Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 24 min 28 sec ago

Grabit and the RATs

Wed, 05/27/2015 - 22:00

Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. The malware calls itself Grabit and is distinctive because of its versatile behavior. Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar. The timestamp seems valid and close to the documented infection timeline. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.

All of the dozens of samples we managed to collect were programmed in Windows machine 32bit processor, over the Microsoft .NET Framework (Visual Basic/C#). Files were compiled over the course of three days, between March 7th and 9th of 2015. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of the day when each was compiled and the time lapses between each compilation.

Malware compilation timeline

The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations.

Looking at the chart, it is interesting to see the modus operandi as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation.

Along with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. The proprietary obfuscated string, methods and classes made it rather challenging to analyze. ASLR is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure. This type of work is known as a mitigation factor for threat actors to keep their code hidden from analysts’ eyes.

During our research, dynamic analysis showed that the malicious software’s “call home” functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. It means that whoever programmed the malware did not write all the code from scratch. A well trained knight would never go to war with a blazing shield and yet a stick for a sword.

Looking into the “call home” traffic, the Keylogger functionality prepares files that act as a container for keyboard interrupts, collecting hostnames, application names, usernames and passwords. However, the interesting part lies here.

The file names contain a very informative string:

HawkEye_Keylogger_Execution_Confirmed_<VICTIM> 3.10.2015 6:08:31 PM

HawkEye is a commercial tool that has been in development for a few years now; it appeared in 2014, as a website called HawkEyeProducts, and made a very famous contribution to the hacker community.

In the website, the product shows great versatility as it contains many types of RATs, features and functionality, such as the traditional HawkEye Logger or other types of remote administration tools like Cyborg Logger, CyberGate, DarkComet, NanoCore and more. It seems to support three types of delivery: FTP, SMTP and Web-Panel.

As seen, the malware uses a number of RATs to control its victims or track their activity. One of the threat actor’s successful implementations contained the well-known DarkComet. This convenient “choose your RAT” functionality plays a very important role in the malware infection, routine and survival on the victim’s machine. The DarkComet samples are more complicated than the traditional HawkEye logger. One instance had a random key generator which sets an initialization vector of the first 4 bytes of the executable file and appends a random 5 byte key that unpacks another PE file, less than 20Kb in size. The PE file then contains another packer with an even more challenging obfuscation technique. The last sample we tested had still more complicated behavior. The code itself had the same obfuscation technique, though traffic was not transferring in clear text. Stolen data was packed and sent encrypted over HTTP random ports. This means that the group is trying to produce other types of malicious samples with different RATs.

Approximately 10,000 stolen files have been collected. Companies based in Thailand and India had the largest percentage of infected machines. By looking at the stolen credentials, it is very clear that employees sent the malware to one another, as stolen host names and internal applications are the same.

The following is the full chart, updated to May 2015:

Malware distribution by country

Demonstrating the effectiveness of their simple Keyloggers, one C2 (on May 15th) maintained thousands of victim account credentials from hundreds of infected systems.

To sum it up, Grabit threat actors did not use any sophisticated evasions or maneuvers in their dynamic activity. It is interesting to see the major differences between the core development of the malware and the actual functionality it uses.

Some malware samples used the same hosting server, and even the same credentials. Could it be that our threat actor was in a hurry?
Our guess is that we are looking at a group and not an individual. Some members of the group are more technical than the others and some are more security oriented and aware of the risks they might expose themselves to.

Back nj square one:

From what we have seen so far, the malware is being delivered as a Microsoft Office Word (.doc) email attachment, containing a malicious macro called AutoOpen. This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.

The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks. Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP/SMTP server’s credentials.

Malware derivatives are mainly located in:

C:\Users\ <user> \AppData\Roaming\Microsoft

Phishing extensions: .doc

3f77403a64a2dde60c4962a6752de601d56a621a

4E7765F3BF73AEC6E350F412B623C23D37964DFC

Icons: .pdf, .doc, .ttf, .xls, .ppt, .msg, .exe

Stealer: .txt, .jpeg, .eml

Additional Executable names:

AudioEndpointBuilder.exe
BrokerInfrastructure.exe
WindowsUpdate.exe

Malware extensions: .zip or .exe

9b48a2e82d8a82c1717f135fa750ba774403e972b6edb2a522f9870bed57e72a

ea57da38870f0460f526b8504b5f4f1af3ee490ba8acfde4ad781a4e206a3d27

0b96811e4f4cfaa57fe47ebc369fdac7dfb4a900a2af8a07a7b3f513eb3e0dfa

1948f57cad96d37df95da2ee0057dd91dd4a9a67153efc278aa0736113f969e5

1d15003732430c004997f0df7cac7749ae10f992bea217a8da84e1c957143b1c

2049352f94a75978761a5367b01d486283aab1b7b94df7b08cf856f92352166b

26c6167dfcb7cda40621a952eac03b87a2f0dff1769ab9d09dafd09edc1a4c29

2e4507ff9e490f9137b73229cb0cd7b04b4dd88637890059eb1b90a757e99bcf

3928ea510a114ad0411a3528cd894f6b65f59e3d52532d3e0c35157b1de27651

710960677066beba4db33a62e59d069676ffce4a01e63dc968ad7446158f55d6

7371983a64ef9389bf3bfa8d2abacd3a909d13c3ee8b53cccf437026d5925df5

76ba61e510a340f8751e46449a7d857a2d242bd4724d0d040b060137ab5fb31a

78970883afe52e4ee846f4a7cf75b569f6e5a8e7a830d69358a8b33d186d6fec

7c8c3247ffeb269dbf840c7648e9bfaa8cf3d375a03066b57773c48de2b6d477

7f0c4d3644fdcd8ac5bc2e007bb5c3e9eab56a3d2d470bb796af88125cd74ac9

IP Addresses:

65.55.163.152
31.220.16.147
204.152.219.78
173.194.67.109
128.90.15.98
31.170.163.242
185.77.128.65
193.0.200.136
208.91.199.223
31.170.164.81
185.28.21.35
185.28.21.32
217.69.139.160
112.209.76.184

Does CCTV put the public at risk of cyberattack?

Wed, 05/27/2015 - 04:00

The research was originally presented at DefCon 2014. It has been published as part of Kaspersky Lab’s support of Securing Smart Cities – a global not-for-profit initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, not-for-profit initiatives and individuals across the world.

Thomas Kinsey from Exigent Systems Inc. contributed to this report.

Late one night, a colleague and I decided it would be a good idea to climb up a public fountain in the middle of a city. Suddenly a disembodied voice from the heavens boomed out: “PLEASE GET DOWN FROM THE FOUNTAIN.” We were shocked, until we noticed a number of cameras – complete with speakers attached – pointing to us from various lamp-posts in the city. This was the first time we’d ever felt so closely monitored so we decided to take a look at how the systems worked.

It is nothing new that police departments and governments have been surveilling citizens for years with the help of security cameras set up throughout various cities. These days most of us accept this as a fair tradeoff that we are willing to make, sacrificing a measure of privacy in the hope that it will keep us safer from criminals and terrorists. However, we also expect that our private data, in this case video feeds of our public life, will be handled responsibly and securely to ensure that this surveillance does not end up doing more harm than good.

In our recent research, we came across many cities that use wireless technology for their security cameras and infrastructure, rather than the hard-wired setups that were common in the past. This change makes things more cost and time effective for the city authorities.

Unfortunately, the problem is that right now wireless technology is not as secure as it could be. As security-conscious people, we instantly saw that handling data in this manner could potentially be vulnerable to a number of attacks, and so we started looking into whether these systems were implemented in a way that handled our data safely, or whether the data could be easily manipulated for malicious intent.

Although wireless technology itself can be vulnerable, there are still many additional improvements which can be implemented to add a sufficient level of security. Ideally, there should be many levels of security in place, so if a hacker clears one hurdle, he must then face a greater challenge at the next. However that was not the case in this instance.

Research

Our research started on the physical level: we traveled to various locations around the city, looking at how the hardware was set up, and finding the first sign that the city really had not put enough thought and effort into properly handing their own systems.

The security system

As the picture shows, the security system was set up in a sloppy way. The units that will be carrying our data have not been masked at all; on some units we could clearly see the name and model of the hardware needed in order to identify the devices and begin the research.

Why it is so important to protect the labeling of the hardware that you use? I will provide an example to help illustrate why this is such a major flaw. When there is a server that needs to be secured, a major factor in preventing it from being exploited is that the server binary is not publicly available. The reason for this is that if a researcher can get his hands on the binary, it can be reverse engineered and studied to find bugs and vulnerabilities. It is rare that a vulnerability can be discovered without being able to look at the code implementing the service. This is why not covering up the device labeling, seemingly a small mistake, actually has a massive effect.

Returning to the camera network: if a hacker was to crack the wireless security of these systems (which only implement your standard WEP or WPA wireless protections), he would at this point only be able to see unknown protocols, headers, and wireless packets with no reference to what system they belong to. In our analysis, we initially had no idea what software was generating these packets, as it is a proprietary system. Without getting our hands on the actual code, it would have been more or less impossible to reverse the protocol they use, which is really the only way to properly examine the network. At this point, our work was cut out for us.

Encryption modules had not been set up and clear text data was being sent through the network#SmartCitySecurity

Tweet

Having obtained the hardware, we realized, despite the fact that the police department’s setup was weak, the hardware they chose was actually not the problem at all. The mesh nodes were actually a very complex and well-made solution, and there are modules built into it to secure communications beyond the outlying wireless security. It just needed a sufficiently knowledgeable person to implement this technology and ensure it was properly set up. Unfortunately, having inspected many of the packets, we quickly realized that these encryption modules had not been set up and were not being implemented at all. Clear text data was being sent through the network for any observer who could join. There was no encryption to subvert, so we knew that it would just be a matter of recreating our own version of this software in order to manipulate the data traveling across it.

A quick comparison of how the mesh network works to transport video feeds will help give an understanding of what exactly we learned in order to manipulate the system. In a traditional Wi-Fi network, each device is typically connected to a router that serves as a central point. In order to send one piece of data to another part of the network, you would send it to that address, and it would travel via the router to the connected device. This works well in close proximity, but in order to be able to communicate over a long distance, the camera network used a topology and protocol that we will not name in this article.

Traditional topology of a home wireless network. Clients can be any device connected to the Internet

An attacker tells the user he is the router, and tells the router he is the user, thus intercepting traffic to and from the web server

In general, being on any wireless network – a home wireless network, for example – makes it possible for anyone connected to perform regular Man-in-the-Middle attacks by using methods such as ARP poisoning. This essentially enables the user to alter any data sent to and from the router. Because of the nature of the mesh software, however, this standard method would not be very valuable if attempted in the vanilla form. Basically, each node in the mesh network can only have a direct line of sight to a few of the many nodes that exist in the network. In order to send a packet to a device that is not within range, the packet must travel from the origin point, through several other nodes, and eventually reach the destination node. The hardware vendor’s system implements a pathfinding algorithm in order to efficiently transport data and to be able to find the most reliable route to destination. The algorithm is very similar to that which is commonly used in video games to determine the path a character will take to get to his destination, avoiding obstructions.

The Pathfinding algorithm find routes for characters to travel based on variables such as difficulty of terrain

The pathfinding algorithm used for the cameras relies on a number of variables, but most important is the signal strength between one node and the next and the number of nodes it travels through in order to reach to the destination.

Packet originates from Node A and travels through B to C and finally to Destination (Simulated police station). Meanwhile, all other nodes travel through a completely different path and thus cannot be intercepted by listening in at a single location

With that set up, a classic man-in-the-middle scenario is possible on the video data #SmartCitySecurity

Tweet

This is exactly what we took advantage of. By lying to the other nodes, telling them that we had a direct line of site to the simulated police station and would behave as a node by forwarding the packets along, the cameras set up in proximity actually began forwarding their packets directly to us because of the A* implementation. With that set up, a classic Man-in-the-Middle scenario is possible, but now on a very wide range of video feeds. A good analogy here with the RTS game above would be like building a bridge across the lake, so all characters would follow that path, rather than traveling around the shore of the lake.

So what are the implications?

We are not in the business of hacking, we simply wanted to create a proof of concept to demonstrate that this kind of attack is possible, to expose that a vulnerability exists, and ultimately to alert the authorities to a weakness that needs to be fixed. Because of that, our research was done on our own private lab setup, replicating the systems the police had in place, and did not actually harm their network in any way.

As frequently seen in Hollywood movies, if hackers with criminal intent were to take advantage of the problems which we have shown, many dangerous scenarios could unfold. Being able to launch Man-in-the-Middle attacks on the video data is a short step away from replacing real video feeds with pre-recorded footage. In this scenario a cybercriminal gang could lead the police department to believe that a crime is taking place in one area of the city, and wait for the department to dispatch officers there. This would leave a window of opportunity for crime in another region of the city where there are no officers available. This is just one way in which someone could maliciously use these systems to actually assist them in committing crimes much more efficiently than if they were not in place at all. Unfortunately, this is not just a Hollywood scenario. We successfully replicated this functionality in our lab.

It is a short step away from replacing real video feeds with pre-recorded footage #SmartCitySecurity

Tweet

We trust the proper authorities to access our private data, but when those authorities do not spend the time and resources necessary to responsibly handle this data we are better off without this technology at all. Thankfully, after we alerted them to the problem, the cities involved expressed their concern and have since acted to increase security.

