There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.
Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn't hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).
Backoff malware configuration, with C&Cs
We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January - March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.Statistics:
There were several interesting victims among them:
- A global freight shipping and transport logistics company with headquarters in North America.
- A U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.
- A payroll association in North America.
- A state institute connected with information technology and communication in Eastern Europe.
- A liquor store chain in the U.S.
- An ISP in Alabama, U.S.
- A U.S.-based Mexican food chain.
- A company that owns and manages office buildings in California, U.S.
- A Canadian company that owns and operates a massive chain of restaurants.
There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.Conclusions
The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we've seen more than 85 victims connecting to our sinkhole.
Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.
Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.
It's very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn't support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can't be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.
This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.IOCs / C&Cs: Trojan file paths:
Festive spam in July was largely dedicated to the holy month of Ramadan. Unwanted correspondence also included offers to send promotional messages to users' phones and email boxes. We also came across fraudulent emails asking for help with investments. There were offers of beauty products and services too.Ramadan
In July, spammers continued to exploit the holy month of Ramadan by offering mass mailing services. The emails were written in English. The subject and the text of the emails attracted readers with special offers and discounts in honor of the main Muslim holiday. Mass mailings advertising SMS distribution to residents of the United Arab Emirates were sent from free email services and designed in the same style. The emails used different text fonts and provided different contact details: for example, the phone numbers in the body of the message and in the subject of the email were different. Some emails indicated the site of a company engaged in SMS-marketing.
"Nigerian" scammers did not bother to invent anything new either and tried to attract users' attention by wishing them a Happy Ramadan both in the subject of the email and in the body of the message. Fraudulent emails that offered impressive rewards for help in investing money in a business project were circulated in both English and Arabic.
Current spam flows often include emails in different languages. In particular there has been an increase in the number of messages in Semitic languages, including Arabic, over the year. At the same time the scammers use English in the subject of the emails rather than Arabic. This is probably because English is more widespread and they hope an English subject will attract more readers.
One of the emails was written allegedly on behalf of a Muslim mother. It mentioned the complicated political situation in Syria and explained that this made it impossible to safely invest money at home. In this case, the content of the message suggests the author must know Arabic so a text in this language can be used to make it look more credible.
Among July's major mailings there was a notable campaign offering a variety of skin care products for women as well as promotions for beauty clinics. Spam mailings were used to sell different cleansers, anti-wrinkle creams, "elixirs of youth" and other cosmetic products. The scammers offered product samples to convince the user of their merits and promised to return the money if the results were unsatisfactory. The fraudsters tried to encourage potential customers by promising quick and free shipping to any country.
Beauty clinics were actively offering laser hair removal procedures at considerable discounts or even free of charge to supposed lottery winners. The sales pitch, complete with pictures, focused on the pressing need for this procedure before relaxing on the beach. Sometimes these emails were "noised" with texts that had nothing to do with the advertised goods and services. In some cases, this "noise" took up half the message (see the example below). The senders' names in these emails were a randomly generated combination of letters and numbers. The names of advertised centers and clinics were also mentioned in the body of the message to make it easier to find them via the search engine. However the links in the emails led to spammer parked sites registered on newly created domains. Sometimes they offered similar goods or services; sometimes they promoted completely different ones.
The heat of the summer has warmed up the market for products that help us to cool down: spam traffic actively promoted sun-protected foil for windows, fans and air conditioners, including repair and maintenance services. We often came across emails advertising water coolers and bottled water. Water was offered with special summer discounts and free delivery to homes and offices, while an extra bonus promised a free basket of fruit with every order in July or August. Making an order is as simple as calling the number in the advert.
Sunglasses were among the most popular summer offers. Knock-offs of designer sunglasses were offered at huge discounts compared to the original. Such emails often contained the designer logos and included icons of different social networks where the company is officially represented. However, these icons were merely decorative and offered no link to these sites. They were simply intended to make the email seem more realistic. Once users clicked on the link in the email, they were redirected to a newly created online sunglasses store. The names of the sites often included the words 'glasses' or 'sunglasses'. Sometimes you could even visually identify the distorted name of the glasses brand in the random set of letters and numbers which comprised the address of the site.Statistics The percentage of spam in email traffic
The percentage of spam in email traffic averaged 67%, which is 2.2 percentage points up from June. The highest spam levels were seen during the second week of the month (67.6%), and the lowest levels were seen in the first week (66%).
Percentage of spam in email trafficThe geographical distribution of spam sources
In July, the list of the most popular sources of spam around the world looked like this:
Sources of spam around the world
The USA took first place (15.3%) after its percentage increased 2.2 percentage points from the previous month. Next, Russia came in second place with 5.6%; the amount of spam originating in that country was down 1.4 percentage points. China was in third place with 5.3% having produced 0.3 pp less spam than in June.
