I'm sure you've read or heard about the malware attacking boletos – the popular Brazilian payment system – and how lots of malicious code is able to modify it, redirecting the amount paid to an account owned by criminals. Despite the fact that some numbers were overestimated by some companies and media outlets, these attacks are of particular interest and the Brazilian bad guys are quickly developing and adopting new techniques. Trust me: everything you read about boleto malware was only the tip of the iceberg; our complete research into this topic will be presented at the next Virus Bulletin conference.
The boleto malware campaigns combine several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB. It's no coincidence that a very similar technique was used by ZeuS GameOver some months ago, but this time the files are using extensions such as .BCK and .JMP, instead of .ENC.
We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one affecting boletos payments in Brazil.
A typical Brazilian boleto: using web-injection to change the numbers in the ID field is enough to redirect the payment
In February, security expert Gary Warner wrote about a new version of ZeuS campaign that downloads some strange and non-executable .ENC files to the infected machine. Our colleagues at CrySys did a very detailed analysis showing how this is an effective technique for passing through your firewall, webfilters, network intrusion detection systems and many other defenses you may have in place, as a tiny Trojan downloads these encrypted (.ENC) files and decrypts them to complete the infection.
Brazilian cybercriminals decided to use the .JMP extension in files encrypted in the same way, and downloaded by several small Trojans used in boletos and Trojan banker campaigns. This is what an encrypted file looks in the beginning:
After removing the encryption we can see it as a normal PE executable:
The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload and make it undetectable, so that it's not recognized as a normal portable executable.
Other files of interest are those with .BCK extensions – they are packed with an as yet unknown application that appears to be a commercial backup app. Just checking the head of the encrypted file is enough to see what's inside - in this case it is a malicious CPL file used in the boletos campaigns:
"refazboleto" is Portuguese for "rebuild boleto". It points to a CPL file
Our antivirus engines are prepared to unpack and detect .JMP and .BCK files like these. These facts show how Brazilian cybercriminals are adopting new techniques as a result of the collaboration with their European counterparts.
Thanks to my colleague Alexander Liskin for help with the analysis.
The second Tuesday of the month is here along with Microsoft's August security updates, and with it brings interesting updates of OneNote and Internet Explorer. The full list is nine security bulletins long.
OneNote has been a part of Microsoft's drive into mobile and cloud technologies, away from traditional Wintel computing, providing Office-integrated note-taking multi-user collaborative functionality across tablets and mobile devices. I noticed a bunch of Blackhat attendees using this software. While the vulnerability is limited to all versions of Microsoft OneNote 2007,, and there have been a couple of releases since, I believe that this vulnerability is the first RCE enabled by a component exclusively delivered with the OneNote software. In this case, it is the file parser that reads onenote (.ONE) files that enables remote code execution attacks. This software package now is available for Windows, Mac, Windows RT, Windows Phone, iOS, Android and Symbian, but the vulnerable OneNote code appears to be available only for TabletPCs and the Windows platform. cve-2014-2815 was privately reported to Microsoft.
Another big Bulletin pushed today for Internet Explorer addresses 25 critical RCE vulnerabilities(!) across IE 6 - 11 on Windows clients Vista through 8.1, all memory corruption issues. The browsers on related server installs are rated moderate. Some of these vulnerabilities have been actively exploited ItW, so it is an urgent update issue.
And Adobe released their own patch separately from the Microsoft update process to fix an extraordinary sandbox vulnerability abused by APT that we reported a while back. Be sure to check out those details. It effects fairly recent versions of Reader sandboxes.
Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.
This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.
At the moment, we are not providing any details on these attacks as the investigation is still ongoing. Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.
You can grab the Adobe Reader updates here.