Malware RSS Feed
In 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed "Miniduke". It stood out from the "APT bunch" for several reasons, including:
- Its use of a customized backdoor written in Assembler (who still writes in Assembler in the age of Java and .NET?)
- A unique command and control mechanism that uses multiple redundancy paths, including Twitter accounts
- Stealthy transfer of updates as executables hidden inside GIF files (a form of steganography)
We have pointed out that this threat actor used malware developed using "old-school" virus writing techniques and habits.
Our analysis was continued later by researchers from CIRCL/Luxembourg and several other AV companies. Recently, we became aware of an F-Secure publication on the same topic (under the name "CosmicDuke").
In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention.
We believe it's time to uncover more information on their operations."Old" Miniduke in 2014
The old style Miniduke implants from 2013 are still around and being used during the current campaigns.
It still relies on Twitter accounts which contain a hardcoded C&C URL pointing to the command and control server. One such account was the following, observed in February 2014:
Although the format of the C&C URL was changed from previous variants, the encoding algorithm is the same. The line above can be decoded into the full C&C URL:
This decoded URL was an active C&C, from which several updates have been collected:
Update 1:MD5 93382e0b2db1a1283dbed5d9866c7bf2 Size 705536 bytes Compilation Sat Dec 14 18:44:11 2013
This Trojan is a large package, due to the use of a custom packer. The bundle has a specific debug string inside:
The package executes a smaller Trojan module:MD5 b80232f25dbceb6953994e45fb7ff749 Size 27648 bytes Compilation timestamp Wed Mar 05 09:44:36 2014 C&C hxxp://rtproductionsusa.com/wp-includes/images/smilies/icon_gif.php
Another update that has been observed on the C&C server was:
Update 2:MD5 7fcf05f7773dc3714ebad1a9b28ea8b9 Size 28160 bytes Compilation timestamp Fri Mar 07 10:04:58 2014 C&C hxxp://tangentialreality.com/cache/template/yoo_cache.php
We have observed another similar Trojan, although not on the C&Cs directly:MD5 edf7a81dab0bf0520bfb8204a010b730,
ba57f95eba99722ebdeae433fc168d72 (dropped) Size 700K, 28160 (dropped) Compilation timestamps Sat Dec 14 18:44:11 2013 (top)
Fri Jan 10 12:59:36 2014 (dropped) C&C hxxp://store.extremesportsevents.net/index.php?i=62B...[snip]
The use of the Nemesis Gemina packer in the Miniduke payloads made us look for further samples in our collection. This led us to several new findings.The "New" Miniduke Malware (the "CosmicDuke")
After the 2013 exposure, the actor behind Miniduke appears to have switched to using another custom backdoor, capable of stealing various types of information.
The malware spoofs popular applications designed to run in the background, including file information, icons and even file size:
The main "new" Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called "BotGenStudio", which has flexibility to enable/disable components when the bot is constructed.
The components can be divided into 3 groups
Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated.Reconnaissance
The malware can steal a variety of information, including files based on extensions and file name keywords:
Note: we believe the "*sifr*" and "*sifer*" keywords above refer to the transliteration of the English word "Cypher" in some languages.
Also, the backdoor has many other capabilities including:
- Skype password stealer
- General network information harvester
- Screen grabber (grabs images every 5 minutes)
- Clipboard grabber (grabs clipboard contents every 30 seconds)
- Microsoft Outlook, Windows Address Book stealer
- Google Chrome password stealer
- Google Talk password stealer
- Opera password stealer
- TheBat! password stealer
- Firefox, Thunderbird password stealer
- Drives/location/locale/installed software harvester
- WiFi network/adapter information harvester
- LSA secrets harvester
- Protected Storage secrets harvester
- Certificate/private keys exporter
- URL History harvester
- InteliForms secrets harvester
- IE Autocomplete, Outlook Express secrets harvester
- and more...
The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software. These three methods are:
- Direct TCP connection and HTTP session via Winsock library
- HTTP session via Urlmon.dll
- HTTP session via invisible instance of Internet Explorer as OLE object
Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. As we noted, Miniduke/CosmicDuke is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software. Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardized code which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.
One of the more technically advanced parts of Miniduke is the data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure which has various record types including strings, integers and internal references.
