fake Yahoo! pages
In January of this year in its blog, Yahoo! announced the introduction of HTTPS by default for its email service. This security measure, in addition to protecting the transmitted data can help fight phishers: now, in the event of a phishing attack when the domain name in the address bar remains unchanged (for example, the DNS server is substituted), the absence of a secure connection icon in the address bar should alert the user. However, the absence of a secure connection is just one sign of a phishing page, while its presence does not guarantee the site authenticity.
In Q2, Google (8.68%) became the second most popular phishing target outstripping Facebook. Previously, phishers used to imitate the entry page of the Gmail service while now they have switched to the authentication page common to all Google services. This is a highly attractive target for phishers - "One account. All of Google."
In the second quarter of 2014 we came across a very interesting example demonstrating the appetite of phishers who are obviously not satisfied with just targeting Google:
This phishing page imitating the authentication page for all Google accounts provides the owners of AOL, Hotmail and Yahoo email accounts with the option of choosing passwords.
Last year's leader, Facebook, dropped one place and settled in third in the rating of Anti-Phishing component detections (8.02%). The percentage of phishing attacks targeting users of social networks lags far behind that of the visitors to global Internet portals, but the former is still of interest for phishers on the hunt for users' accounts worldwide.Hot topics in phishing
The main "seasonal" theme for phishers was the FIFA World Cup.
Fraudsters exploited the football theme until the end of the World Cup. The first football-related mass mailings emerged in early 2014 and then appeared regularly throughout the first half of the year. Typically, the phishers imitated messages from well-known organizations (mainly FIFA) and asked the user to follow a link to a site offering the chance to win a valuable prize. The prize, like the example above, was usually tickets to a World Cup match. The user had to enter his personal information including his credit card details, i.e. information that is especially interesting for the scammers.
Additionally, in Q2 phishers turned their attention to the popular fast-food restaurant McDonald's. In April, the attackers tried to lure card data from Portuguese-speaking users. The fake email informed the recipient of the chance to win 150 euros from McDonald's. To do this, he had to follow the link in the email and participate in the survey. The phishing page which opened once the user clicked the link suggested he answer a few questions and enter his credit card data for the alleged money transfer. This was exactly what the criminals were after – many unsuspecting users send their personal information to third parties without being aware of the fraudsters' plans.
Noticeably, the fraudulent email was written in Portuguese and most likely addressed to residents in Brazil and Portugal while the text of the survey was in English, which is quite typical for this type of "survey".Conclusion
In the second quarter of 2014 we came across a lot of mailings from various Canadian organizations willing to get users' agreement to receive mass mailings before the new anti-spammer law comes into force there. In a bid to attract new users, the companies sent out the requests to email addresses on lists that included many that were not already among the recipients of their mailings. Nevertheless, the law has begun to yield some favorable results even before it comes into force.
One of the most popular spam themes in Q2 was the stock market spam used in fraudulent "pump and dump" schemes. Interestingly, the distributors of this time-tested theme tried to bypass filtering using some well-known methods – image spam and "white text".
The mobile theme in spam continued with fake notifications sent from iOS-based devices. Most imitations did not take into consideration the details and specifics of this operating system, meaning these mailings were easily detected.
In Q2 2014, Fraud.gen remained the most popular malicious program distributed via mail. This malicious program was designed to steal users' banking data. Second came Brazilian banking Trojan ChePro. Among the most popular malware families were Bublik and Zeus/Zbot. Interestingly, after a long break the TOP 10 welcomed back two exploits, one of which went straight in at third place.
The World Cup theme was actively exploited both for advertising goods and for malicious and phishing spam. The percentage of malicious spam sent to Brazil in Q2 increased 2.5 times compared with the previous quarter (mainly due to the Trojan Banker family ChePro). Brazil also came first in the rating of countries most often attacked by phishers. The Global Internet portals category took the lead among the organizations most frequently targeted in phishing attacks.
According to KSN statistics, the US topped the list of the most popular spam sources by country. Russia was second followed by Vietnam. Interestingly, in many large countries a significant portion of spam received by their users originated from their own territories.