The unfortunate truth here is that everything is connected these days, and as new technology is being implemented across the board to modernize older technology, it will inevitably introduce new vulnerabilities. Aside from just the surveillance systems which we analyzed today, there are many more systems which are, and will be, vulnerable to various attacks. The race is on for “the good guys” to test security, before “the bad guys” can use it for malicious intent. Our task is to continue in this effort, to keep the world a safer place.

Conclusions

The following considerations are necessary to bring a mesh network to a reasonable level of security:

  • Although still potentially crack-able, WPA with strong password is a minimum requirement to stop the system from being an easy target.
  • Hidden SSID and MAC filtering will also weed out unskilled hackers.
  • Make sure all labels on all equipment are concealed and enclosed to deter attackers who do not have insider information.
  • Securing video data using Public-key cryptography will make it more or less impossible to manipulate video data.

Fraudsters can have rights, too

Thu, 05/21/2015 - 06:00

We have recently come across a method of getting personal information that was interesting from the technical point of view. Our customer received an email saying that someone had used his Live ID to distribute unsolicited email, so his account would be blocked. The email suggested that, to prevent the account from being blocked, the customer should follow the link and fulfill the service’s new security requirements.

This sounds very much like a typical phishing email. The victim is expected to click on the link that will take him to a fake site imitating the official Windows Live page, enter data which will be sent to the scammers, etc. However, to our surprise, the link from the scam email actually led to the Windows Live website and the cybercriminals did not make any attempt to get the victim’s login and password. Their scam was much more sophisticated than that.

The scam

Then why is it dangerous to follow the link if it does lead to the official Microsoft service?

The scam email

This is because the Live ID account can also be used for authorization with other services – Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger, OneDrive, etc. The attack does not result in the fraudster getting direct access to these services on behalf of his victim, but it does enable the attacker to steal personal information contained in the user profiles for these services and subsequently use it for fraudulent purposes.

Having followed the link in the email, we are taken to the official live.com service, where we are asked to authenticate using our login and password.

After successful authentication, the user’s login and password are not intercepted by the fraudsters as one might suppose (and as it usually happens); the user does get authenticated on live.com. But after this they receive a curious prompt from the service:

Some application requests permission to automatically log into our account, view our profile information and contact list and access the list of e-mail addresses. By clicking “Yes” we assign it these rights – in effect providing its creators with our personal information, our contacts’ email addresses, our friends’ nicknames and real names, etc.

Do not give the right to access your personal data to applications that you do not know or trust

Tweet

Since in this case we know nothing about the application or its authors, we can only assume that the data collected will be used for fraudulent purposes. Once again – the login and password do remain confidential.

How it works

Technically, this is not very complicated. There is a special open protocol for authorization, OAuth, which allows resource owners to give third parties limited access to their protected resources without sharing their credentials. The protocol is commonly used by the developers of web applications for social networks if these applications require some data for their operation, such as the ability to access the contact list. It is convenient for users because once they are authenticated with the service they do not have to enter their credentials every time an application requests authorization.

This is the first time we have come across a phishing email used by fraudsters to put these techniques into practice

Tweet

The security flaws of the OAuth protocol have been known for quite a while: in early 2014, a student from Singapore described possible techniques for stealing user data after authentication. However, this is the first time we have come across a phishing email used by fraudsters to put these techniques into practice.

In our case, after clicking on the link hxxps://login.live.com/oauth20_authorize.srf?client_id=00xxx4142735&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=hxxp://webmail.code4life.me/hot/oauth-hotmail.php, which was received in a scam email, a user is taken to the authentication page where (s)he is asked to assign certain rights to an application. The list of rights requested is encoded in the link’s parameters. If the user agrees, (s)he is redirected to a landing page (hxxp://webmail.code4life.me/hot/oauth-hotmail.php) whose URL includes an “access token” (hxxp://webmail.code4life.me/hot/oauth-hotmail.php?code=36cef237-b8f6-9cae-c8e4-ad92677ba) after the “code” parameter, which is then intercepted by the application right from the address bar. The “access token” is then used by the application to access protected resources. It is worth noting that the capabilities offered by OAuth are not limited to authentication and authorization. A token received during authorization can be used for integrating a web service’s or social network’s functionality into your own resource, including the ability to read and write posts, access the news feed, the Wall, etc.

Link parameters

If you take a closer look at the link, you can see the following parameters: wl.signin, wl.basic, wl.emails, and wl.contacts_emails. These parameters are used to encode the permission levels requested by the application:

  • wl.signin – single sign-in enabling users who are logged into Windows Live to automatically log into any web site that supports this type of authorization;
  • wl.basic gives permission to read basic information in the user profile, such as the user’s nickname, first and last name, sex, age, country of residence, as well as giving access to the user’s contact list;
  • wl.emails – gives reading access to the user’s personal, preferred and business email addresses;
  • wl.contacts_emails gives access to the email addresses of all people on the user’s contact list.

There are many other parameters, which give permissions to access the user’s and their contacts’ photos, date of birth, the list of meetings and important events. In fact, a scammer can use this information to create a person’s profile, including information on what the user’s activities are when going out, the user’s friends and people (s)he meets, etc. This profile can then be used for criminal purposes.

The victim's information is gathered in order to send spam or to launch spear phishing attacks

Tweet

Further research enabled us to find a few similar phishing emails containing links to the official Microsoft service. In all cases, attackers asked the user to provide the same information (profile data, email addresses, contacts). Only the addresses of the landing pages hosting the scammers’ application were different.

hxxps://login.live.com/oauth20_authorize.srf?client_id=000000004C1xxx06&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=http://soluciones-ntflix.com/web/oauth-hotmail.php

hxxps://login.live.com/oauth20_authorize.srf?client_id=000000004C1xxx3C&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=http://registros-promos.com/web/oauth-hotmail.php

hxxps://login.live.com/oauth20_authorize.srf?client_id=00000000441xxx1B&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=http://applications-registro.com/web/oauth-hotmail.php

hxxps://login.live.com/oauth20_authorize.srf?client_id=00000000441xxx17&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=http://estimaciones-serv.com/web/oauth-hotmail.php

It should be noted that some applications designed for social networks also use the OAuth protocol.

Example of rights assigned to an application on Facebook

An application created by scammers might request the victim’s permission to publish posts and pictures on the Wall, to read and send private messages, to add entries in guest books. These features can be used to distribute spam or links to phishing or malicious sites.

Conclusion

In the case discussed above, information is most likely gathered in order to send spam to the contacts in the victim’s address book or to launch spear phishing attacks.

To avoid falling victim to scammers, do not follow links received by email or in private messages on social networks. Most importantly, do not give the right to access your personal data to applications that you do not know or trust. Before you agree, carefully read the descriptions of the account access rights which the application will get and assess the threat level. You can also search the Internet for information and feedback on the application requesting these rights. Any social networking site or web service also allows users to view the rights of currently installed applications in account/profile settings and cancel some of the permissions if necessary.

Example of Google access rights assigned to an application

If you have found out that an application is already distributing spam or malicious links on your behalf, you can send a complaint to the administration of the social networking site or web service and the application will be blocked. If you want to log on to a service or social networking site, it is best to go directly to the official website by manually entering its address in the browser. And, of course, keep the databases of your antivirus software with integrated anti-phishing protection up to date.

The Naikon APT and the MsnMM Campaigns

Wed, 05/20/2015 - 23:58

The MsnMM Campaigns [pdf]

For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea. It maintained a heavy offensive focus on Myanmar, Vietnam, Singapore, the Philippines, Malaysia, and Laos. Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others.

Parts of the campaigns have been publicly discussed according to the nature of their tools. For example, the MsnMM backdoors started out with internal names like “WinMM” and “SslMM”, and their file naming spoofed MSN Talk and Msn Gaming Zone. The backdoor term “naikon” was derived from the User-Agent string “NOKIAN95″. But msnMM, naikon, sakto, and rarstone backdoors are all used by the same actor that we call the Naikon APT. Their second stage tools largely remained unknown.

The Naikon attackers attempted to exfiltrate sensitive geo-political, military, and economic data; to intercept communications and to maintain surveillance on their victims throughout the MsnMM campaigns. Their toolset and techniques changed over time in many minor ways, and appear to be run by Chinese-speaking individuals. The group’s infrastructure, reliant on web apps located mostly via dynamic dns domains, overlapped across these campaigns. As previously described, the APT’s methods and technologies are simple, but highly effective against its targets’ defenses. We do not find 0-days here.

Much of Naikon’s spear-phish and decoy document content, as well as its deployment, coincided approximately with highly-charged geopolitical events. The consistent list of military, economic, and political targets gave away the actor’s interests. Naikon’s earliest campaigns deployed the exe_exchange, winMM, and sys10 backdoors, and the codebase was later built out into more custom tools. The MsnMM campaigns were waged into the start of 2014, and then dropped off before picking up again later in the year and into 2015.

Regarding interaction with other APTs, it’s interesting to note that Naikon APT victims overlap with Cycldek APT victims.  Cycldek is another persistent, but weaker APT. In addition, not only does the APT30 target profile match the Naikon APT, its toolset also features minor but noticeable similarities. And the later Naikon campaigns led to an all out APT v APT confrontation with the Hellsing APT, when “the empire struck back.”

Although aspects of the malware set have been discussed on some blogs and in other papers, there hasn’t been an accurate report bringing together details of the MsnMM, Sys10, and Naikon campaigns as the work of one crew, the Naikon APT. Finally, while this report looks into their past activity, the Naikon APT remains active, deploying a more recent codebase. The top targets for 2015 that we are aware of include organizations in Myanmar, Cambodia, Vietnam, Thailand, and Laos.

The Naikon APT

Wed, 05/13/2015 - 23:00

Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT.  Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did.

The Naikon group was spear-phished by an actor we now call "Hellsing"

Tweet

The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t discovered any exact matches. It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.

The Naikon group has for 5 years mined victims, apparently in search of geo-political intelligence

Tweet

This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010.

Noteworthy operational and logistical characteristics of this APT include:

  • At least five years of high volume, high profile,  geo-political attack activity
  • Geographical  focus – per-country, individual operator assignment and proxy presence
  • Dynamic, well organized infrastructure
  • Reliance on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder, and an exploit builder
  • High success rate in infiltrating national organisations in ASEAN countries
Highly Focused and Effective Around the South China Sea

In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT. The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.

Decoy

An attack typically starts with an email carrying an attachment that contains information of interest to the potential victim. The document may be based on information from open sources or on proprietary information stolen from other compromised systems.

This bait “document”, or email attachment, appears to be a Word document, but is in fact an executable file with a double extension exploiting CVE-2012-0158 so it can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer at the same time as a decoy document is displayed to the user; fooling them into thinking they have simply opened a document.

Configuration

The Naikon tool of choice generates a special, small, encrypted file which is 8,000 bytes in size, and contains platform-independent code to be injected into the browser along with configuration data. With the help of a start-up module, this whole file is injected into the browser memory and decrypts the configuration block containing the following:

  • C&C server
  • Ports and path to the server
  • User-agent string
  • Filenames and paths to its components
  • Hash sums of the user API functions

The same code then downloads its main body from the C&C server using the SSL protocol, loads it independently from the operating system functions and, without saving it to the hard drive, hands over control to the XS02 function. All functionality is handled in memory.

Payload

The main module is a remote administration utility. Using SSL, the module establishes a reverse connection to the C&C server as follows: it sets up an outgoing connection to the C&C server and checks if there is a command that it should execute. If there is, it executes the command and returns the result to the C&C. There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer.  This includes taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.

The main module supports 48 commands, which the attackers can use to control the victim machine

Tweet

Here is the complete list of commands:

0 CMD_MAIN_INFO 1 CMD_PROCESS_REFRESH 2 CMD_PROCESS_NAME 3 CMD_PROCESS_KILL 4 CMD_PROCESS_MODULE 5 CMD_DRIVE_REFRESH 6 CMD_DIRECTORY 7 CMD_DIRECTORY_CREATE 8 CMD_DIRECTORY_CREATE_HIDDEN 9 CMD_DIRECTORY_DELETE 10 CMD_DIRECTORY_RENAME 11 CMD_DIRECOTRY_DOWNLOAD 12 CMD_FILE_REFRESH 13 CMD_FILE_DELETE 14 CMD_FILE_RENAME 15 CMD_FILE_EXECUTE_NORMAL 16 CMD_FILE_EXECUTE_HIDDEN 17 CMD_FILE_EXECUTE_NORMAL_CMD 18 CMD_FILE_EXECUTE_HIDDEN_CMD 19 CMD_FILE_UPLOAD 20 CMD_FILE_DOWNLOAD 21 CMD_WINDOWS_INFO 22 CMD_WINDOWS_MESSAGE 23 CMD_SHELL_OPEN 24 CMD_SHELL_CLOSE 25 CMD_SHELL_WRITE 26 CMD_SERVICE_REFRESH 27 CMD_SERVICE_CONTROL 28 CMD_PROGRAM_INFO 29 CMD_UNINSTALL_PROGRAM 30 CMD_REGESTRY_INFO 31 CMD_ADD_AUTO_START 32 CMD_MY_PLUGIN 33 CMD_3RD_PLUGIN 34 CMD_REG_CREATEKEY 35 CMD_REG_DELETEKEY 36 CMD_REG_SETVALUE 37 CMD_REG_DELETEVALUE 38 CMD_SELF_KILL 39 CMD_SELF_RESTART 40 CMD_SELF_CONFIG 41 CMD_SELF_UPDATE 42 CMD_SERVER_INFO 43 CMD_INSTALL_SERVICE 44 CMD_FILE_DOWNLOAD2 45 CMD_RESET 46 CMD_CONNECTION_TABLE 47   48   49 CMD_HEART_BEAT

Several modifications of the main module exist. There are no fundamental differences between modifications; it’s just that extra features get added to the latest versions, such as compression and encryption of transmitted data, or the piecemeal download of large files.

d085ba82824c1e61e93e113a705b8e9a 118272 Aug 23 18:46:57 2012 b4a8dc9eb26e727eafb6c8477963829c 140800 May 20 11:56:38 2013 172fd9cce78de38d8cbcad605e3d6675 118784 Jun 13 12:14:40 2013 d74a7e7a4de0da503472f1f051b68745 190464 Aug 19 05:30:12 2013 93e84075bef7a11832d9c5aa70135dc6 154624 Jan 07 04:39:43 2014 CC-Proxy-Op

C&C server operations are characterized by the following:

  • Low maintenance requirements
  • Organized geo-specific task assignments
  • Different approaches to communication

The C&C servers required only a few operators to manage the entire network. Each operator appears to have focused on their own particular set of targets, because a correlation exists between C&C and the location of targets/victims.

