Malware RSS Feed
We have recently come across a method of getting personal information that was interesting from the technical point of view. Our customer received an email saying that someone had used his Live ID to distribute unsolicited email, so his account would be blocked. The email suggested that, to prevent the account from being blocked, the customer should follow the link and fulfill the service’s new security requirements.
This sounds very much like a typical phishing email. The victim is expected to click on the link that will take him to a fake site imitating the official Windows Live page, enter data which will be sent to the scammers, etc. However, to our surprise, the link from the scam email actually led to the Windows Live website and the cybercriminals did not make any attempt to get the victim’s login and password. Their scam was much more sophisticated than that.The scam
Then why is it dangerous to follow the link if it does lead to the official Microsoft service?
The scam email
This is because the Live ID account can also be used for authorization with other services – Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger, OneDrive, etc. The attack does not result in the fraudster getting direct access to these services on behalf of his victim, but it does enable the attacker to steal personal information contained in the user profiles for these services and subsequently use it for fraudulent purposes.
Having followed the link in the email, we are taken to the official live.com service, where we are asked to authenticate using our login and password.
After successful authentication, the user’s login and password are not intercepted by the fraudsters as one might suppose (and as it usually happens); the user does get authenticated on live.com. But after this they receive a curious prompt from the service:
Some application requests permission to automatically log into our account, view our profile information and contact list and access the list of e-mail addresses. By clicking “Yes” we assign it these rights – in effect providing its creators with our personal information, our contacts’ email addresses, our friends’ nicknames and real names, etc.
Do not give the right to access your personal data to applications that you do not know or trustTweet
Since in this case we know nothing about the application or its authors, we can only assume that the data collected will be used for fraudulent purposes. Once again – the login and password do remain confidential.How it works
Technically, this is not very complicated. There is a special open protocol for authorization, OAuth, which allows resource owners to give third parties limited access to their protected resources without sharing their credentials. The protocol is commonly used by the developers of web applications for social networks if these applications require some data for their operation, such as the ability to access the contact list. It is convenient for users because once they are authenticated with the service they do not have to enter their credentials every time an application requests authorization.
This is the first time we have come across a phishing email used by fraudsters to put these techniques into practiceTweet
The security flaws of the OAuth protocol have been known for quite a while: in early 2014, a student from Singapore described possible techniques for stealing user data after authentication. However, this is the first time we have come across a phishing email used by fraudsters to put these techniques into practice.
In our case, after clicking on the link hxxps://login.live.com/oauth20_authorize.srf?client_id=00xxx4142735&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=hxxp://webmail.code4life.me/hot/oauth-hotmail.php, which was received in a scam email, a user is taken to the authentication page where (s)he is asked to assign certain rights to an application. The list of rights requested is encoded in the link’s parameters. If the user agrees, (s)he is redirected to a landing page (hxxp://webmail.code4life.me/hot/oauth-hotmail.php) whose URL includes an “access token” (hxxp://webmail.code4life.me/hot/oauth-hotmail.php?code=36cef237-b8f6-9cae-c8e4-ad92677ba) after the “code” parameter, which is then intercepted by the application right from the address bar. The “access token” is then used by the application to access protected resources. It is worth noting that the capabilities offered by OAuth are not limited to authentication and authorization. A token received during authorization can be used for integrating a web service’s or social network’s functionality into your own resource, including the ability to read and write posts, access the news feed, the Wall, etc.Link parameters
If you take a closer look at the link, you can see the following parameters: wl.signin, wl.basic, wl.emails, and wl.contacts_emails. These parameters are used to encode the permission levels requested by the application:
- wl.signin – single sign-in enabling users who are logged into Windows Live to automatically log into any web site that supports this type of authorization;
- wl.basic gives permission to read basic information in the user profile, such as the user’s nickname, first and last name, sex, age, country of residence, as well as giving access to the user’s contact list;
- wl.emails – gives reading access to the user’s personal, preferred and business email addresses;
- wl.contacts_emails gives access to the email addresses of all people on the user’s contact list.
There are many other parameters, which give permissions to access the user’s and their contacts’ photos, date of birth, the list of meetings and important events. In fact, a scammer can use this information to create a person’s profile, including information on what the user’s activities are when going out, the user’s friends and people (s)he meets, etc. This profile can then be used for criminal purposes.