This years DefCon just ended and thousands of hackers, security professionals and other visitors heading back home. This years schedule was again a good mix of talks, but which to attend is not that easy due to the mass of visitors. That's why the organizers will move again next year to a different location, in order to deal with the growth of participants and events happening.
Five main tracks of talks, skytalks, contests and areas for different interests fills participation schedule for three days easily. Some talks got lots of attention as the experiment by Gene Bransfield, who utilized a cat to map WiFis in the neighborhood, named "Warkitteh". Hacking airplanes let one quick think of horror scenarios, but, as Phil Polstra stated, it's not possible to override the pilot. But also attacks on Mainframes were discussed. Mainframes are special systems, mainly used in enterprise and government segement. Several talks focused on hacking connected devices, reflecting the general IoT (Internet of Things) trend.
This years DefCon-Badge was again an electronic one, open for hacking and modifying. This ranked from basic to advanced LED/Light-extensions to Quadcopter mounting.
This year's BlackHat had a particularly wide range of topics. A more diverse range of topics means that more targets are under attack. This should come as no surprise.
On the one hand companies like Microsoft and Google have hardened their software against easy vulnerability exploitation.
On the other hand we're seeing a plethora of new (types of) devices getting equipped with network connectivity. Those devices come with limited or no built-in security.
This focus on embedded devices is also reflected in the amount of research done on the embedded devices within our phones and personal computers. There was a demonstration of a practical attack against smartphone baseband processors over the OMA DM protocol. The lack of built-in security, or the ability to easily add security controls, again demonstrates this major weakness in today's defense capabilities.
My colleague Vitaly Kamluk demonstrated, together with Anibal Sacco from Cubica Labs, how Computrace, popular low-jacking software, can be leveraged by attackers to perform remote code execution. Short of disabling the feature, which sometimes isn't even possible, there's no easy mitigation.
We're increasingly relying on more technology that can only be somewhat reliably protected by turning it off. This is not a sustainable path. While I appreciate that our personal operating systems appear to be getting safer, I'm rather pessimistic for the post-PC world.
Blackhat2014 USA was held at the Mandalay Bay, Las Vegas, after being held at Caesar's for the past 15 years or so. While the location wasn't central like Caesar's, the hotel was more spacious, easier to navigate, cleaner, and generally an improvement.
Jeff Moss inspired the Blackhat 2014 crowd with his introduction, and suggested that we are in a bubble that will pass. The cybersecurity crowd not only is finally taken seriously, but has never been more relevant, and is close to its peak of relevance. Access control manufacturers, medical device makers, automotive producers like Tesla, all of these enterprises are now not only listening. They are baking security better into their production processes, and this is good. We have made some progress. But with this relevance, when we look back, what can we say we contributed?
Dan Geer's rich keynote wound through a long list of policy proposals for a set of current cybersecurity challenges. Although I can't agree with everything he says, he is one of my favorite thinker-speaker-writers in the space and I find myself seeking out his talks. Interesting topics included mandatory reporting on cybersecurity failures on a national level, strikeback, resiliency, and the right to be forgotten. There were more. Many more. A text version of "Cybersecurity as Realpolitik" is online, and I recommend setting aside a block of time for dense, thoughtful material like this.
Dan supports mandatory reporting for breaches as laid out in "Surviving on a Diet of Poisoned Fruit", and real support for a cybersecurity failure reporting regime. He laid out current precedent in relevant law requiring reporting for other subject matter, and basic examples of why it would work. The CDC's communicable disease reporting and Mitre's anonymized near-miss aviation reporting center are strong examples of systems where self reporting on sensitive events, communicable disease and airline flight near misses, is both working and beneficial. He made the strong case that such a collection of cybersecurity data can be practical and is highly valuable, and it is time for national government or quasi-governmental entities to support transparent, anonymous collections.