Argentina was in 4th position with 4.2% of all distributed spam; its contribution remained practically unchanged but the country still climbed one place in the rankings. It is followed by Ukraine (4.1%) with a 0.9 pp rise compared to June.
In July, we saw the 1.8 pp reduction in the amount of spam from Vietnam (3.5%) which pushed this country from 4th to 8th place.
France rounded up the Top 10 with 2.63% of all distributed spam having pushed India (2.59%) to 11th position.Malicious attachments in email
The graphic below shows the Top 10 malicious programs spread by email in July.
The Top 10 malicious programs spread by email
This time the rating was topped by Trojan.Win32.Yakes.fize, the Trojan downloader Dofoil. This program downloads a malicious file on the victim computer, runs it, steals the user's personal information (especially passwords) and forwards it to the fraudsters.
The notorious Trojan-Spy.HTML.Fraud.gen dropped out of top spot for the first time in many months. Readers may remember that this is the threat that appears as an HTML phishing website and sends emails disguised as important notifications from banks, online stores, and other services.
Next came Trojan.JS.Redirector.adf which is the HTML page containing code to redirect users to a scammer site offering downloads of Binbot, the service for automatic sales of binary options which are currently very popular in the Internet. This malicious program is distributed via email attachments.
It is followed by Backdoor.Win32.Androm.enji. This malicious program is a modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.
Fifth position is occupied by Trojan-Banker.Win32.ChePro.ink. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Trojan-Ransom.Win32.Cryptodef.ny ended 8th in July. This malicious program encrypts files on computers, blocks the screen and asks the user to pay to restore the files.
Rounding off the Top 10 was Trojan.Win32.Bublik.cran. The main functionality of the Bublik malware family is the unauthorized download and installation of new versions of malware onto victim computers.
Distribution of email antivirus detections by country
July's Top 3 remained unchanged from June. Germany accounted for 11.7% of all antivirus detections and topped the rating (+4.71 percentage points). The USA was second with 9.82% (+0.28 pp). The UK was third with 6.9% (+0.10 percentage points).
India (5.16%) overtook Brazil (3.94%) and came fourth having increased its share by 0.54 percentage points. Italy moved up two steps to 5th in the rating (+1.2 pp).
Russia increased its contribution by 1.37 percentage points averaging 3.40% of all antivirus detections and climbing from 13th to 8th position.
The UAE saw a noticeable drop in antivirus detections – a 1.09 pp fall saw it lose six places on the ranking.
The July Top 20's newcomer was Poland which occupied 19th place with 1.42% of all antivirus detections.
The percentage of email antivirus detections in other countries did not change significantly in June.Special features of malicious spam
In July, we saw an increase in the number of fake Portuguese language notifications = sent on behalf of the popular smartphone messenger WhatsApp.
In another case, the fake message notified the recipient that after months of hard work WhatsApp for PC could now enable users to chat with friends in real time via their computer. To add to the intrigue the message claimed that 11 people had already sent friend request to the recipient. To find out who these 11 people were, the user had to download the latest version of the Messenger for PC by clicking on the link in the email. Noticeably, we have been registering different versions of this message since the beginning of 2014.
As in the previous cases, instead of the desired program the user received a ZIP-archive which contained the dropper Trojan-Dropper.Win32.Dapato.egel. Its task is to connect to a remote Brazilian host then download and run a Trojan banker designed to steal the user's financial data. The dropper also copies itself to C:\Documents and Settings\Administrator\Local Settings\Application Data\ under the name of BaRbEcuE.exe. There it creates a file called windataup.inf, in which it indicates its presence and states the current date. Finally it writes itself into the AutoRun, ensuring it is launched automatically.Phishing
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections.
Phishers attacked users in Brazil most often: at least once during the month the Anti-Phishing component of the system was activated on computers of 18.17% of Brazilian users. This surge in activity is probably related to the football World Cup that took place in the country in June and July.
The geography of phishing attacks*, June 2014
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:Country % of users 1 Brazil 18.17 2 India 12.99 3 Australia 11.10 4 France 10.73 5 Kazakhstan 10.62 6 UK 10.15 7 UAE 10.14 8 Dominican Republic 10.11 9 Canada 9.61 10 Ukraine 9.53 Targets of attacks by organization
The statistics on phishing targets is based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.
In our previous reports we referred to the Top 100 organizations when analyzing the most attractive targets for phishing attacks. In July, we analyzed the statistics for all organizations that were attacked.
