Malware RSS Feed

Spammy Facebook friends from the neighborhood

Malware Alerts - Thu, 07/31/2014 - 11:18

Recently I stumbled upon some spam-ads on Facebook, which didn't look very unusual at first glance.

It's common for spammers to rely on social engineering techniques. They typically creating fake profiles, joining random open (or closed) groups and share links to shady e-commerce sites or survey-scams - always with catchy claims to lure the readers to click on the advertised link.

In this particular case, things are a bit different. The spammers created fake profiles featuring a nice profile photo of a young woman. But when you take a closer look at the About-page of "her" profile, you'll notice she's residing in the beautiful village of Ernersdorf in Bavaria (which is actually not far away from the Kaspersky Lab local office). I was somewhat surprised by this, because Addison is a very unusual name for a person living in such a small Bavarian village. And, according to her profile, she's actually male and was born in September 1978. So I took a closer look.

Spammers Facebook Profile About-Page

It seems the spammers strategically chose this Bavarian Village and began to send out friend-requests to several people from that region. And since I grew up in this region, some of my friends on Facebook were successfully lured into accepting the fake friend requests.

Then nothing happened for several months. A few days ago, these spammers, now equipped which a level of credibility, started posting photos advertising an online-shop for sunglasses from a big brand - most likely fake versions. And finally, to improve spreading of the picture-ads, the spammers tagged their new "friends" from nearby.

Picture Spam on Facebook

To prevent other people from using your profile for spamming all of your friends with that "technique", you can adjust your Facebook settings for "Timeline and Tagging" like I did.

Facebook Timeline and Tagging Settings

Also, please keep in mind that you don't necessarily have to fall into this "nearby friends" trap to get you and your friends spammed like that. If spammers steals your real friends' account-credentials somehow, it also could happen like in this case.

Energetic Bear: more like a Crouching Yeti

Malware Alerts - Thu, 07/31/2014 - 07:00

Report   
Appendix   

Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010. Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

Most of the victims we identified fall into the industrial / machinery building sector, indicating this is of special interest.

To infect the victims, the attackers rely on three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

During the attacks, the Crouching Yeti team uses several types of malware or Trojan, all of which only infect Windows systems:

  • Havex Trojan
  • Sysmain Trojan
  • The ClientX backdoor
  • Karagany backdoor and related stealers
  • Lateral movement and second stage tools

For command and control, these connect to a large network of hacked websites. The hacked sites host malware modules and victim information as well as serving commands to infected systems.

The dozens of known Yeti exploit sites and their referrer sites were legitimate, compromised sites. They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.

Overall, we observed about 2,800 victims worldwide, the most prevalent attack tool being the Havex trojan.

We believe this group is highly determined and focused on a very specific industrial sector of vital interest. It uses a variety of ways to infect its victims and exfiltrate strategic information. The analyzed data seems to suggest the following points:

  • Country of origin cannot be determined at this point
  • Attackers' global focus is much broader than power producers
  • Stable toolset over time
  • Managed, minimal, methodical approach to sustained operation
  • Appropriate use of encryption (symmetric key protected with attackers public key for encrypted log file exfiltration)

You can read the full report here.

FAQ What is Yeti/Energetic Bear?

Energetic Bear/Yeti is an actor involved in different campaigns dating back to at least the end of 2010. It uses different techniques to spread its malware, most notably the repackaging of legitimate software installers and waterhole attacks. The victims, from several different sectors, are infected with backdoors.

What are the malicious purposes of this campaign?

We believe this is an information stealing campaign. Given the heterogeneous profile of the victims it seems than the attackers were interested in different topics and decided to target some of the most prominent institutions and companies in the world to get latest information.

Why do you think it is significant?

In our opinion, this campaign has some of remarkable characteristics: the artifacts used for the infection and exfiltration are not particularly interesting, but they are effective; they are very persistent, successfully infecting a significant number of companies and institutions around the world for a long period of time; they have a set of tools of choice that help us identify the group through their TTPs. In this last characteristic, it is interesting that they use the LightsOut Exploit Kit to infect users through waterhole attacks.

Why not Energetic Bear? Why did you give it a new name?

Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. After analyzing the data we obtained we can confirm that victims are not limited to the energy sector but to many other ones. The Bear tag reflects Crowd Strike's belief that this campaign has a Russian origin. We couldn´t confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin

When did the campaign start? Is this attack still active?