In addition, Miniduke uses an unusual method to store the exfiltrated data. When a file is uploaded to the C&C server it is split into small chunks (~3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If the source file is large enough it may be placed into several hundred different containers that are uploaded independently. These data chunks are probably parsed, decrypted, unpacked, extracted and reassembled on the attacker' side. This method is used to upload screenshots made on the victim's machine. Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors.Victim geography and profiles
Based on our analysis, the victims of Miniduke and CosmicDuke fall into these categories:
- telecom operators
- military, including military contractors
- individuals involved in the traffic and selling of illegal and controlled substances
From one of the old style Miniduke servers we were able to extract a list of victims and their corresponding countries. We were able to identify victims in three of these countries which belonged to the "government" category. Here's the list of countries affected:
- United States
One of the CosmicDuke servers we analyzed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs. Geographical distribution of the victims was as follows (top10):84 Georgia 61 Russia 34 United States 14 United Kingdom 9 Kazakhstan 8 India 8 Belarus 6 Cyprus 4 Ukraine 4 Lithuania
According to our analysis, the attackers were more interested in expanding their operations and scanned IP ranges and servers in Azerbaijan, Greece and Ukraine.Command and control server analysis and hacking tools
During the analysis, we were able to obtain a copy of one of the CosmicDuke command and control servers. It appears it was also used for other operations by the group members, including hacking into other servers on the internet.
The attackers have deployed a number of publicly available hacking tools on this server in order to scan and compromise websites of victim organizations as well as collect information for future targeted attacks.
Here is the list of hacking tools found on the server:
Hydra: "A very fast network logon cracker which support many different services"
Fierce2: "A semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domains using things like DNS, Whois and ARIN"
The Harvester: "The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database"
RitX: "A Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all currently domains hosted on a server using multiple services and various techniques"
Joomscan: "OWASP Joomla! Vulnerability Scanner"
Ncrack: "High-speed network authentication cracking tool. It allows for rapid, yet reliable large-scale auditing of multiple hosts"
Sqlmap: "An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers"
WPScan: "A black box WordPress vulnerability scanner"
Note: tool descriptions were copied from their public websitesAttribution and Artifacts, connections with other campaigns
Although the attackers use English in several places, indicating knowledge of this language, there are certain indicators to suggest they are not native English speakers.
The following strings were discovered in a block of memory appended to the malware component used for persistence:
c:\documents and settings\владимир\local settings\...
The C&C hosts appear to have been compromised by the attackers, which uploaded a specific webshell.
For the webshell, it is interesting to point to the use of Codepage 1251, which is commonly used to render Cyrillic characters. The password used to protect the shell, is checked against the MD5 hash "35c7c2d1fe03f0eeaa4630332c242a36". (BTW: can you crack it? It took us some days to solve it!)
Perhaps it is noteworthy to say that the same webshell has been observed in the operations of another advanced threat actor known as Turla, Snake or Uroburos.
Another interesting aspect is the debug path strings from the malware, which indicate several build environments or groups of "users" of the "Bot Gen Studio", "NITRO" and "Nemesis Gemina":
Based on the compilation timestamps, we were able to put together the following chart indicating the activity of the Miniduke/CosmicDuke attackers on a 'Day of the Week' basis:
It appears the attackers follow the Mon-Fri work week, however, they do work on the weekends from time to time.
In terms of activity hours, the attackers appear to be working between 6am and 7pm GMT. Most of the work is done between 6am and 4pm though.
Although they stopped or at least decreased in intensity following our announcement last year, the Miniduke attacks are now back in force. The old style Miniduke malware is still being used, deploying previously known stages packed with a new obfuscator observed with the mysterious "Bot Gen Studio" for the "NITRO" and "Nemesis Gemina" projects.
While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia. One possibility is that "Bot Gen Studio" is a malware platform also available as a so-called "legal spyware" tool, similar to others, such as HackingTeam's RCS, widely used by law enforcement agencies. Another possibility is that it's simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.
At the same time, the "Nemesis Gemina" project focuses on government, diplomatic, energy, military and telecom operators.
One of the big questions here is: Are the Miniduke attackers still "elite"? Though the old malware is still in use, the new malware is no longer pure assembler; instead, it's written in C/C++.
The new samples of Miniduke/CosmicDuke use a powerful obfuscator. For almost all of the samples we analyzed, it jumps to the beginning of dynamic PE loader - always from the same "l33t" address (if memory layout allowed it during the bot construction):
Hence, you could say that CosmicDuke is still "l33t"!
NO-IP is one of the many Dynamic DNS providers out there, which can be used for free to register a subdomain on top of popular names such as servepics.com or servebeer.com . For a long time, this has been a favorite method for cybercriminals who wanted to register easy to update hostnames to control their malware implants. Yesterday, Microsoft moved against NO-IP and seized 22 of their domains. They also filed a civil case against Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software harming Microsoft, its customers and the public at large.
Interestingly, Microsoft cited two specific malware families which were used to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware . These have been used by multiple cybercriminal and activist groups to target users, including the (in-)famous Syrian Electronic Army. (stay tuned for a more detailed blog on that soon)
In addition to these, the takedown disrupted many other APT operations, which used NO-IP for their C&C infrastructure. These include:
- Turla/Snake/Uroburos, including Epic
- HackingTeam RCS customers
Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 22.214.171.124.
