At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Android.OS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.
The malware displays a localized message from the police!
It has customized messages for the following countries:Australia
As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.
In this post, instead of focusing on the mobile application itself – we highlight some details at the end – we want to shed light on its distribution infrastructure. An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and what we think is an "Angler" exploit kit distribution network.
The diagram below illustrates the bigger picture of the infrastructure used.
The main findings can be summarized as follows:
- Distribution: TDS (Traffic Distribution System)
- Main controller: video-sartex.us (TDS Controller)
- Malicious porn sites (redirector): 49 domains detected
- Exploit kit websites: 700+ URLs (200+ domains)
- Browser-based screen-lock domains: 49 domains detected
- Mobile infection domain: video-porno-gratuit.eu
- Mobile Current C2: policemobile.biz.
- Traffic: almost 200,000 visitors to the mobile infection domain
- 80% of visitors from the US
The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.
With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.
This suggests the attackers could expand their campaign in the near future.Mobile payload distribution
The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.
All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.
When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.
We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:
According to the same stats, we see that the campaign started and reached peak activity in April 2014.Redirectors: The malicious porn network
The pornographic sites of the network are not compromised sites. They all look the same, have the same HTML infrastructure and don´t provide their own pornographic material.
We identified a total of 48 domains in this porn redirecting network.
Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.
All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.
Basically, all the porn sites redirect to the "controller" domain videosartex.us.
Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.
If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.
In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.Non-mobile payloads
During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:
- The request contains no Internet Explorer user agent.
- The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.
In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.
The following images are examples of the headers used in the ransomware pop-ups:
The redirection infrastructure used in this campaign contained one final surprise; redirecting visitors using Internet Explorer to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.
The following is an example of such a redirection:
We detected more than 200 domains used for hosting this exploit kit.
During our analysis, the exploit code was not fully functional and it didn´t deliver any payload.Conclusions
Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.
Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.
We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.
A couple weeks ago, my colleague Mikhail K posted on the "versatile linux DDoS trojan", with analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.
Let's explore some additional offensive details of this crew's activity in the past week. In general, the DDoS trojans are being distributed to fire on victim profiles that seem to indicate purely cybercrime activity. We have not heard from the site owners themselves of the DDoS targets, just the compromised sites. These victims have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and mis-used. It's also interesting that operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted here were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes a couple recent Linux escalation of privilege exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive sql tools, multiple webshell and two new variants of the "versatile bots", the udp-only "xudp" code being the newer of the two:
But first, how are they getting in to EC2 instances and running their linux DDoS bots from the cloud? They are actively exploiting a known, recent elasticsearch vulnerability in all versions 1.1.x (cve-2014-3120), which happens to still be in active commercial deployment for some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release, which was released a couple of days ago. Dynamic scripting is disabled by default, and other features added to help ease the migration. From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks. The attackers re-purpose known cve-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.
Gaining this foothold presents the attacker with bash shell access on the server. The script "pack.pl" is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack:
Hosted on the same remote server and fetched via the perl webshell are the DDoS bots maintaining new encrypted c2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. But the one in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations ip addresses to those of an anti-DDoS solution. The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.
Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.
The Ransomware class is now based on so-called encryptors – Trojans that encrypt every kind of data that may be of value to the user without his or her knowledge. The data can include personal photos, archives, documents, databases (e.g., databases used in 1C:Enterprise software intended for automation of business activities), diagrams, etc. In order to decrypt these files the criminals demand a payment – often a significant sum. CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and GpCode are some of the most notorious examples. There are also lots of lesser-known families that have spread in Russia and the CIS.
At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis showed that the Trojan had nothing in common with other known families and a number of features that suggested it was a completely new creation. Its name? CTB-Locker.
This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.
This encryption malware belongs to a new generation of ransomware. Its developers used both proven techniques 'tested' on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware. Specifically, hiding the command and control servers in Tor anonymity network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there.Description
The high-level algorithm used by the malicious encryptor is quite ordinary and is as follows:
- after launching, the malware copies its body to (CSIDL_COMMON_APPDATA) and adds the task to launch the file to the Task Scheduler;
- search all the fixed, removable and network drives for files matching a list of extensions (see Figure 1);
- encrypt the files found;
- display a window demanding ransom and containing a list of files that have been encrypted. The cybercriminals demand that the user pay ransom in Bitcoins (Figures 2, 3);
- set an image named AllFilesAreLocked.bmp as desktop wallpaper. The wallpaper informs the user that data on the computer has been encrypted (Figure 4).
So what sets this Trojan apart from dozens of similar malicious programs?The command server is located within the Tor anonymity network
The sample analyzed has a single static command server address, which belongs to the .onion domain zone.
However, this is a new development for ransomware. Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim's input, setting it apart from the others.
This brings us to another feature, which is unique among known malware.Unusual technical implementation of access to the Tor network
All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network's official website.
Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program's executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.
Figure 5. Pseudocode showing how launching the tor proxy thread is implemented
The code contained inside the thread_tor_proxy procedure is nearly all taken from open sources (Tor is an open-source project).
When connection to Tor has been established and a local tor proxy server has been set up at IP 127.0.0.1 (the port number varies from one infected machine to another and depends on the MachineGuid parameter), the global flag can_complete_circuit is set, which is later checked in the thread thread_post_unlock_data.
As soon as this happens, the malware establishes network communication with this local address, as shown in Figure 6.
Figure 6. Pseudocode showing how network communication with the tor proxy is implemented
A request sent by the malware to the server contains protected data required to decrypt the victim's files.
In response, the server returns data about the cost of unblocking the user's files in bitcoins and US dollars, as well as the address of the wallet to which the payment is to be made.
Compressing files before encryption
Figure 8. Data returned by the command server
None of the encryptors known before used compression technologies (with the exception of ACCDFISA, which simply adds files to a password-protected rar-sfx archive; however, in this case encryption and compression is not functionality implemented in a malicious program but simply utilization of a ready-made product – WinRAR).
In this aspect of its operation, Trojan-Ransom.Win32.Onion also shows considerable originality. Here is what it does:
- moves the victim's file to a temporary file using the MoveFileEx API function;
- reads temporary file from disk block-by-block;
- each block is compressed using Zlib, a freely distributed library (procedure deflate());
- after compression, each block is encrypted and written to disk;
- service information required for decryption is placed at the beginning of the resulting file;
- the encrypted file is given the .ctbl extension.
Cryptomalware most commonly uses a cryptographic scheme based on the AES+RSA combination. In this scheme, the server generates a pair of keys – rsa-public + rsa-private – for RSA, which is an asymmetric encryption algorithm. The private key, rsa-private, remains on the server, while rsa-public is sent to the malware. Next, the malware generates a new key – aes-key – for each of the victim's files, to be used by AES, a symmetric-key block algorithm. Each file is encrypted using AES, then its aes-key is encrypted using RSA (using the rsa-public key) and saved to the file.
Since the scheme uses asymmetric encryption, nobody can decrypt the file without having the rsa-private key, which never left the cybercriminals' server.
However, Trojan-Ransom.Win32.Onion has used an unusual approach yet again!
The sample uses the asymmetric cryptographic protocol known as ECDH – Elliptic curve Diffie–Hellman.Elliptic curve Diffie-Hellman
The original Diffie-Hellman algorithm (the so-called key exchange method or shared-secret protocol) was developed some time ago and published in 1976 by famed cryptographers Whitfield Diffie and Martin Hellman. A modification of the algorithm which uses elliptic curves was published later in 2000, in a Certicom Research article, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography.
A detailed description of the protocol is beyond the scope of this publication, so we are going to drop the details and describe the main principles that will be helpful in understanding how the malware operates.
- A pair of keys – private and public can be generated.
- The so-called shared secret can be generated from your private key and the other party's public key.
- If the two parties have exchanged public keys (the private keys are not exchanged!) and each has independently calculated the shared secret from the other party's public key and its own private key, both parties will get the same value.
- The resulting shared secret can be used as a key for any symmetric encryption algorithm.
The authors of Trojan-Ransom.Win32.Onion used an existing implementation of this cryptographic algorithm, a description of which is available on the Internet.
The high-level cryptographic scheme used by Trojan-Ransom.Win32.Onion is as follows.
- the malware generates the pair master-public (public key) + master-private (private key);
- master-private is sent to the server securely along with other data. It is not saved on the client (fact I);
- for each file to be encrypted, a new key pair is generated – session-public + session-private;
- the shared secret is calculated: session-shared = ECDH(master-public, session-private).
Encrypting a file belonging to the victim
- the file is compressed using the Zlib library;
- after being compressed with Zlib, each file is encrypted using AES, with the hash SHA256 (session-shared) used as the key;
- after encryption, the session-public key is saved in the file (fact II), while session-private is not saved (fact III);
- the shared secret calculated – session-shared – is not saved, either (fact IV).
Decrypting a file belonging to the victim
The Diffie-Hellman protocol is designed in such a way that the following equality is true:
ECDH(master-public, session-private) = session-shared = ECDH(master-private, session-public) (fact V)
The above equality defines the underlying principle on which the operation of Trojan-Ransom.Win32.Onion is based.
Provided that the Trojan has not saved session-private (see. fact III) and session-shared (see. fact IV), only one decryption method remains – calculating ECDH(master-private, session-public). This requires the master-private key (sent to the cybercriminals' server, see fact I) and session-public key (saved in the beginning of the encrypted file, see fact II). There are no other ways to decrypt the file, which means that the file cannot be decrypted without the master-private key.Securing connection with the command server
The key sent to the server might be intercepted, but unfortunately, this would not be sufficient to decrypt the victim's files. This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys.
- the malicious program's body contains the public key, network-server-public;
- when establishing a connection, the malware generates a new pair of keys: network-client-public + network-client-private;
- the malware calculates the shared secret network-shared = ECDH(network-client-private, network-server-public);
- the malware encrypts the data being sent using AES with SHA256(network-shared) used as the key;
- the public key network-client-public is sent to the server in an unprotected form (fact VI);
- the client keys, network-client-public + network-client-private, as well as the shared secret network-shared, are not saved (fact VII).
