Feed aggregator

Venafi to Launch Certificate Transparency Log

Threatpost for B2B - Tue, 01/27/2015 - 10:25
Three weeks after the first non-Google public log for Certificate Transparency was launched by DigiCert, officials at Venafi said that the company plans to debut its own public CT log. On Jan. 1 Google approved the use of DigiCert’s log, the first CT log that is independent and not operated by Google. As part of […]

Analysis of Flash Zero Day Shows Layers of Obfuscation

Threatpost for B2B - Tue, 01/27/2015 - 08:56
The Flash zero day that made its way into the Angler exploit kit was wrapped in multiple layers of obfuscation and has the ability to inject its malicious payload straight into users’ browsers. In the last week, since the news broke of the Adobe Flash zero-day flaw appearing in the Angler kit, security researchers have […]

Comparing the Regin module 50251 and the "Qwerty" keylogger

Secure List feed for B2B - Tue, 01/27/2015 - 06:00

On January 17, 2015, Spiegel.de published an extensive article based on documents obtained from Edward Snowden. At the same time, they provided a copy of a malicious program codenamed "QWERTY" (http://www.spiegel.de/media/media-35668.pdf), supposedly used by several governments in their CNE operations.

We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.

Analysis

The Qwerty module pack consists of three binaries and accompanying configuration files. One file from the package, 20123.sys, is particularly interesting.

The "20123.sys" file is the kernel-mode part of the keylogger. As it turns out, it was built from source code that can also be found in one Regin module, the "50251" plugin.

Using a binary diff it is easy to spot a significant part of code that is shared between both files:

Most of the shared code belongs to the function that accesses the system keyboard driver:
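The kind of shared-code comparison described here can be approximated without a dedicated diffing tool by comparing the sets of byte n-grams of two files and merging consecutive matching windows into regions. The following Python script is an added example, not Kaspersky's tooling and not code from Regin or QWERTY; the two "binaries" it compares are constructed in the script from a fixed seed so that they share one 300-byte region at different offsets, standing in for the shared keyboard-driver function.

```python
import random
from typing import List, Set, Tuple

# Constructed sample "binaries": two byte blobs that share one 300-byte region
# at different offsets. They are generated from a fixed seed and are not the
# real Regin or QWERTY files.
_rng = random.Random(20150127)


def _rnd(n: int) -> bytes:
    """Deterministic pseudo-random filler bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SHARED_FUNC = _rnd(300)
# Fixed bytes on either side of the shared region make sure the windows that
# straddle its boundaries differ between the two samples.
SAMPLE_A = _rnd(499) + b"\x00" + SHARED_FUNC + b"\x00" + _rnd(199)  # shared region at offset 500
SAMPLE_B = _rnd(119) + b"\xff" + SHARED_FUNC + b"\xff" + _rnd(899)  # shared region at offset 120


def byte_ngrams(data: bytes, n: int = 8) -> Set[bytes]:
    """All length-n byte windows of data, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_ratio(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the two files' n-gram sets (0.0 .. 1.0)."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def shared_regions(a: bytes, b: bytes, n: int = 8,
                   min_len: int = 32) -> List[Tuple[int, int]]:
    """Contiguous regions (offset, length) of a whose every n-gram also occurs in b.

    Consecutive matching windows are merged into one region; regions shorter
    than min_len are dropped so that chance n-gram collisions do not show up.
    """
    gb = byte_ngrams(b, n)
    regions: List[Tuple[int, int]] = []
    start = None
    for i in range(len(a) - n + 1):
        if a[i:i + n] in gb:
            if start is None:
                start = i
        elif start is not None:
            length = i - start + n - 1  # last matching window ends at i-1+n
            if length >= min_len:
                regions.append((start, length))
            start = None
    if start is not None:  # run reached the end of a
        length = len(a) - start
        if length >= min_len:
            regions.append((start, length))
    return regions


if __name__ == "__main__":
    print(f"shared n-gram ratio: {shared_ratio(SAMPLE_A, SAMPLE_B):.3f}")
    for off, ln in shared_regions(SAMPLE_A, SAMPLE_B):
        print(f"shared region in A at 0x{off:x}, {ln} bytes")
```

On real drivers this would be run over the code sections extracted with a PE parser, and the reported regions would then be disassembled side by side; the minimum region length filters out chance 8-byte collisions, and the Jaccard ratio gives a single similarity figure for triage.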

Most of the "Qwerty" components call plugins from the same pack (with plugin numbers 20121 – 20123); however, there is also one piece of code that references plugins from the Regin platform. One particular part of the code is used in both the "Qwerty" 20123 module and its Regin 50251 counterpart, and it addresses plugin 50225, which can be found in the virtual filesystems of Regin. Regin's plugin 50225 is responsible for kernel-mode hooking.

This is solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225.

As additional proof that both modules use the same software platform, we can look at the functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other Regin plugin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.

The reason why the two modules have different plugin IDs is unknown. This is perhaps because they are leveraged by different actors, each one with its own allocated plugin ID ranges.

Conclusions

Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work as part of the Regin platform. The QWERTY keylogger doesn't function as a stand-alone module; it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and the small chance that it could be duplicated by somebody without access to its source code, we conclude that the QWERTY malware developers and the Regin developers are the same, or are working together.

Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS, meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes these plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.

 

Appendix (MD5 hashes):

QWERTY 20123.sys:

0ed11a73694999bc45d18b4189f41ac2


Regin 50251 plugins:

c0de81512a08bdf2ec18cb93b43bdc2d
e9a43ea2882ac63b7bc036d954c79aa1

Researchers Link Regin to Malware Disclosed in Recent Snowden Documents

Threatpost for B2B - Tue, 01/27/2015 - 06:00
Kaspersky Lab has found shared code and functionality between the Regin malware platform and a keylogger described in recently disclosed Snowden documents.

The Syrian malware part 2: Who is The Joe?

Secure List feed for B2B - Tue, 01/27/2015 - 03:00
Introduction

Kaspersky Lab would like to alert users in the Middle East to new malware attacks being delivered through Syrian news and social networking forums. Malware writers are using multiple techniques to deliver their files and entice victims to run them, creating an effective infection vector. Relying mainly on social engineering, the attackers exploit victims' trust in social networking forums, their curiosity about news related to the conflict in Syria, their standing in Syria and their lack of cyber security awareness. Once the criminals infect a victim's computer, the attackers have full access to and control over the victim's devices.

In the first report on Syrian malware, Kaspersky Lab detailed many attacks being used in Syria to spy on users; that report covered attacks from different teams and many sources.

This post will follow up on one of the domains, seemingly the most active in the last period: thejoe.publicvm.com

The malware files were found on activist sites and social networking forums, some others were reported by regional organisations like CyberArabs.

Reports that mention "the Joe"
https://citizenlab.org/2013/06/a-call-to-harm/
https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf

Under the hood, all the files hide a full-featured variant of a RAT, a Remote Administration Trojan (Bitfrose/NjRAT/Shadowtech/Darkcomet...), capable of taking full control over victim machines and devices, monitoring every action and accessing all files. The thejoe.publicvm.com domain is related to many samples; here we will focus on the most important and alluring ones, which most probably collected the highest number of targeted victims, estimated in the thousands.

There are many factors and entities at play in this event; we will focus only on the malware and the facts found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research.

What is the information we had on theJoe?
What has the Joe been doing in the last period?
Who is the Joe?

What is the information we had on the Joe?

The Joe is one of the most active cyber criminals in Syria and the Middle East, targeting all types of users. The following is the information collected on the Joe and his activities.

Domain information "thejoe.publicvm.com"

The Joe is using a dynamic domain to be able to change his IP address and maintain anonymity:
The domain thejoe.publicvm.com has been seen using the following IP addresses located in Syria and Russia:

  • 31.9.48.146
  • 31.9.48.119
  • 31.9.48.146
  • 31.9.48.80
  • 31.9.48.78
  • 31.9.48.119
  • 31.8.48.7

TCP ports used in the attacks: 1234, 1177, 5522.

Malware information

From the malware samples collected, we were able to find strings in the code, from the Windows device used by the Joe.

Folder paths recovered from the malware files:

  • C:\Users\joe\Desktop\2014\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
  • C:\Users\joe\Desktop\Desktop\Syriatel\Syriatel\obj\Debug\Syriatel.pdb
  • C:\Users\joe\Desktop\NJServer\NJServer\obj\Debug\NJServer.pdb

YouTube Channel

The Joe is also using a fake YouTube channel where he posts social engineering videos with links to download malware.

http://www.youtube.com/channel/UCCdoQBw-a6dM15ZyhrsqW_w

The Channel is distributing malware files under the name "Lions of the revolution" or other...

What has the Joe been doing in the last period?

The Joe was busy in the last period. Below we display some of the most graphical and alluring samples collected by the Kaspersky Intelligence services and the Kaspersky Security Network (KSN cloud), detailing their functionality and how the Joe is able to use the situation in Syria to get users to open the files even if they suspect they are infected. The most targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. The number of victims is estimated at around 2000.

6 new stories:

  1. Let us fix your SSL vulnerability
  2. Now Let us clean your Skype!
  3. Did you update to the latest VPN version?
  4. Let's Check if your phone number is among the monitored numbers
  5. The Facebook account encryption application
  6. What's your favourite security product?

1 - Let us fix your SSL vulnerability

MD5 Hash: dc6166005db7487c9a8b32d938fec846
Filename: TheSSL.exe, SSL Cleaner.rar

Following up on the vulnerabilities in OpenSSL and the amount of news coverage they received, the cyber criminals are trying to profit from users' awareness of such news combined with their lack of knowledge about how the vulnerabilities could be fixed.

Demonstration video on the Heartbleed vulnerability + Link to download the "Fix" with infection



2 - Now Let us clean your Skype!

MD5 Hash: d6ab8ca6406fefe29e91c0604c812ff9
File Name: Skype.exe

Another social engineering trick used to lure victims into downloading and executing a malicious file: the Skype cleaner that will supposedly "protect and encrypt your Skype communications".


3 - Did you update to the latest VPN version?

MD5 Hash: 2e07e8622b4e997f6543fc0497452dad
File Name: VPN.exe

Psiphon is a legitimate application used around the world for anonymity protection; it is particularly effective and widely used in Syria by users who want to protect their traffic from snooping or interception. Here the application is bundled with malware and delivered to users as an updated version.


4 - Let's Check if your phone number is among the monitored numbers

MD5 Hash: ad9a18e1db0b43cb38da786eb3bf7c00
File Name: Syriatel.exe

Another one of the popular malware files poses as a tool for checking which mobile phone numbers are under surveillance, sorted by location, and is delivered to victims as a "leaked program".



5 - The Facebook account encryption application

MD5 Hash: efdaa73e0ac1b045d5f2214cadd77f09
File Name: Rooms.exe


6 - What's your favourite security product?

One of the latest files used to infect users is quite different: a binding of a Kaspersky Lab tool with malware. Developed by Kaspersky Lab, TDSSKiller is a powerful free tool that can detect and remove a specific list of rootkit malware families.

By bundling TDSSKiller with malware, the Joe uses the Kaspersky name to deliver his malware, in an attempt to lure victims into opening and trusting the files he is sending.

Who is "The Joe"

Hundreds of samples relating to the Syrian malware were analyzed. One of them extracts to multiple documents, and in one of those we found a metadata slip that led to some interesting information.

The metadata slip by the person using "Joe" as his nickname revealed his personal email, which, with further research, led to his other emails, full identity and social media pages...

On Facebook:

On LinkedIn:

Indicators of compromise

MD5 Hash | Name(s) used for the malware file | First Seen
f62cfd2484ff8c5b1a4751366e914613 | Adobe.exe, Reader.exe, Card.exe | Sept 2013
012f25d09fd53aeeddc11c23902770a7 | قائمة الأرهاب .zip ("list of terrorism"); file extracts to .JPG and malicious .SCR files | Jan 2014
89e6ae33b170ee712b47449bbbd84784 | قائمة الأرهاب .zip ("list of terrorism"); file extracts to .JPG and malicious .SCR files | Jan 2014
dc6166005db7487c9a8b32d938fec846 | TheSSL.exe (to "remove SSL weaknesses"), SSL Cleaner.rar | April 2014
62023eb959a79bbdecd5aa167b51541f | TheSSL.exe (to "remove SSL weaknesses"), SSL Cleaner.rar | April 2014
cc694b1f8f0cd901f65856e419233044 | Desktop.exe, Empty.exe, Host.exe | Mar 2014
d6ab8ca6406fefe29e91c0604c812ff9 | Skype.exe, Skypecleaner.exe | July 2014
2e07e8622b4e997f6543fc0497452dad | VPN.exe | Sept 2014
efdaa73e0ac1b045d5f2214cadd77f09 | Rooms.exe (to "encrypt your Facebook") | Nov 2014
39d0d7e6880652e58b2d4d6e50ca084c | Photo.exe | Nov 2014
abf3cfecd2e194961fc97dac34f57b24 | Ram.exe, Setup.exe | Nov 2014
a238f8ab946516b6153816c5fb4307be | tdskiler.exe (to "remove malware") | Jan 2015
6379afd35285e16df4cb81803fde382c | Locker.exe (to "encrypt/decrypt" files) | Jan 2015

Kaspersky Lab detects all malicious files used in the attacks.
All files are actively being used by the cybercriminals at the time of this report.
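The indicators given in this post (the file hashes, the PDB paths recovered from the samples, the dynamic DNS domain with its IP addresses, and the TCP ports) can be turned into a simple host and network sweep. The following Python script is an added example and not Kaspersky Lab's detection logic: the key=value log format it parses, the sample log lines and the file blob are constructed for the example, and its PDB check is generalised to any .pdb path under a C:\Users\joe\ profile rather than only the three exact paths quoted above.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Indicator values below are the ones listed in this report. The log lines and
# the file blob at the bottom are constructed test data, not real captures.
MD5_INDICATORS: Dict[str, str] = {
    "f62cfd2484ff8c5b1a4751366e914613": "Adobe.exe / Reader.exe / Card.exe",
    "012f25d09fd53aeeddc11c23902770a7": "list of terrorism .zip",
    "89e6ae33b170ee712b47449bbbd84784": "list of terrorism .zip",
    "dc6166005db7487c9a8b32d938fec846": "TheSSL.exe / SSL Cleaner.rar",
    "62023eb959a79bbdecd5aa167b51541f": "TheSSL.exe / SSL Cleaner.rar",
    "cc694b1f8f0cd901f65856e419233044": "Desktop.exe / Empty.exe / Host.exe",
    "d6ab8ca6406fefe29e91c0604c812ff9": "Skype.exe / Skypecleaner.exe",
    "2e07e8622b4e997f6543fc0497452dad": "VPN.exe",
    "ad9a18e1db0b43cb38da786eb3bf7c00": "Syriatel.exe",
    "efdaa73e0ac1b045d5f2214cadd77f09": "Rooms.exe",
    "39d0d7e6880652e58b2d4d6e50ca084c": "Photo.exe",
    "abf3cfecd2e194961fc97dac34f57b24": "Ram.exe / Setup.exe",
    "a238f8ab946516b6153816c5fb4307be": "tdskiler.exe",
    "6379afd35285e16df4cb81803fde382c": "Locker.exe",
}

# Any PDB path under the "joe" profile, a generalisation of the three exact
# paths quoted in the report.
PDB_RE = re.compile(rb"C:\\Users\\joe\\[^\x00]*?\.pdb", re.IGNORECASE)

C2_DOMAIN = "thejoe.publicvm.com"
C2_IPS = {"31.9.48.146", "31.9.48.119", "31.9.48.80", "31.9.48.78", "31.8.48.7"}
C2_PORTS = {1234, 1177, 5522}

# Assumed log format (constructed for this example): key=value fields, with an
# optional host= field when the proxy or DNS layer resolved a name.
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)(?:\s+host=(?P<host>\S+))?")


def lookup_md5(digest: str) -> Optional[str]:
    """Return the file name(s) the report associates with a known MD5, else None."""
    return MD5_INDICATORS.get(digest.strip().lower())


def scan_blob(data: bytes) -> List[str]:
    """Host-side checks on a file's contents: known hash and embedded PDB paths."""
    findings: List[str] = []
    name = lookup_md5(hashlib.md5(data).hexdigest())
    if name:
        findings.append(f"md5 match: {name}")
    for m in PDB_RE.finditer(data):
        findings.append("pdb path: " + m.group(0).decode("latin-1"))
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Network-side checks. Returns (line number, confidence, reason) per hit.

    A destination IP or host from the report is a high-confidence hit; a bare
    port match is only low confidence because 1234/1177/5522 are not unique.
    """
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport, host = m.group("dst"), int(m.group("dport")), m.group("host")
        if host == C2_DOMAIN:
            hits.append((no, "high", f"host {host}"))
        elif dst in C2_IPS:
            hits.append((no, "high", f"dst {dst}"))
        elif dport in C2_PORTS:
            hits.append((no, "low", f"dport {dport} only"))
    return hits


# Constructed sample data: a fake PE-like blob carrying one of the PDB paths,
# and four log lines, two of which point at the report's infrastructure.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 32
               + rb"C:\Users\joe\Desktop\NJServer\NJServer\obj\Debug\NJServer.pdb"
               + b"\x00" + b"\x90" * 16)
SAMPLE_LOG = [
    "2015-01-20T09:14:02 src=10.0.0.12 dst=203.0.113.10 dport=443",
    "2015-01-20T09:15:40 src=10.0.0.12 dst=31.9.48.146 dport=1177",
    "2015-01-20T09:16:11 src=10.0.0.7 dst=10.0.0.1 dport=1234",
    "2015-01-20T09:17:55 src=10.0.0.9 dst=31.9.48.80 dport=5522 host=thejoe.publicvm.com",
]

if __name__ == "__main__":
    print(scan_blob(SAMPLE_BLOB))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the domain is dynamic DNS, the IP list will go stale; the host= match and the PDB string match are the indicators that survive an address change, which is why the port-only match is reported separately at low confidence rather than dropped.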

Conclusion

Syrian malware has a strong reliance on social engineering and the active development of malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected carefully; and this is one of the main reasons for urging Syrian users to be extra vigilant about what they download and to implement a layered defense approach. We expect these attacks to evolve both in quality and quantity.

For more details, please contact: intelligence@kaspersky.com

Thunderstrike Patch Slated for New OS X Build

Threatpost for B2B - Mon, 01/26/2015 - 14:06
In addition to patching the three Project Zero vulnerabilities disclosed last week, Apple is apparently readying a fix for the Thunderstrike boot attack as well, something that will purportedly rid all Macs running Yosemite of the issue.

Android Wi-Fi Direct Vulnerability Details Disclosed

Threatpost for B2B - Mon, 01/26/2015 - 13:40
Core Security disclosed details on an Android Wi-Fi Direct denial of service vulnerability after Google said it had no timeline to patch the issue. The two sides also disagreed on the severity of the flaw.

Google Engineer Explains Company’s Decision Not to Patch Bug in Older Android Versions

Threatpost for B2B - Mon, 01/26/2015 - 13:32
Google has taken quite a bit of heat in recent weeks for its decision not to patch a vulnerability in the WebView component of Android in older versions, leaving hundreds of millions of users exposed to potential attacks. Now, a Google engineer is explaining the company’s reasoning, saying that patching older versions of the OS […]

Adobe Begins Auto-Update Patching of Second Flash Player Zero Day

Threatpost for B2B - Mon, 01/26/2015 - 11:17
Adobe on Saturday began patching a zero-day vulnerability in Flash Player for auto-update users, exploits for which have been included in the notorious Angler Exploit Kit.

Marriott Fixes Simple Bug in Web Service That Could Expose Customer Data

Threatpost for B2B - Mon, 01/26/2015 - 10:21
Customer payment information and other data was made vulnerable by a flaw in the Marriott Web service used by the Android app as well as the Web site, a security researcher found. The vulnerability is the result of Marriott’s system failing to use any kind of authentication on requests, meaning that an attacker who knew […]

Siemens Fixes Web Vulnerability in SIMATIC PLC

Threatpost for B2B - Fri, 01/23/2015 - 13:45
Siemens has patched a web vulnerability in its SIMATIC PLC family of products that could have led unsuspecting users to malicious sites.

Threatpost News Wrap, January 23, 2015

Threatpost for B2B - Fri, 01/23/2015 - 11:28
Dennis Fisher and Mike Mimoso talk about all of the zero days that were dropped this week on Adobe and Apple, the Oracle backdoor drama and the upcoming Kaspersky Security Analyst Summit in Cancun. Then, Dennis calls Brian Donohue to talk about the wonders of the Blackhat movie and Brian's dog makes a special appearance, too!

PHP 5.6.5 Released With Several Security Fixes

Threatpost for B2B - Fri, 01/23/2015 - 11:02
Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language. PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases. “Sapi/cgi/cgi_main.c in […]

Thousands of US Gas Stations Vulnerable to Remote Hacks

Threatpost for B2B - Fri, 01/23/2015 - 10:54
UPDATE: Thousands of U.S. gas stations contain internet-connected fuel gauges that don't require passwords and could be remotely shut down by hackers.

Unpatched Apple Vulnerabilities Latest Google Project Zero Disclosures

Threatpost for B2B - Fri, 01/23/2015 - 09:05
Three unpatched Apple OS X vulnerabilities were disclosed by Google's Project Zero research team. Project Zero discloses if a bug is not patched within 90 days of reporting it to the affected vendor.