There is a geo-specific correlation between the location of Nikon C&Cs and that of targets/victims

Tweet

Communication with victim systems changed depending on the target involved. In some cases, a direct connection was established between the victim computer and the operator system. In other cases, the connection was established via dedicated proxy servers installed on dedicated servers rented in third countries. In all likelihood, this additional setup was a reaction to the network administrators in some targets limiting or monitoring outbound network connections from their organizations.

Here is a partial list of C&C servers and victim locations, demonstrating the geo-specific correlation:

ID Jakarta linda.googlenow.in ID Jakarta admin0805.gnway.net ID Jakarta free.googlenow.in ID   frankhere.oicp.net ID Bandung frankhere.oicp.net ID Bandung telcom.dhtu.info ID Jakarta laotel08.vicp.net JP Tokyo greensky27.vicp.net KH   googlemm.vicp.net KH Phnom Penh googlemm.vicp.net MM   peacesyou.imwork.net MM   sayakyaw.xicp.net MM   ubaoyouxiang.gicp.net MM Yangon htkg009.gicp.net MM   kyawthumyin.xicp.net MM   myanmartech.vicp.net MM   test-user123.vicp.cc MY   us.googlereader.pw MY   net.googlereader.pw MY   lovethai.vicp.net MY   yahoo.goodns.in MY Putrajaya xl.findmy.pw MY Putrajaya xl.kevins.pw PH Caloocan oraydns.googlesec.pw PH Caloocan gov.yahoomail.pw PH   pp.googledata.pw PH   xl.findmy.pw PH   mlfjcjssl.gicp.net PH   o.wm.ggpw.pw PH   oooppp.findmy.pw PH   cipta.kevins.pw PH   phi.yahoomail.pw SG Singapore xl.findmy.pw SG Singapore dd.googleoffice.in VN Hanoi moziliafirefox.wicp.net VN Hanoi bkav.imshop.in VN Hanoi baomoi.coyo.eu VN Dong Ket macstore.vicp.cc VN Hanoi downloadwindows.imwork.net VN Hanoi vietkey.xicp.net VN Hanoi baomoi.vicp.cc VN Hanoi downloadwindow.imwork.net VN Binh Duong www.ttxvn.net VN Binh Duong vietlex.gnway.net VN Hanoi www.ttxvn.net VN Hanoi us.googlereader.pw VN Hanoi yahoo.goodns.in VN Hanoi lovethai.vicp.net VN Hanoi vietlex.gnway.net XSControl – the Naikon APT’s “victim management software”

In the Naikon scheme, a C&C server is essentially  specialized XSControl software running on the operator’s machine. It can be used to manage an entire network of infected clients. In some cases, a proxy is used to tunnel victim traffic to the XSControl server. A Naikon proxy server is a dedicated server that accepts incoming connections from victim computers and redirects them to the operator’s computer. An individual Naikon proxy server can be set up in any target country with traffic tunnelling from victim systems to the related C&C servers.

XSControl is written in .NET with the use of DevExpress. Its main capabilities are:

  • Accept initial connections from clients
  • Provide clients with the main remote administration module
  • Enable them to remotely administer infected computers with the help of a GUI
  • Keep logs of client activity
  • Keep logs of operator activity
  • Upload logs and files to an FTP server

The operator’s activity logs contain the following:

  • An XML database of downloaded files, specifying the time of operation, the remote path and the local path
  • A database of file names, the victim computer registry keys for the folders and sections requested by the operator
  • A history of executed commands
Country X, Operator X

Now let’s do an overview of one Naikon campaign, focusing on country “X”.

Analysis revealed that the cyber-espionage campaign against country X had been going on for many years. Computers infected with the remote control modules provided attackers with access to employees’ corporate email and internal resources, and access to personal and corporate email content  hosted on external services.

Below is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X.

  • Office of the President
  • Military Forces
  • Office of the Cabinet Secretary
  • National Security Council
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • Federal Police
  • Executive/Presidential Administration and Management Staff

A few of these organizations were key targets and under continuous, real-time monitoring. It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support  real-time outbound connections and data exfiltration from high-profile victim organizations.

In order to obtain employees’ credentials, operator X sometimes used keyloggers. If necessary, operator X delivered them via the remote control client. In addition to stealing keystrokes, this attacker also intercepted network traffic. Lateral movements included copying over and remotely setting up winpcap across desktop systems within sensitive office networks, then remotely setting up AT jobs to run these network sniffers. Some APTs like Naikon distribute tools such as these across multiple systems in order to regain control if it is lost accidentally and to maintain persistence.

The Naikon group took advantage of cultural idiosyncrasies in its target countries

Tweet

Operator X also took advantage of cultural idiosyncrasies in its target countries, for example, the regular and widely accepted use of personal Gmail accounts for work. So it was not difficult for the Naikon APT to register similar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and links to google drive.

The empire strikes back

Every once in a while the Naikon group clashes with other APT groups that are also active in the region. In particular, we noticed that the Naikon group was spear-phished by an actor we now call “Hellsing”. More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost: “The Chronicles of the Hellsing APT: The Empire Strikes Back”.

Spam and Phishing in the First Quarter of 2015

Wed, 05/13/2015 - 08:00

Spam: features of the quarter New domain zones

In January 2014 the New gTLD program of registration for new generic top-level domains designated for certain types of communities and organizations was launched. The main advantage of this program is the opportunity for organizations to choose a domain zone that is clearly consistent with their activities and the themes of their sites. The new business opportunities provided by the New gTLD program were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

Spammers and cybercriminals were quick to react: for them new domains are an excellent tool for promoting illegitimate campaigns. As a result, new domain zones almost immediately became an arena for the large-scale distribution of advertising spam, phishing and malicious emails. Cybercriminals either registered domains to spread spam mass mailings, hacked existing sites to place spam pages, or used these and other web resources in chains that redirect users to spam sites.

According to our observations, email traffic in Q1 2015 saw a considerable increase in the number of new domains that sent out spam of different content. In general there wasn’t much connection between the theme of the spam and the domain name, but in some cases there was an evident logical connection between them. For example, emails sent from the .work domains contained offers to carry out various types of work such as household maintenance, construction or equipment installation. Many of the messages from the .science domains were advertising schools that offer distance learning, colleges to train nurses, criminal lawyers and other professionals.

Q1’s spam traffic also featured many emails sent from color domains like .pink, .red, or .black. Basically they were used to advertise Asian dating sites. At the same time, the top-level domains used in mass mailings exploiting the dating theme were generally empty and did not contain any content related to this subject. They were only used in the chain of redirects leading to the main sites. It should also be noted that the first-level domains of the main sites were created recently and are constantly changing, in contrast with their content, which is still designed according to the same typical spam patterns.

The second- and lower-level domains in such messages are usually generated automatically and appear in the form of a random combination of alphanumeric characters. Meanwhile we are still seeing well-known .com, .org, .info, etc. used as domain zones as well as ones from the New gTLD program.

New domains, old themes

As for spam categories on new domains and Q1 spam in general insurance was one of the hottest topics, both in terms of the number of messages and the number of changing domains seen in mass mailings. This covers all types of insurance - life, health, property, cars, animals, and funeral insurance. Spam offering insurance services used newly-created top-level domains as well as compromised or expired ones. And even though the domains were new, spammers continued to use their old tricks, for example, they substituted domains of well-known organizations such as @ amazon.com or @ ebay.com in the From field.

The emails we came across generally followed the same template:

  • very little text (the email generally contains a typical header consisting of several words which is exactly repeated in the body of the message)
  • one or more links which load a brightly decorated picture (sometimes in parts) with all the necessary advertising data (a more detailed advertising text plus contacts: website address, phone number, company name)
  • another long link that leads to a resource that corresponds to the content of the email
  • additional ‘white noise’ text to bulk out the email

The latter consists of random phrases or single words in any language which may not be the same as the language of the mass mailing. This text is generally invisible to the reader of the email as it is written in white or pale color on a standard white background. This technique is used in many types of mass mailing.

The source code of a page containing a random set of words to ‘noise’ an email

Spammer tricks

To bypass antispam filtering scammers often noise emails with the large pieces of text written in white lettering on a standard white background to create the illusion of a non-spam text message.

In Q1 spammers exploited yet another technique, deliberating distorting spammer site addresses by writing them separately or adding extra characters. At the same time the message text always contained the name of a second-level domain where the spammer site is hosted, as well as instructions about how to use it with the domain zone: for example, "remove all the extra characters, and copy to the address bar" or "enter in the address bar without spaces". In fact, the addressee of the email is encouraged to create the address of spam site of his own and enter it in the address bar.

Macros in malicious spam

Spam is getting more and more dangerous for Internet users. Cybercriminals are coming up with new tricks and are also reverting to the well-known but now forgotten methods. Thus, in the first quarter of 2015 the fraudsters used spam to distributed macro viruses, programs written in the macro languages built into data processing systems (text and graphic editors, spreadsheets, etc.).

In the Q1 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email

Tweet

Malicious emails contained attachments with a .doc or .xls extension. These launched the VBA script when the attachment was opened. This script downloaded and installed other malicious programs, such as the banking Trojan Cridex, in the system. The micro viruses registered by Kaspersky Lab belong to the Trojan downloaders: Trojan-Downloader.MSExcel.Agent, Trojan-Downloader.MSWord.Agent and Trojan-Downloader.VBS.Agent.

Basically, malicious attachments imitated various financial documents: notifications of a fine or a money transfer, unpaid bills, payments, orders and complaints, e-tickets, etc.

Among these fraudulent notifications were fake messages written on behalf of public services, stores, hotel, airlines and other well-known organizations.

One interesting example of a fake notification was the confirmation of payment sent allegedly on behalf of the employee of the leading British supplier of water coolers for offices. The design of the fake message was a perfect imitation of an official email containing full contact details, logos and legitimate links.

Earlier this year, we came across a mass mailing that contained malicious attachments in Microsoft Word or Excel. Instead of the promised detailed information, the attachment contained a Trojan downloader (Trojan-Downloader.MSExcel.Agent or Trojan-Downloader.MSWord.Agent) that downloaded and ran other malicious software. The emails in the mass mailing were based on a single template; only the sender address and the amount of money specified in the subject and the body of the message varied.

The content of the document with a macro virus may look like a set of random characters similar to an incorrect display of coding. Fraudsters use this technique as a pretext: under the pretense of correcting the coding they tried to convince their potential victims to enable macros because back in 2007 Microsoft disabled the automatic activation of macros in files for safety reasons.

In addition to the mass mailings in which the malicious script had been inserted as macros we came across emails in which the script had been inserted as an object. The authors of one of these emails informed recipients they should pay a debt within a week or face legal action that would bring additional financial expenses.

The attached file was also in Microsoft Word while the malicious VBS script (according to the Kaspersky Lab verdict - Trojan-Downloader.VBS.Agent.all) had been inserted into it as an object. To deceive the user the inserted script was displayed as an Excel file: the scammers used the icon of this program and added.xls to the name of the file.

The first macro virus was registered in August 1995 in MS Word "Concept" documents and quickly infected tens of thousands of computers around the world. Despite its 20-year history, this type of malware is still popular largely due to the fact that the VBA language developed to create macros is one of the most simple and accessible, but at the same time functional, programming languages.

The Top 3 countries most often targeted by mailshots: Great Britain, Brazil and USA

Tweet

Most macro viruses are active not only when opening or closing the infected file but as long as the user is working with the editor (text or table). Macro viruses constitute a threat because they infect not only the initially opened file but any other files that are directly addressed.

The active distribution of macro viruses via email is aided by the simplicity with which they can be created and by the fact that users are constantly working with text and spreadsheet applications – often without being aware of the potential danger of macro viruses.

Malicious email attachments

Top 10 malicious programs sent by email, first quarter of 2015

In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. This downloader, which was as low as the sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Next came Trojan-Spy.HTML.Fraud.gen. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc.

In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 p.p. lower than in the previous quarter

Tweet

Trojan-Downloader.HTML.Agent.aax and Trojan.HTML.Redirector.ci are in fourth and seventh positions respectively. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered to download Binbot — a binary option trading bot, which has lately been popular on the net. The two malicious programs spread via email attachments and only difference between them is the link which redirects users to rigged sites.

Sixth comes Trojan.Win32.VBKrypt.sbds. It is just a common Trojan downloader designed to download a malicious file to the victim’s computer and run it.

Eighth and ninth places are occupied by downloaders from the Upatre family - Trojan-Downloader.Win32.Upatre.fbq и Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.