The victim's information is gathered in order to send spam or to launch spear phishing attacksTweet
Further research enabled us to find a few similar phishing emails containing links to the official Microsoft service. In all cases, attackers asked the user to provide the same information (profile data, email addresses, contacts). Only the addresses of the landing pages hosting the scammers’ application were different.
It should be noted that some applications designed for social networks also use the OAuth protocol.
Example of rights assigned to an application on Facebook
An application created by scammers might request the victim’s permission to publish posts and pictures on the Wall, to read and send private messages, to add entries in guest books. These features can be used to distribute spam or links to phishing or malicious sites.Conclusion
In the case discussed above, information is most likely gathered in order to send spam to the contacts in the victim’s address book or to launch spear phishing attacks.
To avoid falling victim to scammers, do not follow links received by email or in private messages on social networks. Most importantly, do not give the right to access your personal data to applications that you do not know or trust. Before you agree, carefully read the descriptions of the account access rights which the application will get and assess the threat level. You can also search the Internet for information and feedback on the application requesting these rights. Any social networking site or web service also allows users to view the rights of currently installed applications in account/profile settings and cancel some of the permissions if necessary.
Example of Google access rights assigned to an application
If you have found out that an application is already distributing spam or malicious links on your behalf, you can send a complaint to the administration of the social networking site or web service and the application will be blocked. If you want to log on to a service or social networking site, it is best to go directly to the official website by manually entering its address in the browser. And, of course, keep the databases of your antivirus software with integrated anti-phishing protection up to date.
For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea. It maintained a heavy offensive focus on Myanmar, Vietnam, Singapore, the Philippines, Malaysia, and Laos. Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others.
Parts of the campaigns have been publicly discussed according to the nature of their tools. For example, the MsnMM backdoors started out with internal names like “WinMM” and “SslMM”, and their file naming spoofed MSN Talk and Msn Gaming Zone. The backdoor term “naikon” was derived from the User-Agent string “NOKIAN95″. But msnMM, naikon, sakto, and rarstone backdoors are all used by the same actor that we call the Naikon APT. Their second stage tools largely remained unknown.
The Naikon attackers attempted to exfiltrate sensitive geo-political, military, and economic data; to intercept communications and to maintain surveillance on their victims throughout the MsnMM campaigns. Their toolset and techniques changed over time in many minor ways, and appear to be run by Chinese-speaking individuals. The group’s infrastructure, reliant on web apps located mostly via dynamic dns domains, overlapped across these campaigns. As previously described, the APT’s methods and technologies are simple, but highly effective against its targets’ defenses. We do not find 0-days here.
Much of Naikon’s spear-phish and decoy document content, as well as its deployment, coincided approximately with highly-charged geopolitical events. The consistent list of military, economic, and political targets gave away the actor’s interests. Naikon’s earliest campaigns deployed the exe_exchange, winMM, and sys10 backdoors, and the codebase was later built out into more custom tools. The MsnMM campaigns were waged into the start of 2014, and then dropped off before picking up again later in the year and into 2015.
Regarding interaction with other APTs, it’s interesting to note that Naikon APT victims overlap with Cycldek APT victims. Cycldek is another persistent, but weaker APT. In addition, not only does the APT30 target profile match the Naikon APT, its toolset also features minor but noticeable similarities. And the later Naikon campaigns led to an all out APT v APT confrontation with the Hellsing APT, when “the empire struck back.”
Although aspects of the malware set have been discussed on some blogs and in other papers, there hasn’t been an accurate report bringing together details of the MsnMM, Sys10, and Naikon campaigns as the work of one crew, the Naikon APT. Finally, while this report looks into their past activity, the Naikon APT remains active, deploying a more recent codebase. The top targets for 2015 that we are aware of include organizations in Myanmar, Cambodia, Vietnam, Thailand, and Laos.
Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT. Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did.
The Naikon group was spear-phished by an actor we now call "Hellsing"Tweet
The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t discovered any exact matches. It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.
The Naikon group has for 5 years mined victims, apparently in search of geo-political intelligenceTweet
This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010.
Noteworthy operational and logistical characteristics of this APT include:
- At least five years of high volume, high profile, geo-political attack activity
- Geographical focus – per-country, individual operator assignment and proxy presence
- Dynamic, well organized infrastructure
- Reliance on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder, and an exploit builder
- High success rate in infiltrating national organisations in ASEAN countries
In the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT. The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.