The cybercriminals have the key network-server-private and receive the key network-client-public from the client (see fact VI). As a result, they can decrypt the data received. To do this, they have to calculate network-shared = ECDH(network-client-public, network-server-private).
Without having network-server-private, this value cannot be calculated (see fact VII). As a result, unfortunately, intercepting traffic will not provide master-private, without which the victim's file cannot be decrypted.Propagation
The creators of the early versions of Trojan-Ransom.Win32.Onion had English-speaking users in view as their primary targets, so English was the only supported GUI language.
In the more recent versions, however, Russian also came to be supported in the Trojan's GUI along with English. The piece of malware also underwent some visual refurbishments, such as a countdown displayed to intimidate the user. The new Russian GUI and, more specifically, certain strings within the Trojans' body give us ground to assume that its creators are Russian speakers.
The analysis of how Trojan-Ransom.Win32.Onion penetrates victim computers has shown that it is different (once again) in this respect from most other encryptors that are active today. For many known ransomware programs, the main propagation vectors are spam messages with malware in an attachment, or brute forcing weak passwords and launching a file via remote administration tools.The propagation method
We established that the bot Andromeda (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family to the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including the command to download and launch an executable file. It is actually Joleee that downloads the encryptor to the infected computer.
Trojan-Ransom.Win32.Onion's propagation procedure is presented in the following flowchart.
Figure 9. Trojan-Ransom.Win32.Onion's propagation scheme
Below are the infection statistics as of July 20, 2014. Most attempted infections took place in the CIS, while there were individual cases recorded in Germany, Bulgaria, Israel, the United Arab Emirates and Libya.
Trojan-Ransom.Win32.Onion was detected in the following countries:Country Number of users attacked Russia 24 Ukraine 19 Kazakhstan 7 Belarus 9 Georgia 1 Germany 1 Bulgaria 1 Turkey 1 United Arab Emirates 1 Libya 1
Please note that the above numbers are provided for the verdict "Trojan-Ransom.Win32.Onion" only. The number of users attacked by the encryptor is in fact greater, as malicious packers with different verdicts are used to spread the malware. Unknown samples of the encryptor are also proactively detected by Kaspersky Lab products as "PDM:Trojan.Win32.Generic". This data is not included into the statistics above.Recommendations for staying safe Backup copies of important files
The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.
Backup procedures must be in place for any systems containing files of any appreciable importance. Even if no malware threats arise, remember – no one is completely secured against a commonplace hardware failure.Security solutions
Your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date.
Kaspersky Lab products detect this threat based on its signature with the verdict Trojan-Ransom.Win32.Onion.*. Unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.
In addition, Kaspersky Lab products incorporate the Cryptomalware Countermeasures technology which is capable of protecting user data even from unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them. The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.
Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.
More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).
From there, the dropper and component chain is the same they have used in the past. Successful exploitation drops "dw20.exe" (803e8f531989abd5c11b424d8890b407) --> "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications complete with their Comment Crew-like encoded wordpress site instructions that redirect the backdoor to the appropriate command and control server for further instruction.
Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".
We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.
Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:
Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.
In June, high-profile news events such as the FIFA World Cup and the situation in Ukraine were exploited by fraudsters to extract money and financial information from Internet users.
In the run-up to the Muslim holiday of Ramadan and Father's Day, English-language holiday-related spam offered a variety of themed products and services. The leading spam themes in June were adverts for various online dating services as well as offer for fuel cards and jewelry.The World Cup
In June, football fans around the world finally saw the World Cup get underway. Popular sporting events like the World Cup attract the attention not only of millions of spectators but also spammers and phishers. This year, the first fraudulent mailings exploiting the World Cup theme were first registered back in November, long before it began. In June, the attackers sent out phishing emails in Portuguese offering the chance to win tickets to the opening ceremony and other World Cup matches. To do this, the user was required to click a link (which was of course fraudulent) and enter his registration data and credit card information. The fake link was directly attached to a graphic file that was displayed when the user opened the message. The phishing pages were located on the free .tk domain – the national top-level domain for the Tokelau Islands (New Zealand). To convince the user that the email was legitimate, the spammers used the domains of the Visa payment system and FIFA in the sender address.
English-language spam in June was dominated by Father's Day, celebrated on the third Sunday of the month. The spammers sent out adverts for e-gadgets, replicas of designer goods and weapons from various ages trying to attract the recipient's attention with discounts, sales and low prices. In order to bypass spam filters, spammers inserted junk text at the end of the message – a quote from a literary work. They also used a popular short link service to mask the real address and redirect users to a spammer site. The name of the holiday was mentioned in the subject and text field of the email.
More secular holidays are exploited in spam than religious ones, but spammers never forget to provide users with appropriate promotional offers. The name of the Muslim holy Ramadan appears in spam traffic every year. This year was no exception: in June, we came across adverts for restaurants that contained references to Ramadan (as well as an invitation to come and watch broadcasts of World Cup matches). We also registered offers of IT services and services for sending out promotional text messages. Ramadan will continue until the end of July, and we expect the spammers will continue spreading messages exploiting this holiday.
The political events in Ukraine were again used by "Nigerian" scams for luring money from credulous users. This time, the author of the email presented himself as a personal assistant to a Ukrainian female politician who was among the first victims of the clashes in Kiev. As is usual with these types of letter, the deceased has left her assistant millions of dollars that have to be urgently transferred from Ukraine to the account of a foreign recipient. The assistant is promised a reward and a certain amount of money to cover any fees that may arise when transferring the money.
The same "Nigerian" scam is used from year to year, only the details change. However, we would like to remind you that all "Nigerian" offers to make you rich quick are merely scams to lure money from users.Online dating
A significant part of June's spam was adverts for dating services targeting different social and ethnic groups, including Muslims, Christians as well as elderly and married people.
In June, we registered emails and mass mailings spread on behalf of people who wanted to get acquainted, via the Internet, "for serious relationships or marriage". The offers involved not only traditional but also same-sex relations. Some "senders" had attached their photo and provided their email address or a link to their page on a dating service site (which was often a veiled advertisement of such services and the emails were most probably sent on behalf of non-existent members as bait). The senders described their appearance and interests and said they wanted to start correspondence. It was often stated that the recipient's address had been provided by a mutual friend or found on a social networking site or on another dating site, which was not necessarily true.
Spammers also sent out emails promising a partner that met absolutely any criteria (age, skin color, interests and so on) within three minutes of using their "Soulmate database". To use the service, the recipient had to send a text message to a short number. In addition to the money taken from the user's mobile account the spammers got access to his contact information, in particular to his phone number.
For those more interested in meeting people in person the spammers offered lessons in seducing women ("24 laws of attracting women"), and other tips for successful relationships.
One of the mailings contained an advert for a dating spam service. The spammers offered their assistance in creating and promoting (of course, with the help of mass mailings) a new dating site which would include users from many countries. The message included an email address and an ICQ number for communication.
There were a lot of jewelry-themed offers in June. Most of them were promotional and bonus offers from small jewelry stores, jewelry manufacturers and firms engaged in the production and cutting of diamonds. They offered the spam recipients the chance to participate in their business and provided the price list for their products.
Yet another popular theme in English-language spam was fuel cards for automatic payments at gas stations. This payment method is quite convenient for transportation companies with lots of vehicles routes that find it difficult to control the fueling process. Spam "middlemen" offer the recipients the chance to compare prices, choose the most favorable fueling company and sign a contract for a special fuel card. A specific feature of this sort of spam mass mailing was the fact that the links in the emails led to sites registered on recently created domains. And the sites are intended for calculating quotes only.
The percentage of spam in email traffic averaged 64.8%, which is 5 percentage points less than in May. The highest spam levels were seen during the second week of the month (65.8%), and the lowest levels were seen in the third week (63.5%).The geographical distribution of spam sources
Previously our statistical data on the sources of spam by country was based on the information received from spam traps in different countries. However, the spam from the traps differs from the spam received by common users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source and now with KSN (Kaspersky Security Network) we draw statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous month would be incorrect.
At the end of June 2014, the top three sources of spam around the world included the US (13.2%), Russia (7%) and China (5.6%).
Vietnam was in fourth place (5.3%) followed by Argentina (4.1%), Germany (3.7%), Spain (3.6%), Ukraine (3.2%) and Italy (2.9%).
The Top 10 was rounded off by India, which accounted for 2.8% of the world spam.Malicious attachments in email
The graph below shows the Top 10 malicious programs spread by email in June.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.
Second in June was Trojan-Downloader.MSWord.Agent.z. This malicious program appears in the form of the *.doc file with the embedded macros written in Visual Basic for Applications (VBA) which is executed on opening the document. The macro itself downloads and runs the malicious program.
In June, representatives of the Bublik family occupied third, fourth, fifth and seventh places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers.
Backdoor.Win32.Androm.elwa took sixth place. This malicious program is the modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot is expanded using a system of plugins that are loaded by the criminals in the necessary amount at any time.
The Email-Worm.Win32.Bagle.gt worm, which ranked eighth in June, sends itself to all of the email addresses it can find on the computer. Its main objective is to download and launch files from the Internet without the victims noticing. To spread infected messages, Worm.Win32.Bagle.gt uses its own SMTP library.
Trojan-Banker.Win32.ChePro.ilc. ended the month in ninth position. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Rounding off the Top 10 was Email-Worm.Win32.Mydoom.l, a network worm with backdoor functionality that is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also connects directly to the recipient's SMTP server.
In June, Germany saw a big surge in the number of antivirus detections and topped the rating (+8.17 percentage points) having pushed the UK off top spot.
Russian reentered the Top 20 at 13th place with 2.03% of all antivirus detections.
The UAE (+0.96 percentage points) bypassed Australia, Hong Kong and Vietnam in terms of antivirus detections, while Switzerland dropped out of the Top 20.
