Feed aggregator

Google Moving Toward Encrypted Ad Services

Threatpost for B2B - Fri, 04/17/2015 - 11:42
Google engineers have spent the last several years moving many of the company’s online services to encrypted links. Gmail is HTTPS by default, and Google search is done over SSL for much of the world. Now the company is working to move its ad-serving and ad-buying platforms to HTTPS, as well. Google’s ad networks are pervasive […]

Threatpost News Wrap, April 17, 2015

Threatpost for B2B - Fri, 04/17/2015 - 11:36
Dennis Fisher and Mike Mimoso discuss the Windows HTTP.sys vulnerability, Google's decision to turn off the NPAPI in Chrome and the voting machine security disaster in Virginia.

Active DoS Exploits for MS15-034 Under Way

Threatpost for B2B - Fri, 04/17/2015 - 11:06
Public denial-of-service exploits for a critical vulnerability in Microsoft's implementation of the HTTP protocol stack, HTTP.sys are under way, while remote code execution attacks may still be to come.

Ransomware Teslacrypt Still Targeting Gamers

Threatpost for B2B - Thu, 04/16/2015 - 14:19
Teslacrypt, the fairly new strain of ransomware that's been targeting gamers, is continuing to make the rounds online.

Virginia Voting Machines Exposed to Simple, Potentially Election-Altering Hacks Since 2004

Threatpost for B2B - Thu, 04/16/2015 - 13:16
Voting machines in Virginia are hopelessly vulnerable to scores of low level hacks, calling into question the integrity of recent elections there.

Google Shuts Off NPAPI in Chrome

Threatpost for B2B - Thu, 04/16/2015 - 10:27
With the release of Chrome 42 this week, Google fixed more than 40 vulnerabilities. But the most significant security change in the new browser is Google’s decision to disable the NPAPI, essentially turning off plugins such as Java and Silverlight by default. The decision didn’t come out of nowhere. Google warned developers and users about it […]

Dropbox Launches Bounty Program on HackerOne

Threatpost for B2B - Wed, 04/15/2015 - 13:59
Dropbox has become the latest high-profile Internet firm to start a bug bounty program, hooking up with HackerOne to provide rewards to security researchers who report vulnerabilities through the program. The new reward system from Dropbox covers a variety of the company’s offerings, including the Dropbox and Carousel iOS and Android applications; the Dropbox and Carousel […]

Oracle CPU Delivers 98 Fixes Across Product Line

Threatpost for B2B - Wed, 04/15/2015 - 13:26
Oracle’s regularly scheduled Critical Patch Update fixed 98 issues across a handful of products,

Report Recommends Series of Cybersecurity Changes at FAA

Threatpost for B2B - Wed, 04/15/2015 - 11:47
The Federal Aviation Administration needs to upgrade and update its information security capabilities–including building a threat-modeling capability and implementing federal security guidelines–in order to ensure the safety of the nation’s aviation infrastructure, according to a new report by the General Accounting Office. The report is the result of a review of the FAA’s security practices […]

SearchBlox Fixes XSS, File Upload Flaws

Threatpost for B2B - Wed, 04/15/2015 - 10:32
SearchBlox, a provider of enterprise search technology, has patched several serious vulnerabilities in its flagship product, including cross-site scripting, cross-site request forgery and other issues. The company, which sells a variety of enterprise search products, has released version 8.2 of the main SearchBlox product to address the vulnerabilities, which were report to the CERT/CC at […]

AirDroid Patches Web App Hijacking Vulnerability

Threatpost for B2B - Wed, 04/15/2015 - 09:53
Researchers at Bishop Fox disclose details on a patched authentication vulnerability in the AirDroid web application that could give attackers remote control over Android devices.