An attack typically starts with an email carrying an attachment that contains information of interest to the potential victim. The document may be based on information from open sources or on proprietary information stolen from other compromised systems.
This bait “document”, or email attachment, appears to be a Word document, but is in fact an executable file with a double extension exploiting CVE-2012-0158 so it can execute code without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim computer at the same time as a decoy document is displayed to the user; fooling them into thinking they have simply opened a document.Configuration
The Naikon tool of choice generates a special, small, encrypted file which is 8,000 bytes in size, and contains platform-independent code to be injected into the browser along with configuration data. With the help of a start-up module, this whole file is injected into the browser memory and decrypts the configuration block containing the following:
- C&C server
- Ports and path to the server
- User-agent string
- Filenames and paths to its components
- Hash sums of the user API functions
The same code then downloads its main body from the C&C server using the SSL protocol, loads it independently from the operating system functions and, without saving it to the hard drive, hands over control to the XS02 function. All functionality is handled in memory.
The main module is a remote administration utility. Using SSL, the module establishes a reverse connection to the C&C server as follows: it sets up an outgoing connection to the C&C server and checks if there is a command that it should execute. If there is, it executes the command and returns the result to the C&C. There are 48 commands in the module’s repertoire, which a remote operator can use to effectively control the victim computer. This includes taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line.
The main module supports 48 commands, which the attackers can use to control the victim machineTweet
Here is the complete list of commands:0 CMD_MAIN_INFO 1 CMD_PROCESS_REFRESH 2 CMD_PROCESS_NAME 3 CMD_PROCESS_KILL 4 CMD_PROCESS_MODULE 5 CMD_DRIVE_REFRESH 6 CMD_DIRECTORY 7 CMD_DIRECTORY_CREATE 8 CMD_DIRECTORY_CREATE_HIDDEN 9 CMD_DIRECTORY_DELETE 10 CMD_DIRECTORY_RENAME 11 CMD_DIRECOTRY_DOWNLOAD 12 CMD_FILE_REFRESH 13 CMD_FILE_DELETE 14 CMD_FILE_RENAME 15 CMD_FILE_EXECUTE_NORMAL 16 CMD_FILE_EXECUTE_HIDDEN 17 CMD_FILE_EXECUTE_NORMAL_CMD 18 CMD_FILE_EXECUTE_HIDDEN_CMD 19 CMD_FILE_UPLOAD 20 CMD_FILE_DOWNLOAD 21 CMD_WINDOWS_INFO 22 CMD_WINDOWS_MESSAGE 23 CMD_SHELL_OPEN 24 CMD_SHELL_CLOSE 25 CMD_SHELL_WRITE 26 CMD_SERVICE_REFRESH 27 CMD_SERVICE_CONTROL 28 CMD_PROGRAM_INFO 29 CMD_UNINSTALL_PROGRAM 30 CMD_REGESTRY_INFO 31 CMD_ADD_AUTO_START 32 CMD_MY_PLUGIN 33 CMD_3RD_PLUGIN 34 CMD_REG_CREATEKEY 35 CMD_REG_DELETEKEY 36 CMD_REG_SETVALUE 37 CMD_REG_DELETEVALUE 38 CMD_SELF_KILL 39 CMD_SELF_RESTART 40 CMD_SELF_CONFIG 41 CMD_SELF_UPDATE 42 CMD_SERVER_INFO 43 CMD_INSTALL_SERVICE 44 CMD_FILE_DOWNLOAD2 45 CMD_RESET 46 CMD_CONNECTION_TABLE 47 48 49 CMD_HEART_BEAT
Several modifications of the main module exist. There are no fundamental differences between modifications; it’s just that extra features get added to the latest versions, such as compression and encryption of transmitted data, or the piecemeal download of large files.d085ba82824c1e61e93e113a705b8e9a 118272 Aug 23 18:46:57 2012 b4a8dc9eb26e727eafb6c8477963829c 140800 May 20 11:56:38 2013 172fd9cce78de38d8cbcad605e3d6675 118784 Jun 13 12:14:40 2013 d74a7e7a4de0da503472f1f051b68745 190464 Aug 19 05:30:12 2013 93e84075bef7a11832d9c5aa70135dc6 154624 Jan 07 04:39:43 2014 CC-Proxy-Op
C&C server operations are characterized by the following:
- Low maintenance requirements
- Organized geo-specific task assignments
- Different approaches to communication
The C&C servers required only a few operators to manage the entire network. Each operator appears to have focused on their own particular set of targets, because a correlation exists between C&C and the location of targets/victims.