The percentage of email antivirus detections in other countries did not change much in June.Special features of malicious spam
The vacation season is gaining momentum: many people are still thinking over their holiday plans while those who have already decided where to go often self-book flight tickets and hotel accommodation. Besides the traditional seasonal increase of holiday spam, we have seen a growth in the number of fraudulent messages sent on behalf of various booking services, including international ones. These fake notifications appear in the form of a booking confirmation and usually contain malicious attachments imitating bills for a hotel reservation. Generally, the email includes the order number, the date of arrival/departure and the cost of the order. One of the most popular malicious programs used in the holiday spam in June was Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and sends it to a remote server. It can listen for network traffic, download and run other malicious programs, as well as disable some system applications such as the firewall.
In order to send malicious attachments, the fraudsters use not only fake notifications from major booking services, banks or online hypermarkets but also shops with more narrow specialization. For example, last month we came across a malicious mailing spread on behalf of an online pet store. The recipient was asked to download and print out the invoice for purchased goods. Should he have any questions, the email read, he could contact the support service of the pet store by clicking the link on its official website. Instead of the promised PDF file with the information about the purchase, the archive contained Trojan-Banker.Win32.Shiotob.c. This malware steals system information, user names and passwords from FTP and various sites when the user logins on to them.
Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers in June, with a slight drop of 0.2 percentage points from the previous month. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. Financial and payment organizations (11.6%) and Online stores (10.6%) declined by 1.2 and 1.5 percentage points respectively. The percentage of attacks targeting Telephone and Internet service providers fell by 0.1 percentage points leaving this category in fifth place in the rating.
The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
In June, the scammers sent out fake notices on behalf of the US corporation Electronic Arts that produces and sells video games. The phishers tried to access users' personal accounts in the online store Origin owned by the company. To deceive their victims, the attackers used an old trick of sending out an email saying the online store was going to enhance protection for their customer accounts and asked the recipients to confirm they were the owner of the account. In order to make the email look legitimate the fraudsters used the Origin logo, links to the official website of the company and the usual warning not to give the password from a personal account to anybody.
The proportion of spam in global email traffic in June dropped 5 percentage points and averaged 64.8%. This may be a seasonal decline as summer business activity decreases and many spam bots are disabled for the vacation season.
In June, high-profile political and sporting events were used by scammers to trick users. In the run-up to the FIFA World Cup, a huge event for football fans, phishers were trying to obtain banking information from users by asking them to participate in the competition to win tickets. "Nigerian" scammers again exploited the situation in Ukraine and asked for help to transfer non-existent millions.
In June, Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. This can be explained by the traditional growth in the activity of schoolchildren and students during the holidays, which is of course used by the fraudsters. Financial and payment organizations (11.6%) rounded off the Top 3 organizations most frequently targeted by phishers.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen imitating notifications from banks and online stores. The holiday season has brought an increase in the number of fake notifications from various booking services containing malicious attachments. Germany (16.4%) was the country with the highest proportion of email antivirus detections.
Recently Kaspersky Lab has contributed to an alliance of law enforcement and industry organizations, to undertake measures against the internet domains and servers that form the core of an advanced cybercriminal infrastructure that uses the Shylock Trojan to attack online banking systems around the globe.
Shylock is a banking Trojan that was first discovered in 2011. It utilizes man-in-the-browser attacks designed to pilfer banking login credentials from the PCs of clients of a predetermined list of target organizations. Most of these organizations are banks, located in different countries.
Kaspersky Lab products detect the Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock.
We detected this malware generically from the end of August 2011, as Backdoor.Win32.Bifrose.fly. Specific detection of this separate family was added in February 2012. Since then we have observed a very few detections – approximately 24,000 attempts to infect PCs protected by Kaspersky Lab products worldwide.
These are very modest numbers, especially in comparison with other infamous banking malware such as ZeuS, SpyEye, Carberp which have generated (and, in the case of some of them, such as ZeuS , still generate) tens or hundreds of thousands of detections. Of course, these numbers don't tell us everything about how widespread or effective Shylock is, because Kaspersky Lab "sees" only a part of the total number of PC users - only those who use our products.
Low popularity doesn't make Shylock less dangerous though. The set of malicious techniques it utilizes is no less dangerous than that used by other similar malware. It is able to inject its body in multiple running processes, has tools to avoid detection by anti-malware software, uses several plugins which add additional malicious functions aimed at bypassing anti-malware software, collects passwords for ftp-servers, spreads itself via messengers and servers, provides remote access to the infected machine, video grabbing and of course web injection.
This last function is used to steal online banking credentials by injecting fake data entry fields into the web page loaded in the victim's browser.
During the entire period we've seen two relatively big peaks in detection rate for this malware.
The first one was in November 2012 and the second one was in December 2013.
The geography of the November 2012 peak was as follows:United Kingdom Italy Poland Russian Federation Mexico Thailand Iran Turkey India Spain
The table above shows the top 10 countries wheremost attacks using the Shylock malware were registered. A little more than a year later, in December 2013, the picture had changed dramatically.Brazil Russian federation Vietnam Italy Ukraine India United Kingdom Belarus Turkey Taiwan
As these tables show, the criminals behind this malware definitely stopped paying so much attention to the developed e-money markets of the UK, Italy and Poland in favor of the actively developing markets of Brazil, Russia and Vietnam. It's slso interesting that both peaks happened in the late autumn to early winter period, a traditional high retail season in many countries around the world.
According to Europol data, this malware has infected more than 30,000 PCs worldwide. This is a big enough scale to cause huge financial damage, so the disruption of the Shylock backbone infrastructure is very good news.
And even better news is that the recent operation, coordinated by the UK's National Crime Agency (NCA), brought together partners from the law enforcement and the private sector, including – besides Kaspersky Lab – Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK's GCHQ (Government Communications Headquarters), to jointly combat the threat. We at Kaspersky Lab were glad to add our modest contribution to this operation. Global action brings positive results – an example being the operation targeting the Shylock malware.
Looking past the 23 Critical Internet Explorer remote code execution vulnerabilities being patched this month by MS14-037 that require immediate attention, most interesting is CVE-2014-2783, the Internet Explorer "Extended Validation (EV) Certificate Security Feature Bypass Vulnerability". The vulnerability itself, reported by Eric Lawrence of "Fiddler" fame, is applicable in a "corner case" situation and can lead to MiTM attacks.
Let's narrow down the complexity of the issue for everyone's sake. What is an "EV" certificate? Well, it's a special certificate that an organization or individual would pay extra money to a certificate authority like Verisign to create and then use to "secure" their communications. Sites using them are usually handled in a special manner by the major web browsers. The address bar turns green, a special rectangle is set around the address, or some other visual image assures the user that the connection is with the right web site and encrypted. Here is an example of a web browser presenting the green bar EV visualization, please click on the image for a closeup:
The related flaw being patched this month is a tricky one. Internet Explorer versions 7 through 11 all allow for wildcard subdomains with EV Certificates, which should never be allowed. Neither Certificate Authorities nor web browsers should allow for such a flaw, but their compliance is questionable. In the past, CAs like Diginotar, Comodo, Trustwave, TurkTrust, and currently the National Informatics Centre in India, all maintained incidents of major improprieties at the CA level.
So, coupled with this flaw in IE 7,8,9,10 and 11, attackers (whether or not they are state sponsored or more traditional cybercrime organizations) could set up sites with wildcard EV certs to spoof major web properties like at google, twitter, facebook and elsewhere, and steal data from sensitive communications there. The Certificate Authority infrastructure trust model continues to show major cracks as a flawed trust model, and this "corner case" simply enables more situations like it. Potential solutions like Convergence have not been seriously pushed. At the same time, cheers to Microsoft for patching and reporting on the two current issues.
Unfortunately, these sorts of issues find their way into software products all the time. Partly, they are very tricky to understand by QA teams and developers certainly need to narrow the scope of their projects. You can't automate this sort of test, and even if it is found, it is not assigned a severity of 5 or "showstopper" because it doesn't immediately disrupt operation of the product. So they can sit unaddressed in a product for four or five versions or more even if privately known. Only an exposure because of a security researcher's work or a major public incident might push it to the front of the priority list.
All of this discussion of corner cases lays down groundwork for further discussion of the "Internet of Things". Whenever there are cross-disciplinary approaches (like heavy mathmematics and communications, or internal network computing and automobiles) to solutions, there is an elevated risk of incident because of practical and theoretical issues. As the industry progresses, and as the startups generating IoT solution code are dealing with their own corner case issues, and as adoption and acquisitions move forward, IoT technologies will demonstrate on a larger scale that we are not learning from past mistakes.
Cybercriminals around the world have already started to point their guns and attacks at the new gTLDs, the 'generic Top Level Domains' approved by ICANN and offered by registrars to people interested in buying a new domain name. Recently we found malicious activities including malware and phishing pages registered in the top level domains .club, .berlin, .blue, .computer, .camera, .futbol, .link, .pink, .report, .travel, .vacations and .xyz.
The new gTDLS were recently approved by ICANN and registrars are already offering them as a solution to those bored with the traditional .com or .org and who want more possibilities when registering internet domains. You should be prepared to see websites like"funny.dance"or "joe.dentist"or even "my.creditcard".
According nTLDStats.com, more than 1.4 million domains have already been registered using these new gTLDs:
There are now more than 322 new top level domains granted by ICANN, among these the most popular are .xyz (designated at Feb. 2014), .berlin and .club (both designated in January 2014):
Brazilian phishers and domains squatters are particularly interested in these new gTLDs, already having registered several new domains using names of local brands such as banks, online stores, and credit card companies. For example:
These domains were registered with the intention of being used for phishing campaigns, so it comes as no surprise that the data registered in the respective "whois" databases is completely fake:
Malware is also involved. We're aware of bad guys hosting their exploit kits in such domains – the Nuclear Exploit Pack is currently using the .blue, .pink, .futbol, and .report gTLDs, as pointed out by security researcher Frank Denis.
But Brazilian bad guys aren't the only ones interested in the new gTLDs as English-speakers have showcased similar interests by already starting a fraudulent domain that sells coins for online games such as Fifa '14 and others.