The legitimacy of defensive strikeback is something that Dan dismissed onstage for strange reasons, but his text version gives it a LIMITED YES. He claimed that while Microsft and the Fbi are pulling off examples of successful strikeback activity, smaller organizations do not have the means to properly perform a strikeback effort. This is strange because small businesses can pool resources when they are under attack, co-ops and other pooling structures can help solve that problem. The US Chamber of Commerce, for example, is an incredibly powerful organization partly acting on behalf of small businesses pooling resources to get things done. The Chamber is incredibly powerful in the US, and small businesses benefit in some ways from some of those efforts (and perhaps suffer from some of them as well). And he didn't address the idea that strikeback doesn't need to be messy, extremely destructive, or sustained to put a quick end to a variety of attacks. But remotely stopping a large scale DDoS attack launched from compromised servers does not necessarily require attribution, and certainly does not require very messy or destructive solutions. They can be precise, and attribution is often possible. Everyone makes mistakes. He mentioned that difficulty in attribution compounds the problem. The bigger issue here is that these events cross multiple jurisdictions, definitions of law, and law enforcement organizations. And for some activity that would be otherwise criminal in different parts of the world, there is little if any enforcement.
Dan's take on the right to be forgotten brings out some unsettling Foucaltian subject matter, "I've spoken elsewhere about how we are all intelligence agents now, collecting on each other on behalf of various overlords" and that he wants to maintain some rights in the digital world to defend privacy, "I want to choose whether to misrepresent myself". But it's refreshing to hear a thought leader describe his desire and right to hop out of the digital panopticon.
Kaspersky Lab's Vitaly Kamluk, Sergey Belov, and Cubica's Anibal Sacco presented on "Absolute Backdoor Revisted", a surprising update on the state of security for a widely deployed low level utility. They presented a set of unusual behaviors implemented by this software that I rarely see exhibited by legitimate software but very frequently by malware. And then they abused it in multiple live demos, remotely wiping a brand new Windows 8 x64 laptop just out of the box via Absolute Computrace vulnerabilities.
Several years would seem to be ample opportunity to fix severe problems in update mechanisms, and it seems that the work has recently begun in response to the research review.
Web services came under serious attack this year. "Pivoting in Amazon Clouds" from Andres Riancho was interesting in light of the recent attacks on Elasticsearch sites abused in the Amazon cloud, demonstrating post-exploitation issues that enable attackers to further burrow into the cloud. He released a nice Nimbostratus tool and Hacme environment that aided his past penetration tests and EC2 security issue understanding. And Mobile Device Management systems were demonstrated to be chock full of web application problems with SQLi, poorly chosen crypto and encoding schemes, and poorly designed custom authentication schemes briefly put on the screen by Stephen Breen in "Mobile Device Mismanagement".
Promises to marry a potential groom if he covers his bride-to-be's travel expenses to his hometown are a fairly common feature of fraudulent spam. Less common are more 'noble' offers of help, though even these charitable offers usually come at a price.
In a recent mailing, a resident from the Ukrainian city of Odessa expressed his wish to become an organ donor, but for a considerable fee. In the email, he provided an overview of his current state of health – "good, not perfect" – his biometric data (height – 1.74 m, weight - 63 kg) and even his blood type. The price for which he was willing to sell a kidney or his liver was not specified; the main condition was that the operation had to be done in a European clinic.
It is obvious that anyone who decides to take him up on his offer will have to pay a considerable sum of money. It is highly likely that our "man from Odessa" will also want money to pay for his trip to Europe or to carry out tests in a good laboratory, before disappearing once he receives a money transfer. Honesty and offers made in spam are just incompatible. Moreover, no one should ever enter into negotiations with people who send unsolicited emails, especially when it concerns health issues.
Summer, sand and sun may let you think about vacation at a beach, but not IT-Security interested people. Every year gatherings happen in Las Vegas attracting amateurs and professionals from around the globe – BlackHat and Defcon. But also the local BSides conference, BSidesLV, takes place before - which teamed-up with Passwordscon this year.
Seven streams of presentations with a wide spectrum of topics were offered at Tuscany. At Passwordscon talks were given on securing passwords and attacking. Among these topics as "Target specific automated dictionary generation" which covered ways to automatically create dictionaries used for attacks against password hashes from one specified source. Rick Redman, from KoreLogic, gave a defense talk "Password Topology Histogram Wear-Leveling, a.k.a. PathWell". As attacks are getting easier because of better Hardware, not using stronger hash-types and defenses as password policies may lead to predictable passwords a new approach on defending passwords on enterprise level was presented. This is based on targeting the topology of passwords by limiting the use of password topologies and ban common password topologies.
