Malware RSS Feed

Browse With Encryption

SANS Tip of the Day - Thu, 08/18/2016 - 01:00
When browsing online, encrypting your online activities is one of the best ways to protect yourself. Make sure your online connection is encrypted by making sure HTTPS is in the website address and that there is a green lock next to it.

Operation Ghoul: targeted attacks on industrial and engineering organizations

Malware Alerts - Wed, 08/17/2016 - 04:56

Introduction

Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.

#OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countries

Tweet

We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult.

In total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoul

Tweet

In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.

Main infection vector: malicious emails

The following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document. The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware. In other cases, victims received phishing links. A quick analysis of the email headers reveals fake sources being utilised to deliver the emails to victims.

Malicious attachments

In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:

Malware MD5 hashes

fc8da575077ae3db4f9b5991ae67dab1
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
08c18d38809910667bbed747b2746201
55358155f96b67879938fe1a14a00dd6

Email file MD5 hashes

5f684750129e83b9b47dc53c96770e09
460e18f5ae3e3eb38f8cae911d447590

The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:

  • Chief Executive Officer
  • Chief Operations Officer
  • General Manager
  • General Manager, Sales and Marketing
  • Deputy General Manager
  • Finance and Admin Manager
  • Business Development Manager
  • Manager
  • Export manager
  • Finance Manager
  • Purchase manager
  • Head of Logistics
  • Sales Executive
  • Supervisor
  • Engineer
Technical details Malware functionality

The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution. It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:

  • Keystrokes
  • Clipboard data
  • FileZilla ftp server credentials
  • Account data from local browsers
  • Account data from local messaging clients (Paltalk, Google talk, AIM…)
  • Account data from local email clients (Outlook, Windows Live mail…)
  • License information of some installed applications

#OpGhoul malware collects all data such as #passwords, keystrokes and screenshots

Tweet

Data exfiltration

Data is collected by the attackers using primarily:

Http GET posts

  • Sent to hxxp://192.169.82.86

Email messages

  • mail.ozlercelikkapi[.]com (37.230.110.53), mail to info@ozlercelikkapi[.]com
  • mail.eminenture[.]com (192.185.140.232), mail to eminfo@eminenture[.]com

Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.

Malware command center

The malware connects to 192.169.82.86 to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…

hxxp://192.169.82.86/~loftyco/skool/login.php
hxxp://192.169.82.86/~loftyco/okilo/login.php

The IP address 192.169.82.86 seems to belong to a compromised device running multiple malware campaigns.

Victim information

Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others:

Number of Victim Organisations by Country

Countries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.

Victim industry information

Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment.

#Manufacturing #transportation #travel targets of #OpGhoul

Tweet

Number of Victim Organizations by Industry Type

Victim industry description

Industrial Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics Engineering Construction, architecture, automation, chemical, transport, water Shipping International freight shipping Pharmaceutical Production/research of pharmaceutical and beauty products Manufacturing Furniture, decor, textiles Trading Industrial, electronics and food trading Education Training centers, universities, academic publishing Tourism Travel agencies Technology/IT Providers of IT technologies and consulting services Unknown Unidentified victims The last attack waves

Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others.

#opghoul highly active in #MiddleEast

Tweet

Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia.

Other attack information

Phishing pages have also been spotted through 192.169.82.86, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:

  • Windows
  • Mac OS X
  • Ubuntu
  • iPhone
  • Android

The malware files are detected using the following heuristic signatures:

Trojan.MSIL.ShopBot.ww
Trojan.Win32.Fsysna.dfah
Trojan.Win32.Generic

Conclusion

Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss.

Indicators of Compromise

The following are common among the different malware infections; the presence of these is an indication of a possible infection.

Filenames and paths related to malware

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\bthserv.exe
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\BsBhvScan.exe
C:\Users\%UserName%\AppData\Local\Client\WinHttpAutoProxySync.exe
C:\Users\%UserName%\AppData\Local\Client\WdiServiceHost.exe
C:\Users\%UserName%\AppData\Local\Temp\AF7B1841C6A70C858E3201422E2D0BEA.dat
C:\Users\%UserName%\AppData\Roaming\Helper\Browser.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mail.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mess.txt
C:\Users\%UserName%\AppData\Roaming\Helper\OS.txt
C:\ProgramData\Mails.txt
C:\ProgramData\Browsers.txt

List of malware related MD5 hashes

55358155f96b67879938fe1a14a00dd6
f9ef50c53a10db09fc78c123a95e8eec
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
07b105f15010b8c99d7d727ff3a9e70f
ae2a78473d4544ed2acd46af2e09633d
21ea64157c84ef6b0451513d0d11d02e
08c18d38809910667bbed747b2746201
fc8da575077ae3db4f9b5991ae67dab1
8d46ee2d141176e9543dea9bf1c079c8
36a9ae8c6d32599f21c9d1725485f1a3
cc6926cde42c6e29e96474f740d12a78
6e959ccb692668e70780ff92757d2335
3664d7150ac98571e7b5652fd7e44085
d87d26309ef01b162882ee5069dc0bde
5a97d62dc84ede64846ea4f3ad4d2f93
5a68f149c193715d13a361732f5adaa1
dabc47df7ae7d921f18faf685c367889
aaee8ba81bee3deb1c95bd3aaa6b13d7
460e18f5ae3e3eb38f8cae911d447590
c3cf7b29426b9749ece1465a4ab4259e