There is a geo-specific correlation between the location of Nikon C&Cs and that of targets/victimsTweet
Communication with victim systems changed depending on the target involved. In some cases, a direct connection was established between the victim computer and the operator system. In other cases, the connection was established via dedicated proxy servers installed on dedicated servers rented in third countries. In all likelihood, this additional setup was a reaction to the network administrators in some targets limiting or monitoring outbound network connections from their organizations.
Here is a partial list of C&C servers and victim locations, demonstrating the geo-specific correlation:ID Jakarta linda.googlenow.in ID Jakarta admin0805.gnway.net ID Jakarta free.googlenow.in ID frankhere.oicp.net ID Bandung frankhere.oicp.net ID Bandung telcom.dhtu.info ID Jakarta laotel08.vicp.net JP Tokyo greensky27.vicp.net KH googlemm.vicp.net KH Phnom Penh googlemm.vicp.net MM peacesyou.imwork.net MM sayakyaw.xicp.net MM ubaoyouxiang.gicp.net MM Yangon htkg009.gicp.net MM kyawthumyin.xicp.net MM myanmartech.vicp.net MM test-user123.vicp.cc MY us.googlereader.pw MY net.googlereader.pw MY lovethai.vicp.net MY yahoo.goodns.in MY Putrajaya xl.findmy.pw MY Putrajaya xl.kevins.pw PH Caloocan oraydns.googlesec.pw PH Caloocan gov.yahoomail.pw PH pp.googledata.pw PH xl.findmy.pw PH mlfjcjssl.gicp.net PH o.wm.ggpw.pw PH oooppp.findmy.pw PH cipta.kevins.pw PH phi.yahoomail.pw SG Singapore xl.findmy.pw SG Singapore dd.googleoffice.in VN Hanoi moziliafirefox.wicp.net VN Hanoi bkav.imshop.in VN Hanoi baomoi.coyo.eu VN Dong Ket macstore.vicp.cc VN Hanoi downloadwindows.imwork.net VN Hanoi vietkey.xicp.net VN Hanoi baomoi.vicp.cc VN Hanoi downloadwindow.imwork.net VN Binh Duong www.ttxvn.net VN Binh Duong vietlex.gnway.net VN Hanoi www.ttxvn.net VN Hanoi us.googlereader.pw VN Hanoi yahoo.goodns.in VN Hanoi lovethai.vicp.net VN Hanoi vietlex.gnway.net XSControl – the Naikon APT’s “victim management software”
In the Naikon scheme, a C&C server is essentially specialized XSControl software running on the operator’s machine. It can be used to manage an entire network of infected clients. In some cases, a proxy is used to tunnel victim traffic to the XSControl server. A Naikon proxy server is a dedicated server that accepts incoming connections from victim computers and redirects them to the operator’s computer. An individual Naikon proxy server can be set up in any target country with traffic tunnelling from victim systems to the related C&C servers.
XSControl is written in .NET with the use of DevExpress. Its main capabilities are:
- Accept initial connections from clients
- Provide clients with the main remote administration module
- Enable them to remotely administer infected computers with the help of a GUI
- Keep logs of client activity
- Keep logs of operator activity
- Upload logs and files to an FTP server
The operator’s activity logs contain the following:
- An XML database of downloaded files, specifying the time of operation, the remote path and the local path
- A database of file names, the victim computer registry keys for the folders and sections requested by the operator
- A history of executed commands
Now let’s do an overview of one Naikon campaign, focusing on country “X”.
Analysis revealed that the cyber-espionage campaign against country X had been going on for many years. Computers infected with the remote control modules provided attackers with access to employees’ corporate email and internal resources, and access to personal and corporate email content hosted on external services.
Below is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X.