Based in some artifacts, we believe the campaign originated at the end of 2010. The campaign is still alive and getting new daily victims.

How was the malware distributed?

The malware is distributed using three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

Additional modules can be installed by the attackers once a machine has been compromised.

The most prevalent attack tool is the Havex Trojan; we identified 27 different versions.

What is the potential impact for victims?

Given the nature of the known victims, the disclosure of very sensitive information such as commercial secrets and know-how are the main impact for the victims.

Who are the attackers? What countries are they from?

There simply is no one piece or set of data that would lead to a conclusion regarding the origin of this threat actor.

Who are the victims? What is the scale of the attack?

Overall, we observed about 2,800 victims worldwide.
Most of the victims we identified fall into the industrial / machinery building sector.

Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

The most targeted countries are: United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.

How are users (both home and corporate) protected against this type of attack?

Our products detect and eliminate all variants of the malware used in this campaign including but
not limited to:

  • Trojan.Win32.Sysmain.xxx
  • Trojan.Win32.Havex.xxx
  • Trojan.Win32.ddex.xxx
  • Backdoor.MSIL.ClientX.xxx
  • Trojan.Win32.Karagany.xxx
  • Trojan-Spy.Win32.HavexOPC.xxx
  • Trojan-Spy.Win32.HavexNk2.xxx
  • Trojan-Dropper.Win32.HavexDrop.xxx
  • Trojan-Spy.Win32.HavexNetscan.xxx
  • Trojan-Spy.Win32.HavexSysinfo.xxx

All the exploits are also detected and detailed in the report.

Behind the 'Android.OS.Koler' distribution network

Malware Alerts - Mon, 07/28/2014 - 04:00

Our full Koler report (PDF) 

At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Android.OS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.

The malware displays a localized message from the police!

It has customized messages for the following countries:

Australia
Austria
Belgium
Bolivia
Canada
Czech Republic
Denmark
Ecuador
Finland
France Germany
Hungary
Ireland
Italy
Latvia
Mexico
Netherlands
New Zealand
Norway
Poland Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States

As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.

In this post, instead of focusing on the mobile application itself – we highlight some details at the end – we want to shed light on its distribution infrastructure.  An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and what we think is an "Angler" exploit kit distribution network.

The diagram below illustrates the bigger picture of the infrastructure used.

The main findings can be summarized as follows:

  • Distribution:      TDS (Traffic Distribution System)
  • Main controller:      video-sartex.us (TDS Controller)
  • Malicious porn sites (redirector):      49 domains detected
  • Exploit kit websites:      700+ URLs (200+ domains)
  • Browser-based screen-lock domains:      49 domains detected
  • Mobile infection domain:      video-porno-gratuit.eu
  • Mobile Current C2:      policemobile.biz.
  • Traffic: almost 200,000 visitors to the mobile infection domain
  • 80% of visitors from the US

The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.

With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.

This suggests the attackers could expand their campaign in the near future.

Mobile payload distribution

The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.

All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.

When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.

We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:

According to the same stats, we see that the campaign started and reached peak activity in April 2014.

Redirectors:  The malicious porn network

The pornographic sites of the network are not compromised sites. They all look the same, have the same HTML infrastructure and don´t provide their own pornographic material.

We identified a total of 48 domains in this porn redirecting network.

Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.

All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.

Basically, all the porn sites redirect to the "controller" domain videosartex.us.

Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.

If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.

In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.

Non-mobile payloads

During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:

  • The request contains no Internet Explorer user agent.
  • The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.

In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.

The following images are examples of the headers used in the ransomware pop-ups:



Exploit kits

The redirection infrastructure used in this campaign contained one final surprise; redirecting visitors using Internet Explorer to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.

The following is an example of such a redirection:

We detected more than 200 domains used for hosting this exploit kit.

During our analysis, the exploit code was not fully functional and it didn´t deliver any payload.

Conclusions

Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.

Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.

We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.

elasticsearch Vuln Abuse on Amazon Cloud and More for DDoS and Profit

Malware Alerts - Fri, 07/25/2014 - 19:07

A couple weeks ago, my colleague Mikhail K posted on the "versatile linux DDoS trojan", with analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.