The Chronicles of the Hellsing APT: the Empire Strikes Back

Secure List feed for B2B - Tue, 04/14/2015 - 22:30

Introduction

One of the most active APT groups in Asia, and especially around the South China Sea area is "Naikon". Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

Naikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have described in detail. The name Naikon comes from a custom user agent string, "NOKIAN95/WEB", located within the backdoor:

NOKIAN string in Naikon backdoor

The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way. What was perhaps one of the biggest operations of the Naikon group was launched in March 2014, in the wake of the MH370 tragedy that took place on March 8th. By March 11th, the Naikon group was actively hitting most of the nations involved in the search for MH370. The targets were extremely wide-ranging but included institutions with access to information related to the disappearance of MH370, such as:

  • Office of the President
  • Armed Forces
  • Office of the Cabinet Secretary
  • National Security Council(s)
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • National Police
  • Presidential Management Staff

The Naikon group used mostly spear-phished documents for the attacks, with CVE-2012-0158 exploits that dropped the group's signature backdoor.

While many of these attacks were successful, at least one of the targets didn't seem to like being hit, and instead of opening the documents, decided on a very different course of action.

The empire strikes back

Here's a question - what should you do when you receiving a suspicious document from somebody you don't know, or know very little? Choose one:

  • Open the document
  • Don't open the document
  • Open the document on a Mac (everybody knows Mac's don't get viruses)
  • Open the document in a virtual machine with Linux

Based on our experience, most people would say 2, 3 or 4. Very few would open the document and even fewer would actually decide to test the attacker and verify its story.

But this is exactly what happened when one of the Naikon spear-phishing targets received a suspicious email. Instead of opening the document or choosing to open it on an exotic platform, they decided to check the story with the sender:

Naikon target asks for confirmation of the email

In the email above, we can see the target questioning the authenticity of the Naikon spear-phishing. They ask the sender if it was their intention to email this document.

The attacker was, of course, not confused in the slightest, and being very familiar with the internal structure of the target's government agency, replied claiming that they work for the secretariat division and were instructed to send it by the organization's management:

Naikon attacker replies to the target

The reply is written in poor English and indicates that the attacker is probably not as proficient in the language as the intended victim. Seeing the reply, the target obviously decided not to open the document. Moreover, they decided to go a bit further and try to learn more about the attacker.

Not long after the first exchange, the following email was sent to the attacker by the target:

The attachment is a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers. Inside the archive we find two decode PDF files and one SCR file:

Much to our surprise, the "SCR" file turned out to be a backdoor prepared especially for the Naikon fraudsters.

The file "Directory of ... Mar 31, 2014.scr" (md5: 198fc1af5cd278091f36645a77c18ffa) drops a blank document containing the error message and a backdoor module (md5: 588f41b1f34b29529bc117346355113f). The backdoor connects to the command server located at philippinenews[.]mooo[.]com.

The backdoor can perform the following actions:

  • download files
  • upload files
  • update itself
  • uninstall itself

We were amazed to see this course of action and decided to investigate the "Empire Strikes Back"-door further; naming the actor "Hellsing" (explained later).

The malware used by the intended victim appears to have the following geographical distribution, according to KSN data:

  • Malaysia – government networks
  • Philippines – government networks
  • Indonesia – government networks
  • USA - diplomatic agencies
  • India (old versions of malware)

In addition, we've observed the targeting of ASEAN-related entities.

Victims of Hellsing attacks

The actor targets its intended victims using spear-phishing emails with archives containing malware, similar to the one it used against the Naikon group. Some of the attachment names we observed include:

  • 2013 Mid-Year IAG Meeting Admin Circular FINAL.7z
  • HSG FOLG ITEMS FOR USE OF NEWLY PROMOTED YNC FEDERICO P AMORADA 798085 PN CLN.zip
  • Home Office Directory as of May 2012.Please find attached here the latest DFA directory and key position officials for your referenece.scr
  • LOI Nr 135-12 re 2nd Quarter.Scr
  • Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
  • Letter to SND_Office Call and Visit to Commander, United States Pacific Command (USPACOM) VER 4.0.zip
  • PAF-ACES Fellowship Program.scr
  • RAND Analytic Architecture for Capabilities Based Planning, Mission System Analysis, and Transformation.scr
  • Update Attachments_Interaction of Military Personnel with the President _2012_06_28.rar
  • Update SND Meeting with the President re Hasahasa Shoal Incident.scr
  • Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip
  • ZPE-791-2012&ZPE-792-2012.rar
  • zpe-791-2012.PDF.scr

We've observed RAR, ZIP and 7ZIP archives in the attacks - the 7ZIP archives with passwords were probably introduced as a way to bypass the recent security features on Gmail, which block password-protected archives with executables inside.