- Office of the President
- Military Forces
- Office of the Cabinet Secretary
- National Security Council
- Office of the Solicitor General
- National Intelligence Coordinating Agency
- Civil Aviation Authority
- Department of Justice
- Federal Police
- Executive/Presidential Administration and Management Staff
A few of these organizations were key targets and under continuous, real-time monitoring. It was during operator X’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations.
In order to obtain employees’ credentials, operator X sometimes used keyloggers. If necessary, operator X delivered them via the remote control client. In addition to stealing keystrokes, this attacker also intercepted network traffic. Lateral movements included copying over and remotely setting up winpcap across desktop systems within sensitive office networks, then remotely setting up AT jobs to run these network sniffers. Some APTs like Naikon distribute tools such as these across multiple systems in order to regain control if it is lost accidentally and to maintain persistence.
The Naikon group took advantage of cultural idiosyncrasies in its target countriesTweet
Operator X also took advantage of cultural idiosyncrasies in its target countries, for example, the regular and widely accepted use of personal Gmail accounts for work. So it was not difficult for the Naikon APT to register similar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and links to google drive.The empire strikes back
Every once in a while the Naikon group clashes with other APT groups that are also active in the region. In particular, we noticed that the Naikon group was spear-phished by an actor we now call “Hellsing”. More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost: “The Chronicles of the Hellsing APT: The Empire Strikes Back”.
In January 2014 the New gTLD program of registration for new generic top-level domains designated for certain types of communities and organizations was launched. The main advantage of this program is the opportunity for organizations to choose a domain zone that is clearly consistent with their activities and the themes of their sites. The new business opportunities provided by the New gTLD program were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.
Spammers and cybercriminals were quick to react: for them new domains are an excellent tool for promoting illegitimate campaigns. As a result, new domain zones almost immediately became an arena for the large-scale distribution of advertising spam, phishing and malicious emails. Cybercriminals either registered domains to spread spam mass mailings, hacked existing sites to place spam pages, or used these and other web resources in chains that redirect users to spam sites.
According to our observations, email traffic in Q1 2015 saw a considerable increase in the number of new domains that sent out spam of different content. In general there wasn’t much connection between the theme of the spam and the domain name, but in some cases there was an evident logical connection between them. For example, emails sent from the .work domains contained offers to carry out various types of work such as household maintenance, construction or equipment installation. Many of the messages from the .science domains were advertising schools that offer distance learning, colleges to train nurses, criminal lawyers and other professionals.
Q1’s spam traffic also featured many emails sent from color domains like .pink, .red, or .black. Basically they were used to advertise Asian dating sites. At the same time, the top-level domains used in mass mailings exploiting the dating theme were generally empty and did not contain any content related to this subject. They were only used in the chain of redirects leading to the main sites. It should also be noted that the first-level domains of the main sites were created recently and are constantly changing, in contrast with their content, which is still designed according to the same typical spam patterns.
The second- and lower-level domains in such messages are usually generated automatically and appear in the form of a random combination of alphanumeric characters. Meanwhile we are still seeing well-known .com, .org, .info, etc. used as domain zones as well as ones from the New gTLD program.New domains, old themes
As for spam categories on new domains and Q1 spam in general insurance was one of the hottest topics, both in terms of the number of messages and the number of changing domains seen in mass mailings. This covers all types of insurance - life, health, property, cars, animals, and funeral insurance. Spam offering insurance services used newly-created top-level domains as well as compromised or expired ones. And even though the domains were new, spammers continued to use their old tricks, for example, they substituted domains of well-known organizations such as @ amazon.com or @ ebay.com in the From field.
The emails we came across generally followed the same template:
- very little text (the email generally contains a typical header consisting of several words which is exactly repeated in the body of the message)
- one or more links which load a brightly decorated picture (sometimes in parts) with all the necessary advertising data (a more detailed advertising text plus contacts: website address, phone number, company name)
- another long link that leads to a resource that corresponds to the content of the email
- additional ‘white noise’ text to bulk out the email
The latter consists of random phrases or single words in any language which may not be the same as the language of the mass mailing. This text is generally invisible to the reader of the email as it is written in white or pale color on a standard white background. This technique is used in many types of mass mailing.
The source code of a page containing a random set of words to ‘noise’ an emailSpammer tricks
To bypass antispam filtering scammers often noise emails with the large pieces of text written in white lettering on a standard white background to create the illusion of a non-spam text message.