Let's explore some additional offensive details of this crew's activity in the past week. In general, the DDoS trojans are being distributed to fire on victim profiles that seem to indicate purely cybercrime activity. We have not heard from the site owners themselves of the DDoS targets, just the compromised sites. These victims have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and mis-used. It's also interesting that operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted here were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes a couple recent Linux escalation of privilege exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive sql tools, multiple webshell and two new variants of the "versatile bots", the udp-only "xudp" code being the newer of the two:

But first, how are they getting in to EC2 instances and running their linux DDoS bots from the cloud? They are actively exploiting a known, recent elasticsearch vulnerability in all versions 1.1.x (cve-2014-3120), which happens to still be in active commercial deployment for some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release, which was released a couple of days ago. Dynamic scripting is disabled by default, and other features added to help ease the migration. From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks. The attackers re-purpose known cve-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.

Gaining this foothold presents the attacker with bash shell access on the server. The script "pack.pl" is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack:

Hosted on the same remote server and fetched via the perl webshell are the DDoS bots maintaining new encrypted c2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. But the one in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations ip addresses to those of an anti-DDoS solution. The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.

A new generation of ransomware

Malware Alerts - Thu, 07/24/2014 - 08:55

Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.

The Ransomware class is now based on so-called encryptors – Trojans that encrypt every kind of data that may be of value to the user without his or her knowledge. The data can include personal photos, archives, documents, databases (e.g., databases used in 1C:Enterprise software intended for automation of business activities), diagrams, etc. In order to decrypt these files the criminals demand a payment – often a significant sum. CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and GpCode are some of the most notorious examples. There are also lots of lesser-known families that have spread in Russia and the CIS.

At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis showed that the Trojan had nothing in common with other known families and a number of features that suggested it was a completely new creation. Its name? CTB-Locker.

This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.

This encryption malware belongs to a new generation of ransomware. Its developers used both proven techniques 'tested' on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware. Specifically, hiding the command and control servers in Tor anonymity network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there.

Description

The high-level algorithm used by the malicious encryptor is quite ordinary and is as follows:

  • after launching, the malware copies its body to (CSIDL_COMMON_APPDATA) and adds the task to launch the file to the Task Scheduler;
  • search all the fixed, removable and network drives for files matching a list of extensions (see Figure 1);


Figure 1. Data fragment with a list of file extensions used by the encryptor

  • encrypt the files found;
  • display a window demanding ransom and containing a list of files that have been encrypted. The cybercriminals demand that the user pay ransom in Bitcoins (Figures 2, 3);
  • set an image named AllFilesAreLocked.bmp as desktop wallpaper. The wallpaper informs the user that data on the computer has been encrypted (Figure 4).


Figure 2. Window informing the victim that files on the computer have been encrypted


Figure 3. The cybercriminals' demands


Figure 4. Image set as desktop wallpaper

So what sets this Trojan apart from dozens of similar malicious programs?

The command server is located within the Tor anonymity network

The sample analyzed has a single static command server address, which belongs to the .onion domain zone.

It is worth noting that this in itself is not 'innovative'. We have seen similar arrangements in other malware types (discussed, for example, here and here).

However, this is a new development for ransomware. Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim's input, setting it apart from the others.

This brings us to another feature, which is unique among known malware.

Unusual technical implementation of access to the Tor network

All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network's official website.

Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program's executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.


Figure 5. Pseudocode showing how launching the tor proxy thread is implemented

The code contained inside the thread_tor_proxy procedure is nearly all taken from open sources (Tor is an open-source project).

When connection to Tor has been established and a local tor proxy server has been set up at IP 127.0.0.1 (the port number varies from one infected machine to another and depends on the MachineGuid parameter), the global flag can_complete_circuit is set, which is later checked in the thread thread_post_unlock_data.

As soon as this happens, the malware establishes network communication with this local address, as shown in Figure 6.


Figure 6. Pseudocode showing how network communication with the tor proxy is implemented

A request sent by the malware to the server contains protected data required to decrypt the victim's files.


Figure 7. Data sent to the command server

In response, the server returns data about the cost of unblocking the user's files in bitcoins and US dollars, as well as the address of the wallet to which the payment is to be made.