Password topology means how the password is created. For example the topology of "Passw0rd" is uppercase (u) + 4x lowercase (l) + digit (d) + 2x lowercase (l) (simple: ulllldll). By using Levenshtein distance algorithm the change of topologies may be measured on a password change, to enforce new topologies rather than just updating any character in a password, to make cracking more difficult. [Link]
Dimitri Fousekis also focused on passwords in enterprise underlining the importance of "associate the password with data ownership" in order to avoid users disrespecting the importance of a good password.
Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
The attacks are known to have used at least two zero-day exploits:
- CVE-2013-5065 - Privilege escalation vulnerability in Windows XP and Windows 2003
- CVE-2013-3346 - Arbitrary code-execution vulnerability in Adobe Reader
We also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig".
When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to "rescue" each other if communications are lost with one of the backdoors.
Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms.
The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.
Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers. Contact: email@example.comThe Epic Turla attacks
The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
- Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
- Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
- Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
- Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers
The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.
So far we haven't been able to locate any e-mail used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened, however, the SCR packages sometime show a clean PDF upon successful installation.
Some of known attachment names used in the spearphishing attacks are:
- ؤتمر جنيف.rar (translation from Arabic: "Geneva conference.rar")
- NATO position on Syria.scr
- Talking Points.scr
- Security protocol.scr
In some cases, these filenames can provide clues about the type of victims the attackers are targeting.The watering hole attacks
Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision.
Some of the injected websites include:
In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.
Here's a statistic on the injected websites:
The distribution is obviously not random, and it reflects some of the interests of the attackers. For instance, in Romania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to local governments (City Hall).
Most of the infected sites use the TYPO3 CMS (see: http://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.
The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn, redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:
The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a numbers of tasks. We have located several versions of this script which attempt various exploitation mechanisms.
One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:
Unfortunately, the Internet Explorer exploits have not yet been retrieved.
Another more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:
Although the Flash Player exploits couldn't be retrieved, we did manage to obtain the Java exploits:Name MD5 allj.html 536eca0defc14eff0a38b64c74e03c79 allj.jar f41077c4734ef27dec41c89223136cf8 allj64.html 15060a4b998d8e288589d31ccd230f86 allj64.jar e481f5ea90d684e5986e70e6338539b4 lstj.jar 21cbc17b28126b88b954b3b123958b46 lstj.html acae4a875cd160c015adfdea57bd62c4
The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.
The payload dropped by these Java exploits is the following:MD5: d7ca9cf72753df7392bfeea834bcf992
The Java exploit use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:www.arshinmalalan[.]com/themes/v6/templates/css/in.php
This C&C is still online at the moment although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.
The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks. This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):
In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials app (MD5: 89b0f1a3a667e5cd43f5670e12dba411):
The fake application is signed by a valid digital certificate from Sysprint AG:
Serial number: 00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95
Thumbprint: 24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46
This file was distributed from the Ministry of Foreign Affairs of Tajikistan's website, at "hxxp://mfa[.]tj/upload/security.php".
The file is a .NET application that contains an encrypted resource. This drops the malicious file with the MD5 7731d42b043865559258464fe1c98513.
This is an Epic backdoor which connects to the following C&Cs, with a generic internal ID of 1156fd22-3443-4344-c4ffff:hxxp://homaxcompany[.]com/components/com_sitemap/
A full list with all the C&C server URLs that we recovered from the samples can be found in the technical Appendix.The Epic command-and-control infrastructure
The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality.
The huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships function as both exploitation sites and command and control panels for the malware.
Here's how the big picture looks like:
The first level of command and control proxies generally talk to a second level of proxies, which in turn, talk to the "mothership" server. The mothership server is generally a VPS, which runs the Control panel software used to interact with the victims. The attackers operate the mothership using a network of proxies and VPN servers for anonymity reasons. The mothership also work as the exploitation servers used in the watering hole attacks, delivering Java, IE or fake applications to the victim.
We were able to get a copy of one of the motherships, which provided some insight into the operation.