Some top level domains that have been taken away from Vitalwerks and now use Microsoft's DNS infrastructure include:
In the meantime, NO-IP / Vitalwerks have published their answer online:
Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft s attempt to remediate hostnames associated with a few bad actors.
We think yesterday s events have dealt a major blow to many cybercriminal and APT operations around the world.
In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure.
Since the publication of our blogpost, many people have contacted us and complained about disruption of their otherwise clean hosts due to the Microsoft takedown. In fact, two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries.
Update (2014-07-04): NO-IP just sent a note to their customers that all 23 domains that were seized by Microsoft are now back in their control. This appears to be true, with Microsoft DNS servers no longer controlling the domains.
Have you been affected about the NO-IP takedown? Please let us know by sharing your comments below.
Blog: Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations
In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother's Day - the attackers sent out adverts offering flowers and candies.Holiday spam for Mom
As usual, the spammers were very busy in the run-up to the Mother's Day celebration in May, sending out adverts for flowers and candies ahead of the holiday. To get the attention of the recipient, the subject of the email contained the name of the holiday while the body of the message included colorfully decorated promises of generous discounts and prompt delivery.
However, most links in these emails redirected the user to completely different pages instead of the advertised sites. The redirects went to newly created domains which were used not only in the links in the body of the message but also as a server domain name in the sender address. Some emails also included a link which would supposedly enable recipients to unsubscribe from further mailings. In fact, this link was used to collect users' email addresses and send them new spam messages.Spam for gardeners
It's no secret that Americans are enthusiastic about their gardens - and gardening is one of the most popular hobbies in the country. With summer fast approaching, the spammers started spreading more offers of seeds for lawns and flowers, as well as berries and fruits. Potential buyers were lured in by phrases like "special," "limited offer" and offers of a free plant for every two bought. The messages included colorful images and contained a link. Interestingly, most of the domains to which these links led had been created less than a week before launching the mass mailing.Diplomas and degrees
In May, we came across a lot of mailings advertising schools and colleges that provided distance learning services. However, there were also mailings in which spammers invited users to simply buy a qualification. All that was required was to make a donation to a church, which would then officially award an honorary doctorate to the benefactor.
In Germany, for example, only universities and similar higher education institutions have the right to award doctorates. However, the situation is somewhat different when it comes to so-called honorary doctorate degrees that are awarded on behalf of a church. Although getting this doctorate does not entail any learning or writing of dissertations, the spam mailings used images of students and other university themes to advertise the service.
There were also many offers to help struggling graduates repay their student loans. These messages urged recipients to follow a link to a site where they would find adverts for organizations that recruit volunteers and staff for non-profit institutions. In the US it is possible to enroll in state programs that offer credits to people who do some kind of service for their community, and these credits can offset student loans. However, the mailings came from unknown accounts that regularly change their email addresses, and not from an official source. The links in the messages went to newly created websites that prompted users to submit personal data.
To get the recipient interested, such emails often contained a personal appeal: "Still can't repay your student loan? I've found an interesting program for you that is definitely worth reading. It will help significantly reduce your monthly payments".Insuring everyone against everything
Yet another popular topic last month was insuring against different risks, mainly life insurance, although we saw offers of car insurance.
These mailings aimed to redirect users to sites where they could compare the cost of insurance cover from different insurers and choose the most favorable terms. In other cases, the links in the emails led to the spammer parked page where the visitor was offered a wider choice of the types of insurance, companies and programs. Having made his choice and clicked on one of the proposed options, the user entered another resource. The links in the messages might also lead to a site advertising one particular insurance company; typically it was a recently established medium-sized firm.
One unusual type of insurance offer that was limited to English-speaking spam, was burial insurance. In fact, it is an extended version of life insurance: a larger insurance premium means the insurance policy includes funeral services in the event of a sudden death. In May, such messages came in the form of images containing a hyperlink leading to the notorious parked page of the insurance company. These links varied from email to email, but they were always based on different domains registered by the spammers shortly before launching the mailings.The percentage of spam in email traffic
The percentage of spam in email traffic in May averaged 69.8%, which is 1.3 percentage points less than in April. The highest spam levels were seen during the third week of the month (72.1%), and the lowest levels were seen in the middle of the month (69%).Malicious attachments in email
The graph below shows the Top 10 malicious programs spread by email in May.
Once again Trojan-Spy.HTML.Fraud.gen tops the charts. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.