Other phishers already started their phishing campaigns, even using older TLDs such as .travel (started in 2005). As you can see in the following abused domain that hosts a phishing page aimed at a Brazilian bank:
If you're a regular user, be aware of such links appearing in email messages or in social networks – they can be just as dangerous as others links. If you're a company, it's a great idea to start a brand monitoring process to insure that your company name or brand aren't being used in campaigns involving these new TLDs.
Kaspersky users are protected against all of these attacks.
In February 2014, an article was published on a popular Russian IT website under a curious title - Studying the BillGates Linux Botnet. It described a Trojan with sufficiently versatile DDoS functionality. The capability that we found the most interesting was the Trojan's ability to conduct DNS Amplification-type attacks. In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before.
The article also provided a link for downloading all of the Trojan's files (taken directly from an infected machine) - which is what we did.
The archive that we downloaded contained the following files, which, according to the author of the article, were all modules of the same Trojan:
The files cupsdd and cupsddh are detected by Kaspersky Lab products as Backdoor.Linux.Ganiw.a; atddd and the remaining files are detected as Backdoor.Linux.Mayday.f.
The archive with the files also contained a configuration file for cron - the Linux task scheduler. In this case, the utility is used by the Trojan as a means of getting a foothold in the system. The Trojan uses cron to perform the following tasks:
- Once a minute - terminate the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove, node24
- Approximately once in ninety minutes - terminate all of its processes: kysapd, atdd, skysapd, xfsdx, ksapd
- Approximately once in two hours - download all of its components to the /etc folder from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan's module, e.g., cupsdd), after deleting these files from the /etc folder
- Once in ninety minutes - relaunch all of its modules
- Every minute - purge system logs and bash command history and execute chmod 7777 [module_name]
During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron. Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system.Backdoor.Linux.Mayday.f (atddd)
The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. As mentioned above, Kaspersky Lab products detect it as Backdoor.Linux.Mayday.f. The files kysapdd, skysapdd, xfsdxd, ksapdd are almost exact copies of atddd - with one exception, which is discussed later in the text.
The backdoor starts its operation by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null
Next, atddd collects relevant information about the system, including:
- system version (by calling uname())
- number of CPU cores and their clock rates (taken from /proc/cpuinfo)
- CPU load (taken from /proc/stat)
- network load (data for interfaces with the "eth" prefix taken from /proc/net/dev)
The information listed above is stored in the g_statBase structure.
After this, the backdoor decrypts strings defining the C&C server's IP address and port number. The encryption algorithm used is very simple: an encrypted string is taken character-by-character, with 1 added to the ASCII code of a character if its number is odd and subtracted from it if the character's number is even. As a result, the string "3/3-2/4-269-85" yields the IP-адрес "188.8.131.52", while "2/:82" stands for port number "10991".
After this, atddd reads configuration file fwke.cfg, which is located in the same folder with the malicious program. Information from the config file is saved in the g_fakeCfg structure. If the file does not exist, the backdoor attempts to create it and store the following information in it:
1st line: 0 //flag, if 1 then begin attack, if 0 then terminate attack
2nd line: 127.0.0.1:127.0.0.1 //range of outgoing IP addresses
3rd line: 10000:60000 //outgoing port range for an attack
4th line: an empty line //domain name in the case of DNS flood (see below)
This information is subsequently sent to the C&C server and can be updated with a command from the C&C.
Next, the backdoor creates a new thread, CThreadTaskManager::ProcessMain(), in which commands to begin an attack and terminate an attack are put into the execution queue. After this, a new thread is created - CThreadHostStatus::ProcessMain(). In this thread, data on CPU and network load is updated every second and can subsequently be sent to the C&C server if requested.
After this, 20 threads are created, which read information from the task queue and, depending on the information read, launch an attack or terminate it. However, some of the threads may not be used in an attack if the relevant C&C command has a parameter (the number of threads to be used).
Then the malware enters an endless loop of processing messages from the C&C. After a connection with the C&C is established, information about system version and CPU clock rate, as well as data from the g_fakeCfg structure, is sent to the C&C every 30 seconds.
In response, the server should send 4 bytes, the first of which is the serial number of a command - from 1 to 4.
Next, if the command has parameters, the C&C sends another 4 bytes defining the amount of data that will be sent (i.e., the parameters). Then the parameters themselves are sent; their size should match the number from the previous C&C response.
About each command in greater detail:
- 0x01. Command to launch an attack. Parameters define the attack's type and the number of threads to be used. The attack type is defined by a byte which can take values from 0x80 to 0x84. This means that 5 attack types are possible:
- 0x80 - TCP flood. The destination port number is sent by the C&C in its response as a parameter. The source port range is defined in fwke.cfg. Each new request is sent from a new port within the range defined, in the ascending order of port numbers. The destination IP address is also defined in parameters.
- 0x81 - UDP flood. The same as 0x80, but UDP is used as the transport layer protocol.
- 0x82 - ICMP flood. Same as above, but via ICMP.
- 0x83, 0x84 - two DNS flood attacks. The only difference is the domain name sent in the DNS request. In the former case, the name is generated randomly, in the second, it is defined in a parameter (the fourth line in fwke.cfg). Essentially, both attacks are similar to 0x81, except that port 53 (the default port for the DNS service) is used as destination port.
- 0x02. Command to terminate an attack. The value in the first line of fwke.cfg is changed to 0 and the attack is terminated.
- 0x03. Command to update the file fwke.cfg. The response also includes a structure similar to g_fakeCfg, data from which is used to create the new fwke.cfg file.
- 0x04. Command to send the current command's execution status to the C&C server.
In addition to the above, the backdoor includes several empty methods (without any code), which have curious names: CThreadAttack::EmptyConnectionAtk, CThreadAttack::FakeUserAtk, CThreadAttack::HttpAtk. Apparently, the malware writer had plans to extend the malicious program's functionality, and this is a test version rather than a final version. The file cupsdd, which is discussed below, provides a confirmation of this.
The files kysapdd, skysapdd, xfsdxd, ksapdd are almost identical copies of atddd, with the exception that they contain different C&C server addresses: 184.108.40.206:10991, 220.127.116.11:10991, 18.104.22.168:10991 and 22.214.171.124:10991, respectively. The names of their configuration files are also different: fsfe.cfg, btgw.cfg, fake.cfg, xcke.cfg, respectively.
This means that, contrary to our expectations, the files atddd, kysapdd, skysapdd, xfsdxd, ksapdd are not modules of a single piece of malware but rather different copies of the same Trojan, each connecting to its own C&C server. However, this is not the most curious part of it by far.Backdoor.Linux.Ganiw.a (cupsdd)
Like the files described above, this file is a backdoor designed to carry out various types of DDoS attacks. However, cupsdd is significantly more feature-rich and sophisticated than its 'colleagues', although in places its code is very similar to that found in atddd.
The backdoor starts its operation by initializing the variables it needs from the string "126.96.36.199:30000:1:1:h:578856:579372:579888" (separator - ":"), which it first decrypts using the RSA algorithm. The string contains the following variables:
g_strConnTgt=188.8.131.52 - C&C server's IP address
g_iGatsPort=30000 - C&C server's port
g_iGatsIsFx=1 and g_iIsService=1 - flags used later
g_strBillTail=h - postfix for the name of the file that will be dropped (see below)
g_strCryptStart=578856, g_strDStart=579372, g_strNStart=579888 - pointers to RSA data (encrypted string and key)
Next, the malware drops and executes a file, which is located at offset 0xb1728 from the beginning of the original file and is 335872 bytes in size, provided that the file is not already running. The malware checks whether the file is running by trying to bind a socket to 127.0.0.1:10808. If the attempt is successful, it means that the file is not running, and it needs to be dropped and executed.
If the file is already running, its process, whose PID can be found in the file /tmp/bill.lock, is terminated (kill(pid, 9)). Then the file is dropped anyway, replacing the existing copy.
The name of the file that is dropped is generated from the name of the current file that is running + postfix from the variable g_strBillTail. In our case, the file was named cupsddh and was located in the same folder with the dropper.
After this, the current process forks and the child process calls the function system("/path/to/cupsddh"), which executes the file dropped.
Next, the function daemon(1, 0) is called, for the same purpose as in the case of the sample described above (atddd).
After this, the malware handles the situation if cupsdd was executed earlier and is currently active. For this purpose, it checks whether the file /tmp/gates.lock exists. If it does exist, the current process is terminated (exit(0)). If not, the file (/tmp/gates.lock) is created and the PID of the current process is written to it.
Then, if flag g_iIsService == 1, the backdoor sets itself to run at system startup by creating the following script named DbSecuritySpt in /etc/init.d/:
The malware also creates symbolic links to the script in /etc/rc[1-5].1/S97DbSecuritySpt
Next, the malware reads the configuration file conf.n (if it exists) from the same folder as the one in which cupsdd is located. The first 4 bytes of the file define the size of the data which follows. All the data is stored in the structure g_cnfgDoing.
Then the malware reads the file containing commands - cmd.n. The format is the same as in conf.n. The data is stored in the structure g_cmdDoing.
After this, the malware obtains all the necessary information about the system, including:
- The operating system's name and kernel version (e.g., Linux 3.11.0-15-generic), by calling uname()
- CPU clock rate, taken from /proc/cpuinfo
- Number of CPU cores, taken from /proc/cpuinfo, and CPU load, taken from /proc/stat
- Network load, taken from /proc/net/dev
- Hard drive size in megabytes, taken from /proc/meminfo
- Information about network interfaces, taken from /proc/net/dev
All the data is stored in the structure g_statBase.
Next, a new stream, CThreadTaskGates::ProcessMain, is created, in which the following commands are processed:
- 0x03. DoConfigCommand(). Update the configuration file conf.n.