In Q1 spammers exploited yet another technique, deliberating distorting spammer site addresses by writing them separately or adding extra characters. At the same time the message text always contained the name of a second-level domain where the spammer site is hosted, as well as instructions about how to use it with the domain zone: for example, "remove all the extra characters, and copy to the address bar" or "enter in the address bar without spaces". In fact, the addressee of the email is encouraged to create the address of spam site of his own and enter it in the address bar.
Spam is getting more and more dangerous for Internet users. Cybercriminals are coming up with new tricks and are also reverting to the well-known but now forgotten methods. Thus, in the first quarter of 2015 the fraudsters used spam to distributed macro viruses, programs written in the macro languages built into data processing systems (text and graphic editors, spreadsheets, etc.).
In the Q1 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via emailTweet
Malicious emails contained attachments with a .doc or .xls extension. These launched the VBA script when the attachment was opened. This script downloaded and installed other malicious programs, such as the banking Trojan Cridex, in the system. The micro viruses registered by Kaspersky Lab belong to the Trojan downloaders: Trojan-Downloader.MSExcel.Agent, Trojan-Downloader.MSWord.Agent and Trojan-Downloader.VBS.Agent.
Basically, malicious attachments imitated various financial documents: notifications of a fine or a money transfer, unpaid bills, payments, orders and complaints, e-tickets, etc.
Among these fraudulent notifications were fake messages written on behalf of public services, stores, hotel, airlines and other well-known organizations.
One interesting example of a fake notification was the confirmation of payment sent allegedly on behalf of the employee of the leading British supplier of water coolers for offices. The design of the fake message was a perfect imitation of an official email containing full contact details, logos and legitimate links.
Earlier this year, we came across a mass mailing that contained malicious attachments in Microsoft Word or Excel. Instead of the promised detailed information, the attachment contained a Trojan downloader (Trojan-Downloader.MSExcel.Agent or Trojan-Downloader.MSWord.Agent) that downloaded and ran other malicious software. The emails in the mass mailing were based on a single template; only the sender address and the amount of money specified in the subject and the body of the message varied.
The content of the document with a macro virus may look like a set of random characters similar to an incorrect display of coding. Fraudsters use this technique as a pretext: under the pretense of correcting the coding they tried to convince their potential victims to enable macros because back in 2007 Microsoft disabled the automatic activation of macros in files for safety reasons.
In addition to the mass mailings in which the malicious script had been inserted as macros we came across emails in which the script had been inserted as an object. The authors of one of these emails informed recipients they should pay a debt within a week or face legal action that would bring additional financial expenses.
The attached file was also in Microsoft Word while the malicious VBS script (according to the Kaspersky Lab verdict - Trojan-Downloader.VBS.Agent.all) had been inserted into it as an object. To deceive the user the inserted script was displayed as an Excel file: the scammers used the icon of this program and added.xls to the name of the file.
The first macro virus was registered in August 1995 in MS Word "Concept" documents and quickly infected tens of thousands of computers around the world. Despite its 20-year history, this type of malware is still popular largely due to the fact that the VBA language developed to create macros is one of the most simple and accessible, but at the same time functional, programming languages.
The Top 3 countries most often targeted by mailshots: Great Britain, Brazil and USATweet
Most macro viruses are active not only when opening or closing the infected file but as long as the user is working with the editor (text or table). Macro viruses constitute a threat because they infect not only the initially opened file but any other files that are directly addressed.
The active distribution of macro viruses via email is aided by the simplicity with which they can be created and by the fact that users are constantly working with text and spreadsheet applications – often without being aware of the potential danger of macro viruses.Malicious email attachments
Top 10 malicious programs sent by email, first quarter of 2015
In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. This downloader, which was as low as the sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.
Next came Trojan-Spy.HTML.Fraud.gen. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc.
In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 p.p. lower than in the previous quarterTweet
Trojan-Downloader.HTML.Agent.aax and Trojan.HTML.Redirector.ci are in fourth and seventh positions respectively. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered to download Binbot — a binary option trading bot, which has lately been popular on the net. The two malicious programs spread via email attachments and only difference between them is the link which redirects users to rigged sites.
Sixth comes Trojan.Win32.VBKrypt.sbds. It is just a common Trojan downloader designed to download a malicious file to the victim’s computer and run it.