It should be noted that if popular malware families rather than specific malicious programs are ranked, Upatre heads the Q1 rating. In most cases, malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) banker, as a result of which this family also leads our rating of most widespread banking threats.

The Andromeda family, which headed last year’s rating, moved down to second position in Q1 2015. As we have mentioned before, these malicious programs allow cybercriminals to secretly control infected computers, which are often made part of a botnet.

The MSWord.Agent family occupies third position in the Top 10. These malicious programs are.doc files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.

In the Q1 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail

Tweet

Malware from the ZeuS/Zbot family, which are among the most popular and readily available programs used to steal banking information and therefore users’ money, came only seventh in Q1.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q1 2015

In the first quarter, there were major changes in the Top 3 countries most often targeted by mailshots. Brazil unexpectedly moved up to second place with 7.44% (compared to 3.55% in 2014), pushing Germany down in the ranking. Britain tops the rating (7.85%). The USA is in the third place (7.18%). Germany, which headed the rating for a long time, dropped to fourth position (6.05%).

It is also worth mentioning Australia: it climbed to sixth place in the first quarter with 4.12%.

As for Russia, on the one hand, it dropped two positions in the rating (from 8th to 10th), but on the other hand, the percentage of malicious programs targeting the territory of Russia increased in Q1 (from 3.24% in 2014 to 3 36% in the first quarter of 2015).

Statistics Proportion of spam in email traffic

Proportion of spam in email traffic, October 2014 – March 2015

In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 percentage points lower than in the previous quarter. The share of spam gradually decreased: the largest amount of spam was sent in January (61.68%) and the smallest in March (56.17%).

Spam sources by country

Countries that were sources of spam, Q1 2015

In the first quarter of 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail. Russia was in second place with 7.27%. Ukraine came third with 5.56% of the world's spam.

Vietnam (4.82%), China (4.51%) and Germany (4.39%) followed the leaders of the rating. India brought up the rear in the Top 10 with 2.83% of all spam distributed worldwide.

Spam email size

Spam email size distribution, Q4 2014 and Q1 2015

The distribution of spam emails by size remained stable. The leaders were very small emails of up to 2 KB (73.99%), which are easy to handle in mass mailings. The proportion of such emails decreased by 3.28 percentage points.

The proportion of emails in the size range of 2 KB — 5 KB increased by 5.4 percentage points, reaching 16.00%, while the percentage of spam in the 5-10 KB range decreased by 2.28 percentage points to 2.20%. The share of emails sized 10-20 KB saw hardly changed from the previous quarter.

Phishing

In the first quarter of 2015, the Anti-Phishing system was triggered 50,077,057 times on computers of Kaspersky Lab users. This is 1 million times more than in the previous quarter.

For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q1 of 2015 the number (18.28%) was down by 2.74 percentage points.

Geography of phishing attacks*, Q1 2015

* Number of users on whose computers the Anti-Phishing system was triggered as  a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

  Country % of users 1 Brazil 18.28 2 India 17.73 3 China 14.92 4 Kazakhstan 11.68 5 Russia 11.62 6 UAE 11.61 7 Australia 11.18 8 France 10.93 9 Canada 10.66 10 Malaysia 10.40

There was a noticeable increase in the proportion of users attacked in India (+1.8 pp). At the same time, we registered a slight decrease in the number of users attacked in Russia (-0.57 pp), Australia (-2.22 pp) and France (-2.78 pp).

Organisations under attack

The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component of Anti-Phishing is triggered when the user follows a link to a phishing page information on which is not yet included in Kaspersky Lab databases, regardless of the way in which the page was reached – as a result of clicking on a link in a phishing email, a message on a social network or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.

Although the share of the “Email and search portals” category in the rating of organizations attacked by phishers diminished considerably in Q3 2014, the category (25.66%) still occupies the top position in the rating in 2015. The share of this category increased by a mere 0.40 percentage points from Q4 2014.

Distribution of organizations affected by phishing attacks, Q1 2015.

In the first quarter of 2015 the share of "Online shops" (9.68%) increased by 2.78 pp. Although the percentage of the "Online games" category (3.40%) rose by 0.54 percentage points, it yielded its place to the “IMS” category (3.92%), which saw its share grow by 1.69 pp.

In Q1 2015, we included a new category, “Delivery companies”, in our rating. Despite the fact that currently the contribution of this category is only 0.23%, it has recently demonstrated a growth (+0.04). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often attacked by phishers.

Distribution of phishing attacks on delivery companies, Q1 2015

In a number of emails the scammers offer users to purchase goods with delivery provided by a well-known logistics company. If you agree, they require an advance payment for delivery and provide fake invoices with the logo of the relevant delivery company. Having received the money, the fraudsters disappear.

Additionally, phishing messages sent on behalf of logistics firms often contain malicious attachments. Generally, an email includes a delivery notice; to receive the goods the recipients are expected either to open the attachment, which turns out to be malicious, or to go to the website and enter their personal data. The latter method is used to collect valid email addresses and other personal information of users.

Phishing email sent on behalf of FedEx

Phishing page imitating a DHL personal account login page

Phishing page imitating UPS personal account login page

Phishing page imitating FedEx personal account login page

Top 3 organizations attacked

The Top 3 organizations most often attacked by phishers remained the same as in the last quarter of 2014.

  Organization % of phishing links 1 Facebook 10.97 2 Google 8.11 3 Yahoo! 5.21

The top three organizations targeted by phishers are Facebook (+0.63 pp), Google (+1.51 pp) and Yahoo! (5.21%). The percentage of attacks on the latter continues to slowly decrease (-1.37 pp).

Conclusion

The share of spam in email traffic in the first quarter of 2015 was 59.2%, which is 6 percentage points less than in the previous quarter. The percentage of spam gradually declined during the quarter.

Spam traffic in Q1 of 2015 included a large number of mass mailings with Microsoft Word or Excel attachments containing macro viruses. Fraudsters tried to lure users into opening malicious files by disguising them as various documents, including financial. The fake messages often imitated notifications from well-known organizations and services.

In Q1 of 2015 the results of the New gTLD program of registration for new generic top-level domains launched in 2014 became especially noticeable. The new domains are registered daily but not always for legitimate purposes. We expect further growth in the number of new top-level domains used in mass mailings. The increase in the volume of mass mailings sent from new domains which have evident logical connection between the type of goods and services advertised and the domain name is also possible, although this can hardly be considered a trend.

The three leading source countries for spam sent across the world are the USA (14.5%), Russia (7.27%) and Ukraine (5.56%).

In the Q1 2015 the Anti-Phishing system was triggered more than 50 mln times

Tweet

In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. The Upatre downloaders, which are used to download the Trojan banker Dyre/Dyreza, became the most popular malware family of Q1. Britain tops the rating of countries most often targeted by mailshots with 7.85% of all mail antivirus detections.

In Q1 2015, the Anti-Phishing system was triggered on the computers of Kaspersky Lab users 50,077,057 times. The largest percentage of users affected by phishing attacks was in Brazil.

Microsoft Security Updates May 2015

Tue, 05/12/2015 - 19:40

Microsoft released a set of thirteen Security Bulletins (MS015-043 through MS015-055) to start off May 2015, addressing 38 vulnerabilities in a wide set of Microsoft software technologies. Three of these are rated critical for RCE and the rest of the May 2015 Security Bulletins are rated Important. Two of the critical Bulletins (043 and 044) are especially risky and address critical RCE vulnerabilities across all versions of supported Windows platforms.

  • Internet Explorer (MS015-043) critical
  • GDI+ drivers handling fonts (MS015-044) critical
  • Windows Journal (MS015-045) critical
  • Microsoft Office
  • Sharepoint Server
  • Silverlight
  • .NET Framework
  • JScript and VBScript Scripting Engines
  • MMC file format
  • Schannel (Microsoft's network crypto libraries)

Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.

This round of IE memory corruption vulnerabilities enable remote code execution across all versions of the browser and supported Windows OS, IE6 - IE11. Even Internet Explorer 11 on Windows 8.1 maintains the flawed code, leading many to anticipate Microsoft's new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.

Another issue enables RCE in Windows Journal, a note-taking application first written for XP Tablet associated with .jnt files. To disable the app, it seems that you can simply disable the "Tablet PC Options Components" Windows Feature on Vista or Windows 7, but you are without the Control Panel option on Windows 8.x. On Windows 8 and above systems, it looks like you can remove the .jnt file association in the registry, or, you can deny access to journal.exe with a couple of shell commands:

takeown.exe /f "%ProgramFiles%\Windows Journal\Journal.exe"
icacls.exe %ProgramFiles%\Windows Journal\Journal.exe" /deny everyone:(F)

And finally, another couple of font handling GDI+ vulnerabilities are patched, this time in the DirectWrite library handling for both OpenType (cve-2015-1670) and TrueType (cve-2015-1671) fonts. It's 1671 that enables RCE on Windows systems running SilverLight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .Net framework versions, and all the supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch on a set of files, not just win32k.sys driver code:

Win32k.sys
Gdiplus.dll
D2d1.dll
Fntcache.dll
Dwrite.dll
D3d10level9.dll
D3d10_1.dll
D3d10_1core.dll
D3d10warp.dll

According to Microsoft, "When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers". Which may be mincing words, because Microsoft's cve-2015-1671 vulnerability acknowledgement listed the Threat Research Manager at FireEye. That disclosure detail may add urgency to updating this vulnerability for some organizations.

How to mitigate 85% of threats with only four strategies

Tue, 05/12/2015 - 07:00

The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as the most of the others from Top35 ASD’s list.

Many respected technology-focused organizations have already developed strategies for coping with targeted attacks. Gartner, for example, has issued guidelines for dealing with social engineering techniques, including keeping pace with an evolving threat landscape through ongoing information security education1. While no ICT infrastructure can ever be 100% secure, there are reasonable steps every organization can take to significantly reduce the risk of a cyber-intrusion.

Among all the available strategies, here at Kaspersky Lab we consider the Australian Signals Directorate (ASD) document to be the best publicly available guidelines from a government organization on how to successfully fight APTs. But we don’t just like this list of strategies; we also want to make sure that Kaspersky Lab technologies cover as many of them as possible. Please check the list below.  Bear in mind, of course, that not all technologies have something in common with security software:

The Australia’s Signals Directorate’s full Mitigation Strategies list comprises 35 points.

This list of mitigation strategies can be roughly divided into four logical types, according to the implementation approach:

Measures Brief description Administrative Training, physical security Networking These measures are easier to  implement at  a network hardware level System administration The OS contains everything needed for implementation Specialized security solutions Specialized security software is applicable

Through comprehensive, detailed analysis of local attacks and threats, ASD has found that at least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies. Three of them are related to specialized security solutions. Kaspersky Lab products include technological solutions to cover these first three major strategies:

  • Use application whitelisting to help prevent malicious software and unapproved programs from running
  • Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
  • Patch operating system vulnerabilities
  • Restrict administrative privileges to operating systems and applications, based on user duties2.

In addition, over half of the ASD list could be implemented using our specialized information security solutions. Take a look at the strategies (those related to specialized security solutions) mapped to Kaspersky Lab technologies. We have highlighted the ones that ASD believes account for 85% mitigation:

ASD rank Mitigation strategy, short name Kaspersky Lab technologies 1 Application whitelisting Dynamic whitelisting 2 Patching application vulnerabilities Vulnerability Assessment and Patch Management 3 Patching OS vulnerabilities 5 User application configuration hardening Web control (blocking scripts in web-browsers) , Web Anti-Virus 6 Automated dynamic analysis of email and web content Mail Anti-Virus and Web Anti-Virus, Security for Mail Server, Security for Internet Gateway, DLP for Mail and Collaboration add-ons 7 OS generic exploit mitigation Automatic Exploit Prevention 8 HIDS/HIPS System Watcher and Application Privilege Control 12 Software-based application firewall for incoming traffic Advanced Firewall 13 Software-based application firewall for outgoing traffic Advanced Firewall 15 Computer event logging Kaspersky Security Center 16 Network activity logging Kaspersky Security Center 17 E-mail content filtering Kaspersky Security for Mail Sever 18 Web content filtering Web Control 19 Web domain whitelisting Web Control 20 Block spoofed e-mails Anti-Spam 22 AV software using heuristics and automated Internet-based reputation ratings Anti-Malware 26 Removable and portable media control Device Control 29 Workstation inspection of Microsoft Office files Anti-Malware 30 Signature-based AV software Anti-Malware

ASD Strategies that can be implemented effectively using Kaspersky Lab’s product range.

For more detailed data about ASD strategies please consult the mitigation strategies document in the Securelist encyclopedia: part 1, part 2 and part 3. We hope that this information will be useful for system administrators, CIO/CISOs and researchers fighting targeted cyber intrusions.

1 Gartner: Best Practice for Mitigating Advanced Persistent Threats (document ID G00256438). >>>
2 Australian Signals Directorate, Strategies to Mitigate Targeted Cyber Intrusions >>>

IT threat evolution in Q1 2015

Wed, 05/06/2015 - 06:00

Q1 in figures
  • According to KSN data, Kaspersky Lab products detected and neutralized a total of 2,205,858,791 malicious attacks on computers and mobile devices in the first quarter of 2015.
  • Kaspersky Lab solutions repelled 469,220,213 attacks launched from online resources located all over the world.
  • Kaspersky Lab's web antivirus detected 28,483,783 unique malicious objects: scripts, exploits, executable files, etc.
  • 93,473,068 unique URLs were recognized as malicious by web antivirus components.
  • 40% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia.
  • Kaspersky Lab's antivirus solutions detected a total of 253,560,227 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected
    • 147,835 installation packages;
    • 103,072 new malicious mobile programs;
    • 1,527 mobile banking Trojans.
Overview Equation APT – the most sophisticated attacks

The story of the powerful Equation cyberespionage group was perhaps the most talked-about news story of Q1. The group has interacted with other influential groups, such as Stuxnet and Flame, for many years. Attacks carried out by Equation are arguably the most sophisticated of all: one of the group’s modules can be used to modify hard drive firmware. Since 2001, Equation has successfully infected the computers of thousands of victims in Iran, Russia, Syria, Afghanistan, the US and other countries. Its victims come from sectors such as government and diplomatic institutions, telecommunications, energy, etc.