In May, representatives of the Bublik family occupied 2nd, 3rd, 5th, 7th and 10th places. In the previous month eight of the top 10 malicious programs were part of this group. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. Once the task is fulfilled, the program does not remain active: it copies itself into the %temp% file imitating an Adobe application or document. Trojan.Win32.Bublik.cpik and Trojan.Win32.Bublik.cpil download the notorious ZeuS/Zbot. Although this malicious program is able to execute a variety of malicious actions it is most often used to steal banking information. It can also install CryptoLocker, a malicious program that encrypts user data and demands a ransom to decipher it.
Trojan-Banker.Win32.ChePro.ilc, a banking Trojan targeting the users of Brazilian banks, came fourth. As is typical for this type of malware, it steals bank information and passwords.
Ninth place was occupied by Trojan.Win32.Pakes.agxu, a piece of spyware that intercepts keystrokes, collects screenshots from victim computers and sends the harvested information to the criminal's email address.
The UK was the country with the highest proportion of email antivirus detections with 13.5% (up 3.5 percentage points from April). The US (9.9%) dropped to second. Germany (8.2%) stayed in third.
Columbia (1.83%) was a new entry to the top 20 in May while Russia dropped off the list.
The percentage of email antivirus detections in other countries did not change much in May.Special features of malicious spam
The insurance theme did not just feature in spam advertising this month - it was also used in mass mailings that spread malicious attachments. For example, we came across German-language messages with the subject "You have not paid your monthly premium", with a warning that next month the interest rate would change. These emails contained a link to allegedly more detailed information and once the recipient clicked on it, a ZIP archive with the name 'Dokumentation' (documentation) or 'Rechnung' (bill) was downloaded on the computer. In both cases the archive contained Backdoor.Win32.Androm.dsqy. This member of the Andromeda family is a backdoor that allows attackers to control infected computers while remaining unnoticed. The infected computers often become part of a botnet.
In May, the attackers sent out fake notifications on behalf of the popular iTunes Store. The recipient was informed about the alleged purchase of an application; the email even specified the name of the product and the price. The attached file, which was supposedly the invoice, in fact contained Trojan-Banker.Win32.Shiotob.f. This family of Trojans steals passwords stored in FTP clients and monitors browser traffic to intercept login details.
Customers of energy company E.ON, which generates and supplies electricity and heating in many countries, were also targeted by a similar scam. An email with the company logo sent on behalf of E.ON read: "This email is to bring to your notice that we were unable to process your last payment. See the details in the attachment". The attached archive contained Trojan-Spy.Win32.Zbot.svvs, a representative of the popular Zbot family designed to steal personal data, especially banking information.Phishing
In May, Email search sites (32.2%) topped the rating of organizations most frequently targeted by phishers with a slight growth of 0.5 percentage points from the previous month. Second came Social networks (23.9%), headed by Facebook. Financial and payment organizations were in third place with 12.8% (+0.2 percentage points) followed by Online stores (12.1%) whose share also grew 0.2 percentage points from April. The percentage of attacks targeting Telephone and Internet service providers fell by 0.4 percentage points compared with the previous month.The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
Fake tax notifications are frequently sent by fraudsters in order to install various malware on users' computers. In May, we came across a fake notification supposedly sent on behalf of the State Tax Service of South Africa. The attachment contained a phishing HTML page rather than a malicious file. The attackers tried to persuade the recipient to enter his bank card details into a form on the pretext of returning overpaid tax. To make the page look legitimate the scammers used the logo of the Service and in the 'From' field they specified not only the name of the government organization but also its official address - sars.gov.za - as the server domain name.Conclusion
The proportion of spam in global email traffic in May dropped 1.3 percentage points and averaged 69.8%.
The summer season and the end of the school year were used by spammers to spread tourism-themed spam advertising different summer vacation ideas for children, offers of help with academic work and invitations to buy ready-made qualifications from any higher education establishment. The annual increase in the quantity of tourist spam in the run-up to the holiday season is expected this summer too.
Mother's Day was actively used in English-language spam to advertise various gifts. Insurance was another popular theme in May. Most Russian-language adverts offered car insurance, while in the English-speaking segment it was mostly life insurance.
The list of malware spread by email was again topped by Trojan-Spy.HTML.Fraud.gen. There were fewer members of the Bublik family in the May ranking - just five, compared with eight in April.
In May there was no big change in the organizations most frequently targeted by phishers. Email search sites (32.2%) were in first place, followed by Social networks (23.9%). Financial and payment organizations (12.8%) completed the top three.
Today was the last day of the REcon 2014 conference where reverse engineers from all over the world meet and share their research.
The event started with trainings, where I (Nicolas) gave a 4 days training on malware reverse engineering. During those 4 days, we covered various kind of topics such as how to unpack/decrypt malware, identify cryptography algorithms, deal with obfuscated code, analyze shellcode etc.
