Feed aggregator

"El Machete"

Secure List feed for B2B - Wed, 08/20/2014 - 02:30
Introduction

Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file on the system that is completely unrelated to China and contained no Chinese coding traces. At first glance it pretends to be a Java-related application, but after a quick analysis it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling "Machete".

What is "Machete"?

"Machete" is a targeted attack campaign with Spanish-speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may still be "active".

The malware is capable of the following cyber-espionage operations:

  • Logging keystrokes
  • Capturing audio from the computer's microphone
  • Capturing screenshots
  • Capturing geolocation data
  • Taking photos from the computer's web camera
  • Copying files to a remote server
  • Copying files to a special USB device if inserted
  • Hijacking the clipboard and capturing information from the target machine
Targets of "Machete"

Most of the victims are located in Venezuela, Ecuador, Colombia, Peru, Russia, Cuba and Spain, among others. In some cases, such as Russia, the target appears to be an embassy of one of the countries on this list.

Targets include high-level profiles, including intelligence services, military, embassies and government institutions.

How does "Machete" operate?

The malware is distributed via social engineering techniques, which include spear-phishing emails and web infections through a fake blog website. We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.

During this investigation, we also discovered many other files installing this cyber-espionage tool in what appears to be a dedicated spear-phishing campaign. These files display a PowerPoint presentation while installing the malware on the target system once the file is opened. These are the names of the PowerPoint attachments:

  • Hermosa XXX.pps.rar
  • Suntzu.rar
  • El arte de la guerra.rar
  • Hot brazilian XXX.rar

These files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.

A consequence of the Python code embedded inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3MB.

Here are some screenshots of the mentioned files:

A technically relevant fact about this campaign is the use of Python embedded into the malware's Windows executables. This is very unusual and offers the attackers no advantage except ease of coding. There is no multi-platform support, as the code is heavily Windows-oriented (use of Windows-specific libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.

Both attackers and victims speak Spanish natively, as we see it consistently in the source code of the client side and in the Python code.

Indicators of Compromise

Web infections

The following code snippets were found in the HTML of websites used to infect victims:

Note: Thanks to Tyler Hudak from KoreLogic, who noticed that the above HTML is copy-pasted from SET, the Social-Engineer Toolkit.

Also, the following link points to one known infection artifact:

hxxp://name.domain.org/nickname/set/Signed_Update.jar

Domains

The following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious.

java.serveblog.net
agaliarept.com
frejabe.com
grannegral.com
plushbr.com
xmailliwx.com
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)

Infection artifacts

MD5                               Filename
61d33dc5b257a18eb6514e473c1495fe  AwgXuBV31pGV.eXe
b5ada760476ba9a815ca56f12a11d557  EL ARTE DE LA GUERRA.exe
d6c112d951cb48cab37e5d7ebed2420b  Hermosa XXX.rar
df2889df7ac209e7b696733aa6b52af5  Hermosa XXX.pps.rar
e486eddffd13bed33e68d6d8d4052270  Hermosa XXX.pps.rar
e9b2499b92279669a09fef798af7f45b  Suntzu.rar
f7e23b876fc887052ac8e2558f0d6c38  Hot Brazilian XXX.rar
b26d1aec219ce45b2e80769368310471  Signed_Update.jar

Traces on infected machines

Creates the file Java Update.lnk pointing to appdata/Jre6/java.exe

Malware is installed in appdata/MicroDes/

Running processes

Creates task Microsoft_up
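The indicators above (domains, MD5s, the startup link, the %APPDATA% folders and the scheduled task name) can be checked offline against host and network data. The script below is an added example, not code from Kaspersky Lab or the original post; the indicator values come from the post, while the DNS log format, the file and task listings and all sample inputs are constructed for the demo.

```python
"""Offline IoC checks for the Machete indicators listed above.

Added example, not code from Kaspersky Lab or the original write-up. The
domains, MD5s, filenames and host traces come from the post; the log format,
the listings and every sample input below are constructed for the demo.
"""
import hashlib

# Domains listed under "Domains" (grannegral.com was listed twice; kept once)
MACHETE_DOMAINS = {
    "java.serveblog.net", "agaliarept.com", "frejabe.com", "grannegral.com",
    "plushbr.com", "xmailliwx.com", "blogwhereyou.com",
}

# Infection artifacts: MD5 -> filename, as listed in the post
MACHETE_MD5 = {
    "61d33dc5b257a18eb6514e473c1495fe": "AwgXuBV31pGV.eXe",
    "b5ada760476ba9a815ca56f12a11d557": "EL ARTE DE LA GUERRA.exe",
    "d6c112d951cb48cab37e5d7ebed2420b": "Hermosa XXX.rar",
    "df2889df7ac209e7b696733aa6b52af5": "Hermosa XXX.pps.rar",
    "e486eddffd13bed33e68d6d8d4052270": "Hermosa XXX.pps.rar",
    "e9b2499b92279669a09fef798af7f45b": "Suntzu.rar",
    "f7e23b876fc887052ac8e2558f0d6c38": "Hot Brazilian XXX.rar",
    "b26d1aec219ce45b2e80769368310471": "Signed_Update.jar",
}

# Host traces from "Traces on infected machines" (compared case-insensitively)
TRACE_LINK = "java update.lnk"
TRACE_DIRS = {"microdes", "jre6"}      # appdata/MicroDes and appdata/Jre6
TRACE_TASK = "microsoft_up"


def matched_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for domain in MACHETE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_dns_log(lines):
    """Scan DNS query log lines (constructed format: '<ts> <client> <qtype> <qname>').

    Returns a list of (line_number, matched_domain) for queries to listed domains.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue            # skip malformed lines rather than crash
        domain = matched_domain(fields[3])
        if domain:
            hits.append((number, domain))
    return hits


def md5_of(data):
    """MD5 hex digest of file contents (MD5 only because the published IoCs are MD5)."""
    return hashlib.md5(data).hexdigest()


def lookup_md5(digest):
    """Return the artifact filename for a known MD5, or None."""
    return MACHETE_MD5.get(digest.lower())


def check_host_artifacts(startup_links, appdata_dirs, scheduled_tasks):
    """Compare startup link names, %APPDATA% subfolders and task names against the traces."""
    findings = []
    for name in startup_links:
        if name.lower() == TRACE_LINK:
            findings.append(("startup_link", name))
    for folder in appdata_dirs:
        if folder.strip("\\/").lower() in TRACE_DIRS:
            findings.append(("appdata_dir", folder))
    for task in scheduled_tasks:
        if task.lower() == TRACE_TASK:
            findings.append(("scheduled_task", task))
    return findings


# --- constructed sample inputs (not real telemetry) ---
SAMPLE_DNS_LOG = [
    "2014-08-20T02:31:07Z 10.0.0.5 A www.example.com",
    "2014-08-20T02:31:09Z 10.0.0.5 A cdn.grannegral.com",
    "2014-08-20T02:31:12Z 10.0.0.7 A mail.example.org",
    "2014-08-20T02:31:15Z 10.0.0.5 A java.serveblog.net",
    "2014-08-20T02:31:20Z 10.0.0.9 A notgrannegral.com",   # must not match
]
SAMPLE_STARTUP_LINKS = ["OneDrive.lnk", "Java Update.lnk"]
SAMPLE_APPDATA_DIRS = ["Microsoft", "MicroDes", "Jre6"]
SAMPLE_TASKS = ["Adobe Flash Player Updater", "Microsoft_up"]

if __name__ == "__main__":
    print("DNS hits:", check_dns_log(SAMPLE_DNS_LOG))
    print("Host traces:", check_host_artifacts(SAMPLE_STARTUP_LINKS,
                                              SAMPLE_APPDATA_DIRS, SAMPLE_TASKS))
    print("Known hash:", lookup_md5("B26D1AEC219CE45B2E80769368310471"))
```

The domain match is a suffix match on a dot boundary, so subdomains of a listed domain are flagged while look-alikes such as notgrannegral.com are not; the host checks are case-insensitive because NTFS names are.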

Human part of "Machete"

Language

The first piece of evidence is the language used by both the victims and the attackers: Spanish.

The victims are all Spanish speaking according to the filenames of the stolen documents.

The language is also Spanish for the operators of the campaign; all the server-side code is written in this language: reportes, ingresar, peso, etc.

Conclusion

The "Machete" discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks have become part of the cyber arsenal of many nations around the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.

Kaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.

Note: A full analysis of the Machete attacks is available to the Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com

U.S. Nuclear Regulator Hacked Three Times in Three Years

Threatpost for B2B - Tue, 08/19/2014 - 15:01
Hackers hit the U.S. Nuclear Regulatory Commission (NRC) three separate times over the past three years.

Close to All Facebook Outbound Notification Emails Encrypted

Threatpost for B2B - Tue, 08/19/2014 - 13:00
Facebook published numbers today that demonstrate the pervasiveness of encryption on the web; the social network said 95 percent of its notification emails are encrypted with Perfect Forward Secrecy, up from 29 percent in May.

APT Gang Branches Out to Medical Espionage in Community Health Breach

Threatpost for B2B - Tue, 08/19/2014 - 10:29
The Community Health Systems data breach has been tied to a Chinese APT gang that has branched out to medical espionage, stealing patient data in an effort to target intelligence on medical device development.

Pro-Syrian Malware Increasing in Number, Complexity

Threatpost for B2B - Mon, 08/18/2014 - 15:48
Malware deployed against activists in Syria is increasing as the groups deploying these remote access tools become more sophisticated and utilize more complex tactics.

Microsoft Yet to Deliver Fix for Faulty Patch Tuesday Update

Threatpost for B2B - Mon, 08/18/2014 - 15:07
Microsoft said it is still working on a fix for a broken patch released last Patch Tuesday that is causing Blue Screens of Death and system crashes.

Siemens Patches DoS Vulnerability in SIMATIC S7 PLC

Threatpost for B2B - Mon, 08/18/2014 - 14:15
Siemens released an update for its SIMATIC S7-1500 CPU last week, patching a denial of service vulnerability in the programmable logic controller.

New Attack Binds Malware in Parallel to Software Downloads

Threatpost for B2B - Mon, 08/18/2014 - 12:21
Open source software distribution systems that lack security processes and integrity checks are prone to a new attack that binds malware to a download without modifying the original application.

ZeroLocker won't come to your rescue

Secure List feed for B2B - Mon, 08/18/2014 - 11:16

In recent times we've been seeing a lot of file-encrypting ransomware activity.

One of the new ones we've seen pop up in the last couple of weeks is called ZeroLocker. There are indications that the C&C configuration contains errors that would prevent successful decryption. This is why we urge people not to pay up, even more so than normal.

So far we've observed a limited number of detections through our Kaspersky Security Network. The actors behind ZeroLocker initially ask for $300 worth of BTC to decrypt the files. This goes up to $500 and $1000 as time passes:

ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware, ZeroLocker encrypts virtually all files on the system rather than a set of pre-defined file types. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words "Windows", "WINDOWS", "Program Files", "ZeroLocker" or "Desktop". The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe.

Though there's a Bitcoin wallet hardcoded inside the binary, the malware tries to fetch a new wallet address from the C&C. This is most likely done to make it more difficult to trace how successful the operation is and where the money goes.

We've gathered several Bitcoin wallet addresses and at the time of writing none had any transactions associated with them. As the C&C server is providing the Bitcoin wallet information it's possible the attackers are able to use a unique wallet for each victim.

The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible. After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.

Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information. That means victims who pay up may likely not see their files restored.

Several other URLs that the malware tries to get result in 404s as well, which indicates this particular operation may still be in its infancy. When those errors are fixed we may see ZeroLocker deployed on a larger scale. These operations rely on people paying up. Don't do it. Make sure you have backups instead.
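When responding to an infection like this one, the file-selection rules described above tell you which files were never touched and are recoverable as-is. The triage script below is an added example, not code from Kaspersky Lab or the original post; the .encrypt extension, the 20MB limit, the skipped directory words and the persistence path come from the post, while the listing format and all sample entries are constructed.

```python
"""Scope triage for a ZeroLocker-style infection, based on the rules in the post.

Added example, not Kaspersky Lab code. Rules (.encrypt extension, 20 MB limit,
skipped directory words, persistence path) are from the post; the listing
format and every sample entry are constructed.
"""
import ntpath

ENCRYPTED_EXT = ".encrypt"
SIZE_LIMIT = 20 * 1024 * 1024  # files above 20 MB are left alone
# Directory-name fragments the malware skips. "Windows" and "WINDOWS" are both
# listed in the post, so the match is treated as case-sensitive here.
SKIPPED_DIR_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
PERSISTENCE_PATH = r"C:\ZeroLocker\ZeroRescue.exe"


def is_encrypted(path):
    """True if the file carries the extension the malware appends."""
    return path.lower().endswith(ENCRYPTED_EXT)


def would_skip(path, size):
    """True if the described rules would leave this file untouched."""
    if size > SIZE_LIMIT:
        return True
    directory = ntpath.dirname(path)   # Windows paths, even when run on Linux
    return any(word in directory for word in SKIPPED_DIR_WORDS)


def triage(listing):
    """listing: iterable of (windows_path, size_in_bytes).

    Splits files into those carrying .encrypt, those the rules would spare
    (recoverable as-is; verify these first) and those that are neither, which
    deserve a closer look (not yet reached, or behaviour that differs from the
    post's description).
    """
    result = {"encrypted": [], "spared": [], "unexplained": []}
    for path, size in listing:
        if is_encrypted(path):
            result["encrypted"].append(path)
        elif would_skip(path, size):
            result["spared"].append(path)
        else:
            result["unexplained"].append(path)
    return result


def persistence_present(listing):
    """True if the boot-time launcher path reported in the post is in the listing."""
    target = PERSISTENCE_PATH.lower()
    return any(path.lower() == target for path, _ in listing)


# Constructed sample listing (path, size in bytes); not from a real machine
SAMPLE_LISTING = [
    (r"C:\Users\ana\Documents\budget.xlsx.encrypt", 48_000),
    (r"C:\Users\ana\Pictures\holiday.jpg.encrypt", 2_100_000),
    (r"C:\Users\ana\Desktop\notes.txt", 1_200),           # Desktop is skipped
    (r"C:\Users\ana\Videos\lecture.mp4", 600_000_000),    # over 20 MB
    (r"C:\Program Files\Tool\tool.exe", 3_000_000),
    (r"C:\Windows\System32\calc.exe", 900_000),
    (r"C:\ZeroLocker\ZeroRescue.exe", 250_000),           # persistence binary
    (r"C:\Users\ana\Documents\draft.docx", 30_000),       # should have been hit
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for bucket, paths in summary.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("persistence binary present:", persistence_present(SAMPLE_LISTING))
```

Files in the "spared" bucket are the ones to copy off first; the "unexplained" bucket flags plain files in locations the malware should have reached, which either means it had not finished or that the sample in hand behaves differently from the one described.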

We detect current ZeroLocker samples as Trojan-Ransom.MSIL.Agent.uh.

The Syrian Malware House of Cards

Secure List feed for B2B - Mon, 08/18/2014 - 04:00


Introduction

The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.

The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using various techniques to hide and operate malware, in addition to proficient social engineering tricks that deliver malware by tempting victims into opening and launching malicious files. The malware files were found on activist sites and social networking forums; other files were also reported by local organizations like CyberArabs and Technicians for Freedom.

The full report detailing the attacks and related activities can be found here.

A glance at what was discovered

The number of attacks and malicious files being distributed is constantly increasing as the attackers become more organized and proficient. The samples are all based on Remote Administration Trojan tools (RATs).
The number of malicious files found: 110
The number of domains linked to the attacks: 20
The number of IP addresses linked to the attacks: 47

The National Security Program - what the malware attacks look like

Masquerading as a reportedly "Government leaked program" that has the names of all wanted people in Syria, the National Security Program conceals a full featured RAT client to steal all sorts of information under one of its buttons.

برنامج الأمن الوطني.exe (The national security program)

Using shockingly disturbing videos to distribute malware

A disturbing video showing injured victims of recent bombings was used on YouTube to appeal to people's fear and prompt them to download a malicious application available on a public file sharing website. After initial analysis, the file named "فضائح.exe" (Scandals.exe) proved to be heavily obfuscated with the commercial utility "MaxToCode" for .NET in order to avoid early detection by antivirus solutions.

Did you install your "Ammazon" Security Suite?

If you thought the era of fake antiviruses was over, here comes this newly developed Syrian sample to challenge your beliefs. With the innocent title of "Ammazon Internet Security", this malicious application tries to mimic a security scanner, even including a quite thorough graphical user interface and some interactive functionality.

Your "Ammazon" is now secure, what about the rest of your network?

Total Network Monitor, a legitimate application, was found inside another sample, bundled with embedded malware for spying purposes. Offering security applications to protect against surveillance is one of the many techniques used by malware-writing groups to get users desperate for privacy to execute these dubious programs.

Instant messaging, instant infection

It's also the case with other samples, where social engineering does all the heavy work. Instant messaging applications for desktop operating systems have been used in the past to spread malware and it seems Syrian malware authors have jumped on the bandwagon.

Beware of Chemical Attacks

Another of the attacks using social engineering tricks, the sample named Kimawi.exe (Arabic for Chemicals) with a JPG icon, is a RAT file bound to the image Kimawi.jpg. The picture is a previously leaked paper supposedly from the regime in Syria warning military units to prepare for Chemical Attacks. The file is being sent by email to selected victims.

FAQ

What is new?

The threat actors are becoming more organized, the number of attacks is increasing and the samples being used are becoming more sophisticated, while also relying extensively on powerful social engineering tricks that many people fall for.

Where are the victims and the attackers?

The victims infected when accessing the hacked forums and social networking sites tend to be ordinary users or activists, or specific targets if they receive the malware via email, Skype, or messages on social networking sites.

The victims are also located outside Syria. We have seen victims of Syrian-based malware in:

  1. Turkey
  2. Saudi Arabia
  3. Lebanon
  4. Palestine
  5. United Arab Emirates
  6. Israel
  7. Morocco
  8. France
  9. United States

The attackers' command and control centers were tracked to IP addresses in Syria, Russia, Lebanon, the US and Brazil.

How many have fallen victim?

We believe the number of victims exceeds 10,000, with some of the files being downloaded more than 2000 times.

The attackers' malware samples and variations have increased dramatically from only a few in Q1 2013 to around 40 in Q2 2014.

What is the impact on victims?

Remote Administration Trojan tools are used to fully compromise the victims' devices. RATs are capable of stealing user credentials in addition to activating camera and microphone functionality...

Are users protected?

Kaspersky detects and blocks all the samples that have been found. They are detected as follows:

  • Trojan.MSIL.Zapchast
  • Backdoor.Win32.Bifrose
  • Backdoor.Win32.Fynloski
  • Backdoor.Win32.Xtreme

More details and analysis of the attacks and malware samples can be found in the full report here.


Further reading

If you'd like to read more on the subject, CitizenLab and EFF have published several other good analyses of related malware and attacks:

Supermarkets Nationwide Affected by Albertsons, SUPERVALU Data Breach

Threatpost for B2B - Fri, 08/15/2014 - 13:27
Albertsons and SUPERVALU, the second and third largest grocery store chains in the U.S., yesterday announced that customer payment information was exposed in a month-long data breach earlier this summer.

Cridex Malware Takes Lesson From GameOver Zeus

Threatpost for B2B - Fri, 08/15/2014 - 10:05
Researchers have now identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Google Fixes 12 Vulnerabilities in Chrome 36

Threatpost for B2B - Fri, 08/15/2014 - 09:23
Google patched its Chrome browser this week, fixing 12 vulnerabilities including both a serious information disclosure bug and a use-after-free vulnerability that could let users obtain potentially sensitive information and execute arbitrary code.