Each backdoor has a command and control server inside as well as a version number and a campaign or victim identifier. Some examples include:

MD5 Date C&C Campaign identifier 2682a1246199a18967c98cb32191230c Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 31b3cc60dbecb653ae972db9e57e14ec Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 4dbfd37fd851daebdae7f009adec3cbd Nov 08 2013 articles.whynotad[.]com 1.5_articles.whynotad.com-nsc 015915bbfcda1b2b884db87262970a11 Feb 19 2014 guaranteed9.strangled[.]net 1.5_guaranteed9-nsc 3a40e0deb14f821516eadaed24301335 Mar 31 2014 hosts.mysaol[.]com 1.6.1_imi;simple 73396bacd33cde4c8cb699bcf11d9f56 Nov 08 2013 web01.crabdance[.]com 1.5_op_laptop 7c0be4e6aee5bc5960baa57c6a93f420 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA bff9c356e20a49bbcb12547c8d483352 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It c0e85b34697c8561452a149a0b123435 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It f13deac7d2c1a971f98c9365b071db92 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA f74ccb013edd82b25fd1726b17b670e5 May 12 2014 second.photo-frame[.]com 1.6.2s_Ab

The campaign identifiers could be related to the organizations targeted by the specific builds of this APT. Some possible descriptions for these initials could be:

Artifacts and overlap with other APTs

Interestingly, some of the infrastructure used by the attackers appears to overlap (although around a year apart) with a group tracked internally at Kaspersky Lab as PlayfullDragon (also known as "GREF"); while other aspects of the infrastructure overlap with a group known as Mirage or Vixen Panda.

For instance, one of the PlayfullDragon's Xslcmd backdoors described by our colleagues from FireEye (md5: 6c3be96b65a7db4662ccaae34d6e72cc) beams to cdi.indiadigest[.]in:53. One of the Hellsing samples we analysed (md5: 0cbefd8cd4b9a36c791d926f84f10b7b) connects to the C&C server at webmm[.]indiadigest[.]in. Although the hostname is not the same, the top level domain suggests some kind of connection between the groups. Several other C&C subdomains on "indiadigest[.]in" include:

  • aac.indiadigest[.]in
  • ld.indiadigest[.]in
  • longc.indiadigest[.]in

Another overlap we observed is with an APT known as Cycldek or Goblin Panda. Some of the Hellsing samples we analysed in this operation (e.g. md5: a91c9a2b1bc4020514c6c49c5ff84298) communicate with the server webb[.]huntingtomingalls[.]com, using a protocol specific to the Cycldek backdoors (binup.asp/textup.asp/online.asp).

It appears that the Hellsing developer started with the Cycldek sources and worked together with the operators from other APT groups. Nevertheless, it is sufficiently different to warrant classification as a stand-alone operation.

So, where does the Hellsing name come from? One of the samples we analysed (md5: 036e021e1b7f61cddfd294f791de7ea2) appears to have been compiled in a rush and the attacker forgot to remove the debug information. One can see the project name is Hellsing and the malware is called "msger":

Of course, Hellsing can have many different meanings, including the famous doctor from Bram Stoker's Dracula. However, according to Wikipedia, "Hellsing (ヘルシング Herushingu) is also a Japanese manga series written and illustrated by Kouta Hirano. It first premiered in Young King Ours in 1997 and ended in September 2008".