It runs a control panel which is password protected:
Epic mothership control panel login
Once logged into the Control panel, the attackers can see a general overview of the system including the number of interesting potential targets:
A very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To change the file, they are using the "Task editor" from the menu. Depending on the "tasks", they will decide whether to infect the visitors or not. In this case, we found they targeted two ranges belonging to:
- "Country A" - Federal Government Network
- "Country B" - Government Telecommunications and Informatics Services Network
It should be noted though, the fact that the attackers were targeting these ranges doesn't necessarily mean they also got infected. Some other unknown IPs were also observed in the targeting schedules.
There is also an "except.css" file where attackers log the reasons they didn't try to exploit certain visitors. There are three possible values:
- DON'T TRY -> Version of the browser and OS does not meet the conditions
- DON'T TRY -> (2012-09-19 10:02:04) - checktime
These are the "don't meet the conditions" reasons observed in the logs:
- Windows 7 or 2008 R2
- MSIE 8.0
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
- Adobe Shockwave 188.8.131.521
- Adobe Flash 10.3.181.14
- Adobe Reader 10.1.0.0
- Win Media Player 12.0.7601.17514
- Quick Time null
- MS Word null
- Java null
For this first stage of the attack, the threat actor uses a custom backdoor. In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult.
The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.
Other known detection names for the backdoor is Trojan.Wipbot (Symantec) or Tavdig.
The main backdoor is about 60KB in size and implements a C&C protocol on top of normal HTTP requests. The communication protocol uses requests in the C&C replies, which the malware decrypts and processes. The replies are sent back to the C&C through the same channel.
The malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C&C URLs. He have also seen one case where the configuration block contains just one URL. The configuration can also be updated on the fly by the attackers, via the C&C.
The backdoor attempts to identify the following processes and, if found, it will terminate itself:
It contains an internal unique ID, which is used to identify the victim to the C&C. Most samples, especially old ones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as "interesting", the attackers upload another Epic backdoor which has a unique ID used to control this specific victim.
During the first C&C call, the backdoor sends a pack with the victim's system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware.
Through monitoring, we were able to capture a large amount of commands sent to the victims by the attackers, providing an unique view into this operation. Here's a look at one of the encrypted server replies:
Once a victim is infected and "checks in" with the server, the attackers send a template of commands:
Next, the attackers try to move through the victim's network using pre-defined or collected passwords:
Listing all .doc files recursively is also a common "theme":
In total, we have decoded several hundreds of these command packages delivered to the victims, providing an unique insight into the inner workings of the attackers.
In addition to generic searches, some very specific lookups have been observed as well. These include searches for:
- eu energy dialogue*.*
In this case, the attackers were interested to find e-mails related to "NATO", "Energy Dialogue within European Union" and so on.
For some of the C&C servers, the attackers implemented RSA encryption for the C&C logs, which makes it impossible to decrypt them. This scheme was implemented in April 2014.Lateral movement and upgrade to more sophisticated backdoors
Once a victim is compromised, the attackers upload several tools that are used for lateral movement.
One such tool observed in the attacks and saved as "C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe" is:Name: winsvclg.exe
Compiled: Tue Oct 02 13:51:50 2012
This is a keylogger tool that creates %temp%\~DFD3O8.tmp. Note: the filename can change across victims. On one Central Asian government's Ministry of Foreign Affairs victim system, the filename used was "adobe32updt.exe".
In addition to these custom tools, we observed the usage of standard administration utilities. For instance, another tool often uploaded by the attackers to the victim's machine is "winrs.exe":Name: winrs.exe
This is an UPX packed binary, which contains the genuine "dnsquery.exe" tool from Microsoft, unpacked MD5: c0c03b71684eb0545ef9182f5f9928ca.
In several cases, an interesting update has been observed -- a malware from a different, yet related family.Size: 275,968 bytes
Compiled: Thu Nov 08 11:05:35 2012
another example:Size: 218,112 bytes
Compiled: Thu Nov 08 11:04:39 2012
This backdoor is more sophisticated and belongs to the next level of cyber-espionage tools called the "Carbon system" or Cobra by the Turla attackers. Several plugins for the "Carbon system" are known to exist.
Note: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been sinkholed by Kaspersky Lab.
Other packages delivered to the victims include:MD5: c7617251d523f3bc4189d53df1985ca9
These top level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed victims, effectively linking the Epic and Turla Carbon operations together.