- 0x05. DoUpdateCommand(). Start a new thread, CThreadUpdate::ProcessMain, in which update one of its components. The command accepts a number from 1 to 3 as a parameter. Each of the numbers is associated with one of the following strings:
1 - "Alib" - the file /usr/lib/libamplify.so
2 - "Bill" - the dropped module (cupsddh)
3 - "Gates" - the dropper (cupsdd)
Depending on the parameter, one of the malicious program's components is updated. An update is launched by sending 6 bytes containing the string "EF76#^" to the C&C server, followed by one of the strings described above (depending on the parameter).
The C&C responds by sending 4 bytes containing the length (in bytes) of the file that will be transferred next. Then the C&C transfers the file itself in 1024-byte packets.
First, the file is saved in the /tmp folder under a random name consisting of digits. Then, depending on the file that was received, the existing file cupsdd (or cupsddh) is replaced or the file is copied to /usr/lib/libamplify.so
Next, the temporary file is deleted from /tmp, and the chmod command is used to set 755 permissions for the resulting file. After this, in the case of updating cupsddh, the active process is terminated and the new file is launched. In the case of updating cupsdd, the final stage (starting from copying a file from /tmp) is carried out by cupsddh, to which the relevant command is sent.
- 0x07. DoCommandCommand(). Write a new command to cmd.n.
- 0x02. StopUpdate(). Close the current connection, which was established in order to update modules.
Next, the backdoor starts several threads, in which it simultaneously performs several additional operations:
- CThreadClientStatus updates the data on CPU and network load in the g_statBase structure every second.
- CThreadRecycle removes completed tasks from the queue.
- CThreadConnSender reads commands from the queue and passes them to the cupsddh module via a TCP connection with 127.0.0.1 on port 10808. In response it receives the status of their execution.
- CThreadMonBill checks whether the module cupsddh is running once every minute. If not, it drops and executes it again.
- CThreadLoopCmd reads commands from g_cmdDoing (the file cmd.n) and executes them using the call system(cmd).
Next, the main thread enters the loop of receiving and processing commands from the C&C server. There are two possibilities in this case, depending on the g_iGatsIsFx flag:
- If the flag is set (==1), the malware simply uses the new thread to send information about the system and the current configuration from g_cnfgDoing to the C&C and waits to receive commands in response, like the sample (atddd) described above;
- If the flag is not set, then the communication session is initiated by the C&C. In other words, the malware waits for the C&C to connect and begins to transfer the data mentioned above only when a connection has been established.
Commands received from the C&C are divided into two queues: either for execution in the current module (in the thread CThreadTaskGates described above) or for passing to the cupsddh module (thread CThreadConnSender).Backdoor.Linux.Ganiw.a (cupsddh)
The file is packed with UPX. After being unpacked, it calls daemon(1,0). It creates the file /tmp/bill.lock, in which it stores the PID of the current process. cupsddh stores system data in the structure g_statBase, which is identical to that used by cupsdd.
Next, it populates the structure g_provinceDns with the IP addresses of DNS servers converted to binary data in network byte order using the function inet_addr(), taking data from the string array g_sProvinceDns (offset in unpacked file: 0x8f44с, size 4608 bytes).
cupsddh executes command "insmod /usr/lib/xpacket.ko" in an attempt to load the kernel module into the kernel. However, the file is not present on 'clean' systems, and the malware does not make any attempt to download it or obtain it in any other way.
Next, data from the file /usr/libamplify.so (as it turns out, this is not a library but one more config file) is loaded into the structure g_AmpResource. The file has the following format: 1st dword is the number of dwords that follow. Apparently, it contains the list of IP addresses for DNS servers that are currently relevant, i.e., those suitable for DNS Amplification type DDoS attacks.
After this, the module creates two threads: CThreadTask and CThreadRecycle. The former executes commands from a queue comprising commands which came from the cupsdd module. The latter removes commands that have been executed. Next, the main thread binds a socket to 127.0.0.1:10808 and enters an endless loop, receiving commands from the cupsdd module and putting the commands received into the above queue.
The following commands are possible:
- 0x01. Start an attack according to the parameters received. See a more detailed description below.
- 0x02. Terminate the current attack, setting the relevant flag.
- 0x03. Update the current configuration in the g_cnfgDoing structure, which is used during an attack. Also, update the current local MAC address, as well as the MAC and IP address of the current gateway in the structure g_statBase.
- 0x05. The final stage of updating the cupsdd module (described above).
Two main attack modes are possible: normal mode and kernel mode.Kernel mode
This mode uses pktgen, a kernel-level packet generator built into Linux. Its advantage to the attacker is that traffic is generated with the greatest speed possible for the given network interface. In addition, the packets generated in this way cannot be detected using ordinary sniffers, e.g., the standard tcpdump, since packets are generated at kernel level.
The packet generator is controlled using a set of scripts/configs in the /proc/net/pktgen folder, but the module pktgen must first be loaded into the kernel by calling the command "modprobe pktgen". However, I did not find any such calls. Apparently, the call "insmod /usr/lib/xpacket.ko" is used instead, although, as mentioned above, the file is absent from the system by default. As a result, kernel mode is not operational in this version of the malware.
Nevertheless, the malware attempts to write several files to the /proc/net/pktgen folder, namely:
- the file /proc/net/pktgen/kpktgend_%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:
- the file /proc/net/pktgen/eth%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:
dst_mac %02x:%02x:%02x:%02x:%02x:%02x //MAC address of the gateway from g_statBase
multi_dst %s //if there are several addresses to be used in an attack (i.e., if the value in the previous line is not equal to 0), they are set in these lines, the number of which matches the previous parameter
The values of most pktgen parameters are passed from cupsdd via command parameters.
- the file /proc/net/pktgen/pgctrl, which contains the string "start".
As in the case of atddd, normal attack mode uses raw sockets.
The following attack types are possible in this mode:
- CAttackSyn - TCP-SYN flood.
- CAttackUdp - UDP flood (as in the case of atddd)
- CAttackDns - DNS flood (as in the case of atddd)
- CAttackIcmp - ICMP flood (as in the case of atddd)
- CAttackCc - HTTP flood.
- CAttackAmp - DNS Amplification.
The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender's IP address. As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C.
Post Scriptum. BillGates v1.5
This version of the Trojan appeared a little later and is probably currently the latest. Essentially, this is the same cupsdd, only a little 'shaped up'. Overall, there is more logic in the code, plus there are a couple of new functions.
The most significant changes were made to the Gates module, i.e., the file cupsdd. Now it has three operating modes. The choice of mode is based on the folder from which the file is launched. Specifically, if it is launched from /usr/bin/pojie, then monitoring mode is enabled, otherwise the module operates in installation and updating mode, which is later superseded by the mode in which it controls the Bill module.
- Installation and updating mode.
First, the module terminates its process working in monitoring mode, if it exists. Its PID is kept in the file /tmp/moni.lock.
Next, it reinstalls and re-launches the Bill module.
Next, if a process working in the 'controlling the Bill module' mode exists, that process is terminated. Its PID is kept in the file /tmp/gates.lock.
If the flag g_iIsService is set (it is defined in the same way as in the previous version), the module sets itself to run at system startup in the same way as before (in the previous version).
Next, the module writes its path to the file /tmp/notify.file and then copies itself to the file /usr/bin/pojie. After this, it launches its copy, which is, obviously, set to run in monitoring mode, and then changes its own operating mode to controlling the Bill module.
- Monitoring mode.
Writes the PID of the current process to the file /tmp/moni.lock. Next, it starts two threads - one to monitor the Bill module and the other to monitor the Gates module operating in controlling Bill mode. If one of these processes is currently not running, the relevant file is created and launched again.
- Controlling the Bill module mode.
The actions of the Gates module are exactly the same as they were in the previous version of the Trojan (after installing the Bill module and initializing the relevant variables and structures of the Trojan).
To summarize, in the new version of the Trojan its authors have added a little 'robustness' without making any significant functionality changes.
It is also worth noting that the hard-coded IP address of the C&C server has remained the same (184.108.40.206) in this version, but the port number has changed - it is now 36008 instead of 30000 in the previous version.
The most popular uses of cloud services include: storing image scans of passports and other personal documents; synchronization of password, contact list, and email/message databases; creating sites; storing versions of source codes, etc. When cloud-based data storage service Dropbox announced a patched vulnerability in its link generator, it once again sparked online discussions about how important it is to encrypt confidential data before uploading it to an online storage, even a private one. Well, File encryption (FLE) does indeed protect confidential information stored in the cloud, even if there are vulnerabilities in controlling access to user documents with certain cloud storage services.
It's tempting to think that you can secure yourself against all possible risks by encrypting your data before you upload it to a cloud storage service, or by foregoing cloud services altogether. But is that really true? As it turns out, no, it isn't.
The Internet is full of recommendations on how to "effectively use cloud-based storage services" including advice on how to remotely control a PC, monitor your computer while you are away, manage your torrent downloads, and many other things. In other words, users create all types of loopholes all by themselves. These loopholes can then be easily exploited by a Trojan, a worm, not to mention a cybercriminal, especially in targeted attacks.
So we asked ourselves: how likely is it that a corporate network can be infected via a cloud service?
At the Black Hat 2013 conference, Jacob Williams, Chief Scientist at CSRgroup Computer Security Consultants, gave a presentation on using Dropbox to penetrate a corporate network. While conducting a trial penetration test (pen test), Jacob used the Dropbox thin client installed on a laptop located outside of a corporate network to spread malware to devices within that network.
Jacob first used phishing to infect an employee's computer, then embedded malicious scripts into documents stored in the laptop's cloud-hosted folder. Dropbox automatically updated (synchronized) the infected documents on all the devices attached to the user's account. Dropbox is not unique in this respect: all applications providing access to popular cloud file services have an automatic synchronization feature, including Onedrive (aka Skydrive), Google Disk, Yandex Disk, etc.
When the user opened the infected document on a workstation located within the corporate network, the malicious scripts embedded in the document installed the backdoor DropSmack on that workstation - it was specifically crafted by Jacob for this pen test. As its name suggests, DropSmack's main feature is that it uses the Dropbox cloud file storage service as a channel to manage the backdoor and leak corporate documents through the corporate firewall.