The group uses a variety of malware, some of which is even more sophisticated than the infamous Regin platform. Known methods of dissemination and infection include using the Fanny USB worm (its arsenal included two zero-day vulnerabilities that were later used in Stuxnet), malicious installers on CDROMs, and web exploits.

Carbanak – the most successful cyber campaign

In spring 2014, Kaspersky Lab got involved in a forensic investigation: a bank’s ATMs dispensed cash without the recipient physically interacting with the ATM. This was the start of our investigation into the Carbanak campaign and an analysis of the eponymous malicious program.

Carbanak is a backdoor originally based on Carberp code. It is designed for espionage, data exfiltration and remote control of any computer infected with it. Once the attackers were inside the victim´s network, they performed a reconnaissance of that network with a view to performing lateral movement and compromising critically important systems – processing systems, accounting systems and ATMs.

Kaspersky Lab products detected a total of 2.2 bln malicious attacks in the Q1 2015

Tweet

Three methods of cashing out have been identified:

  1. via ATMs,
  2. by transferring money to cybercriminals’ accounts using the SWIFT network,
  3. by altering databases to create fake accounts and subsequently using mule services to collect the money.

Infections were carried out using typical APT-style methods – via spearphishing emails with documents containing exploits. The emails were constructed in such a way as to avoid raising suspicions, in some cases coming from the addresses of employees working for the company under attack.

Kaspersky Lab estimates that about 100 financial organizations, most of them in Eastern Europe, have been hit by the group, with total financial losses approaching $1 billion. This makes Carbanak by far the most successful criminal cyber campaign we have ever seen.

Desert Falcons – attacks in the Middle East

While investigating an incident in the Middle East, Kaspersky Lab experts came across the activity of a previously unknown group carrying out targeted attacks. The group was given the name Desert Falcons. It is the first Arabic speaking group seen conducting full-scale cyberespionage operations, and its work is apparently connected with the political situation in the region.

The first signs of Desert Falcons’ activity were seen in 2011 and the first known infections were carried out in 2013. The group’s activity peaked in late 2014 and early 2015. The group’s members are clearly no newbies: they developed Windows and Android malware from scratch; they also skillfully organized attacks which relied on phishing emails, fake websites and fake social network accounts.

Kaspersky Lab solutions repelled 470 mln attacks launched from online resources located all over the world

Tweet

The group’s victims are located primarily in Palestine, Egypt, Israel and Jordan. Victims include political activists and leaders, military and governmental organizations, mass media, financial institutions and other organizations. The group has currently claimed more than 3,000 victims; the attackers have succeeded in stealing over a million files and documents.

In addition to highly sophisticated and carefully planned distribution of spear phishing emails designed to infect the victims, Desert Falcons used social engineering on Facebook. The attackers created dedicated accounts to begin communicating with their intended victims, gain their trust and then use the chat facility to send each victim a malicious program disguised as an image. For infections on a bigger scale, the group used posts containing malicious links, created using compromised or fake accounts of political leaders.

Animal Farm APT

In March 2014 the French newspaper Le Monde published an article on a cyberespionage toolset identified by Communications Security Establishment Canada (CSEC). The toolset described was used in the Snowglobe operation, which targeted francophone Canadian media, as well as Greece, France, Norway and some African countries. Based on the results of their analysis, CSEC believed that the operation might have been initiated by French intelligence agencies.

In early 2015, researchers published analyses of some malicious programs (1, 2, 3) that had much in common with Snowglobe. In particular the research identified samples that contained the internal name Babar, which was the same as the name of the program mentioned in the CSEC slides.

Kaspersky Lab's web antivirus detected 28,5 mln unique malicious objects in the Q1 2015

Tweet

After analyzing the malicious programs used in this campaign and identifying the connections between them, Kaspersky Lab experts gave the group behind them the name Animal Farm. It was discovered that two of the three zero-day vulnerabilities found by Kaspersky Lab in 2014 and used by cybercriminals in their attacks were present in the group’s arsenal. For example, an attack from the compromised website of the Syrian Ministry of Justice using exploits for CVE-2014-0515 led to an Animal Farm tool, known as Casper, being downloaded.

A curious feature of this campaign is that NBOT – one of the malicious programs used by the group – is designed to conduct DDoS attacks. This functionality is not commonly used by typical APT groups. In addition, one of the malicious ‘animals’ has the strange name of Tafacalou – possibly, a word in Occitan, a language spoken in France and some other places.

Upatre – active distribution of the Dyre/Dyreza banker

Last quarter, the most widespread example of a banker Trojan was Upatre – a downloader for the Dyre financial malware, also known as Dyreza. This banker Trojan first appeared in 2014. It targets users from various financial organizations. It uses a technique designed to bypass SSL protection in order to steal payment information. This malware can also be used as a remote administration tool (RAT), enabling attackers to manually carry out transactions on behalf of online banking users.

The Upatre downloader is delivered to users in spam emails, many of which look like legitimate messages from financial institutions. Banks attacked by the banker Trojan Dyre, which is downloaded by Upatre, include Bank of America, Natwest, Citibank, RBS and Ulsterbank. According to researchers, the bulk of Dyre activity is currently taking place in the UK.

PoSeidon – attacks on PoS terminals

A new banker Trojan which attacks PoS terminals has been detected. PoSeidon scans a PoS system’s memory for payment information stored in plain text and sends any information it finds to the attackers.

Researchers from Cisco Security Solutions have identified three malware components that are probably associated with PoSeidon: a keylogger, a loader and a memory scraper that also has keylogging functionality. The keylogger is designed to steal credentials for the LogMeIn remote access application. It deletes encrypted LogMeIn passwords and profiles that are stored in the system registry in order to force users to type them again. The researchers believe this keylogger is potentially used to steal the remote access credentials that are needed to compromise point-of-sale systems and install PoSeidon.

In the Q1 2015 Kaspersky Lab mobile products detected 103 072 new malicious mobile programs

Tweet

Once the PoSeidon attackers get access to a PoS terminal, they install a loader. This component downloads another file called FindStr from the group’s command-and-control (C&C) servers. FindStr is used to find strings that match payment card numbers in the memory of running processes. Curiously, the malware only looks for card numbers that begin with specific digits.

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Mobile malware is evolving towards monetization – with malware writers trying to render their creations capable of obtaining money and users’ bank data using a variety of techniques.

More and more SMS Trojans are being enhanced with features that enable them to attack victims’ bank accounts. An example of this is Trojan-SMS.AndroidOS.OpFake.cc, which can now attack at least 29 banking and financial applications.

Malware writers are also beginning to build ransomware functionality into their SMS Trojans. For example, in order to obtain victims’ bank card data, Trojan-SMS.AndroidOS.FakeInst.ep uses techniques typical of ransomware programs: windows opened by the malware cannot be closed without entering the data.

What the user sees is a message, purportedly from Google, demanding that the user opens Google Wallet and goes through the ‘personification’ procedure by entering their credit card details (curiously, one of the justifications given for these actions is the need to combat cybercrime). The window cannot be removed until the victim enters credit card details.

Trojan-Spy programs, like SMS Trojans, are modified so that they can attack victims’ bank accounts. For example, Trojan-Spy.AndroidOS.SmsThief.ay is now capable of attacking five different banking and financial applications.

The upshot of this is that the mobile malware used by cybercriminals to hunt for their victims’ money is becoming increasingly versatile. Stealing money from users’ bank accounts by attacking banking applications is now something that can be done not only by dedicated Trojan-Bankers but also by some SMS Trojans and even Trojan-Spies. This may be one of the reasons why relatively few mobile banker Trojans were detected in Q1 2015.

In the Q1 2015 Kaspersky Lab mobile products detected 1,527 mobile banking Trojans

Tweet

Overall, mobile malware designed to steal or extort money from users (SMS Trojans, banker Trojans and ransomware Trojans) accounted for 23.2% of new mobile threats in Q1 2015. All three malware types are extremely dangerous and the malware writers' interest in their victims' money provides an incentive for their further development and evolution.

New developments from malware writers
  1. Trojan-Banker.AndroidOS.Binka.d, a banker Trojan, has evolved. Now it can ‘listen in’ to its victim. Sound is recorded using the device’s microphone and written to a file that is transferred to the cybercriminals’ server.
  2. A technique based on patching applications and embedding malicious code into them is now one of the main methods used to distribute Trojans. For example, Trojan-SMS.AndroidOS.Chyapo.a was embedded in the Unity Launcher Free app. The difference between clean and malicious applications is, in this case, manifested only by a new permission requirement – the malicious app requires access to the handling of incoming SMS messages. Another curious thing about this Trojan was that its command-and-control server was hosted on sites.google.com.
  3. The developers of Podec, an SMS Trojan, have mastered a new distribution technique – through the VKontakte social network. A malicious file was uploaded to the popular social network’s content storage servers.  The Trojan made it into the Top Three malicious mobile programs based on the number of users attacked.
  4. Malware that can actively resist security solutions is not a new technology, but it is gaining in popularity. Trojan-Banker.AndroidOS.Svpeng.f, a banker Trojan first detected in Q1, tries to remove the applications of three antivirus vendors: Avast, Eset, and DrWeb.
Mobile threat statistics

In Q1 2015, Kaspersky Lab mobile security products detected 103,072 new malicious mobile programs, a 3.3 fold increase on Q4 2014.

The number of installation packages detected was 147,835 – this is 2.3 times as many as in the previous quarter.

Number of malicious installation packages
and new malicious mobile programs detected (Q3 2014 - Q1 2015)

We have lately seen the ratio of malicious installation packages to new malicious programs diminish. In Q3 2014, there was an average of 6.2 malicious installation packages per malicious program, in Q4 – there were about two installation packages per malicious program. In Q1 2015, the ratio was down to 1.4.

Distribution of mobile malware by type

Distribution of new mobile malware by type, Q1 2015

The ranking of malware objects for mobile devices for the first quarter of 2015 was headed by RiskTool (35.7%). These are legitimate applications that are potentially dangerous for the user – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.

SMS Trojans came second with 21%. As we wrote in our previous reports, in Q3 2014 the proportion of SMS Trojans to all new mobile threats fell from 22% to 14%. However, this type of malware regained lost ground by the end of 2014. In terms of growth rate, it is in third place: in Q1 2015 the total number of SMS Trojans in our collection increased by 18.7%.

Third place in the rankings was taken by potentially unwanted advertising apps (15.2%). The number of such applications in the overall stream of new mobile threats is gradually declining.

Более 93 млн. опасных ссылок выявили продукты "ЛК" с января по март 2015 года

Tweet

The share of banker Trojans among all the mobile malware first detected in Q1 has significantly declined compared to previous quarters and was down to 1.1%. The number of new mobile bankers in our collection grew by 6.5% during the quarter.

One other thing worth noting is that Trojan-Ransom malware, which has not been in the cybercriminals’ arsenal for very long, demonstrated the highest growth rate of all mobile threats. The number of new samples detected in Q1 was 1,113, resulting in a 65% increase in the number of mobile ransomware samples in our collection. This is a dangerous trend: since malware of this type is designed to extort money, it can damage personal data and block infected devices.

Another type of mobile threat which is showing a high growth rate is spyware (Trojan-Spy). The number of such programs in our collection increased by 35% in the first quarter of 2015.

Top 20 malicious mobile programs   Name % of attacks * 1 DangerousObject.Multi.Generic 10.90% 2 AdWare.AndroidOS.Viser.a 9.20% 3 Trojan-SMS.AndroidOS.Podec.a 7.92% 4 RiskTool.AndroidOS.MimobSMS.a 7.82% 5 Trojan-SMS.AndroidOS.OpFake.a 6.44% 6 Trojan.AndroidOS.Mobtes.b 6.09% 7 Adware.AndroidOS.MobiDash.a 5.96% 8 Exploit.AndroidOS.Lotoor.be 4.84% 9 RiskTool.AndroidOS.SMSreg.gc 4.42% 10 AdWare.AndroidOS.Xynyin.a 3.31% 11 AdWare.AndroidOS.Ganlet.a 2.63% 12 Exploit.AndroidOS.Lotoor.a 2.19% 13 AdWare.AndroidOS.Dowgin.l 2.16% 14 Trojan-SMS.AndroidOS.Stealer.a 2.08% 15 AdWare.AndroidOS.Kirko.a 2.04% 16 Trojan.AndroidOS.Rootnik.a 1.82% 17 Trojan.AndroidOS.Pawen.a 1.81% 18 Trojan-SMS.AndroidOS.Gudex.f 1.75% 19 RiskTool.AndroidOS.SMSreg.dd 1.69% 20 AdWare.AndroidOS.Kemoge.a 1.52%

* Percentage of users attacked by the malware in question, relative to all users attacked

The top position in the rankings was occupied by DangerousObject.Multi.Generic (10.90%). This is how new malicious applications are detected by Kaspersky Security Network cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.