List of malware related domains

Indyproject[.]org
Studiousb[.]com
copylines[.]biz
Glazeautocaree[.]com
Brokelimiteds[.]in
meedlifespeed[.]com
468213579[.]com
468213579[.]com
357912468[.]com
aboranian[.]com
apple-recovery[.]us
security-block[.]com
com-wn[.]in
f444c4f547116bfd052461b0b3ab1bc2b445a[.]com
deluxepharmacy[.]net
katynew[.]pw
Mercadojs[.]com

Observed phishing URLs

hxxp://free.meedlifespeed[.]com/ComCast/
hxxp://emailreferentie.appleid.apple.nl.468213579[.]com/
hxxp://468213579[.]com/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.php
hxxp://verificatie.appleid.apple.nl.referentie.357912468[.]com/emailverificatie-40985443/home/lo…
hxxp://192.169.82.86/~gurgenle/verify/webmail/
hxxp://customer.comcast.com.aboranian[.]com/login
hxxp://apple-recovery[.]us/
hxxp://apple.security-block[.]com/Apple%20-%20My%20Apple%20ID.html
hxxp://cgi.ebay.com-wn[.]in/itm/2000-Jeep-Wrangler-Sport-4×4-/?ViewItem&item=17475607809
hxxp://https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp://2b68.f444c4f547116bfd052461b0b3ab1bc2b445a[.]com/login.html
hxxp://www.deluxepharmacy[.]net

Other malware links

Malware links observed on 192.169.82.86 dating back to March and April 2016:

hxxp://glazeautocaree[.]com/proforma-invoice.exe
hxxp://brokelimiteds[.]in/cdn/images/bro.exe
hxxp://brokelimiteds[.]in/cdn/images/onowu.exe
hxxp://brokelimiteds[.]in/cdn/images/obe.exe
hxxp://brokelimiteds[.]in/wp-admin/css/upload/order.exe
hxxp://brokelimiteds[.]in/wp-admin/css/upload/orders.exe
hxxp://papercuts[.]info/SocialMedia/java.exe
hxxp://studiousb[.]com/mercadolivrestudio/f.zip
hxxp://copylines[.]biz/lasagna/gate.php?request=true

For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.

Never Share Your Passwords

SANS Tip of the Day - Wed, 08/17/2016 - 01:00
Never share your passwords with others, including your supervisor or coworkers. Your password is a secret; it only works if only you know it. If anyone else knows your password, you may be responsible for their actions.

The Equation Giveaway

Malware Alerts - Tue, 08/16/2016 - 15:22

Rare implementation of RC5/RC6 in ‘ShadowBrokers’ dump connects them to Equation malware

August 13, 2016 saw the beginning of a truly bizarre episode. A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF]. In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group, however, they didn’t provide any technical details on the connections.

Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing. The passphrase is being ‘auctioned’, but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.

The first archive contains close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 the newest timestamp dating to October 2013.

As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits with good results.

Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.

While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.

The Devil’s in the Crypto

The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. RC5 and RC6 are two encryption algorithms designed by Ronald Rivest in 1994 and 1998. They are very similar to each other, with RC6 introducing an additional multiplication in the cypher to make it more resistant. Both cyphers use the same key setup mechanism and the same magical constants named P and Q.

The particular RC5/6 implementation from Equation group’s malware is interesting and deserves special attention because of its specifics. Inside the Equation group malware, the encryption library uses a subtract operation with the constant 0x61C88647. In most publicly available RC5/6 code, this constant is usually stored as 0x9E3779B9, which is basically -0x61C88647. Since an addition is faster on certain hardware than a subtraction, it makes sense to store the constant in its negative form and adding it instead of subtracting. In total, we’ve identified 20 different compiled versions of the RC5/6 code in the Equation group malware.

Encryption-related code in a DoubleFantasy (actxprxy32.dll) sample

In the screenshot above, one can observe the main loop of a RC6 key setup subroutine extracted from one of the Equation group samples. The ShadowBrokers’ free trove includes 347 different instances of RC5/RC6 implementations. As shown in the screenshot below, the implementation is functionally identical including the subtraction of the inverted constant 0x61C88647.

Specific RC6 implementation from “BUSURPER-2211-611.exe” (md5: 8f137a9100a9fcc8b512b3729878a373

Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation.

In case you’re wondering, this specific RC6 implementation has only been seen before with Equation group malware. There are more than 300 files in the Shadowbrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely.

This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.

More details about the ShadowBrokers leak and similarities with Equation group are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email intelreports@kaspersky.com

Securely Deleting Files

SANS Tip of the Day - Tue, 08/16/2016 - 01:00
When you delete a file, that file is actually still on your computer. The only way you can truly and securely remove a file is by wiping it or using some type of secure deletion.

Good morning Android!

Malware Alerts - Mon, 08/15/2016 - 06:13

This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!

Download of a malicious application while viewing a news site using AdSense

It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.

A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.

Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)

The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launching, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it). Svpeng can steal information about the user’s bank cards via phishing windows, intercept, delete, and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer). Also, the malware can counteract mobile security solutions that are popular in Russia by completeing their processes.

In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.

Be careful and use antivirus solutions!

Special thanks to our colleague Stanislav Zaytsev for the video.