Figure 8. Data returned by the command server

Compressing files before encryption

None of the encryptors known before used compression technologies (with the exception of ACCDFISA, which simply adds files to a password-protected rar-sfx archive; however, in this case encryption and compression is not functionality implemented in a malicious program but simply utilization of a ready-made product – WinRAR).

In this aspect of its operation, Trojan-Ransom.Win32.Onion also shows considerable originality. Here is what it does:

  • moves the victim's file to a temporary file using the MoveFileEx API function;
  • reads temporary file from disk block-by-block;
  • each block is compressed using Zlib, a freely distributed library (procedure deflate());
  • after compression, each block is encrypted and written to disk;
  • service information required for decryption is placed at the beginning of the resulting file;
  • the encrypted file is given the .ctbl extension.
Unusual cryptographic scheme

Cryptomalware most commonly uses a cryptographic scheme based on the AES+RSA combination. In this scheme, the server generates a pair of keys – rsa-public + rsa-private – for RSA, which is an asymmetric encryption algorithm. The private key, rsa-private, remains on the server, while rsa-public is sent to the malware. Next, the malware generates a new key – aes-key – for each of the victim's files, to be used by AES, a symmetric-key block algorithm. Each file is encrypted using AES, then its aes-key is encrypted using RSA (using the rsa-public key) and saved to the file.

Since the scheme uses asymmetric encryption, nobody can decrypt the file without having the rsa-private key, which never left the cybercriminals' server.

However, Trojan-Ransom.Win32.Onion has used an unusual approach yet again!

The sample uses the asymmetric cryptographic protocol known as ECDH – Elliptic curve Diffie–Hellman.

Elliptic curve Diffie-Hellman

The original Diffie-Hellman algorithm (the so-called key exchange method or shared-secret protocol) was developed some time ago and published in 1976 by famed cryptographers Whitfield Diffie and Martin Hellman. A modification of the algorithm which uses elliptic curves was published later in 2000, in a Certicom Research article, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography.

A detailed description of the protocol is beyond the scope of this publication, so we are going to drop the details and describe the main principles that will be helpful in understanding how the malware operates.

  • A pair of keys – private and public can be generated.
  • The so-called shared secret can be generated from your private key and the other party's public key.
  • If the two parties have exchanged public keys (the private keys are not exchanged!) and each has independently calculated the shared secret from the other party's public key and its own private key, both parties will get the same value.
  • The resulting shared secret can be used as a key for any symmetric encryption algorithm.

The authors of Trojan-Ransom.Win32.Onion used an existing implementation of this cryptographic algorithm, a description of which is available on the Internet.

The high-level cryptographic scheme used by Trojan-Ransom.Win32.Onion is as follows.

Key generation:

  • the malware generates the pair master-public (public key) + master-private (private key);
  • master-private is sent to the server securely along with other data. It is not saved on the client (fact I);
  • for each file to be encrypted, a new key pair is generated – session-public + session-private;
  • the shared secret is calculated: session-shared = ECDH(master-public, session-private).

Encrypting a file belonging to the victim

  • the file is compressed using the Zlib library;
  • after being compressed with Zlib, each file is encrypted using AES, with the hash SHA256 (session-shared) used as the key;
  • after encryption, the session-public key is saved in the file (fact II), while session-private is not saved (fact III);
  • the shared secret calculated – session-shared – is not saved, either (fact IV).

Decrypting a file belonging to the victim

The Diffie-Hellman protocol is designed in such a way that the following equality is true:

ECDH(master-public, session-private) = session-shared = ECDH(master-private, session-public) (fact V)

The above equality defines the underlying principle on which the operation of Trojan-Ransom.Win32.Onion is based.

Provided that the Trojan has not saved session-private (see. fact III) and session-shared (see. fact IV), only one decryption method remains – calculating ECDH(master-private, session-public). This requires the master-private key (sent to the cybercriminals' server, see fact I) and session-public key (saved in the beginning of the encrypted file, see fact II). There are no other ways to decrypt the file, which means that the file cannot be decrypted without the master-private key.

Securing connection with the command server

The key sent to the server might be intercepted, but unfortunately, this would not be sufficient to decrypt the victim's files. This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys.