The Turla Carbon dropper from these packages has the following properties:MD5: cb1b68d9971c2353c2d6a8119c49b51f
This is called internally by the authors "Carbon System", part of the "Cobra" project, as it can be seen from the debug path inside:
This acts as a dropper for the following modules, both 32 and 64 bit:MD5 Resource number 4c1017de62ea4788c7c8058a8f825a2d 101 43e896ede6fe025ee90f7f27c6d376a4 102 e6d1dcc6c2601e592f2b03f35b06fa8f 104 554450c1ecb925693fedbb9e56702646 105 df230db9bddf200b24d8744ad84d80e8 161 91a5594343b47462ebd6266a9c40abbe 162 244505129d96be57134cb00f27d4359c 164 4ae7e6011b550372d2a73ab3b4d67096 165
The Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded platform or the Flame platform. The plugins for the Carbon system can be easily recognized as they always feature at least two exports named:
Several Epic backdoors appear to have been designed to work as Carbon system plugins as well - they require a specialized loader to start in victim systems that do not have the Carbon system deployed.
Some modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact Carbon system version is very rarely seen in samples:
The author of the Carbon module above can be also seen in the code, as "gilg", which also authored several other Turla modules.
We are planning to cover the Turla Carbon system with more details in a future report.
The payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55 2012) contains two modules, a loader/injector and a backdoor. Internally, the backdoor is named "Zagruzchik.dll":
The word "Zagruzchik" means "boot loader" in Russian.
The Control panel for the Epic motherships also sets the language to codepage "1251":
Codepage 1251 is commonly used to render Cyrillic characters.
There are other indications that the attackers are not native English language speakers:
- Password it´s wrong!
- Count successful more MAX
- File is not exists
- File is exists for edit
The sample e9580b6b13822090db018c320e80865f that was delivered to several Epic victims as an upgraded backdoor, has the compilation code page language set to "LANG_RUSSIAN".
The threat actor behind the "Epic" operation uses mainly hacked servers to host their proxies. The hacked servers are controlled through the use of a PHP webshell. This shell is password protected; the password is checked against an MD5 hash:
The MD5 "af3e8be26c63c4dd066935629cf9bac8" has been solved by Kaspersky Lab as the password "kenpachi". In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked servers, although using a much stronger password.
Once again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render Cyrillic characters.
There appears to be several links between Turla and Miniduke, but we will leave that for a future blogpost.Victim statistics
On some of the C&C servers used in the Epic attacks, we were able to identify detailed victim statistics, which were saved for debugging purposes by the attackers.
This is the country distribution for the top 20 affected countries by victim's IP:
According to the public information available for the victims' IPs, targets of "Epic" belong to the following categories:
- Ministry of interior (EU country)
- Ministry of trade and commerce (EU country)
- Ministry of foreign/external affairs (Asian country, EU country)
- Intelligence (Middle East, EU Country)
- Military (EU country)
- Research (Middle East)
- Pharmaceutical companies
- Unknown (impossible to determine based on IP/existing data)
When G-Data published their Turla paper, there were few details publicly available on how victims get infected with this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection; which begins with Epic Turla. This is used to gain a foothold and validate the high profile victim. If the victim is interesting, they get upgraded to the Turla Carbon system.
Most recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation remains fresh and ongoing.
Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers. Contact: firstname.lastname@example.org
We would like to add the following at the end of the blogpost, right before the detection names:
If you'd like to read more about Turla/Uroburos, here's a few recommendations:
- G-Data's paper "Uroburos Highly complex espionage software with Russian roots"
- BAE Systems analysis of "The Snake campaign"
- "Uroburos: the snake rootkit", technical analysis by deresz and tecamac
- "TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos" by CIRCL.LU
Kaspersky products' detection names for all the malware samples described in this post:
This week, our virus lab handled a case where a customer received a phishing email with an Android Backdoor archive masquerading as a Kaspersky mobile security app (we are aware that those who created this app are also disguising it as apps from other major AV brands).
It prompts recipients to install the fake Kaspersky Android app to protect their mobile security. From the context we can presume the intended targets are users in Poland.
Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading virus. Mobile security is related to user privacy. In most cases, a mobile device is more important than PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.