Eighth and ninth places are occupied by downloaders from the Upatre family - Trojan-Downloader.Win32.Upatre.fbq и Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.
It should be noted that if popular malware families rather than specific malicious programs are ranked, Upatre heads the Q1 rating. In most cases, malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) banker, as a result of which this family also leads our rating of most widespread banking threats.
The Andromeda family, which headed last year’s rating, moved down to second position in Q1 2015. As we have mentioned before, these malicious programs allow cybercriminals to secretly control infected computers, which are often made part of a botnet.
The MSWord.Agent family occupies third position in the Top 10. These malicious programs are.doc files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.
In the Q1 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mailTweet
Malware from the ZeuS/Zbot family, which are among the most popular and readily available programs used to steal banking information and therefore users’ money, came only seventh in Q1.Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, Q1 2015
In the first quarter, there were major changes in the Top 3 countries most often targeted by mailshots. Brazil unexpectedly moved up to second place with 7.44% (compared to 3.55% in 2014), pushing Germany down in the ranking. Britain tops the rating (7.85%). The USA is in the third place (7.18%). Germany, which headed the rating for a long time, dropped to fourth position (6.05%).
It is also worth mentioning Australia: it climbed to sixth place in the first quarter with 4.12%.
As for Russia, on the one hand, it dropped two positions in the rating (from 8th to 10th), but on the other hand, the percentage of malicious programs targeting the territory of Russia increased in Q1 (from 3.24% in 2014 to 3 36% in the first quarter of 2015).Statistics Proportion of spam in email traffic
Proportion of spam in email traffic, October 2014 – March 2015
In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 percentage points lower than in the previous quarter. The share of spam gradually decreased: the largest amount of spam was sent in January (61.68%) and the smallest in March (56.17%).Spam sources by country
Countries that were sources of spam, Q1 2015
In the first quarter of 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail. Russia was in second place with 7.27%. Ukraine came third with 5.56% of the world's spam.
Vietnam (4.82%), China (4.51%) and Germany (4.39%) followed the leaders of the rating. India brought up the rear in the Top 10 with 2.83% of all spam distributed worldwide.Spam email size
Spam email size distribution, Q4 2014 and Q1 2015
The distribution of spam emails by size remained stable. The leaders were very small emails of up to 2 KB (73.99%), which are easy to handle in mass mailings. The proportion of such emails decreased by 3.28 percentage points.
The proportion of emails in the size range of 2 KB — 5 KB increased by 5.4 percentage points, reaching 16.00%, while the percentage of spam in the 5-10 KB range decreased by 2.28 percentage points to 2.20%. The share of emails sized 10-20 KB saw hardly changed from the previous quarter.Phishing
In the first quarter of 2015, the Anti-Phishing system was triggered 50,077,057 times on computers of Kaspersky Lab users. This is 1 million times more than in the previous quarter.
For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q1 of 2015 the number (18.28%) was down by 2.74 percentage points.
Geography of phishing attacks*, Q1 2015
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country
Top 10 countries by percentage of users attacked:Country % of users 1 Brazil 18.28 2 India 17.73 3 China 14.92 4 Kazakhstan 11.68 5 Russia 11.62 6 UAE 11.61 7 Australia 11.18 8 France 10.93 9 Canada 10.66 10 Malaysia 10.40
There was a noticeable increase in the proportion of users attacked in India (+1.8 pp). At the same time, we registered a slight decrease in the number of users attacked in Russia (-0.57 pp), Australia (-2.22 pp) and France (-2.78 pp).Organisations under attack
The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component of Anti-Phishing is triggered when the user follows a link to a phishing page information on which is not yet included in Kaspersky Lab databases, regardless of the way in which the page was reached – as a result of clicking on a link in a phishing email, a message on a social network or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.
Although the share of the “Email and search portals” category in the rating of organizations attacked by phishers diminished considerably in Q3 2014, the category (25.66%) still occupies the top position in the rating in 2015. The share of this category increased by a mere 0.40 percentage points from Q4 2014.
Distribution of organizations affected by phishing attacks, Q1 2015.
In the first quarter of 2015 the share of "Online shops" (9.68%) increased by 2.78 pp. Although the percentage of the "Online games" category (3.40%) rose by 0.54 percentage points, it yielded its place to the “IMS” category (3.92%), which saw its share grow by 1.69 pp.