  • the malicious program's body contains the public key, network-server-public;
  • when establishing a connection, the malware generates a new pair of keys: network-client-public + network-client-private;
  • the malware calculates the shared secret network-shared = ECDH(network-client-private, network-server-public);
  • the malware encrypts the data being sent using AES with SHA256(network-shared) used as the key;
  • the public key network-client-public is sent to the server in an unprotected form (fact VI);
  • the client keys, network-client-public + network-client-private, as well as the shared secret network-shared, are not saved (fact VII).

The cybercriminals have the key network-server-private and receive the key network-client-public from the client (see fact VI). As a result, they can decrypt the data received. To do this, they have to calculate network-shared = ECDH(network-client-public, network-server-private).

Without having network-server-private, this value cannot be calculated (see fact VII). As a result, unfortunately, intercepting traffic will not provide master-private, without which the victim's file cannot be decrypted.

Propagation

The creators of the early versions of Trojan-Ransom.Win32.Onion had English-speaking users in view as their primary targets, so English was the only supported GUI language.

In the more recent versions, however, Russian also came to be supported in the Trojan's GUI along with English. The piece of malware also underwent some visual refurbishments, such as a countdown displayed to intimidate the user. The new Russian GUI and, more specifically, certain strings within the Trojans' body give us ground to assume that its creators are Russian speakers.

The analysis of how Trojan-Ransom.Win32.Onion penetrates victim computers has shown that it is different (once again) in this respect from most other encryptors that are active today. For many known ransomware programs, the main propagation vectors are spam messages with malware in an attachment, or brute forcing weak passwords and launching a file via remote administration tools.

The propagation method

We established that the bot Andromeda (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family to the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including the command to download and launch an executable file. It is actually Joleee that downloads the encryptor to the infected computer.

Trojan-Ransom.Win32.Onion's propagation procedure is presented in the following flowchart.


Figure 9. Trojan-Ransom.Win32.Onion's propagation scheme

Global distribution

Below are the infection statistics as of July 20, 2014. Most attempted infections took place in the CIS, while there were individual cases recorded in Germany, Bulgaria, Israel, the United Arab Emirates and Libya.

Trojan-Ransom.Win32.Onion was detected in the following countries:

Country Number of users attacked Russia 24 Ukraine 19 Kazakhstan 7 Belarus 9 Georgia 1 Germany 1 Bulgaria 1 Turkey 1 United Arab Emirates 1 Libya 1

Please note that the above numbers are provided for the verdict "Trojan-Ransom.Win32.Onion" only. The number of users attacked by the encryptor is in fact greater, as malicious packers with different verdicts are used to spread the malware. Unknown samples of the encryptor are also proactively detected by Kaspersky Lab products as "PDM:Trojan.Win32.Generic". This data is not included into the statistics above.

Recommendations for staying safe Backup copies of important files

The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.

Backup procedures must be in place for any systems containing files of any appreciable importance. Even if no malware threats arise, remember – no one is completely secured against a commonplace hardware failure.

Security solutions

Your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date.

Kaspersky Lab products detect this threat based on its signature with the verdict Trojan-Ransom.Win32.Onion.*. Unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.

In addition, Kaspersky Lab products incorporate the Cryptomalware Countermeasures technology which is capable of protecting user data even from unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them. The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.

Haunted by APT

Malware Alerts - Tue, 07/22/2014 - 00:15

Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.

More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).

From there, the dropper and component chain is the same they have used in the past. Successful exploitation drops  "dw20.exe" (803e8f531989abd5c11b424d8890b407)  -->  "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications complete with their Comment Crew-like encoded wordpress site instructions that redirect the backdoor to the appropriate command and control server for further instruction.

Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".

We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.

Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:

Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.

Spam in June 2014

Malware Alerts - Mon, 07/21/2014 - 07:00
Spam in the spotlight

In June, high-profile news events such as the FIFA World Cup and the situation in Ukraine were exploited by fraudsters to extract money and financial information from Internet users.

In the run-up to the Muslim holiday of Ramadan and Father's Day, English-language holiday-related spam offered a variety of themed products and services. The leading spam themes in June were adverts for various online dating services as well as offer for fuel cards and jewelry.

