Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks. This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero day exploit (CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT Group we track under the codename “ScarCruft”.
ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.
Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.
This exploit caught by our technologies highlights a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.
Operation Daybreak general information
Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks.
Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks. Certain details, such as using the same infrastructure and targeting, make us believe that Operation Daybreak is being done by the ScarCruft APT group.
The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In general, their work is very professional and focused. Their tools and techniques are well above the average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks.
In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.
The main exploit page script contains a BASE64 decoder, as well as RC4 decryption implemented in JS.
The parameters sent to the “ap.php” script are randomly generated on each hit, so the second stage payload gets encrypted differently each time. This prevents easy detection by MD5 or signatures of the second stage payload.
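The per-hit encryption described above, modelled in Python as an added example (this is not the exploit page's script, and the payload bytes are a constructed stand-in): each hit uses a fresh RC4 key, so the bytes on the wire hash differently every time, while hashing after decryption with the key the page itself carries gives a stable value to detect on.

```python
import base64
import hashlib
import os
from typing import Optional, Set, Tuple

# Constructed stand-in for the second-stage payload (the real SWF bytes are not on the page).
SECOND_STAGE = b"<constructed second-stage payload, stand-in for the encrypted SWF>"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def serve_hit(payload: bytes, key: Optional[bytes] = None) -> Tuple[str, str]:
    """Model one hit on the second-stage script: a random key per request,
    payload returned RC4-encrypted and base64-encoded. Returns (key_hex, blob)."""
    if key is None:
        key = os.urandom(16)
    blob = base64.b64encode(rc4(key, payload)).decode()
    return key.hex(), blob


def client_decode(key_hex: str, blob: str) -> bytes:
    """What the landing page does in JS: base64-decode, then RC4-decrypt with the per-hit key."""
    return rc4(bytes.fromhex(key_hex), base64.b64decode(blob))


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def wire_md5s(payload: bytes, hits: int) -> Set[str]:
    """MD5 of the raw bytes crossing the wire: a new value on every hit,
    so a hash or signature match on the download alone never fires twice."""
    return {md5(base64.b64decode(serve_hit(payload)[1])) for _ in range(hits)}


def decrypted_md5s(payload: bytes, hits: int) -> Set[str]:
    """MD5 after decryption with the key carried in the page: one stable value."""
    result = set()
    for _ in range(hits):
        key_hex, blob = serve_hit(payload)
        result.add(md5(client_decode(key_hex, blob)))
    return result
```

The practical consequence for detection is to emulate the page's own decoder and hash the decrypted stage, rather than the downloaded blob.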
The exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe Flash Player is located in the second SWF delivered to the victim.
At the end of the exploitation chain, the server sends a legitimate PDF file to the user – “china.pdf”. The “china.pdf” file shown to the victims in the last stage of the attack seems to be written in Korean:
Decoy document shown to victims
The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.
Vulnerability technical details
The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.
This is what the structure looks like:
This structure also contains an array of item_info structures:
The documentation says the following about these structures:
“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”
In the exploit used by the ScarCruft group, we have the following item_info structures:
Item_info array in exploit object
The code that triggers the vulnerability parses this structure and, for every key and value member, tries to get the respective string object from the string constant pool. The problem lies in the fact that the “.key” and “.value” members are used as indexes without any kind of boundary check. It is easy to see that if the key or value member is larger than the string constant pool array, a memory corruption problem appears. It is also important to mention that these members (value, key) are read directly from the SWF object, so an attacker can easily use them to implement arbitrary read/write operations.
Getting object by index from constant pool without any checks
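The missing check, as an added example (this is not Adobe's parser and the sample bytes are constructed): a parser for the item_info key/value pairs, using the standard AVM2 u30 varint encoding for the indices, that reports any index beyond the string constant pool before it is ever used as an array index. The pool contents and the item values are assumptions for the demonstration.

```python
from typing import List, Optional, Tuple

# Constructed string constant pool; index 0 is the AVM2 "empty" string slot.
STRING_POOL = ["", "ExecPolicy", "key1", "val1"]


def read_u30(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one AVM2 u30 varint: 7 data bits per byte, high bit set = more bytes
    follow, least-significant group first, at most 5 bytes. Returns (value, new_pos)."""
    value = 0
    for n in range(5):
        if pos >= len(buf):
            raise ValueError("truncated u30 at offset %d" % pos)
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * n)
        if not b & 0x80:
            return value & 0x3FFFFFFF, pos
    raise ValueError("u30 longer than 5 bytes at offset %d" % pos)


def encode_u30(value: int) -> bytes:
    """Inverse of read_u30; used here only to build the constructed sample."""
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def parse_item_info(buf: bytes, pos: int, item_count: int) -> Tuple[List[Tuple[int, int]], int]:
    """Read item_count {u30 key, u30 value} pairs exactly as they sit in the file."""
    items = []
    for _ in range(item_count):
        key, pos = read_u30(buf, pos)
        value, pos = read_u30(buf, pos)
        items.append((key, value))
    return items, pos


def find_out_of_range(items: List[Tuple[int, int]], pool_size: int) -> List[Tuple[int, str, int]]:
    """The check the vulnerable code lacks: every key and value must index inside the
    string pool. Returns (item_number, field, raw_index) for each offender."""
    bad = []
    for n, (key, value) in enumerate(items):
        if key >= pool_size:
            bad.append((n, "key", key))
        if value >= pool_size:
            bad.append((n, "value", value))
    return bad


def resolve_checked(items: List[Tuple[int, int]], pool: List[str]) -> List[Tuple[Optional[str], str]]:
    """Hardened lookup: reject the whole structure if any index is out of range, then map
    pairs to strings; key == 0 is a keyless entry that only carries a value."""
    bad = find_out_of_range(items, len(pool))
    if bad:
        raise ValueError("item_info indices out of range: %r" % bad)
    return [(pool[key] if key else None, pool[value]) for key, value in items]


# Constructed item_info blob: a valid pair, a keyless entry, and a pair whose value
# index lies far beyond the 4-entry pool (the shape of value the exploit supplies).
SAMPLE_ITEMS = b"".join(encode_u30(x) for x in (2, 3, 0, 3, 0, 0x3FFFFFFF))
SAMPLE_ITEM_COUNT = 3

if __name__ == "__main__":
    parsed, end = parse_item_info(SAMPLE_ITEMS, 0, SAMPLE_ITEM_COUNT)
    print(parsed, find_out_of_range(parsed, len(STRING_POOL)))
```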
Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.
Bypassing security solutions through DDE
The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions we have never seen before.
In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file. This is internally called “yay_release.dll”:
Second stage DLL internal name and export
The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of the methods uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. It relies on an interesting bug in the Windows DDE component. It is no secret that anti-malware systems trigger on special system functions that are called in the context of potentially vulnerable applications, to perform a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute.
For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console.
To make execution of the payload invisible to these defense systems, the threat actors used the Windows DDE interface in a very clever way. First, they register a special window for it:
In the window procedure, they post WM_DDE_EXECUTE messages with commands:
Sending WM_DDE_EXECUTE message to window
The attackers used the following commands:
The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows.
In our case, a malicious VBS was executed, which installs the next-stage payload stored in a CAB file:
Malicious VBS used in the attack
We have reported this “creative” abuse of DDE to Microsoft’s security team.
The final payload of the attack is a CAB file with the following MD5:
The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files (MD5, filename):
- a6f14b547d9a7190a1f9f1c06f906063 cfgifut.dll
- e51ce28c2e2d226365bc5315d3e5f83e cldbct.dll
- 067681b79756156ba26c12bc36bf835c cryptbase.dll
- f8a2d4ddf9dc2de750c8b4b7ee45ba3f msfte.dll
The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:
The modules are signed with invalid digital certificates issued to “Tencent Technology (Shenzhen) Company Limited”, with serial numbers copied from real Tencent certificates:
- 5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0
- 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e
Invalid digital signature on malware samples
The malware deployed in this attack is extremely rare and apparently reserved only for high profile victims. Our products detect it, as well as other malware from ScarCruft, as HEUR:Trojan.Win32.ScarCruft.gen.
Victims:
Although our visibility is rather limited, some of the victims of these attacks include:
- A law enforcement agency in an Asian country
- One of the largest trading companies in Asia and in the world
- A mobile advertising and app monetization company in the USA
- Individuals related to the International Association of Athletics Federations
- A restaurant located in one of the top malls in Dubai
Some of these were compromised over the last few days, indicating the attackers are still very active.
Conclusions:
Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a sandbox bypass exploit, which makes them rather tricky.
Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.
Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.
As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.
Kaspersky products detect the Flash exploit as HEUR:Exploit.SWF.Agent.gen; our AEP (Automatic Exploit Prevention) component can also successfully detect this attack. Payloads are detected with the HEUR:Trojan.Win32.ScarCruft.gen verdict.
* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.
Indicators of compromise:
Malicious IPs and hostnames:
Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.
The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.
xDedic forum login
From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.
The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.
Server purchase forum
To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.
In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.
Top countries with servers on sale
Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.
Top 10 sellers – May 2016
So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.
SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)
The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.
Apparently, there is strong interest in accounting, tax reporting and point-of-sale (PoS) software, which opens up many opportunities for fraudsters:
Spam and Attacking Tools:
- Advanced Mass Sender
- LexisNexis Spam Soft
Gambling and Financial Software:
- Full Tilt Poker
- UltraTax 2010 (2011,..,2015)
- Abacus Tax Software
- CCH tax14 (tax15)
- CCH Small Firm Services
- ProSeries TAX (2014,2015)
- ProSystem fx Tax
- 2015 Tax Preparation
- Tax Management Inc.
POS Software:
- POS Software (Generic)
During our research, we counted 453 servers from 67 countries with PoS software installed:
Servers for sale with Point-of-Sale software – May 2016
For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff, to harvest credit card numbers. The possibilities are truly endless.
Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.
To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here.
* For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact email@example.com
Earlier today, Adobe published the security advisory APSA16-03, which describes a critical vulnerability in Adobe Flash Player version 188.8.131.52 and earlier versions for Windows, Macintosh, Linux, and Chrome OS:
A few months ago, we deployed a new set of technologies into our products designed to identify and block zero-day attacks. These technologies already proved their effectiveness earlier this year, when they caught an Adobe Flash zero-day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.
We believe these attacks are launched by an APT Group we call “ScarCruft”.
ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.
Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.
We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.
* More information about the ScarCruft APT and Operation Daybreak is available to customers of Kaspersky Intelligence Services. Contact: firstname.lastname@example.org
Are you planning to visit Brazil during the Olympic Games? Or watch it online? In this blog post we discuss the threats to visitors aiming to travel to Brazil to watch the games and to those planning to watch it online. In the first part we’ll talk about phishing attacks, including one against the organizers of the Games; in the second we highlight WiFi security and the results of the wardriving we did on the streets of Rio, visiting the same places as tourists and the athletes. In the third and final part we touch upon physical security that involves the usage of USB charging spots at airports, the problem of credit card cloning and ATM skimmers that will directly affect visitors to this summer’s Olympic Games in Rio.
It is clear that using the Olympic Games theme is very attractive to the bad guys. Cybercriminals always use popular sports events as bait for their attacks, as they did during the 2014 World Cup – an event we monitored very closely due to the impressive number of attacks registered at the time, mainly in Brazil. But the forthcoming Olympic Games have been a bit different. The number of attacks has been low compared with the World Cup. There are many reasons for this, one of which is that the International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC), handling security incidents and reporting phishing and malware campaigns. As a result, the number of “in-the-wild” attacks targeting users at this time is low.
However, the bad guys have no limit when it comes to creating new attacks. We were able to track and block several of them, such as the registration of malicious domains, fake giveaways promoted on social networks and, of course, websites selling fake tickets, using all possible ways to trick users.
The rise of bad domains
Most of the attacks start with the registration of a domain that clearly shows its malicious intent. Since the beginning of the year, we have monitored the creation of new domains registered with the name of the city that will host the games. In fact, we found that the bad guys are constantly registering new creations at the start of every attack. Our blacklist contains more than 230 of these bad domains.
Several of these domains were registered via a free webmail account or use domain privacy protection to hide the real identity of the owner. Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming). Others were used to host fake ecommerce sites selling tickets, to host phishing or malware, or even to spread fake ticket giveaways. Another interesting point is that several of these domains are already using the new gTLDs approved by ICANN (such as .tech and others).
The phishing phenomenon
It’s not only end-users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. In February we identified, on our domain monitoring system, a very interesting targeted campaign against the IOC using a malicious domain masquerading as their intranet portal. The purpose of the attackers was to steal credentials of IOC employees working in Brazil. The fake site looked like this when it was live, and we are also aware of several other attacks including this one:
IOC employees were the target of phishing campaigns to steal credentials
The most common attacks are those that aim to phish the end user – stealing credentials is a very easy attack that even a non-skilled criminal can carry out. We saw phishing scams with different goals, in several colors and guises. This one was very popular in Brazil and aims to clone your credit card using the name of a Brazilian company and promising to give away a new car and tickets to the Games:
Free tickets and car giveaway. All fake promises.
Fake tickets, fake giveaways, real losses
As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well done campaign, promising direct sales of tickets without entering the official lotteries held for people living in Brazil:
Why bother to participate in the official lottery when you can buy a ticket direct from a fraudster?
Other fake websites also offered tickets at a very low price, to attract people looking to buy tickets at the last minute. This website, targeting Brazilians, looks good but on closer inspection it is written in poor Portuguese:
The purpose here was to sell fake tickets with the victim paying but receiving nothing. The payment method selected by the fraudster was Brazilian boletos, a very popular payment system, used mostly for people that don’t have credit cards.
The bait to attract the attention was very low prices. The ticket to the inaugural ceremony cost U$500.00 and a match of the Brazilian National Football Team cost only U$ 50.00. Of course everything was fake:
“Watch the Male Football match paying only U$ 50,00”
Bad guys also used social media to spread their attacks. Facebook was the most used network in these cases, such as this fraudulent page announcing a fake ticket giveaway. The page is still online:
If you want to watch the games, it’s too late to buy tickets via the official channels. We do not recommend buying through unofficial markets as there is a high possibility that you are buying a pig in a poke. To make sure you don’t get caught out, the best thing is to watch the games on TV or online – but be aware of malicious streaming websites, as they will undoubtedly appear in a last ditch attempt by the bad guys to try and infect your computer and steal your data.
WiFi security
When we travel, we usually access the Internet more to help stay in touch, tweet, post status updates and share pictures. However, international data plans are usually very expensive and this is why we look for WiFi hotspots. Cybercriminals know this and every year set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victim’s browsing. Their focus for the attack is user’s passwords, credit cards and other sensitive personal information. Open and misconfigured WiFi networks are actually preferred vehicles for criminals.
To identify the extent of the problem in Brazil, we drove by three major areas of the Olympic games and passively monitored the available networks which visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, Olympic Park and the stadiums (Maracanã, Maracanãzinho and Engenhão).
Beautiful beaches, bossa nova and insecure WiFi
Running a quick survey over two days of the areas marked with a star on the map, we were able to find about 4,500 unique access points located in the aforementioned areas.
Most of the networks actually work on the 802.11n standard:
That means that most of the hardware used to build the WiFi access points is new and works especially well for multimedia streaming, reaching speeds of up to 600Mbps and working not just on 2.4GHz and 2.5GHz but also 5GHz.
However, when it comes to their security, 18% of all available WiFi networks in the area are insecure and openly configured. That means that all data sent and received in such networks is not protected by any encryption access key.
A further 7% of all networks are WPA-personal protected. That algorithm is actually obsolete today and can be broken with minimal effort. In our opinion this is especially concerning, as users who connect to their “trusted” networks may believe that they are actually connecting to a secure network, when in reality it could be compromised by an attacker, who could deliver different kinds of attacks to manipulate network traffic carrying the user’s data.
So, about a quarter of all WiFi networks in the areas of the Olympic games are insecure or configured with weak encryption protocols. This means that attackers can break them first and then set up the means to sniff the victim’s browsing data and steal their sensitive information.
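The classification behind the percentages above, as an added example that is not part of the original post: it reads a constructed BSSID/ESSID/Privacy scan export (the post's own capture format is not shown), counts each access point once by BSSID, and buckets it as open, weak (WEP or WPA1-only) or secure (WPA2/WPA3 present). The shares it returns come from the constructed data, not from the Rio survey.

```python
import csv
import io
from typing import Dict

# Constructed scan export in a simple BSSID,ESSID,Privacy CSV layout (not real survey data).
SCAN_CSV = """BSSID,ESSID,Privacy
AA:BB:CC:00:00:01,Hotel_Guest,OPN
AA:BB:CC:00:00:02,CafeRio,WPA2
AA:BB:CC:00:00:03,Stadium-Free,OPN
AA:BB:CC:00:00:04,ChurrascoNet,WPA
AA:BB:CC:00:00:05,Casa123,WPA2
AA:BB:CC:00:00:06,OldRouter,WEP
AA:BB:CC:00:00:07,Taxi5G,WPA2
AA:BB:CC:00:00:08,ParqueOlimpico,WPA WPA2
AA:BB:CC:00:00:09,Loja,WPA2
AA:BB:CC:00:00:10,BarDaPraia,WPA2
AA:BB:CC:00:00:01,Hotel_Guest,OPN
"""


def classify(privacy: str) -> str:
    """Map the Privacy column to the survey's buckets:
    open (no encryption at all), weak (WEP, or WPA1 without WPA2), secure (WPA2 or WPA3 present)."""
    tokens = set(privacy.upper().split())
    if not tokens or "OPN" in tokens:
        return "open"
    if tokens & {"WPA2", "WPA3"}:
        return "secure"
    return "weak"  # WEP or WPA-personal only


def summarize(scan_csv: str) -> Dict[str, float]:
    """Count unique access points by BSSID (a beacon captured twice is still one AP)
    and return per-bucket counts and percentage shares."""
    seen: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        seen.setdefault(row["BSSID"].strip(), classify(row["Privacy"]))
    total = len(seen)
    counts = {"open": 0, "weak": 0, "secure": 0}
    for bucket in seen.values():
        counts[bucket] += 1
    out: Dict[str, float] = {"unique_aps": total, **counts}
    for bucket in counts:
        out[bucket + "_pct"] = round(100.0 * counts[bucket] / total, 1) if total else 0.0
    out["insecure_or_weak_pct"] = round(out["open_pct"] + out["weak_pct"], 1)
    return out


if __name__ == "__main__":
    print(summarize(SCAN_CSV))
```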
Is it possible to use an open WiFi network and still have a secure Internet connection? The answer is yes, however only when using a VPN connection.
We strongly recommend, regardless of any WiFi network you use while travelling, to use a VPN connection, so the data from your end-point travels to the Internet through an encrypted data channel. This way even if you work from a compromised WiFi network, the attacker might not get access to your data.
However not all VPN providers actually offer the same good service. Some of them are vulnerable to DNS leak attacks. That means that even if your immediate sensitive data is sent via VPN, your DNS queries or requests are sent in plain text to the DNS servers set by the access point hardware. In this scenario the attacker can still at least know what servers you are browsing and then, if it has access to the access point of the compromised WiFi network, can define malicious DNS servers. That would essentially mean, next time you type the name of your bank in the browser, the IP address where it goes to will be a malicious one. So, even some experienced users may become an easy victim for the attackers. There is almost no limit from the attackers’ point of view when they have control of your DNS servers.
So, before you use your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t support its own DNS servers, you might consider another VPN provider or a DNSCrypt service, so your DNS requests will make external and encrypted queries to secure DNS servers. Remember that what starts as a small security issue could have big security implications.
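A basic version of the DNS-leak check recommended above, as an added example (not from the original post, and not a substitute for your VPN provider's own test): it parses a resolv.conf-style resolver list and flags any nameserver that is neither one of the VPN's DNS servers nor inside the tunnel network, because queries to a resolver handed out by the access point (typically the LAN gateway) go out over the local link, in plain text. The sample resolv.conf, the VPN DNS address and the tunnel subnet are constructed values.

```python
import ipaddress
from typing import List, Set

# Constructed /etc/resolv.conf as a laptop might have it after joining a hotel WiFi and then a VPN:
# the VPN pushed 10.8.0.1, but the access point's resolver 192.168.0.1 is still listed.
RESOLV_CONF = """# Generated by NetworkManager
search lan
nameserver 10.8.0.1
nameserver 192.168.0.1
options timeout:2
"""


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver entries of resolv.conf-style text, ignoring comments and other directives."""
    result = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            result.append(parts[1])
    return result


def dns_leaks(resolv_conf: str, vpn_dns: Set[str], tunnel: str) -> List[str]:
    """Resolvers that would be queried outside the VPN: not one of the provider's DNS
    servers and not inside the tunnel network. Unparsable entries are reported too."""
    net = ipaddress.ip_network(tunnel)
    leaks = []
    for ns in nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            leaks.append(ns)  # not an IP address at all: treat as untrusted
            continue
        if ns not in vpn_dns and addr not in net:
            leaks.append(ns)
    return leaks


if __name__ == "__main__":
    # Assumed VPN settings for the demonstration.
    print(dns_leaks(RESOLV_CONF, {"10.8.0.1"}, "10.8.0.0/24"))
```

On systems running systemd-resolved the file only lists the local stub 127.0.0.53, so the per-interface resolvers shown by resolvectl status are what need checking instead.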
A simple formula must be this: on any network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings, since you can’t be sure whether the WiFi access point you connect to is compromised or not.
Physical security
Another point that requires vigilance when travelling is physical security – not everything that is useful is exactly what it seems. Criminals often use tactics to deliver malicious attacks in situations where you do not necessarily think there is a risk. Let’s look at some common situations where this could happen.
USB charging spot
As mentioned before, using a mobile phone when traveling is crucial and it can be a big challenge to keep it sufficiently charged all day long. In order to help tourists, most cities are investing in charging points that can be easily found in shopping malls, airports and taxis. Most of them provide connectors for the majority of phone models as well as a USB connector that can be used with your own cable.
Charging spot provided in a Brazilian cab
Some models usually found in shopping malls and airports also provide a traditional power supply that can be used with your own charger.
Charging spot at Rio International Airport. Which one do you think is the most secure?
While connected via USB, the attacker can execute commands in order to get information about the device, including the model, IMEI, phone number and battery status. With that information it is possible to run an attack for the specific phone model and then successfully infect the device and collect personal information.
This doesn’t mean that we should never charge our devices when away from home, but by following these simple rules you can protect yourself from this kind of attack:
- Always use your own charger and avoid buying one from unknown sources;
- Use the power outlet instead of USB socket when using an unknown charging point;
- Don’t use the charging cables at a public charging spot.
The ATM skimmer attack, also known as “Chupa-cabra” in Brazil and other countries in Latin America, is a very popular type of attack that is still being used by criminals in Brazil. From time to time a new gang appears on the news delivering this attack somewhere across the country, mainly in places commonly frequented by tourists, such as the Rio International Airport. In 2014 a gang installed 14 ATM skimmers there.
There are different types of ATM skimmers in Brazil, the most common just installs a reader for the card and a camera in order to record the password as it is typed.
An ATM skimmer which installs a camera to record the typed password
For this type of skimmer you can protect yourself by hiding the keypad while typing the password, which prevents your password from being recorded by the installed camera.
Unfortunately, this method will not help in all cases, as there is another type of skimmer where criminals replace the entire ATM, including the keypad and screen. In this case, the typed password will be stored on the fake ATM system.
ATM Skimmer which replaces the entire ATM
In order to avoid this type of attack it is important to be aware of any suspicious behavior while using the ATM.
- Check if the green light on the card reader is on. Usually they replace the reader with a version where there is no light or it is off.
- Before starting the transaction, check if there is anything suspicious on the ATM such as missing or badly fixed parts;
- Hide the keypad while typing your password.
Credit and debit cards are widely used in Brazil and cards are accepted as a payment method almost everywhere – including by street vendors. Actually, most of them prefer credit card payments in order to avoid problems with the change.
Brazilian banks are referenced across the world regarding their fight against credit card cloning as well as their pioneer status in adopting chip-based cards to protect customers from this type of attack by making it much harder to clone the card. However, it was only a matter of time before Brazilian criminals would find a way to start cloning the chip-based cards, by exploiting flaws in the EMV transaction implementation.
We could see Brazilian criminals exchanging information about how to execute an attack on a chip-based card in order to extract the information and then write it back to another card using some tools.
Tool used to save the information to the smart card
It is really hard to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the information, to be collected later by the criminals. Sometimes they don’t need physical access to extract the stolen information, as it is collected via Bluetooth.
One good solution from the banks is SMS notifications for each transaction made using your card. Even though it does not prevent card cloning, the victim will be notified about the fraudulent transaction as soon as it happens and can contact the bank in order to block future transactions.
To reduce the chances of having your card cloned, there are some simple steps to take:
- Never give your card to the retailer. If for some reason they cannot bring the machine to you, you must go to the machine;
- If the machine looks suspicious, change the payment method. It is always good to have some money with you as a back-up;
- Before typing your PIN make sure you are on the correct payment screen and that your PIN is not going to be shown on the screen.
For everybody visiting Brazil to watch the games, we wish you safe flights and a safe stay. To our readers we wish you safe online surfing and for the Olympic athletes, may the best one win!