In the pen test, Jacob used a stunningly simple method to penetrate the corporate network - it is an obvious loophole!
We also decided to check if cybercriminals are using Dropbox, OneDrive, Yandex Disk or Google Disk to spread malware for real. We collected information from KSN about instances of malware detected in cloud-based folders belonging to Kaspersky Lab product users, and found out infections like these were detected for very few users: in May this year, only 8,700 people encountered an infection in their cloud-based folder. Among Kaspersky Lab's home product users, such instances account for only 0.42% of all malware detection cases, and 0.24% for corporate product users.
We should point out one important detail: if a piece of malware is uploaded from one device, all clients connected to the infected account will download it to their devices, and they will do so via HTTPS. Even if a security solution detects the malware in the synchronization folder and deletes it, the cloud client will keep downloading it from the cloud in an endless loop.
According to the data we collected, some 30% of malware detected in cloud folders on home computers had penetrated to these computers via synchronization mechanisms. For corporate users this number reaches 50%. Thus, the infection mechanism demonstrated by Jacob Williams in his demonstration malware, does cause infections in real life. Fortunately, we have not (yet) detected targeted attacks launched using cloud-based data storage services.
If we look into the malware we detected in the cloud folders on users' computers, files for Win32, MSIL, VBS, PHP, JS, Excel, Word and Java dominate. It should be noted that there is a small difference between corporate and home users: for corporate users, infected MS Office files occur more often, while home users also face unique threats on their lists in the form of malicious Android applications.
TOP 10 verdicts:
Consumer Corporate 1 Email-Worm.Win32.Runouce.b Email-Worm.Win32.Brontok.dam.a 2 Email-Worm.Win32.Brontok.q Virus.Win32.Sality.gen 3 not-a-virus:AdWare.Win32.RivalGame.kr Virus.Win32.Tenga.a 4 Virus.Win32.Nimnul.a Trojan-Dropper.VBS.Agent.bp 5 Trojan-Clicker.HTML.IFrame.aga Trojan.Win32.Agent.ada 6 Exploit.Win32.CVE-2010-2568.gen Trojan.Win32.MicroFake.ba 7 Virus.Win32.Sality.gen Exploit.Win32.CVE-2010-2568.gen 8 Worm.Win32.AutoRun.dtbv Worm.Win32.AutoRun.dtbv 9 Trojan-Dropper.VBS.Agent.bp Trojan.Win32.Qhost.afes 10 Trojan.Win32.Genome.vqzz Virus.Win32.Nimnul.a
More often than not, virus writers use cloud storage as a place to host their malware rather than a platform to spread them. During the research, we did not encounter a single worm or backdoor (except DropSmack) specifically targeting cloud-based file storages. Naturally, these services try to counter malware which takes up storage room in the cloud. In addition hosting malware affects the service's reputation, although cloud services are not formally responsible for what files their clients upload to the storage. Regular scans of all files contained in the cloud will obviously require a lot of resources that the services would rather use to store data.
As a result of this research, we concluded that there is a relatively low risk of a corporate network being infected via cloud storage: over a period of a year, just 1 out of 1,000 corporate users using cloud services risks infection. It should be remembered, however, that in some cases even a single infected computer in a corporate network can lead to substantial damage.
Here are some measures that can be used to protect corporate networks:
- Tighten up Firewall/IDS security settings, block access to popular online storage services. The big disadvantage this approach has is that it requires constant and close monitoring of new blacklist candidates as they emerge online.
- Install a multi-purpose Security Suite. It must incorporate a heuristic and behavior-based antivirus, access restriction features (HIPS), a tool to control the functioning of the operating system (System Watcher or Hypervisor), and a tool to prevent exploitation of vulnerabilities, etc. Once installed, the product must be carefully configured.
- Remember that even the most sophisticated Security Suite can miss an APT attack. Therefore, attention should be paid to Application Control (it should be configured at Default deny). This is perhaps one of the most reliable tools that will block any unknown software, including malware spread during a targeted attack. The most difficult task arising while deploying Application Control is to configure appropriate rules so that all permitted applications can be launched and updated without problems. To this end, the manufacturers of products which include the Application Control feature have developed dedicated tools: software updates via trusted update programs, preset software whitelists including all possible system and user files, access to huge cloud services and information databases about the entire diversity of whitelisted software.
- In special cases, Application control should be used to restrict the use of cloud clients within the corporate network. Only trusted employees should be allowed to launch the applications with which to synchronize cloud folders.
As for networks with the most rigorous security requirements, such as those managing power plant operations and water supplies, which guard state secrets or control defense facilities - for all of these we thoroughly recommend not using cloud-based file storage services at all.
At the end of last week we came across a curious method of distributing links to a phishing page that collects users’ personal data.
The FIFA World Cup in Brazil is attracting not only football fans in all parts of the world, but cybercriminals too. The phishing page is designed to imitate the FIFA website. Visitors are asked to sign a petition in defense of Luis Alberto Suárez, a forward for the Uruguayan national team. (On June 24, in a last group stage match between Uruguay and Italy, Suarez bit Italy defender Giorgio Chiellini on the shoulder. As a result, Suarez was disqualified for nine official matches for the national team and banned from all football-related activity for four months. He was also slapped with a fine).
To sign the petition, the user needs to fill out a form, entering his or her name, country of residence, mobile phone number and email address:
The phishing page matches the design of the official website and all links on it redirect users to FIFA’s official site, fifa.com. The phishing domain was created on June 27, 2014. According to the whois database, it was registered in the name of a person residing in London. The data collection form was developed by the phishers using Google.Docs. Personal data obtained from the form can be used to send spam, phishing and SMS messages, as well as malicious apps. In addition, armed with users’ email addresses and telephone numbers the cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases when a one-time password is sent via SMS.
After filling out the ‘petition’ form, victims were encouraged to share a link to the page with their friends on Facebook:
Unsuspecting fans shared links to the fake petition on their Facebook pages. This enabled the phishing link to spread widely across Facebook in a matter of days.
Messages with links to the phishing page were also seen on dedicated forums, from which users probably reached the phishing page originally.
In 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed "Miniduke". It stood out from the "APT bunch" for several reasons, including:
- Its use of a customized backdoor written in Assembler (who still writes in Assembler in the age of Java and .NET?)
- A unique command and control mechanism that uses multiple redundancy paths, including Twitter accounts
- Stealthy transfer of updates as executables hidden inside GIF files (a form of steganography)
We have pointed out that this threat actor used malware developed using "old-school" virus writing techniques and habits.
Our analysis was continued later by researchers from CIRCL/Luxembourg and several other AV companies. Recently, we became aware of an F-Secure publication on the same topic (under the name "CosmicDuke").
In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention.
We believe it's time to uncover more information on their operations."Old" Miniduke in 2014
The old style Miniduke implants from 2013 are still around and being used during the current campaigns.
It still relies on Twitter accounts which contain a hardcoded C&C URL pointing to the command and control server. One such account was the following, observed in February 2014:
Although the format of the C&C URL was changed from previous variants, the encoding algorithm is the same. The line above can be decoded into the full C&C URL:
This decoded URL was an active C&C, from which several updates have been collected:
Update 1:MD5 93382e0b2db1a1283dbed5d9866c7bf2 Size 705536 bytes Compilation Sat Dec 14 18:44:11 2013
This Trojan is a large package, due to the use of a custom packer. The bundle has a specific debug string inside:
The package executes a smaller Trojan module:MD5 b80232f25dbceb6953994e45fb7ff749 Size 27648 bytes Compilation timestamp Wed Mar 05 09:44:36 2014 C&C hxxp://rtproductionsusa.com/wp-includes/images/smilies/icon_gif.php
Another update that has been observed on the C&C server was:
Update 2:MD5 7fcf05f7773dc3714ebad1a9b28ea8b9 Size 28160 bytes Compilation timestamp Fri Mar 07 10:04:58 2014 C&C hxxp://tangentialreality.com/cache/template/yoo_cache.php
We have observed another similar Trojan, although not on the C&Cs directly:MD5 edf7a81dab0bf0520bfb8204a010b730,
ba57f95eba99722ebdeae433fc168d72 (dropped) Size 700K, 28160 (dropped) Compilation timestamps Sat Dec 14 18:44:11 2013 (top)
Fri Jan 10 12:59:36 2014 (dropped) C&C hxxp://store.extremesportsevents.net/index.php?i=62B...[snip]
The use of the Nemesis Gemina packer in the Miniduke payloads made us look for further samples in our collection. This led us to several new findings.The "New" Miniduke Malware (the "CosmicDuke")
After the 2013 exposure, the actor behind Miniduke appears to have switched to using another custom backdoor, capable of stealing various types of information.
The malware spoofs popular applications designed to run in the background, including file information, icons and even file size:
The main "new" Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called "BotGenStudio", which has flexibility to enable/disable components when the bot is constructed.
The components can be divided into 3 groups
Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated.Reconnaissance
The malware can steal a variety of information, including files based on extensions and file name keywords:
Note: we believe the "*sifr*" and "*sifer*" keywords above refer to the transliteration of the English word "Cypher" in some languages.
Also, the backdoor has many other capabilities including:
- Skype password stealer
- General network information harvester
- Screen grabber (grabs images every 5 minutes)
- Clipboard grabber (grabs clipboard contents every 30 seconds)
- Microsoft Outlook, Windows Address Book stealer
- Google Chrome password stealer
- Google Talk password stealer
- Opera password stealer
- TheBat! password stealer
- Firefox, Thunderbird password stealer
- Drives/location/locale/installed software harvester
- WiFi network/adapter information harvester
- LSA secrets harvester
- Protected Storage secrets harvester
- Certificate/private keys exporter
- URL History harvester
- InteliForms secrets harvester
- IE Autocomplete, Outlook Express secrets harvester
- and more...
The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software. These three methods are:
- Direct TCP connection and HTTP session via Winsock library
- HTTP session via Urlmon.dll
- HTTP session via invisible instance of Internet Explorer as OLE object
Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. As we noted, Miniduke/CosmicDuke is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software. Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardized code which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.