The World Cup

In June, football fans around the world finally saw the World Cup get underway. Popular sporting events like the World Cup attract the attention not only of millions of spectators but also spammers and phishers. This year, the first fraudulent mailings exploiting the World Cup theme were first registered back in November, long before it began. In June, the attackers sent out phishing emails in Portuguese offering the chance to win tickets to the opening ceremony and other World Cup matches. To do this, the user was required to click a link (which was of course fraudulent) and enter his registration data and credit card information. The fake link was directly attached to a graphic file that was displayed when the user opened the message. The phishing pages were located on the free .tk domain – the national top-level domain for the Tokelau Islands (New Zealand). To convince the user that the email was legitimate, the spammers used the domains of the Visa payment system and FIFA in the sender address.

Holiday spam

English-language spam in June was dominated by Father's Day, celebrated on the third Sunday of the month. The spammers sent out adverts for e-gadgets, replicas of designer goods and weapons from various ages trying to attract the recipient's attention with discounts, sales and low prices. In order to bypass spam filters, spammers inserted junk text at the end of the message – a quote from a literary work. They also used a popular short link service to mask the real address and redirect users to a spammer site. The name of the holiday was mentioned in the subject and text field of the email.

More secular holidays are exploited in spam than religious ones, but spammers never forget to provide users with appropriate promotional offers. The name of the Muslim holy Ramadan appears in spam traffic every year. This year was no exception: in June, we came across adverts for restaurants that contained references to Ramadan (as well as an invitation to come and watch broadcasts of World Cup matches). We also registered offers of IT services and services for sending out promotional text messages. Ramadan will continue until the end of July, and we expect the spammers will continue spreading messages exploiting this holiday.

Ukrainian 'Nigerian' spam

The political events in Ukraine were again used by "Nigerian" scams for luring money from credulous users. This time, the author of the email presented himself as a personal assistant to a Ukrainian female politician who was among the first victims of the clashes in Kiev. As is usual with these types of letter, the deceased has left her assistant millions of dollars that have to be urgently transferred from Ukraine to the account of a foreign recipient. The assistant is promised a reward and a certain amount of money to cover any fees that may arise when transferring the money.

The same "Nigerian" scam is used from year to year, only the details change. However, we would like to remind you that all "Nigerian" offers to make you rich quick are ​​merely scams to lure money from users.

Online dating

A significant part of June's spam was adverts for dating services targeting different social and ethnic groups, including Muslims, Christians as well as elderly and married people.

In June, we registered emails and mass mailings spread on behalf of people who wanted to get acquainted, via the Internet, "for serious relationships or marriage". The offers involved not only traditional but also same-sex relations. Some "senders" had attached their photo and provided their email address or a link to their page on a dating service site (which was often a veiled advertisement of such services and the emails were most probably sent on behalf of non-existent members as bait). The senders described their appearance and interests and said they wanted to start correspondence. It was often stated that the recipient's address had been provided by a mutual friend or found on a social networking site or on another dating site, which was not necessarily true.

Spammers also sent out emails promising a partner that met absolutely any criteria (age, skin color, interests and so on) within three minutes of using their "Soulmate database". To use the service, the recipient had to send a text message to a short number. In addition to the money taken from the user's mobile account the spammers got access to his contact information, in particular to his phone number.

For those more interested in meeting people in person the spammers offered lessons in seducing women ("24 laws of attracting women"), and other tips for successful relationships.

One of the mailings contained an advert for a dating spam service. The spammers offered their assistance in creating and promoting (of course, with the help of mass mailings) a new dating site which would include users from many countries. The message included an email address and an ICQ number for communication.

Jewelry

There were a lot of jewelry-themed offers in June. Most of them were promotional and bonus offers from small jewelry stores, jewelry manufacturers and firms engaged in the production and cutting of diamonds. They offered the spam recipients the chance to participate in their business and provided the price list for their products.

Fuel cards

Yet another popular theme in English-language spam was fuel cards for automatic payments at gas stations. This payment method is quite convenient for transportation companies with lots of vehicles routes that find it difficult to control the fueling process. Spam "middlemen" offer the recipients the chance to compare prices, choose the most favorable fueling company and sign a contract for a special fuel card. A specific feature of this sort of spam mass mailing was the fact that the links in the emails led to sites registered on recently created domains. And the sites are intended for calculating quotes only.

Statistics The percentage of spam in email traffic


Percentage of spam in email traffic

The percentage of spam in email traffic averaged 64.8%, which is 5 percentage points less than in May. The highest spam levels were seen during the second week of the month (65.8%), and the lowest levels were seen in the third week (63.5%).