The Hellsing series chronicles the efforts of the mysterious and secret Hellsing Organization, as it combats vampires, ghouls, and other supernatural foes; which makes it perhaps an appropriate name for our group.

In addition to the Hellsing/msger malware, we've identified a second generation of Trojan samples which appear to be called "xweber" by the attackers:

"Xweber" seems to be the more recent Trojan, taking into account compilation timestamps. All the "msger" samples we have seen appear to have been compiled in 2012. The "Xweber" samples are from 2013 and from 2014, indicating that at some point during 2013 the "msger" malware project was renamed and/or integrated into "Xweber".

During our investigation we've observed the Hellsing APT using both the "Xweber" and "msger" backdoors in their attacks, as well as other tools named "xrat", "clare", "irene" and "xKat".

Other tools

Once the Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering further information about the victim or doing lateral movement. One such tool is "test.exe":

Name test.exe Size 45,568 bytes MD5 14309b52f5a3df8cb0eb5b6dae9ce4da Type Win32 PE i386 executable

This tool is used to gather information and test available proxies. Interestingly, it also contains the Hellsing debug path:

Another attack tool deployed in a victim's environment was a file system driver, named "diskfilter.sys", although internally it claims to be named "xrat.sys". The driver is unsigned and compiled for 32-bit Windows. It was used briefly in 2013, before being abandoned by the attackers, possibly due to Windows 7 driver signing requirements:

Another tool used by the attackers is called "xKat":

Name xkat.exe Size 78,848 bytes MD5 621e4c293313e8638fb8f725c0ae9d0f Type Win32 PE i386 executable

This is a powerful file deletion and process killer which uses a driver (Dbgv.sys) to perform the operations. We've seen it being used by the attackers to kill and delete malware belonging to their competitors.

Some of the debug paths found in the binaries include:

  • e:\Hellsing\release\clare.pdb
  • e:\Hellsing\release\irene\irene.pdb
  • d:\hellsing\sys\irene\objchk_win7_x86\i386\irene.pdb
  • d:\hellsing\sys\xkat\objchk_win7_x86\i386\xKat.pdb
  • d:\Hellsing\release\msger\msger_install.pdb
  • d:\Hellsing\release\msger\msger_server.pdb
  • d:\hellsing\sys\xrat\objchk_win7_x86\i386\xrat.pdb
  • D:\Hellsing\release\exe\exe\test.pdb
Attribution

In general, the attribution of APTs is a very tricky task which is why we prefer to publish technical details and allow others to draw their own conclusions.

The Hellsing-related samples appear to have been compiled around the following times:

Assuming normal work starts at around 9 am, the attacker seems to be most active in a time-zone of GMT+8 or +9, considering a work program of 9/10 am to 6/7pm.

Conclusions

The Hellsing APT group is currently active in the APAC region, hitting targets mainly in the South China Sea area, with a focus on Malaysia, the Philippines and Indonesia. The group has a relatively small footprint compared to massive operations such as "Equation". Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here.

The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack.

To protect against a Hellsing attack, we recommend that organisations follow basic security best practices:

  • Don't open attachments from people you don't know
  • Beware of password-protected archives which contain SCR or other executable files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed
  • Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader

Kaspersky Lab products detect the backdoors used by the Hellsing attacker as: HEUR:Trojan.Win32.Generic, Trojan-Dropper.Win32.Agent.kbuj, Trojan-Dropper.Win32.Agent.kzqq.

Deny the Hellsing APT by default Appendix:

Hellsing Indicators of Compromise

Apple Fixes Cookie Access Vulnerability in Safari on Billions of Devices

Threatpost for B2B - Tue, 04/14/2015 - 15:02
Apple recently fixed a cookie vulnerability that existed in all versions of Safari - iOS, OS X, and Windows - that may have affected 1 billion devices.

Microsoft Patches Critical HTTP.sys Vulnerability

Threatpost for B2B - Tue, 04/14/2015 - 14:49
Microsoft and Adobe released security bulletins addressing critical vulnerabilities in their respective products.
Syndicate content