Potentially unwanted advertising applications accounted for seven positions in the rankings, including second place, which was taken by AdWare.AndroidOS.Viser.a (9.2%).

SMS Trojans continue to lose ground in the Top 20 ranking of mobile threats: while in Q4 2014 they had nine positions in the rankings, in Q1 2015 they only had four.

Nevertheless, Trojan-SMS.AndroidOS.Podec.a (7.92%) has been among the Top Three malicious mobile programs for two quarters in a row due to its active dissemination. As we mentioned above, the malware was uploaded to the file storage servers of VKontakte, Russia’s largest social network. On top of everything else, this Trojan is known to use the most powerful commercial obfuscator available today.

RiskTool malware occupied six positions in the Top 20, with RiskTool.AndroidOS.MimobSMS.a (7.82% of users attacked) ranking fourth.

Mobile banker Trojans

In Q1 2015, we detected 1,527 mobile banker Trojans –a 4.4 fold decline on the previous quarter.

Number of mobile banker Trojans detected (Q1 2014 – Q1 2015)

Geography of mobile banking threats in Q1 2015
(number of users attacked)

96% of attacks involving mobile banker Trojans were against users located in 10 countries.

Top 10 counties attacked by mobile banker Trojans:

  Country % of all attacks* 1 Russia 86.66% 2 Ukraine 2.27% 3 US 2.21% 4 Kazakhstan 1.87% 5 Germany 0.97% 6 Republic of Korea 0.70% 7 Belarus 0.64% 8 UK 0.37% 9 Uzbekistan 0.34% 10 India 0.21%

* Percentage of users attacked per country, relative to all users attacked

Russia retained its traditional top position in the rankings. Ukraine moved up to second place, pushing the US and Kazakhstan down to the third and fourth positions, respectively. Belarus moved two notches down to seventh place.

The geography of mobile threats

In Q1 2015, mobile malicious attacks were detected at least once in 213 countries.

The geography of mobile malware infection attempts in Q1 2015
(percentage of all users attacked)

Top 10 countries attacked by mobile malware:

  Country % of attacks* 1 Russia 41.92% 2 India 7.55% 3 Germany 4.37% 4 Brazil 3.20% 5 Iran 3.12% 6 Kazakhstan 2.88% 7 US 2.84% 8 Ukraine 2.53% 9 Malaysia 2.05% 10 Vietnam 1.87%

*Percentage of users attacked per country, relative to all users attacked

Russia (42%) remained at the top of this ranking, with the other countries lagging far behind. India (7.5%) was in second place.

Vulnerable applications exploited by cybercriminals

The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

Distribution of exploits used in attacks by type of application attacked, Q1 2015

The top position in the Q1 2015 rankings was occupied by the Browsers category (64%), which includes exploits targeting Internet Explorer. This category was also at the top of the rankings in the last three quarters of 2014.

In Q1, we saw a significant fall in the number of exploits for Oracle Java (down seven percentage points (p.p.) from Q4 2014). This can be explained by the fact that exploits for these applications were almost completely removed from all exploit packs.

It is worth mentioning the growing number of exploits for Microsoft Office (up two p.p. from Q4 2014) and Adobe Flash Player (up by one p.p.) in Q1 2015.

The increase in the number of malicious flash objects was primarily due to the large number of vulnerabilities discovered in the first quarter of 2015. Virtually all exploit packs now include exploits for Adobe Flash Player vulnerabilities.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

Online threats in the banking sector

In the first quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 929,082 users. This figure represents a 64.3% increase compared to the previous quarter (565,515).

Number of computers attacked by financial malware (Q1 2015)

Attacks using financial malware are on the rise. Note that there was a sharp increase in the number of such attacks in March 2015.

A total of 5,106,804 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q1 2015.

Geography of attacks

Geography of banking malware attacks (Q1 2014)

Top 10 countries by the number of users attacked

  Countries Number of users attacked 1 Brazil 91,893 2 Russia 85,828 3 US 66,699 4 Germany 51,670 5 UK 25,269 6 India 22,085 7 Turkey 21,397 8 Australia 18,997 9 Italy 17,663 10 Spain 17,416

Brazil continued to lead the ranking of countries most affected by banking malware, with the number of attacks increasing by 15% compared to the previous quarter (79,845).

The Top 10 banking malware families

The table below shows the top 10 programs most commonly used to attack online banking users in Q1 2015, based on the number of users attacked:

Name Number of notifications Number of users attacked Trojan-Downloader.Win32.Upatre 3,127,365 349,574 Trojan-Spy.Win32.Zbot 865,873 182,966 Trojan-Banker.Win32.ChePro 355,735 91,809 Trojan-Banker.Win32.Banbra 35,182 16,363 Trojan.Win32.Tinba 94,972 15,719 Trojan-Banker.Win32.Agent 44,640 12,893 Trojan-Banker.Win32.Shiotob 60,868 12,283 Trojan-Banker.Win32.Banker 39,728 12,110 Trojan-Spy.Win32.SpyEyes 57,418 9,168 Backdoor.Win32.Papras 56,273 3,062

The vast majority of malicious programs in the Top 10 ranking use a technique based on injecting arbitrary HTML code into the web page displayed by the browser and intercepting payment credentials entered by the user in original and injected web forms.

In the first quarter of 2015, Zeus (Trojan-Spy.Win32.Zbot), which in 2014 was the most popular malicious program in this category, gave up its top position to Trojan-Downloader.Win32.Upatre. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to a family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the command-and-control center.

The third specimen in the banker Trojan Top Three is Trojan-Banker.Win32.ChePro. This malware spreads via spam emails with online banking-related subject strings (e.g., messages can have “Invoice for online banking” as their subject). A word document with an embedded image is attached to such messages; upon clicking on the image, malicious code is executed.

Financial threats

Financial threats are not limited to banker malware that attacks online banking customers.

Financial malware: distribution by malware type

The second most widespread financial threat in Q1 2015 was Bitcoin wallet theft. Another cryptocurrency-related threat was Bitcoin mining, i.e., using victims' computers to generate Bitcoins.

Top 20 malicious objects detected online

In the first quarter of 2015, Kaspersky Lab's web antivirus detected 28,483,783 unique malicious objects: scripts, exploits, executable files, etc.

We identified the 20 most active malicious objects involved in online attacks against users' computers. These 20 accounted for 95.9% of all attacks on the Internet.

Top 20 malicious objects detected online

  Name* % of all attacks** 1 Malicious URL 37.55% 2 AdWare.JS.Agent.bg 36.06% 3 AdWare.Script.Generic 6.58% 4 Trojan.Script.Iframer 4.49% 5 AdWare.NSIS.AnProt.b 3.83% 6 Trojan.Script.Generic 2.91% 7 AdWare.JS.Agent.an 1.06% 8 AdWare.Win32.Yotoon.bfm 0.81% 9 Trojan.JS.Redirector.ads 0.47% 10 Exploit.Script.Blocker 0.33% 11 AdWare.Win32.Eorezo.eod 0.31% 12 Trojan.Win32.Generic 0.24% 13 Trojan-Downloader.Win32.Generic 0.22% 14 AdWare.Win32.ConvertAd.vo 0.17% 15 Trojan-Downloader.Script.Generic 0.16% 16 AdWare.NSIS.Agent.bx 0.16% 17 AdWare.NSIS.Agent.cv 0.13% 18 AdWare.AndroidOS.Xynyin.a 0.13% 19 AdWare.Win32.Yotoon.heur 0.12% 20 AdWare.Win32.SoftPulse.xvm 0.12%

*These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
**The percentage of all web attacks recorded on the computers of unique users.

The Top 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 37.55% of all verdicts fell on links that are included in blacklists.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command-and-control centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names were matched up against the actual domain IP addresses, and then the geographical locations of specific IP addresses (GEOIP) were established.

In Q1 2015, Kaspersky Lab solutions blocked 469,220,213 attacks launched from web resources located in various countries around the world. 90% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q1 2015

This Top 10 ranking typically remains unchanged for extended periods of time. However, Q1 2015 saw a change of leader. The top position is now occupied by Russia (with almost 40%), which rose from fourth position. The US, which headed the ranking in the previous quarter, is now in second position with 18%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

  Country* % of unique users attacked ** 1 Kazakhstan 42.37% 2 Russia 41.48% 3 Azerbaijan 38.43% 4 Ukraine 37.03% 5 Croatia 37.00% 6 Armenia 35.74% 7 Mongolia 33.54% 8 Moldova 33.47% 9 Belarus 33.36% 10 Kyrgyzstan 32.20% 11 Algeria 32.12% 12 Qatar 31.15% 13 Georgia 30.69% 14 UAE 29.36% 15 Latvia 28.69% 16 Tajikistan 28.36% 17 Bosnia and Herzegovina 28.00% 18 Greece 27.55% 19 Tunisia 27,54% 20 Bulgaria 27,44%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the first quarter of 2015, the top position in the rankings was occupied by Kazakhstan, which pushed Russia down to second place. Since the previous quarter, Vietnam and Portugal have left the Top 20. The rankings’ newcomers were Bosnia and Herzegovina (28.00%) and Greece (27.55%), which were in 17th and 18th positions, respectively.

The countries with the safest online surfing environments included Japan (12.4%), Denmark (12.7%), Singapore (14.3%), Finland (14.9%), South Africa (14.8%) and the Netherlands (15.2%).

On average, 26.3% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2015, Kaspersky Lab's file antivirus modules detected 253,560,227 unique malicious and potentially unwanted objects.

Top 20 malicious objects detected on user computers   Name* % of unique users attacked ** 1 DangerousObject.Multi.Generic 22.56% 2 Trojan.WinLNK.StartPage.gena 17.05% 3 Trojan.Win32.Generic 15.06% 4 AdWare.Script.Generic 6.12% 5 WebToolbar.Win32.Agent.azm 4.49% 6 WebToolbar.JS.Condonit.a 4.20% 7 AdWare.Win32.Agent.heur 4.15% 8 RiskTool.Win32.BackupMyPC.a 3.83% 9 Downloader.Win32.Agent.bxib 3.74% 10 Trojan.Win32.AutoRun.gen 3.70% 11 Trojan.VBS.Agent.ue 3.64% 12 Downloader.Win32.MediaGet.elo 3.42% 13 AdWare.Win32.SearchProtect.ky 3.34% 14 Worm.VBS.Dinihou.r 3.31% 15 Virus.Win32.Sality.gen 3.18% 16 AdWare.Win32.DealPly.brj 2.86% 17 Trojan.Script.Generic 2.74% 18 AdWare.Win32.NewNext.a 2.70% 19 WebToolbar.JS.CroRi.b 2.66% 20 AdWare.MSIL.Kranet.heur 2.49%

*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

This ranking usually includes verdicts issued to adware programs and their components (such as Trojan.VBS.Agent.ue,). In Q1 2015, such verdicts occupied thirteen places in the Top 20.

A newcomer to the rankings, Trojan.WinLNK.StartPage.gena, jumped straight into second position. This is a verdict given to LNK files containing a browser link which specifies the page to be opened. These pages usually have names similar to those of Internet search engines, but they actually redirect users to sites with questionable content. Some of these sites can be dangerous and are even detected by antivirus solutions. Detections of such LNK files peaked in January.

The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q1 2015, Sality was in 15th place with 3.18%.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

  Country* % of unique users ** 1 Vietnam 60.68% 2 Bangladesh 60.20% 3 Mongolia 57.28% 4 Yemen 55.91% 5 Somalia 55.64% 6 Nepal 55.01% 7 Afghanistan 54.91% 8 Algeria 54.83% 9 Iraq 54.38% 10 Cambodia 52.70% 11 Laos 52.54% 12 Armenia 52.44% 13 Pakistan 51.95% 14 Kazakhstan 51.54% 15 Ruanda 51.36% 16 Ethiopia 50.93% 17 Egypt 50.60% 18 Syria 50.11% 19 India 50.00% 20 Tajikistan 49.80%

These statistics are based on the detection verdicts returned by OAS and ODS antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

For a long time, countries in Africa, the Middle East and South-East Asia took all the positions in this ranking. However, in Q1 2015, the rankings had such newcomers as Armenia (12th position), Kazakhstan (14th position) and Tajikistan (20th position).

Vietnam (60.68%) has headed the rankings for almost two years, while Bangladesh (60.2%) and Mongolia (57.3%) have kept their positions for the third quarter in a row.

In Russia, local threats in Q1 2015 were detected on computers of 49.6% of users.

The safest countries in terms of local infection risks were: Japan (14.7%), Denmark (20.1%), Sweden (21.4%), Hong Kong (21.5%), and Finland (21.6%).

An average of 39.8% of computers globally faced at least one local threat during Q1 2015, which is two p.p. more than in Q4 2014.

RSA Conference 2015

Wed, 04/22/2015 - 07:54

The RSA Conference 2015 is being held at the Moscone Center in San Francisco. It a massive event, with thousands of people in attendance.

A huge number of booths built up by vendors provide coffee bars, presentations, and swag giveaways. Threat intelligence is hawked by many here. But, some of the most surprising parts of cyber-security that has been a long time coming is a discussion I do not always hear - cyber-security insurance and quantification methodologies of threat risk assessment. Yawn. This arrival following the massive 2014 data breaches, of course, is partly expected and a double edged sword. It both incentivizes corporate decision makers to act more irresponsible with protecting your data (just buy more insurance to cover it, it's cheap!), and the policies may incentivize decision makers to strengthen their organization's cybersecurity in order to meet coverage requirements. Either way, carriers are underwriting more cybersecurity policies and we have yet to see the real impact.