The geographical distribution of spam sources

Previously our statistical data on the sources of spam by country was based on the information received from spam traps in different countries. However, the spam from the traps differs from the spam received by common users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source and now with KSN (Kaspersky Security Network) we draw statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous month would be incorrect.


Distribution of spam sources by country

At the end of June 2014, the top three sources of spam around the world included the US (13.2%), Russia (7%) and China (5.6%).

Vietnam was in fourth place (5.3%) followed by Argentina (4.1%), Germany (3.7%), Spain (3.6%), Ukraine (3.2%) and Italy (2.9%).

The Top 10 was rounded off by India, which accounted for 2.8% of the world spam.

Malicious attachments in email

The graph below shows the Top 10 malicious programs spread by email in June.


Top 10 malicious programs spread by email

As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.

Second in June was Trojan-Downloader.MSWord.Agent.z. This malicious program appears in the form of the *.doc file with the embedded macros written in Visual Basic for Applications (VBA) which is executed on opening the document. The macro itself downloads and runs the malicious program.

In June, representatives of the Bublik family occupied third, fourth, fifth and seventh places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers.

Backdoor.Win32.Androm.elwa took sixth place. This malicious program is the modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot is expanded using a system of plugins that are loaded by the criminals in the necessary amount at any time.

The Email-Worm.Win32.Bagle.gt worm, which ranked eighth in June, sends itself to all of the email addresses it can find on the computer. Its main objective is to download and launch files from the Internet without the victims noticing. To spread infected messages, Worm.Win32.Bagle.gt uses its own SMTP library.

Trojan-Banker.Win32.ChePro.ilc. ended the month in ninth position. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.

Rounding off the Top 10 was Email-Worm.Win32.Mydoom.l, a network worm with backdoor functionality that is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also connects directly to the recipient's SMTP server.


Distribution of email antivirus detections by country

In June, Germany saw a big surge in the number of antivirus detections and topped the rating (+8.17 percentage points) having pushed the UK off top spot.

Russian reentered the Top 20 at 13th place with 2.03% of all antivirus detections.

The UAE (+0.96 percentage points) bypassed Australia, Hong Kong and Vietnam in terms of antivirus detections, while Switzerland dropped out of the Top 20.

The percentage of email antivirus detections in other countries did not change much in June.

Special features of malicious spam

The vacation season is gaining momentum: many people are still thinking over their holiday plans while those who have already decided where to go often self-book flight tickets and hotel accommodation. Besides the traditional seasonal increase of holiday spam, we have seen a growth in the number of fraudulent messages sent on behalf of various booking services, including international ones. These fake notifications appear in the form of a booking confirmation and usually contain malicious attachments imitating bills for a hotel reservation. Generally, the email includes the order number, the date of arrival/departure and the cost of the order. One of the most popular malicious programs used in the holiday spam in June was Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and sends it to a remote server. It can listen for network traffic, download and run other malicious programs, as well as disable some system applications such as the firewall.

In order to send malicious attachments, the fraudsters use not only fake notifications from major booking services, banks or online hypermarkets but also shops with more narrow specialization. For example, last month we came across a malicious mailing spread on behalf of an online pet store. The recipient was asked to download and print out the invoice for purchased goods. Should he have any questions, the email read, he could contact the support service of the pet store by clicking the link on its official website. Instead of the promised PDF file with the information about the purchase, the archive contained Trojan-Banker.Win32.Shiotob.c. This malware steals system information, user names and passwords from FTP and various sites when the user logins on to them.

Phishing

Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers in June, with a slight drop of 0.2 percentage points from the previous month. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. Financial and payment organizations (11.6%) and Online stores (10.6%) declined by 1.2 and 1.5 percentage points respectively. The percentage of attacks targeting Telephone and Internet service providers fell by 0.1 percentage points leaving this category in fifth place in the rating.


Distribution of the Top 100 organizations targeted by phishers, by category

The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.

In June, the scammers sent out fake notices on behalf of the US corporation Electronic Arts that produces and sells video games. The phishers tried to access users' personal accounts in the online store Origin owned by the company. To deceive their victims, the attackers used an old trick of sending out an email saying the online store was going to enhance protection for their customer accounts and asked the recipients to confirm they were the owner of the account. In order to make the email look legitimate the fraudsters used the Origin logo, links to the official website of the company and the usual warning not to give the password from a personal account to anybody.