My colleague Marta Janus did a talk explaining the various techniques used by malwares to evade detection and sandboxing, and covered a lot of obfuscations tricks used in current malware.
The presentations this year were quite interesting and a few of them directly related to what we do in the labs, including graph representation of binaries , tools to help speed up analysis and handle code obfuscation.
You can find the full schedule of the conference here
The slides and the videos of every talks will be uploaded in the future on the REcon website.
Meanwhile, you can already download some of the research tools:
PANDA is the Platform for Architecture-Neutral Dynamic Analysis. It is a platform based on QEMU 1.0.1 and LLVM 3.3 for performing dynamic software analysis, abstracting architecture-level details away with a clean plugin interface. It is currently being developed in collaboration with MIT Lincoln Laboratory, Georgia Tech, and Northeastern University.
FUNCAP is a script to record function calls (and returns) across an executable using IDA debugger API, along with all the arguments passed. It dumps the info to a text file, and also inserts it into IDA's inline comments. This way, static analysis that usually follows the behavioral runtime analysis when analyzing malware, can be directly fed with runtime info such as decrypted strings returned in function's arguments
One presentation mentioned a framework for Reverse Engineering which i consider worthy to list here.
MIASM 2 is a a free and open source (GPLv2) reverse engineering framework. Miasm aims at analyzing/modifying/generating binary programs. Abilities to represent assembly semantic using intermediate language, emulating using jit (dynamic code analysis, unpacking) and expression simplification for automatic de-obfuscation.
See you next year at RECON 2015
Stealing more than half a million euro in just a week - it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk's control panel it immediately got in touch with the bank and launched an investigation.
On January 20th 2014 Kaspersky Lab detected a suspicious server containing several log files including events from bots reporting to a command and control web panel. The information sent seemed to be related to a financial fraud; it included details of the victims and the sums of money stolen.
Once we analyzed all the available data, it was clear that the C2 was the server-side portion of a banking Trojan infrastructure. We believe the fraud was being perpetrated using Man-in-the-Browser techniques and was also capable of performing automatic transactions to pre-set money mule accounts.
We decided to name this C2 luuuk after the path the administration panel used in the server:/server/adm/luuuk/
Below is a summary of the relevant information extracted from the server side component:
- Around 190 victims, mostly located in Italy and Turkey.
- Fraudulent transactions worth more than 500,000 € (according to logs) .
- Fraudulent transfer descriptions.
- Victims' and mules' IBANs.
The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 126.96.36.199 during the analysis.
The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time.
This kind of injections are very common in all the variations of Zeus (Citadel, SpyEye, IceIX, etc.) and all of these are well-known in Italy. During our investigation it was not possible to find the infection vector, however banking Trojans use a variety of methods to infect victims including spam and drive-by downloads.
The attackers used the stolen credentials to check the victim?s balance and perform several malicious transactions automatically, probably operating in the background of a legitimate banking session. That would be consistent with one of the malicious artifacts (a VNC server) we found binded to the malicious server used by the attackers.
Despite the "usual" techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money.
According to the transaction logs, there were 4 different money-mule (or drop) groups:
- 13test: The limit that the drops in this group can accept is between 40,000 and 50,000 Euros, although there are some drops that have different limits, between 20,000 and 30,000.
- 14test: The limit that the drops in this group can accept is between 15,000 and 20,000 Euros, although there are some drops in this group that have different limits, between 45,000 and 50,000.
- 14smallings: The limit that the drops in this group can accept is between 2,500 and 3,000 Euros.
- 16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros, although there are drops in this group that can accept a quantity between 2,500 and 3,000 Euros (as in the group 14smallings).
This could be an indicator of a well-organized mule infrastructure. Different groups have different limits on the money that can be transferred to its mules, an indicator of the levels of trust between them.
The operators of this control panel removed all the sensitive components on January 22nd, two days after our investigation started. Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation.
In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered.
Kaspersky Lab is maintaining contacts with different LEAs and the affected financial institution in order to prosecute the criminals.Kaspersky Fraud Prevention vs. the Luuuk
The evidence uncovered by Kaspersky Lab's experts indicates that the campaign was most probably organized by professional criminals. However, the malicious tools they used to steal money can be countered effectively by security technologies. For instance, Kaspersky Lab has developed Kaspersky Fraud Prevention - a multi-tier platform to help financial organizations protect their clients from online financial fraud. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions.UPDATE
After the publication of the post, our colleagues at Fox-IT InTELL sent us some potentially related information regarding this campaign. According to this new information, the Luuuk server could be related to the ZeusP2P (aka Murofet) infrastructure as we originally suspected.
We received two decrypted configuration files belonging to the ZeusP2P with a reference to the same server where Luuuk was hosted:
The configuration belongs to a botnet named "it" (for Italy). The Luuuk server is being used to host the code that is injected in the victims´ browser. It also manages the automatic transfers to a predefined set of money mules (drops) accounts.