In July, the Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.49%) although its share decreased by 2.67 pp. Social networks came second with 14.61%, a 3.2 pp decline from the previous month.
Organizations most frequently targeted by phishers, by category – July 2014
Below is a similar chart for the previous month:
Organizations most frequently targeted by phishers, by category – June 2014
Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems was up 2.25, 2.64 and 2.29 pp respectively. The most significant spike affected PayPal (3.24%) up 2.27 pp in July.
We came across an interesting example of PayPal phishing at the end of the month. The fraudulent email informed the recipient about an incoming payment from a Craiglist user (most likely, it is the incorrect spelling of Craigslist, the site of e-ads) but the money could not be transferred because of an error with a PayPal account.
The email arrived from the address which does not belong to PayPal. In addition, it is impersonal which is a typical feature of a phishing email
To solve the problem, the user was asked to immediately download the attached form, open it and fill it in.
The form was created using the design elements of the PayPal site
The attackers are phishing for the user's email address and a password for it, his full name and date of birth, his mother's maiden name, his address, his credit card number, its expiry date and CVV as well as any passwords for Verified by Visa or MasterCard SecureCode. This detailed personal information would make it easy for fraudsters to rob the user of all electronic savings.
If you look at the HTML code of the page, you can see that all the data entered in the form will be sent to a page that has nothing to do with PayPal.Top 3 most organizations most frequently targeted by phishers Organization % detections 1 Google Inc 11.64% 2 Facebook 9.64% 3 Windows Live 6.28%
In July, Google services were most heavily targeted by phishing links: their share made up 11.64% of all Anti-Phishing component detections.
The number of fraudulent links to Windows Live, the global portal of the Microsoft services (including Outlook), grew significantly in July. The attractiveness of this resource for fraudsters is easily explained because of the popularity of the MS services and especially with the fact that they are accessed from a single account. Phishing pages are usually designed as an entry page to Outlook (currently there is also a fake login page to live.com).
An example of the phishing page imitating the Outlook entry page
Interestingly, many recent phishing pages still use the old Hotmail design despite the fact that Outlook replaced it as far back as the beginning of 2012. However, it does not seem to worry users very much: they still jump at the bait of such phishing pages.
An example of phishing on live.com using the outdated Hotmail designConclusion
The proportion of spam in global email traffic in July increased 2.2 percentage points and averaged 67%.
Spam emails advertising services that would send messages to users' phones and emails tried to capitalize on the Ramadan festivities while new customers were lured with holiday discounts and favorable offers. "Nigerian" scammers spread emails in English and Arabic asking for assistance in investing money. There were also offers of beauty products and services.
In July, the list of the most popular sources of spam around the world was topped by the US (15.3%), Russia (%5.6%) and China (5.3%).
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections. Phishers attacked users in Brazil most often: 18.2% Brazilian computers flagged at least one phishing alert during the month. The Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.5%). Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month.
The rating of the most popular malicious attachments distributed via email was topped by Trojan.Win32.Yakes.fize. Germany remains the country with the highest number of antivirus detections (11.7%).
A significant number of malicious attachments imitated fake notifications in Portuguese allegedly sent on behalf of the popular smartphone messenger WhatsApp. These attachments targeted the financial data of users in Brazil and Portugal.
Last week, GReAT LatAm had the pleasure of participating in the Fourth Latin American Security Analysts Summit in Cartagena, Colombia. We were joined by 29 journalists from 12 different countries throughout the region and a guest speaker. This is one of our favorite events as it presents a rare opportunity to discuss ongoing research with journalists one-on-one and address security concerns at a regional level. The LatAm focus of the event allows us to examine the 'latin flavor' of cybercrime and cyberespionage originating within our borders.
The Summit was divided into two days. The first day involved presentations ranging from the evolution of the threat landscape to issues involving wearable devices, the disturbing trend of 'camfecting', and new tendencies in Brazilian trojan bankers now aided by cooperation with Eastern European cybercriminals. The second day largely revolved around APTs and cyberespionage campaigns as well as mobile threats affecting integration with the cloud.
The ever-charismatic Fabio Assolini discussed a favorite topic of his, the development of banking trojans in his native Brazil. The country is known for its carder culture and widespread cybercrime. Interesting figures presented included the correlation between the cost of Zeus and Caberp and their infection rates in the region, as we witness an exhorbitant rise in the rate of infection once their respective source codes leak and effectively eliminate the initial investment on the part of the criminals. Fabio also unveiled the link between Brazilian and Eastern European cybercriminals who are now exchanging knowledge through online resources to enhance their crimes.
Our very own Santiago Pontiroli took to the stage to discuss mobile- and cloud-based attack vectors in a presentation rife with Orwellian parallels and forewarnings. Santiago discussed Latin America's proclivity for piracy and pornography as presenting massive opportunities for cybercriminals fully willing to exploit them.