Conclusion

The proportion of spam in global email traffic in June dropped 5 percentage points and averaged 64.8%. This may be a seasonal decline as summer business activity decreases and many spam bots are disabled for the vacation season.

In June, high-profile political and sporting events were used by scammers to trick users. In the run-up to the FIFA World Cup, a huge event for football fans, phishers were trying to obtain banking information from users by asking them to participate in the competition to win tickets. "Nigerian" scammers again exploited the situation in Ukraine and asked for help to transfer non-existent millions.

In June, Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. This can be explained by the traditional growth in the activity of schoolchildren and students during the holidays, which is of course used by the fraudsters. Financial and payment organizations (11.6%) rounded off the Top 3 organizations most frequently targeted by phishers.

As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen imitating notifications from banks and online stores. The holiday season has brought an increase in the number of fake notifications from various booking services containing malicious attachments. Germany (16.4%) was the country with the highest proportion of email antivirus detections.

Shylock/Caphaw malware Trojan: the overview

Malware Alerts - Mon, 07/14/2014 - 06:00

Recently Kaspersky Lab has contributed to an alliance of law enforcement and industry organizations, to undertake measures against the internet domains and servers that form the core of an advanced cybercriminal infrastructure that uses the Shylock Trojan to attack online banking systems around the globe.

Shylock is a banking Trojan that was first discovered in 2011. It utilizes man-in-the-browser attacks designed to pilfer banking login credentials from the PCs of clients of a predetermined list of target organizations. Most of these organizations are banks, located in different countries.

Kaspersky Lab products detect the Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock.

We detected this malware generically from the end of August 2011, as Backdoor.Win32.Bifrose.fly. Specific detection of this separate family was added in February 2012. Since then we have observed a very few detections – approximately 24,000 attempts to infect PCs protected by Kaspersky Lab products worldwide.

These are very modest numbers, especially in comparison with other infamous banking malware such as ZeuS, SpyEye, Carberp which have generated (and, in the case of some of them, such as ZeuS , still generate) tens or hundreds of thousands of detections. Of course, these numbers don't tell us everything about how widespread or effective Shylock is, because Kaspersky Lab "sees" only a part of the total number of PC users - only those who use our products.

Low popularity doesn't make Shylock less dangerous though. The set of malicious techniques it utilizes is no less dangerous than that used by other similar malware. It is able to inject its body in multiple running processes, has tools to avoid detection by anti-malware software, uses several plugins which add additional malicious functions aimed at bypassing anti-malware software, collects passwords for ftp-servers, spreads itself via messengers and servers, provides remote access to the infected machine, video grabbing and of course web injection.

This last function is used to steal online banking credentials by injecting fake data entry fields into the web page loaded in the victim's browser.

During the entire period we've seen two relatively big peaks in detection rate for this malware.

The first one was in November 2012 and the second one was in December 2013.

The geography of the November 2012 peak was as follows:

United Kingdom Italy Poland Russian Federation Mexico Thailand Iran Turkey India Spain

The table above shows the top 10 countries wheremost attacks using the Shylock malware were registered. A little more than a year later, in December 2013, the picture had changed dramatically.

Brazil Russian federation Vietnam Italy Ukraine India United Kingdom Belarus Turkey Taiwan

As these tables show, the criminals behind this malware definitely stopped paying so much attention to the developed e-money markets of the UK, Italy and Poland in favor of the actively developing markets of Brazil, Russia and Vietnam. It's slso interesting that both peaks happened in the late autumn to early winter period, a traditional high retail season in many countries around the world.

According to Europol data, this malware has infected more than 30,000  PCs worldwide. This is a big enough scale to cause huge financial damage, so the disruption of the Shylock backbone infrastructure is very good news.

And even better news is that the recent operation, coordinated by the UK's National Crime Agency (NCA), brought together partners from the law enforcement and the private sector, including – besides Kaspersky Lab – Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK's GCHQ (Government Communications Headquarters), to jointly combat the threat. We at Kaspersky Lab were glad to add our modest contribution to this operation. Global action brings positive results – an example being the operation targeting the Shylock malware.

Pages

Subscribe to RIT Information Security aggregator