One of the more technically advanced parts of Miniduke is the data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure which has various record types including strings, integers and internal references.
In addition, Miniduke uses an unusual method to store the exfiltrated data. When a file is uploaded to the C&C server it is split into small chunks (~3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If the source file is large enough it may be placed into several hundred different containers that are uploaded independently. These data chunks are probably parsed, decrypted, unpacked, extracted and reassembled on the attacker' side. This method is used to upload screenshots made on the victim's machine. Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors.Victim geography and profiles
Based on our analysis, the victims of Miniduke and CosmicDuke fall into these categories:
- telecom operators
- military, including military contractors
- individuals involved in the traffic and selling of illegal and controlled substances
From one of the old style Miniduke servers we were able to extract a list of victims and their corresponding countries. We were able to identify victims in three of these countries which belonged to the "government" category. Here's the list of countries affected:
- United States
One of the CosmicDuke servers we analyzed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs. Geographical distribution of the victims was as follows (top10):84 Georgia 61 Russia 34 United States 14 United Kingdom 9 Kazakhstan 8 India 8 Belarus 6 Cyprus 4 Ukraine 4 Lithuania
According to our analysis, the attackers were more interested in expanding their operations and scanned IP ranges and servers in Azerbaijan, Greece and Ukraine.Command and control server analysis and hacking tools
During the analysis, we were able to obtain a copy of one of the CosmicDuke command and control servers. It appears it was also used for other operations by the group members, including hacking into other servers on the internet.
The attackers have deployed a number of publicly available hacking tools on this server in order to scan and compromise websites of victim organizations as well as collect information for future targeted attacks.
Here is the list of hacking tools found on the server:
Hydra: "A very fast network logon cracker which support many different services"
Fierce2: "A semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domains using things like DNS, Whois and ARIN"
The Harvester: "The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database"
RitX: "A Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all currently domains hosted on a server using multiple services and various techniques"
Joomscan: "OWASP Joomla! Vulnerability Scanner"
Ncrack: "High-speed network authentication cracking tool. It allows for rapid, yet reliable large-scale auditing of multiple hosts"
Sqlmap: "An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers"
WPScan: "A black box WordPress vulnerability scanner"
Note: tool descriptions were copied from their public websitesAttribution and Artifacts, connections with other campaigns
Although the attackers use English in several places, indicating knowledge of this language, there are certain indicators to suggest they are not native English speakers.
The following strings were discovered in a block of memory appended to the malware component used for persistence:
c:\documents and settings\владимир\local settings\...
The C&C hosts appear to have been compromised by the attackers, which uploaded a specific webshell.
For the webshell, it is interesting to point to the use of Codepage 1251, which is commonly used to render Cyrillic characters. The password used to protect the shell, is checked against the MD5 hash "35c7c2d1fe03f0eeaa4630332c242a36". (BTW: can you crack it? It took us some days to solve it!)
Perhaps it is noteworthy to say that the same webshell has been observed in the operations of another advanced threat actor known as Turla, Snake or Uroburos.
Another interesting aspect is the debug path strings from the malware, which indicate several build environments or groups of "users" of the "Bot Gen Studio", "NITRO" and "Nemesis Gemina":
Based on the compilation timestamps, we were able to put together the following chart indicating the activity of the Miniduke/CosmicDuke attackers on a 'Day of the Week' basis:
It appears the attackers follow the Mon-Fri work week, however, they do work on the weekends from time to time.
In terms of activity hours, the attackers appear to be working between 6am and 7pm GMT. Most of the work is done between 6am and 4pm though.
Although they stopped or at least decreased in intensity following our announcement last year, the Miniduke attacks are now back in force. The old style Miniduke malware is still being used, deploying previously known stages packed with a new obfuscator observed with the mysterious "Bot Gen Studio" for the "NITRO" and "Nemesis Gemina" projects.
While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia. One possibility is that "Bot Gen Studio" is a malware platform also available as a so-called "legal spyware" tool, similar to others, such as HackingTeam's RCS, widely used by law enforcement agencies. Another possibility is that it's simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.
At the same time, the "Nemesis Gemina" project focuses on government, diplomatic, energy, military and telecom operators.
One of the big questions here is: Are the Miniduke attackers still "elite"? Though the old malware is still in use, the new malware is no longer pure assembler; instead, it's written in C/C++.
The new samples of Miniduke/CosmicDuke use a powerful obfuscator. For almost all of the samples we analyzed, it jumps to the beginning of dynamic PE loader - always from the same "l33t" address (if memory layout allowed it during the bot construction):
Hence, you could say that CosmicDuke is still "l33t"!
NO-IP is one of the many Dynamic DNS providers out there, which can be used for free to register a subdomain on top of popular names such as servepics.com or servebeer.com . For a long time, this has been a favorite method for cybercriminals who wanted to register easy to update hostnames to control their malware implants. Yesterday, Microsoft moved against NO-IP and seized 22 of their domains. They also filed a civil case against Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software harming Microsoft, its customers and the public at large.
Interestingly, Microsoft cited two specific malware families which were used to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware . These have been used by multiple cybercriminal and activist groups to target users, including the (in-)famous Syrian Electronic Army. (stay tuned for a more detailed blog on that soon)
In addition to these, the takedown disrupted many other APT operations, which used NO-IP for their C&C infrastructure. These include:
- Turla/Snake/Uroburos, including Epic
- HackingTeam RCS customers
Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 220.127.116.11.
Some top level domains that have been taken away from Vitalwerks and now use Microsoft's DNS infrastructure include:
In the meantime, NO-IP / Vitalwerks have published their answer online:
Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft s attempt to remediate hostnames associated with a few bad actors.
We think yesterday s events have dealt a major blow to many cybercriminal and APT operations around the world.
In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure.
Since the publication of our blogpost, many people have contacted us and complained about disruption of their otherwise clean hosts due to the Microsoft takedown. In fact, two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries.
Update (2014-07-04): NO-IP just sent a note to their customers that all 23 domains that were seized by Microsoft are now back in their control. This appears to be true, with Microsoft DNS servers no longer controlling the domains.
Have you been affected about the NO-IP takedown? Please let us know by sharing your comments below.
Blog: Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations
In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother's Day - the attackers sent out adverts offering flowers and candies.Holiday spam for Mom
As usual, the spammers were very busy in the run-up to the Mother's Day celebration in May, sending out adverts for flowers and candies ahead of the holiday. To get the attention of the recipient, the subject of the email contained the name of the holiday while the body of the message included colorfully decorated promises of generous discounts and prompt delivery.
However, most links in these emails redirected the user to completely different pages instead of the advertised sites. The redirects went to newly created domains which were used not only in the links in the body of the message but also as a server domain name in the sender address. Some emails also included a link which would supposedly enable recipients to unsubscribe from further mailings. In fact, this link was used to collect users' email addresses and send them new spam messages.Spam for gardeners
It's no secret that Americans are enthusiastic about their gardens - and gardening is one of the most popular hobbies in the country. With summer fast approaching, the spammers started spreading more offers of seeds for lawns and flowers, as well as berries and fruits. Potential buyers were lured in by phrases like "special," "limited offer" and offers of a free plant for every two bought. The messages included colorful images and contained a link. Interestingly, most of the domains to which these links led had been created less than a week before launching the mass mailing.Diplomas and degrees
In May, we came across a lot of mailings advertising schools and colleges that provided distance learning services. However, there were also mailings in which spammers invited users to simply buy a qualification. All that was required was to make a donation to a church, which would then officially award an honorary doctorate to the benefactor.
In Germany, for example, only universities and similar higher education institutions have the right to award doctorates. However, the situation is somewhat different when it comes to so-called honorary doctorate degrees that are awarded on behalf of a church. Although getting this doctorate does not entail any learning or writing of dissertations, the spam mailings used images of students and other university themes to advertise the service.
There were also many offers to help struggling graduates repay their student loans. These messages urged recipients to follow a link to a site where they would find adverts for organizations that recruit volunteers and staff for non-profit institutions. In the US it is possible to enroll in state programs that offer credits to people who do some kind of service for their community, and these credits can offset student loans. However, the mailings came from unknown accounts that regularly change their email addresses, and not from an official source. The links in the messages went to newly created websites that prompted users to submit personal data.
To get the recipient interested, such emails often contained a personal appeal: "Still can't repay your student loan? I've found an interesting program for you that is definitely worth reading. It will help significantly reduce your monthly payments".Insuring everyone against everything
Yet another popular topic last month was insuring against different risks, mainly life insurance, although we saw offers of car insurance.
These mailings aimed to redirect users to sites where they could compare the cost of insurance cover from different insurers and choose the most favorable terms. In other cases, the links in the emails led to the spammer parked page where the visitor was offered a wider choice of the types of insurance, companies and programs. Having made his choice and clicked on one of the proposed options, the user entered another resource. The links in the messages might also lead to a site advertising one particular insurance company; typically it was a recently established medium-sized firm.
One unusual type of insurance offer that was limited to English-speaking spam, was burial insurance. In fact, it is an extended version of life insurance: a larger insurance premium means the insurance policy includes funeral services in the event of a sudden death. In May, such messages came in the form of images containing a hyperlink leading to the notorious parked page of the insurance company. These links varied from email to email, but they were always based on different domains registered by the spammers shortly before launching the mailings.The percentage of spam in email traffic
The percentage of spam in email traffic in May averaged 69.8%, which is 1.3 percentage points less than in April. The highest spam levels were seen during the third week of the month (72.1%), and the lowest levels were seen in the middle of the month (69%).Malicious attachments in email
The graph below shows the Top 10 malicious programs spread by email in May.
Once again Trojan-Spy.HTML.Fraud.gen tops the charts. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.