Android, a platform enjoying wide-adoption in the region is also an increasingly appealing target for cybercriminals as evidenced by the fact that 98% of mobile malware detected in 2013 were aimed at Android devices –a number that doubled in the first quarter of 2014! Many of these devices are now integrated with the cloud which breathes new life into old phishing schemes whose pay-off now includes extensive access to personal data, storage, and even real-time location information. Some criminals have gone so far as to misuse manufacturer recovery services to act as pre-installed ransomware.
Roberto Martinez and I took on the topic of wearable technologies, increasingly popular devices that collect all kinds of stats about their users, store personal information, and are designed to be worn continuously. I focused on the Samsung Galaxy Gear 2 smartwatch and the ease with which it can be misused by deviants in the 'creepshots' community, as rooting and executing a handful of commands disables camera alerts and recording limitations. Roberto focused on Google Glass whose integrated wifi capability leaves it susceptible to tried-and-true sniffing to expose some of the traffic being relayed to the device.
Emphasizing that the design itself of wearable devices has a propensity to embolden well-known methods of attack as users have limited access to information regarding altered applications or suspicious connections. As wearable devices function by linking with a mobile device, they can eventually become an interesting means for persistent attacks as they are capable of interacting with the information on our phones without being subject to the security measures of their master devices.
Evolving Threats in Cyberespionage
On the cyberespionage front, we saw two thought-provoking and exciting presentations:
We were joined by Jaime Blasco, Director of Research at Alienvault and a close friend of GReAT. Jaime discussed an overview of APT campaigns over the past decade, the measures developed to understand them, and traits that help categorize the work of recurring nationstate players.
Dmitry Bestuzhev announced GReAT's discovery of the first ever cyberespionage campaign of Latin American origin! The Machete campaign affected military, diplomatic, and governmental institutions in 15 countries, primarily Venezuela, Ecuador, and Colombia. Interestingly, though LatAm has been considered by many as lacking the infrastructure for sustained cyberespionage, research revealed that the campaign has been active since 2010.
Finally, no Kaspersky event would be complete without an active entertainment day for all participants. We retreated to the Cartagena Golf Club for an afternoon of activities ranging from kayaking and beach volleyball to cocktail-making, dance lessons, and guided flower arrangements, as well as a massage area. The evening concluded with a gala dinner accompanied by the traditional music and dances of Colombia and closing words from our thoughtful organizers. I hope you can join us next year!
For more follow me on twitter: @juanandres_gs
Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.
Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.
The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.File name "Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc" MD5 b2385963d3afece16bd7478b4cf290ce Size 381,667 bytes
The .DOC file, which in reality is a "Single File Web Page" container, also known as "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese.
It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.
If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll", (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).Name WINDOWSUPDATANEY.DLL MD5 c13c79ad874215cfec8d318468e3d116 Size 37,888 bytes
It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):
To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:
- Boat-12 Is Running!
- DocHunter2012 Is Running!
- Hunter-2012 Is Running!
- NT-2012 Is Running!
- NetTravler Is Running!
- NetTravler2012 Is Running!
- SH-2011 Is Running!
- ShengHai Is Running!
- SD2013 is Running!
The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly new format compared to "older" NetTraveler samples:
For the record, here's what an older NetTraveler config file looks like:
Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break.
The algorithm is as follows:
decrypted[i]=encrypted[i] - (i + 0xa);
Once decrypted, the new config looks like this:
One can easily see the command-and-control (C&C) server in the screenshot above, which is "uyghurinfo[.]com".
We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:C&C server IP IP location Registrar ssdcru[.]com 22.214.171.124 Hong Kong, Albert Heng, Trillion Company SHANGHAI MEICHENG TECHNOLOGY uygurinfo[.]com 126.96.36.199 United States, Los Angeles, Integen Inc TODAYNIC.COM
INC. samedone[.]com 188.8.131.52 Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp Datacenter SHANGHAI MEICHENG TECHNOLOGY gobackto[.]net 184.108.40.206 Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY worksware[.]net N/A N/A SHANGHAI MEICHENG TECHNOLOGY jojomic[.]com was
220.127.116.11 Hong Kong, Sun Network (hong Kong) Limited SHANGHAI MEICHENG TECHNOLOGY angellost[.]net was 18.104.22.168 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY husden[.]com was 22.214.171.124 hong kong hung tai international holdings SHANGHAI MEICHENG TECHNOLOGY
We recommend blocking all these hosts in your firewall.Conclusion
This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.
For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.
NetTraveler victims by industry
Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.