In this case, the Android apk in the phishing email is a powerful and aggressive backdoor which is detected as Backdoor.AndroidOS.Zerat.a. The backdoor is full of malicious functions, but the GUI is a little simple and crude.
Maybe it only wants you to install it and click the button. By executing, it links to hxxp://winrar.nstrefa.pl/path/DeviceManager.php to register the victim device info.
Then it visits hxxp://winrar.nstrefa.pl/path/Linker.php to get commands.
According to the commands, it will perform lots of malicious activities.
Some of the commands are shown below.
Intercepting text messages:
Store and upload:
This is a new type of mobile security threat that works just like a phishing site or phishing SMS. With the phishing email, the backdoor will spread more easily. There is reason to believe that more increasingly complex mobile attacks with follow. Composite attacks on mobile platforms are simply a matter of time.
In this day and age it is very important to protect our privacy and device security. It's recommended to follow these tips:
- Download a mobile security app from the official Kaspersky website.
- Don't trust strange emails.
- Don't just open and execute files in email attachments.
On August 2, the Chinese Valentine's Day, an Android SMS worm struck China. It is called XXshenqi.apk. In the space of six hours, it infected about 500,000 devices. It has received widespread coverage in the local media. It's not just an SMS worm, containing two malicious modules: XXshenqi.apk and its asset Trogoogle.apk.
The function of XXshenqi.apk is to send SMS to spread itself and to drop another backdoor on the victim device. It is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky Lab.
After installation, it sends an SMS to all the names on the victim's contact lists to get them to install the Trojan as well.
Then it probes whether or not com.android.Trogoogle.apk is present on the mobile device. If not, it displays a dialog window to prompt the user to install Trogoogle.apk.
Trogoogle.apk is a resource file in the assets folder of XXshenqi.apk.
After that, it asks the user to register the app. The Trojan will steal the user's personal ID and name and send them to those controlling the malware.
Trogoogle.apk contains more malicious functions. It is a backdoor and detected as Backdoor.AndroidOS.Trogle.a by Kaspersky Lab. It hides its icon after installation so the user is unaware of its presence. It will then respond to commands to perform malicious activity. The commands include:
It also monitors the victim's text messages and sends them to the malware owner by email or SMS.
The fact that this Trojan combintion appeared on the Chinese Valentine's Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it's always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.
After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?
Yes, that's right, cybercriminals are busily recycling this old technique, introducing new obfuscation forms to make it more effective. Let's look at two examples.Sample 1
This is an excel file with malicious embedded macros. However if you use standard Office tools to look at the macros, depending on the version, you will not see anything malicious at all or you won't be allowed to see the macros itself:
That is because the sample all strings in macros are obfuscated with a base64 encoding technique.
After de-obfuscation you can see clearly the URLs used to download the payloads:
This is a very simple technique but it is effective against simple heuristics that use string analysis of all incoming email attachments, and this is reflected in a very low VT detection https://www.virustotal.com/en/file/c916540dcab796e7c034bfd948c54d9b87665c62334d8fea8d3724d9b1e9cfc9/analysis/1403955807/
This particular sample is also interesting since in some Excel versions it is able to run macros automatically without prompting the user, enabling it. Once it has run, it drops a password-stealing Trojan directly onto the victim's system.Sample 2
This another example is a fake Aeromexico ticket.
There is no obfuscation but the URL is written from right to left, which again it might be quite useful against simple GREP analysis techniques:
It is interesting to note that the first sample was found in the wild in Venezuela, the second in Mexico and then the third in Brazil:
This one drops a ChePro banker. All three malicious samples drop only Trojans that steal financial data, but the same technique can be easily used to drop any type of malware.
So does it mean that only Latin American cybercriminals use this technique? The answer is no, not really. Our relative user's infections statistics show that actually the countries with the most attempted infections using this kind of malware are Germany and then Poland.
However, the technique is seen elsewhere, including Spain, Mexico, Brazil and others.
While analyzing malicious macro office files, you can see that the original document is created by one user and then somebody else (another criminal) assists in embedding the malicious macros.
The same technique can be easily used to drop any kind of malware in any country since this is all about social engineering and it will easily pass through email gateway security because it is basically an office document, and security email policies allow those.
You may follow me on twitter: @dimitribest