From Kaspersky Lab, our very own David Jacoby will be presenting later today on IoT security at 10:20 am, West Moscone Room 3018. Come check it out!

How exploit packs are concealed in a Flash object

Wed, 04/22/2015 - 07:00

One of the most important features of a malicious attack is its ability to conceal itself from both protection solutions and victims. The main role in performing a hidden attack is played by exploits to software vulnerabilities that can be used to secretly download malicious code on the victim machine. Generally, exploits are distributed in exploit packs which appear in the form of plugin detects (to identify the type and version of software installed on the user computer) and a set of exploits, one of which is issued to the user if an appropriate vulnerability is found.

Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.

Downloading an Exploit

The standard technique used in a drive-by attack is to compromise a web site with a link leading to a landing page with the exploit pack. From there the pack uploads the necessary exploit onto the user computer.  From the point of view of security software, this unmasks all the components of the exploit pack because they are simply uploaded onto the landing page. As a result, the exploits and the plugin detects are visible in the web traffic. The criminals must mask each component separately if the attack is to go unnoticed.

The unconventional new approach with the Flash package is definitely more efficient for criminals. The standard landing page is missing. The user follows the link to get to a page with a packed Flash object that turns out to be the exploit pack and the configuration file in an image form. The packed Flash file with the exploit pack is loaded to a page in the browser and has the right to write to and modify the page, i.e. it can add exploits to the page which will then be executed.

Let us look into how this works, using the Netrino exploit pack as our example.

This is what the packed Flash object looks like:

The packed Flash object (exploit pack)

This is how it looks after de-obfuscation:

The Flash object (exploit-pack) after de-obfuscation

The packing is supposed to prevent the malicious object from being detected. A Flash object like this is not opened by most popular deobfuscators. For instance, SWF Decompiler freezes and then reports an error.


The results of using a popular deobfuscator on the Flash object of the Neutrino exploit pack

The Flash object is written to a page in the user's browser with the parameter allowscriptaccess = "always" – this allows for the page to be modified, even if the object was loaded from a different domain. Although Flash objects rarely require page modification rights, there is nothing very unusual about this option and indeed a lot of legitimate Flash content is loaded this way. With this privilege, the malicious Flash object simply writes exploits to the page from its binary data.

Thus, there is no malicious content in the web traffic or on the page delivered to the browser. The malicious content is hidden behind a good packer, and the exploits emerge while a page is processed by the browser.

Contents of the Flash object

Let us have a look at what the analyzed Flash object contains, and what it writes to a web page. After unpacking, we see six embedded binary objects. These binary objects are coded with RC4, and some are also compressed with the standard 'deflate' algorithm.

The encoded binary objects within the Flash object

Here is how one of the objects is decoded and delivered:

The code for decrypting and adding the exploit to a page

Other objects are decrypted in a similar manner.

Let us summarize the binary objects contained in the Flash pack:

  • An exploit for the CVE-2013-2551 vulnerability in Internet Explorer
  • The exploit for the CVE-2013-2551 vulnerability

  • A malicious DLL which is also part of other versions of the Neutrino exploit pack (discussed later in this article).
  • Two exploits for the CVE-2014-6332 vulnerability in Internet Explorer's VBS processor:

  • Exploits for the CVE-2014-6332 vulnerability

  • An exploit for the CVE-2014-0569 vulnerability in Adobe Flash
  • The exploit for the CVE-2014-0569 vulnerability

  • An exploit for the CVE-2014-0515 vulnerability in Adobe Flash
  • The exploit for the CVE-2014-0515 vulnerability

By the way, there is no plugin detect for Adobe Flash exploits in this exploit pack. ActionScript tools are used to check the version of Adobe Flash. Adobe Flash versions that can be attacked using exploits are hardcoded in the Flash-pack code:

In the most recent versions, modifications were introduced into the Flash pack. These include adding another exploit for the vulnerability CVE-2015-0536 in Adobe Flash.

The configuration file

Let us have a look at one interesting function in the Flash pack.

It should be remembered that an image (a configuration file) is posted on the landing page alongside with the Flash object.

The image posted on the page

A special function reads this image from the landing page, decodes its Base64 and RC4, and thus obtains the configuration file.

The function for obtaining the configuration file

The configuration file contains the keys and identifiers of the exploits discussed above, which are available for the user to download. The availability of the configuration file gives some flexibility to the cybercriminals: they can specify the best settings for its operation at each specific period of time without changing the exploit pack itself. For example, they can specify priority exploits or separately keep the keys with which to decrypt the objects within the pack.

The configuration file decrypted from the image

In the later versions of the Flash pack, however, the configuration file is part of the actual exploit pack rather than a separate picture.

Implementing the payload

The shell-code of one of the exploits is a VBS code with binary code in a string, which is executed by the exploitation of the vulnerability CVE-2014-6332 in Internet Explorer's VBS processor. As a result, the file shell32.dll is loaded to the folder "%temp%/System32/.

The name and the path of the loaded file are similar to those of regular Windows DLLs. Using the regular DLL hijacking technique, one can go without using the functions run, start, open etc., and thus mask the launch of a malicious DLL from the security product.

Using DLL hijacking shell32.dll

The exploit modifies the environment variable SYSDIR and attempts to load System.ShellApplication – this launches the malicious DLL.

The launched DLL is a dropper which loads the script"p.js" to the victim's computer and launches it.

The main part of shell32.dll code

The launched p.js script

This script is the loader of the principal malicious file.

Distribution

The version of the Flash pack described in this article emerged in late 2014 and was actively distributed in Q1 2015. There were also new modifications of the Flash pack, but their basic working principles didn't change.

It wasn't until March 2015 that we observed Neutrino Flash pack attacks on the computers of 60,541 users. On average about 2,000 users were attacked every day; on certain days, the number of potential victims reached 5,000 to 6,000.

The number of unique users attacked by Neutrino Flash pack

This exploit pack is predominantly used to attack users located in the USA and Canada.

The geographic distribution of Neutrino Flash-pack attacks (as of March 2015)

Conclusion

The idea of use a Flash-pack to distribute exploits is relatively new and it has proved fairly successful for cybercriminals. Existing Flash properties allow them to pack the exploit pack into a Flash object and conceal it with an obfuscator. The Flash capability to specify website access parameters then allows them to write exploits to a webpage in the user's browser. The exploit-pack's components are not found in the web traffic, nor in the loaded page.

Although the malware writers are constantly updating the exploit-pack and introducing modifications into the code of the malicious Flash pack in order to prevent security products from detecting it, Kaspersky Lab responds promptly to these threats. Alongside regular protection methods, Kaspersky Lab's products use a special "Anti-Exploit Protection" (AEP) component, which detects this threat with the help of behavior analysis.

Kaspersky Lab's products detect this Flash pack under the verdict HEUR:Exploit.Script.Blocker, HEUR:Exploit.SWF.Generic.

The CozyDuke APT

Tue, 04/21/2015 - 16:50

CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

The operation presents several interesting aspects

  • blatantly sensitive high profile victims and targets
  • crypto and anti-detection capabilities
  • strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as "diplomacy.pl", hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy.

In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is "Office Monkeys LOL Video.zip". The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT's components are signed with phony Intel and AMD digital certificates.

Recent Cozyduke APT activity attracted significant attention in the news:
Sources: State Dept. hack the 'worst ever'
White House computer network 'hacked'
Three Months Later, State Department Hasn't Rooted Out Hackers
State Department shuts down its e-mail system amid concerns about hacking

Let's examine a smattering of representative CozyDuke files and data. There is much to their toolset.

Office Monkeys dropper analysis
The droppers and spyware components often maintain fairly common characteristics
68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip

Believe it or not, recipients in bulk run the file within:
95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe
 
This file in turn drops two executables to %temp%

  • 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe
  • 3d3363598f87c78826c859077606e514, player.exe

It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague. It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques:
3d3363598f87c78826c859077606e514,338kb,player.exe,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33

The file collects system information, and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here:
SELECT * FROM AntiVirusProduct
SELECT * FROM FireWallProduct

The code hunts for several security products to evade:

  • CRYSTAL
  • KASPERSKY
  • SOPHOS
  • DrWeb
  • AVIRA
  • COMODO Dragon

 
In addition to the WMI/wql use, it also hunts through the "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" registry key looking for security products to avoid.
 
Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates. These files are stored within an 217kb encrypted cab file in the dropper's resources under the name "A". The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x32.

The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems:
C:\Documents and Settings\user\Application Data\ATI_Subsystem\
6761106f816313394a653db5172dc487,54kb,amdhcp32.dll  ← 32bit dll,CompiledOn:2014.07.02 21:13:24
d596827d48a3ff836545b3a999f2c3e3,60kb,aticaldd.dll  ← 64bit dll,CompiledOn:2014.07.02 21:13:26
bc626c8f11ed753f33ad1c0fe848d898,285kb,atiumdag.dll ← 32bit dll, 279kb, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26
4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat
 
The code copies rundll32.exe from windows\system32 to its newly created %appdata%\ATI_Subsystem subdirectory as "amdocl_as32.exe" alongside the three dll's listed above. It runs atiumdag.dll with two parameter values, it's only export and an arbitrary pid,  i.e.:
"C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32.exe" "C:\Documents and Settings\user\Application Data\ATI_Subsystem\atiumdag.dll"", ADL2_ApplicationProfiles_System_Reload 1684"
 
This dll is built with anti-AV protections as well. However, it looks for a different but overlapping set, and the random duplication suggests that this component was cobbled together with its dropper, partly regionally based on target selection.

  • K7
  • KASPERSKY
  • AVG

 
The code collects information about the system
efd5aba3-6719-4655-8a72-1aa93feefa38C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32exeMyPCuserMicrosoft Windows XP 512600 SP 30 x32Admin192.60.11.1008:11:17:f2:9a:efSophos Anti-Virus

Finally, this process beacons to www.sanjosemaristas.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years.
hxxp://www.sanjosemaristas.com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter's service name GUID. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data communications and POSTs it to the server.

Executable-Signing Certificates

Samples are usually signed with a fake certificate - we've seen two instances, one AMD and one Intel:

Configuration files:

Some of the malware uses an encrypted configuration file which is stored on disk as "racss.dat". This is encrypted by RC4, using key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}. Here's how it looks decrypted:

C&Cs:

121.193.130.170:443/wp-ajax.php
183.78.169.5:443/search.php
200.119.128.45:443/mobile.php
200.125.133.28:443/search.php
200.125.142.11:443/news.php
201.76.51.10:443/plugins/json.php
202.206.232.20:443/rss.php
202.76.237.216:443/search.php
203.156.161.49:443/plugins/twitter.php
208.75.241.246:443/msearch.php
209.40.72.2:443/plugins/fsearch.php
210.59.2.20:443/search.php
208.77.177.24:443/fsearch.php
www.getiton.hants.org.uk:80/themes/front/img/ajax.php
www.seccionpolitica.com.ar:80/galeria/index.php
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Second stage malware and communications:

The attackers send commands and new modules to be executed to the victims through the C&Cs. The C&C scripts store these temporarily until the next victim connects in local files. We've identified two such files:

  • settings.db
  • sdfg3d.db

Here's how such a database file appears:

These are BASE64 encoded and use the same RC4 encryption key as the malware configuration.

Decoding them resulted in the following payloads:

59704bc8bedef32709ab1128734aa846 *ChromeUpdate.ex_
5d8835982d8bfc8b047eb47322436c8a *cmd_task.dll
e0b6f0d368c81a0fb197774d0072f759 *screenshot_task.dll

Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values:

conf.xml

And a set of "reporting" files, maintaining stolen system "info", error output, and "AgentInfo" output, from victim systems:
DCOM_amdocl_ld_API_.raw
Util_amdave_System_.vol
Last_amdpcom_Subsystem_.max
Data_amdmiracast_API_.aaf
7.txt

screenshot_task.dll is a 32-bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file.

cmd_task.dll is a 32-bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks.

Each of these payloads is delivered together with a configuration file that explains how to run it, for instance:

Furthermore, ChromeUpdate is a 64-bit executable (which appears to be a WEXTRACT package) that oddly drops a 32-bit Dll. Cache.dll is simply stored as a cabinet file in the ChromeUpdate's resource section.

ChromeUpdate.exe starts the file with "rundll32 cache.dll,ADB_Setup"

Cache.dll analysis

Cache.dll was written in C/C++ and built with a Microsoft compiler.

Cache.dll code flow overview

  • rc4 decrypt hardcoded c2 and urls
  • resolve hidden function calls
  • collect identifying victim system data
  • encrypt collected data
  • send stolen data to c2 and retrieve commands

Cache.dll code details

Structurally, cache.dll is a fairly large backdoor at 425kb. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn't exposed until runtime. No pdb/debug strings are present in the code.

It maintains eight exports, including DllMain:

  • ADB_Add
  • ADB_Cleanup
  • ADB_Initnj
  • ADB_Load
  • ADB_Release
  • ADB_Remove
  • ADB_Setup

ADB_Setup is a entry point that simply spawns another thread and waits for completion.

Above, we see a new thread created with the start address of Cache.dll export  "ADB_Load" by the initial thread.

This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data:

The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key "\x8B\xFF\x55\x8B\xEC\x83\xEC\x50\xA1\x84\x18\x03\x68\x33\xC9\x66\xF7\x45\x10\xE8\x1F\x89\x45\xFC\x8B\x45\x14\x56".