We were also able to analyze the binaries using these configurations. The first one (c8a3657ea19ec43dcb569772308a6c2f) is a ZeusP2P (Murofet) sample that was first seen back in August 2013, months before the malicious transactions were made. It tries to connect to several of the sinkholed servers used to take down GameOver.
This additional data reinforces the theory that the Zeus family is behind the Luuuk server - in this particular case it appears to be of the ZeusP2P flavor. However, this is not definitive proof that the malicious transactions in the campaign were performed by this family, as the injected code on the server was not there when we analyzed it.
We would like to thank Fox-IT for sharing this information.
More than a year has passed since the release of our last article on HackingTeam, the Italian company that develops a "legal" spyware tool known as Remote Control System, or short, RCS. In the meantime a lot has been happened, so it's time for an update on all our current research findings on the RCS malware.Locating the command servers
One of the most important things we've uncovered during our long and extensive research is a specific feature than can be used to fingerprint the RCS command servers (C2s). We presented details of this method at the Virus Bulletin 2013 conference.
To summarize, when a special request is sent to a "harmless" HackingTeam RCS C&C server, the RCS C&C responds with the following error message:
First of all, the codename 'RCS' is there, all right. What we weren't sure about was the 'Collector' referred to in the response. This probably refers to the fact that the server "collects" information from the victims. We used this particular fingerprinting method to scan the entire IPv4 space, which allowed us to find all the IP addresses of the RCS C2s around the world and plot them nicely to a map showing their locations. šWe pinpointed a grand total of 326 C2s.Count of C2s Country name 64 UNITED STATES 49 KAZAKHSTAN 35 ECUADOR 32 UNITED KINGDOM 24 CANADA 15 CHINA 12 COLOMBIA 7 POLAND 7 NEW ZEALAND 6 PERU 6 INDONESIA 6 BRAZIL 6 BOLIVIA 6 ARGENTINA 5 RUSSIAN FEDERATION 5 INDIA 4 HONG KONG 4 AUSTRALIA 3 SPAIN 2 SAUDI ARABIA 2 MALAYSIA 2 ITALY 2 GERMANY 2 FRANCE 2 EGYPT 1 UKRAINE 1 THAILAND 1 SWEDEN 1 SINGAPORE 1 ROMANIA 1 PARAGUAY 1 MOROCCO 1 LITHUANIA 1 KENYA 1 JAPAN 1 IRELAND 1 HUNGARY 1 DENMARK 1 CZECH REPUBLIC 1 CYPRUS 1 Other 1 BELGIUM 1 AZERBAIJAN
The largest amount of identified servers was in the US, Kazakhstan and Ecuador. Unfortunately, we can’t be sure that the servers in a certain country are used by that specific country’s LEAs; however, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers. Nevertheless, several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.Mobile modules
It was a well-known fact for quite some time that HackingTeam products included malware for mobile phones. However, these were rarely seen. In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story. Earlier this year, we discovered a number of mobile malware modules coming from HackingTeam for the following platforms:
- Windows Mobile
All these modules are controlled by the same configuration type, which is a good indication that they are related and belong to the same product family.
Certainly, our main interest during the analysis of the mobile modules was in iOS and Android, due to their popularity. The iOS module works only on jailbroken devices. Here is a description of the main functionality of the iOS module:
- Control of Wi-Fi, GPS, GPRS
- Recording voice
- E-mail, SMS, MMS
- Listing files
- Visited URLs
- Cached web pages
- Address book
- Call history
- List of apps
- SIM change
- Live microphone
- Camera shots
- Support chats, WhatsApp, Skype, Viber
- Log keystrokes from all apps and screens via libinjection
The Android module is protected by the DexGuard optimizer/obfuscator and is therefore extremely difficult to analyze. However, we discovered (see the trace below) that the sample has all the functionality of the iOS module listed above - plus support for hijacking information from the following applications:
Another aspect of particular interest to us was the way the malware samples are installed on mobile devices. We discovered several modules that infect mobile devices connected to infected Windows or Mac OS X computers.
As already mentioned, the iOS module can only be used on jailbroken devices. That is why the iOS infector uses the AFP2 protocol to transfer. The "infector" has a nice GUI that enables installation if there is physical access to the victim's device or remote admin access to an infected computer.
List of Apple devices supported by the iOS infector
After successfully connecting, the iOS infector copies several files to iOS and runs an install.sh file:
As mentioned above, remote admin access to an infected computer is one of the possible ways for the malware to be installed on a connected mobile device. The fact that only jailbroken iOS devices are supported can be a limiting factor. However, this is not a huge problem since an attacker can also run a jailbreaking tool such as Evasi0n via the same infected computer. In this case the only thing that can protect a user from a remote jailbreak and infection is the mobile device’s passcode. However, if the device is unlocked while connected to the infected computer, it can be infected by the attacker.