In May, representatives of the Bublik family occupied 2nd, 3rd, 5th, 7th and 10th places. In the previous month eight of the top 10 malicious programs were part of this group. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. Once the task is fulfilled, the program does not remain active: it copies itself into the %temp% file imitating an Adobe application or document. Trojan.Win32.Bublik.cpik and Trojan.Win32.Bublik.cpil download the notorious ZeuS/Zbot. Although this malicious program is able to execute a variety of malicious actions it is most often used to steal banking information. It can also install CryptoLocker, a malicious program that encrypts user data and demands a ransom to decipher it.
Trojan-Banker.Win32.ChePro.ilc, a banking Trojan targeting the users of Brazilian banks, came fourth. As is typical for this type of malware, it steals bank information and passwords.
Ninth place was occupied by Trojan.Win32.Pakes.agxu, a piece of spyware that intercepts keystrokes, collects screenshots from victim computers and sends the harvested information to the criminal's email address.
The UK was the country with the highest proportion of email antivirus detections with 13.5% (up 3.5 percentage points from April). The US (9.9%) dropped to second. Germany (8.2%) stayed in third.
Columbia (1.83%) was a new entry to the top 20 in May while Russia dropped off the list.
The percentage of email antivirus detections in other countries did not change much in May.Special features of malicious spam
The insurance theme did not just feature in spam advertising this month - it was also used in mass mailings that spread malicious attachments. For example, we came across German-language messages with the subject "You have not paid your monthly premium", with a warning that next month the interest rate would change. These emails contained a link to allegedly more detailed information and once the recipient clicked on it, a ZIP archive with the name 'Dokumentation' (documentation) or 'Rechnung' (bill) was downloaded on the computer. In both cases the archive contained Backdoor.Win32.Androm.dsqy. This member of the Andromeda family is a backdoor that allows attackers to control infected computers while remaining unnoticed. The infected computers often become part of a botnet.
In May, the attackers sent out fake notifications on behalf of the popular iTunes Store. The recipient was informed about the alleged purchase of an application; the email even specified the name of the product and the price. The attached file, which was supposedly the invoice, in fact contained Trojan-Banker.Win32.Shiotob.f. This family of Trojans steals passwords stored in FTP clients and monitors browser traffic to intercept login details.
Customers of energy company E.ON, which generates and supplies electricity and heating in many countries, were also targeted by a similar scam. An email with the company logo sent on behalf of E.ON read: "This email is to bring to your notice that we were unable to process your last payment. See the details in the attachment". The attached archive contained Trojan-Spy.Win32.Zbot.svvs, a representative of the popular Zbot family designed to steal personal data, especially banking information.Phishing
In May, Email search sites (32.2%) topped the rating of organizations most frequently targeted by phishers with a slight growth of 0.5 percentage points from the previous month. Second came Social networks (23.9%), headed by Facebook. Financial and payment organizations were in third place with 12.8% (+0.2 percentage points) followed by Online stores (12.1%) whose share also grew 0.2 percentage points from April. The percentage of attacks targeting Telephone and Internet service providers fell by 0.4 percentage points compared with the previous month.The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
Fake tax notifications are frequently sent by fraudsters in order to install various malware on users' computers. In May, we came across a fake notification supposedly sent on behalf of the State Tax Service of South Africa. The attachment contained a phishing HTML page rather than a malicious file. The attackers tried to persuade the recipient to enter his bank card details into a form on the pretext of returning overpaid tax. To make the page look legitimate the scammers used the logo of the Service and in the 'From' field they specified not only the name of the government organization but also its official address - sars.gov.za - as the server domain name.Conclusion
The proportion of spam in global email traffic in May dropped 1.3 percentage points and averaged 69.8%.
The summer season and the end of the school year were used by spammers to spread tourism-themed spam advertising different summer vacation ideas for children, offers of help with academic work and invitations to buy ready-made qualifications from any higher education establishment. The annual increase in the quantity of tourist spam in the run-up to the holiday season is expected this summer too.
Mother's Day was actively used in English-language spam to advertise various gifts. Insurance was another popular theme in May. Most Russian-language adverts offered car insurance, while in the English-speaking segment it was mostly life insurance.
The list of malware spread by email was again topped by Trojan-Spy.HTML.Fraud.gen. There were fewer members of the Bublik family in the May ranking - just five, compared with eight in April.
In May there was no big change in the organizations most frequently targeted by phishers. Email search sites (32.2%) were in first place, followed by Social networks (23.9%). Financial and payment organizations (12.8%) completed the top three.
Today was the last day of the REcon 2014 conference where reverse engineers from all over the world meet and share their research.
The event started with trainings, where I (Nicolas) gave a 4 days training on malware reverse engineering. During those 4 days, we covered various kind of topics such as how to unpack/decrypt malware, identify cryptography algorithms, deal with obfuscated code, analyze shellcode etc.
My colleague Marta Janus did a talk explaining the various techniques used by malwares to evade detection and sandboxing, and covered a lot of obfuscations tricks used in current malware.
The presentations this year were quite interesting and a few of them directly related to what we do in the labs, including graph representation of binaries , tools to help speed up analysis and handle code obfuscation.
You can find the full schedule of the conference here
The slides and the videos of every talks will be uploaded in the future on the REcon website.
Meanwhile, you can already download some of the research tools:
PANDA is the Platform for Architecture-Neutral Dynamic Analysis. It is a platform based on QEMU 1.0.1 and LLVM 3.3 for performing dynamic software analysis, abstracting architecture-level details away with a clean plugin interface. It is currently being developed in collaboration with MIT Lincoln Laboratory, Georgia Tech, and Northeastern University.
FUNCAP is a script to record function calls (and returns) across an executable using IDA debugger API, along with all the arguments passed. It dumps the info to a text file, and also inserts it into IDA's inline comments. This way, static analysis that usually follows the behavioral runtime analysis when analyzing malware, can be directly fed with runtime info such as decrypted strings returned in function's arguments
One presentation mentioned a framework for Reverse Engineering which i consider worthy to list here.
MIASM 2 is a a free and open source (GPLv2) reverse engineering framework. Miasm aims at analyzing/modifying/generating binary programs. Abilities to represent assembly semantic using intermediate language, emulating using jit (dynamic code analysis, unpacking) and expression simplification for automatic de-obfuscation.
See you next year at RECON 2015
Stealing more than half a million euro in just a week - it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk's control panel it immediately got in touch with the bank and launched an investigation.
On January 20th 2014 Kaspersky Lab detected a suspicious server containing several log files including events from bots reporting to a command and control web panel. The information sent seemed to be related to a financial fraud; it included details of the victims and the sums of money stolen.
Once we analyzed all the available data, it was clear that the C2 was the server-side portion of a banking Trojan infrastructure. We believe the fraud was being perpetrated using Man-in-the-Browser techniques and was also capable of performing automatic transactions to pre-set money mule accounts.
We decided to name this C2 luuuk after the path the administration panel used in the server:/server/adm/luuuk/
Below is a summary of the relevant information extracted from the server side component:
- Around 190 victims, mostly located in Italy and Turkey.
- Fraudulent transactions worth more than 500,000 € (according to logs) .
- Fraudulent transfer descriptions.
- Victims' and mules' IBANs.
The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 18.104.22.168 during the analysis.
The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time.
This kind of injections are very common in all the variations of Zeus (Citadel, SpyEye, IceIX, etc.) and all of these are well-known in Italy. During our investigation it was not possible to find the infection vector, however banking Trojans use a variety of methods to infect victims including spam and drive-by downloads.
The attackers used the stolen credentials to check the victim?s balance and perform several malicious transactions automatically, probably operating in the background of a legitimate banking session. That would be consistent with one of the malicious artifacts (a VNC server) we found binded to the malicious server used by the attackers.
Despite the "usual" techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money.
According to the transaction logs, there were 4 different money-mule (or drop) groups:
- 13test: The limit that the drops in this group can accept is between 40,000 and 50,000 Euros, although there are some drops that have different limits, between 20,000 and 30,000.
- 14test: The limit that the drops in this group can accept is between 15,000 and 20,000 Euros, although there are some drops in this group that have different limits, between 45,000 and 50,000.
- 14smallings: The limit that the drops in this group can accept is between 2,500 and 3,000 Euros.
- 16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros, although there are drops in this group that can accept a quantity between 2,500 and 3,000 Euros (as in the group 14smallings).
This could be an indicator of a well-organized mule infrastructure. Different groups have different limits on the money that can be transferred to its mules, an indicator of the levels of trust between them.
The operators of this control panel removed all the sensitive components on January 22nd, two days after our investigation started. Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation.
In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered.
Kaspersky Lab is maintaining contacts with different LEAs and the affected financial institution in order to prosecute the criminals.Kaspersky Fraud Prevention vs. the Luuuk
The evidence uncovered by Kaspersky Lab's experts indicates that the campaign was most probably organized by professional criminals. However, the malicious tools they used to steal money can be countered effectively by security technologies. For instance, Kaspersky Lab has developed Kaspersky Fraud Prevention - a multi-tier platform to help financial organizations protect their clients from online financial fraud. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions.UPDATE
After the publication of the post, our colleagues at Fox-IT InTELL sent us some potentially related information regarding this campaign. According to this new information, the Luuuk server could be related to the ZeusP2P (aka Murofet) infrastructure as we originally suspected.
We received two decrypted configuration files belonging to the ZeusP2P with a reference to the same server where Luuuk was hosted:
The configuration belongs to a botnet named "it" (for Italy). The Luuuk server is being used to host the code that is injected in the victims´ browser. It also manages the automatic transfers to a predefined set of money mules (drops) accounts.
We were also able to analyze the binaries using these configurations. The first one (c8a3657ea19ec43dcb569772308a6c2f) is a ZeusP2P (Murofet) sample that was first seen back in August 2013, months before the malicious transactions were made. It tries to connect to several of the sinkholed servers used to take down GameOver.
This additional data reinforces the theory that the Zeus family is behind the Luuuk server - in this particular case it appears to be of the ZeusP2P flavor. However, this is not definitive proof that the malicious transactions in the campaign were performed by this family, as the injected code on the server was not there when we analyzed it.
We would like to thank Fox-IT for sharing this information.