The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality:
InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetSetOptionW
GetAdaptersInfo

Much like the prior office monkey "atiumdag.dll" component, this code collects identifying system information using standard win32 API calls:

  • Computer name - GetComputerNameW
  • User name - GetUserNameW
  • Adapter GUID, ip address, mac address - GetAdaptersInfo
  • Windows version - GetVersionExW

It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls.

Cache.dll connectback urls:
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Observed user-agent string on the wire, but it's dynamically generated based on the Windows system settings (retrieved using standard win32 api "ObtainUserAgentString"):
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

Connections with MiniDuke/CosmicDuke/OnionDuke:

One of the second stage modules of Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke. Below we compare Show.dll with the OnionDuke sample MD5: c8eb6040fd02d77660d19057a38ff769. Both have exactly the same export tables and appear to be called internally "UserCache.dll":

This seems to indicate the authors of OnionDuke and Cozy Bear are the same, or working together.

Another interesting comparison of two other files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks.
2e0361fd73f60c76c69806205307ccac, update.dll (Miniduke), 425kb (internal name = "UserCache.dll")
9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (Cozyduke), 425kb (internal name = "UserCache.dll")

The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time. The table below presents the function matches based on size data, but the calls, jmps and code all match as well. The contents of only one of these exports in update.dll has no match whatsoever in cache.dll.

Unlike the atiumdag.dll file above, however, cache.dll and update.dll do not maintain anti-AV and anti-analysis functionality sets. Perhaps they plan to pair this stealer with another dropper that maintains the WMI anti-AV functionality.

We expect ongoing and further activity from this group in the near future and variations on the malware used in previous duke-ish incidents.

For more information about MiniDuke, CosmicDuke and OnionDuke, please see References.

Appendix: Parallel and Previous Research

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor, Securelist, Feb 2013

Miniduke is back: Nemesis Gemina and the Botgen Studio, Securelist, July 2014

MiniDuke 2 (CosmicDuke), CrySyS, July 2014

COSMICDUKE Cosmu with a twist of MiniDuke [pdf], F-Secure, September 2014

THE CASE OF THE MODIFIED BINARIES, Leviathan Security, October 2014

A word on CosmicDuke, Blaze's Security Blog, September 2014

OnionDuke: APT Attacks Via the Tor Network, F-Secure, November 2014

The Connections Between MiniDuke, CosmicDuke and OnionDuke, F-Secure, January 2015

The Chronicles of the Hellsing APT: the Empire Strikes Back

Tue, 04/14/2015 - 22:30

Introduction

One of the most active APT groups in Asia, and especially around the South China Sea area is "Naikon". Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

Naikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have described in detail. The name Naikon comes from a custom user agent string, "NOKIAN95/WEB", located within the backdoor:

NOKIAN string in Naikon backdoor

The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way. What was perhaps one of the biggest operations of the Naikon group was launched in March 2014, in the wake of the MH370 tragedy that took place on March 8th. By March 11th, the Naikon group was actively hitting most of the nations involved in the search for MH370. The targets were extremely wide-ranging but included institutions with access to information related to the disappearance of MH370, such as:

  • Office of the President
  • Armed Forces
  • Office of the Cabinet Secretary
  • National Security Council(s)
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • National Police
  • Presidential Management Staff

The Naikon group used mostly spear-phished documents for the attacks, with CVE-2012-0158 exploits that dropped the group's signature backdoor.

While many of these attacks were successful, at least one of the targets didn't seem to like being hit, and instead of opening the documents, decided on a very different course of action.

The empire strikes back

Here's a question - what should you do when you receiving a suspicious document from somebody you don't know, or know very little? Choose one:

  • Open the document
  • Don't open the document
  • Open the document on a Mac (everybody knows Mac's don't get viruses)
  • Open the document in a virtual machine with Linux

Based on our experience, most people would say 2, 3 or 4. Very few would open the document and even fewer would actually decide to test the attacker and verify its story.

But this is exactly what happened when one of the Naikon spear-phishing targets received a suspicious email. Instead of opening the document or choosing to open it on an exotic platform, they decided to check the story with the sender:

Naikon target asks for confirmation of the email

In the email above, we can see the target questioning the authenticity of the Naikon spear-phishing. They ask the sender if it was their intention to email this document.

The attacker was, of course, not confused in the slightest, and being very familiar with the internal structure of the target's government agency, replied claiming that they work for the secretariat division and were instructed to send it by the organization's management:

Naikon attacker replies to the target

The reply is written in poor English and indicates that the attacker is probably not as proficient in the language as the intended victim. Seeing the reply, the target obviously decided not to open the document. Moreover, they decided to go a bit further and try to learn more about the attacker.

Not long after the first exchange, the following email was sent to the attacker by the target:

The attachment is a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers. Inside the archive we find two decode PDF files and one SCR file:

Much to our surprise, the "SCR" file turned out to be a backdoor prepared especially for the Naikon fraudsters.

The file "Directory of ... Mar 31, 2014.scr" (md5: 198fc1af5cd278091f36645a77c18ffa) drops a blank document containing the error message and a backdoor module (md5: 588f41b1f34b29529bc117346355113f). The backdoor connects to the command server located at philippinenews[.]mooo[.]com.

The backdoor can perform the following actions:

  • download files
  • upload files
  • update itself
  • uninstall itself

We were amazed to see this course of action and decided to investigate the "Empire Strikes Back"-door further; naming the actor "Hellsing" (explained later).

The malware used by the intended victim appears to have the following geographical distribution, according to KSN data:

  • Malaysia – government networks
  • Philippines – government networks
  • Indonesia – government networks
  • USA - diplomatic agencies
  • India (old versions of malware)

In addition, we've observed the targeting of ASEAN-related entities.

Victims of Hellsing attacks

The actor targets its intended victims using spear-phishing emails with archives containing malware, similar to the one it used against the Naikon group. Some of the attachment names we observed include:

  • 2013 Mid-Year IAG Meeting Admin Circular FINAL.7z
  • HSG FOLG ITEMS FOR USE OF NEWLY PROMOTED YNC FEDERICO P AMORADA 798085 PN CLN.zip
  • Home Office Directory as of May 2012.Please find attached here the latest DFA directory and key position officials for your referenece.scr
  • LOI Nr 135-12 re 2nd Quarter.Scr
  • Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
  • Letter to SND_Office Call and Visit to Commander, United States Pacific Command (USPACOM) VER 4.0.zip
  • PAF-ACES Fellowship Program.scr
  • RAND Analytic Architecture for Capabilities Based Planning, Mission System Analysis, and Transformation.scr
  • Update Attachments_Interaction of Military Personnel with the President _2012_06_28.rar
  • Update SND Meeting with the President re Hasahasa Shoal Incident.scr
  • Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip
  • ZPE-791-2012&ZPE-792-2012.rar
  • zpe-791-2012.PDF.scr

We've observed RAR, ZIP and 7ZIP archives in the attacks - the 7ZIP archives with passwords were probably introduced as a way to bypass the recent security features on Gmail, which block password-protected archives with executables inside.

Each backdoor has a command and control server inside as well as a version number and a campaign or victim identifier. Some examples include:

MD5 Date C&C Campaign identifier 2682a1246199a18967c98cb32191230c Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 31b3cc60dbecb653ae972db9e57e14ec Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 4dbfd37fd851daebdae7f009adec3cbd Nov 08 2013 articles.whynotad[.]com 1.5_articles.whynotad.com-nsc 015915bbfcda1b2b884db87262970a11 Feb 19 2014 guaranteed9.strangled[.]net 1.5_guaranteed9-nsc 3a40e0deb14f821516eadaed24301335 Mar 31 2014 hosts.mysaol[.]com 1.6.1_imi;simple 73396bacd33cde4c8cb699bcf11d9f56 Nov 08 2013 web01.crabdance[.]com 1.5_op_laptop 7c0be4e6aee5bc5960baa57c6a93f420 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA bff9c356e20a49bbcb12547c8d483352 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It c0e85b34697c8561452a149a0b123435 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It f13deac7d2c1a971f98c9365b071db92 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA f74ccb013edd82b25fd1726b17b670e5 May 12 2014 second.photo-frame[.]com 1.6.2s_Ab

The campaign identifiers could be related to the organizations targeted by the specific builds of this APT. Some possible descriptions for these initials could be:

Artifacts and overlap with other APTs

Interestingly, some of the infrastructure used by the attackers appears to overlap (although around a year apart) with a group tracked internally at Kaspersky Lab as PlayfullDragon (also known as "GREF"); while other aspects of the infrastructure overlap with a group known as Mirage or Vixen Panda.

For instance, one of the PlayfullDragon's Xslcmd backdoors described by our colleagues from FireEye (md5: 6c3be96b65a7db4662ccaae34d6e72cc) beams to cdi.indiadigest[.]in:53. One of the Hellsing samples we analysed (md5: 0cbefd8cd4b9a36c791d926f84f10b7b) connects to the C&C server at webmm[.]indiadigest[.]in. Although the hostname is not the same, the top level domain suggests some kind of connection between the groups. Several other C&C subdomains on "indiadigest[.]in" include:

  • aac.indiadigest[.]in
  • ld.indiadigest[.]in
  • longc.indiadigest[.]in

Another overlap we observed is with an APT known as Cycldek or Goblin Panda. Some of the Hellsing samples we analysed in this operation (e.g. md5: a91c9a2b1bc4020514c6c49c5ff84298) communicate with the server webb[.]huntingtomingalls[.]com, using a protocol specific to the Cycldek backdoors (binup.asp/textup.asp/online.asp).

It appears that the Hellsing developer started with the Cycldek sources and worked together with the operators from other APT groups. Nevertheless, it is sufficiently different to warrant classification as a stand-alone operation.

So, where does the Hellsing name come from? One of the samples we analysed (md5: 036e021e1b7f61cddfd294f791de7ea2) appears to have been compiled in a rush and the attacker forgot to remove the debug information. One can see the project name is Hellsing and the malware is called "msger":

Of course, Hellsing can have many different meanings, including the famous doctor from Bram Stoker's Dracula. However, according to Wikipedia, "Hellsing (ヘルシング Herushingu) is also a Japanese manga series written and illustrated by Kouta Hirano. It first premiered in Young King Ours in 1997 and ended in September 2008".

The Hellsing series chronicles the efforts of the mysterious and secret Hellsing Organization, as it combats vampires, ghouls, and other supernatural foes; which makes it perhaps an appropriate name for our group.

In addition to the Hellsing/msger malware, we've identified a second generation of Trojan samples which appear to be called "xweber" by the attackers:

"Xweber" seems to be the more recent Trojan, taking into account compilation timestamps. All the "msger" samples we have seen appear to have been compiled in 2012. The "Xweber" samples are from 2013 and from 2014, indicating that at some point during 2013 the "msger" malware project was renamed and/or integrated into "Xweber".

During our investigation we've observed the Hellsing APT using both the "Xweber" and "msger" backdoors in their attacks, as well as other tools named "xrat", "clare", "irene" and "xKat".

Other tools

Once the Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering further information about the victim or doing lateral movement. One such tool is "test.exe":

Name test.exe Size 45,568 bytes MD5 14309b52f5a3df8cb0eb5b6dae9ce4da Type Win32 PE i386 executable

This tool is used to gather information and test available proxies. Interestingly, it also contains the Hellsing debug path:

Another attack tool deployed in a victim's environment was a file system driver, named "diskfilter.sys", although internally it claims to be named "xrat.sys". The driver is unsigned and compiled for 32-bit Windows. It was used briefly in 2013, before being abandoned by the attackers, possibly due to Windows 7 driver signing requirements:

Another tool used by the attackers is called "xKat":

Name xkat.exe Size 78,848 bytes MD5 621e4c293313e8638fb8f725c0ae9d0f Type Win32 PE i386 executable

This is a powerful file deletion and process killer which uses a driver (Dbgv.sys) to perform the operations. We've seen it being used by the attackers to kill and delete malware belonging to their competitors.

Some of the debug paths found in the binaries include:

  • e:\Hellsing\release\clare.pdb
  • e:\Hellsing\release\irene\irene.pdb
  • d:\hellsing\sys\irene\objchk_win7_x86\i386\irene.pdb
  • d:\hellsing\sys\xkat\objchk_win7_x86\i386\xKat.pdb
  • d:\Hellsing\release\msger\msger_install.pdb
  • d:\Hellsing\release\msger\msger_server.pdb
  • d:\hellsing\sys\xrat\objchk_win7_x86\i386\xrat.pdb
  • D:\Hellsing\release\exe\exe\test.pdb
Attribution

In general, the attribution of APTs is a very tricky task which is why we prefer to publish technical details and allow others to draw their own conclusions.

The Hellsing-related samples appear to have been compiled around the following times:

Assuming normal work starts at around 9 am, the attacker seems to be most active in a time-zone of GMT+8 or +9, considering a work program of 9/10 am to 6/7pm.

Conclusions

The Hellsing APT group is currently active in the APAC region, hitting targets mainly in the South China Sea area, with a focus on Malaysia, the Philippines and Indonesia. The group has a relatively small footprint compared to massive operations such as "Equation". Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here.

The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack.

To protect against a Hellsing attack, we recommend that organisations follow basic security best practices:

  • Don't open attachments from people you don't know
  • Beware of password-protected archives which contain SCR or other executable files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed
  • Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader

Kaspersky Lab products detect the backdoors used by the Hellsing attacker as: HEUR:Trojan.Win32.Generic, Trojan-Dropper.Win32.Agent.kbuj, Trojan-Dropper.Win32.Agent.kzqq.

Appendix:

Hellsing Indicators of Compromise

Pages