Another interesting mobile infector is the one for BlackBerry devices, which uses the JavaLoader application to load malware samples on BB 4.5 and 5.0. In its disassembled code, we found a path to the PDB debug file, which appears to have been mistakenly forgotten by the authors. The original project was located in the ‘C:\HT\RCSBlackBerry\Workspace\RCS_BB_Infection_Agent\’ when this malware was created.
In this latest installment of our ongoing research, we uncovered a huge infrastructure that is used to control the RCS malware implants. Our latest research has indentified mobile modules that work on all well-known mobile platforms, including as Android and iOS. These modules are installed using infectors - special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target - which is much more powerful than traditional cloak and dagger operations.
The new data we are publishing on HackingTeam’s RCS is extremely important because it shows the level of sophistication and scale of these surveillance tools. We like to think that if we’re able to protect our customers from such advanced threats, then we’ll sure have no trouble with lesser, more common threats like those posed by cybercriminals.Appendix:
MD5s of mobile infectors:
- 14b03ada92dd81d6ce57f43889810087 - BlackBerry infector
- 35c4f9f242aae60edbd1fe150bc952d5 - iOS infector
MD5s of Android samples:
MD5s of Windows samples:
List of active C2s on 19.06.2014:
RCS modules (using Kaspersky Lab’s classification names):
A lot of our everyday communication and commercial activities are now taking place online, the threat from cybercrime is increasing, targeting citizens, businesses and governments at a rapidly growing rate.
Organizations and individuals are worried about the increase of Cybercrime, not just because of financial damage, but loss of privacy and intellectual property, in addition to reputation problems.
Recent statistics have shown dramatic growth in the Cybercrime in the UAE. Emerging markets have long been of interest for Cyber criminals.
Official statistics from Dubai have shown a dramatic 88% increase in the number of electronic crime cases reported in 2013 compared to the year before. The cyber investigation department of Dubai Police received a total of 1,419 reports in 2013, 792 in 2012 and 588 in 2011.
The increase in the number of attacks in the UAE and the region is also reflected by the number of attacks and infection attempts detected by Kaspersky Security Network in the region. The KSN cloud network uses the latest intelligence technologies to enable the reporting and analysis of threats around the world.Kaspersky top Malware detections statistics for 2014 in the world Adware.Win32.Amonetize.heur 3,700,000+ Worm.VBS.Dinihou.r 1,800,000+ Virus.Win32.Sality.gen 1,780,000+ AdWare.Win32.BetterSurf.b 1,500,000+ AdWare.Win32.Yotoon.heur 1,500,000+ Exploit.Win32.CVE-2010-2568.gen 1,388,000+ Worm.Win32.Debris.a 1,094,000+ Trojan.Win32.Starter.lgb 1,007,000+ AdWare.Win32.Skyli.a 883,000+ Exploit.Java.Generic 850,000+ Trojan.Win32.AntiFW.b 829,000+ Virus.Win32.Nimnul.a 713,000+ Trojan.WinLNK.Runner.ea 676,000+ Why is cybercrime surging in the UAE?
The last few years have seen huge increase in the use of smart electronic devices and Internet services, all these devices are connected to the Internet.Increasing use of online services
According to recent statistics Internet penetration has reached 92% in the UAE. Most people now use online services, including the transfer of financial and personal information to fulfill their day-to-day needs, and the most popular services are as follows:
- E-Government transactions, e-bills
While the benefits of using online services are obvious, there are also threats that target user information.Smartphone Threats
Many people in the UAE and Gulf region have smart mobile devices. These have many benefits and allow anyone to easily access services and activities online. These devices are expensive, so users often wrongly assume they have some kind of default protection.
Android is the most targeted mobile platform. At Kaspersky Lab we now have more than 10 million unique Android malware samples in our databases.
In Q1 2014, more than 99% of all mobile malware targeted Android devices. Detections over the past three months included:
- 1 258 436 installation packages,
- 110 324 new malicious programs for mobile devices,
- 1 182 new mobile banking Trojans.
The huge increase in the use of online payment and e-services, in addition to the wide availability of unprotected smartphones, has encouraged cyber-criminals to target users with malware and phishing attacks affecting all types of devices.
Just like offline crime, money is a prime motive, especially when the risks of a criminal life are less apparent when you're hiding being a computer screen. The perception of low risk and high financial reward stimulates many cyber criminals to participate in identity theft and fraudulent activities.Personal Motivation
Human beings and the crimes they commit are often motivated by personal emotions and vendettas. From irritated employees to jealous boyfriends, many crimes have their roots in powerful passions.Ideological and Political Motivation
These kinds of attacks are carried out for moral, ideological or political reasons, damaging or disabling online services and networks to protest against individuals, corporations or governments. Anonymous group is a popular example of ideologically motivated hackers.The most dangerous attacks on users in the UAE Banking Malware
The UAE is a country well known for its concentration of financial resources. Banking malware targets user devices to steal financial information like credit card details and bank account passwords. The criminals then use this stolen information to transfer money from the compromised accounts.
The most popular banking malware in the UAE are as follows:
- Zeus (Windows)
- Carberp (Windows)
- mToken (Android)
Zeus and Carberp have long been popular malware for Windows computers and widely available public source code has enabled criminals to develop many variants of these. Zeus Gameover, the latest variant of Zeus has hit hard in the UAE, the third most affected country in the world. Zeus Gameover was taken down by the FBI and Microsoft on 2nd of June 2014.
mToken was first recognized and reported by the Intercrawler organization. This is a different type of malware that mainly targets Android devices. It is used to steal banking usernames and passwords, in addition to stealing SMS token messages from the banks. There were 513,000 mToken attacks in Q1 2014 in the GCC region according to statistics from the Telecommunications Regulatory Authority. The mToken disguises itself as a banking token generator for some of the most popular banks in KSA and UAE Most of its victims are in the United Arab Emirates and the Kingdom of Saudi Arabia.
Kaspersky Lab products have detected and blocked Zeus variants since 2010 and Mtoken variants since 2012.Ransomware: Lockers and Crypters
Lockers and Encrypters are ransomware trojans. An attack may come from several sources; one example is disguised as an authentic email attachment.
Some Lockers can be removed with no damage to the system or files, others harm files by encrypting them using RSA public-key cryptography where only the hackers have the keys to decrypt and recover the files.
The malware displays a message which offers to unlock/decrypt the device and data if a payment is made by a stated deadline (through either Bitcoin or a pre-paid coupon), and threatens to delete the key if the deadline passes.
Lockers and Encrypters mainly target Windows devices but recently we have seen versions for Android.
The total number of attacks from Jan-May 2014 is 12,713,890Top 3 Adware in the UAE in 2014 AdWare.Win32.BetterSurf.b 1,228,000+ AdWare.Win32.BrainInst.u 1,189,000+ AdWare.Win32.BHO.batb 680,000+ Top 3 malware attacks in the UAE in 2014 Virus.Win32.Sality.gen 378,000+ Net-Worm.Win32.Kido.ih 348,000+ Exploit.Win32.CVE-2010-2568.gen 339,000+
Sality virus: blocks some security functions and utilities on Windows computers. It also tries to download malware from other servers. It infects Windows files and copies itself to removable and remote drives.
Kido worm: also known as conficker, is malware that targets the Windows operating system, mainly attacking the MS08-067 vulnerability; it also uses dictionary attacks on administrator passwords to spread and create a botnet.
CVE-2010-2568 is one of the most popular weaknesses in the Microsoft Operating system. When exploited by malware attacks, it allows a user to execute code via shortcut file (.lnk) that is not properly handled by the operating system.
Sality virus, Kido worm and the CVE-2010-2568 exploit are legacy attacks which were used to infect millions of machines worldwide. They are still widespread because they can easily infect new machines or they are publicly available for the criminals to use which explains the high success rates if a device is not protected.
These recent statistics suggest that the most popular malware and adware in the UAE are not new:First Date of malware detection by Family BetterSurf adware Oct 2013 BrainInst adware Dec 2013 BHO adware Mar 2006 Sality virus Oct 2009 Kido worm Nov 2008 CVE-2010-2568 exploit Jul 2010
The main reasons why old attacks are still very successful are as follows:
- The absence of correct patching on the user operating systems
- The use of unlicensed software
- The lack of security software to protect the user devices against the latest threats
- The lack of good practices for handling smart devices, like good passwords and awareness on cyber security
Most malware works in stealth mode. It doesn't announce itself on a PC or mobile device, preferring to monitor and steal information and then use it to steal your money or reveal themselves while extorting money. In most cases criminals are not very interested in the information on most personal or business computers. But this data is vital to the owner, and criminals manipulate the need for confidentiality, integrity and availability to cause financial and reputational damage to victims.
The UAE has a diverse, cosmopolitan and multicultural society and the accelerated economic growth in the region has encouraged cyber-criminals to excessively target citizens, using and adapting the latest trends in global cybercrime.
The increasing number and complexity of threats targeting users and businesses in the UAE requires better protection and awareness to defend against various cyber-threats.
You can follow me on twitter: @mahasbini