In Q1 2015, we included a new category, “Delivery companies”, in our rating. Despite the fact that currently the contribution of this category is only 0.23%, it has recently demonstrated a growth (+0.04). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often attacked by phishers.
Distribution of phishing attacks on delivery companies, Q1 2015
In a number of emails the scammers offer users to purchase goods with delivery provided by a well-known logistics company. If you agree, they require an advance payment for delivery and provide fake invoices with the logo of the relevant delivery company. Having received the money, the fraudsters disappear.
Additionally, phishing messages sent on behalf of logistics firms often contain malicious attachments. Generally, an email includes a delivery notice; to receive the goods the recipients are expected either to open the attachment, which turns out to be malicious, or to go to the website and enter their personal data. The latter method is used to collect valid email addresses and other personal information of users.
Phishing email sent on behalf of FedEx
Phishing page imitating a DHL personal account login page
Phishing page imitating UPS personal account login page
Phishing page imitating FedEx personal account login pageTop 3 organizations attacked
The Top 3 organizations most often attacked by phishers remained the same as in the last quarter of 2014.Organization % of phishing links 1 Facebook 10.97 2 Google 8.11 3 Yahoo! 5.21
The top three organizations targeted by phishers are Facebook (+0.63 pp), Google (+1.51 pp) and Yahoo! (5.21%). The percentage of attacks on the latter continues to slowly decrease (-1.37 pp).Conclusion
The share of spam in email traffic in the first quarter of 2015 was 59.2%, which is 6 percentage points less than in the previous quarter. The percentage of spam gradually declined during the quarter.
Spam traffic in Q1 of 2015 included a large number of mass mailings with Microsoft Word or Excel attachments containing macro viruses. Fraudsters tried to lure users into opening malicious files by disguising them as various documents, including financial. The fake messages often imitated notifications from well-known organizations and services.
In Q1 of 2015 the results of the New gTLD program of registration for new generic top-level domains launched in 2014 became especially noticeable. The new domains are registered daily but not always for legitimate purposes. We expect further growth in the number of new top-level domains used in mass mailings. The increase in the volume of mass mailings sent from new domains which have evident logical connection between the type of goods and services advertised and the domain name is also possible, although this can hardly be considered a trend.
The three leading source countries for spam sent across the world are the USA (14.5%), Russia (7.27%) and Ukraine (5.56%).
In the Q1 2015 the Anti-Phishing system was triggered more than 50 mln timesTweet
In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. The Upatre downloaders, which are used to download the Trojan banker Dyre/Dyreza, became the most popular malware family of Q1. Britain tops the rating of countries most often targeted by mailshots with 7.85% of all mail antivirus detections.
In Q1 2015, the Anti-Phishing system was triggered on the computers of Kaspersky Lab users 50,077,057 times. The largest percentage of users affected by phishing attacks was in Brazil.
Microsoft released a set of thirteen Security Bulletins (MS015-043 through MS015-055) to start off May 2015, addressing 38 vulnerabilities in a wide set of Microsoft software technologies. Three of these are rated critical for RCE and the rest of the May 2015 Security Bulletins are rated Important. Two of the critical Bulletins (043 and 044) are especially risky and address critical RCE vulnerabilities across all versions of supported Windows platforms.
- Internet Explorer (MS015-043) critical
- GDI+ drivers handling fonts (MS015-044) critical
- Windows Journal (MS015-045) critical
- Microsoft Office
- Sharepoint Server
- .NET Framework
- JScript and VBScript Scripting Engines
- MMC file format
- Schannel (Microsoft's network crypto libraries)
Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.
This round of IE memory corruption vulnerabilities enable remote code execution across all versions of the browser and supported Windows OS, IE6 - IE11. Even Internet Explorer 11 on Windows 8.1 maintains the flawed code, leading many to anticipate Microsoft's new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.
Another issue enables RCE in Windows Journal, a note-taking application first written for XP Tablet associated with .jnt files. To disable the app, it seems that you can simply disable the "Tablet PC Options Components" Windows Feature on Vista or Windows 7, but you are without the Control Panel option on Windows 8.x. On Windows 8 and above systems, it looks like you can remove the .jnt file association in the registry, or, you can deny access to journal.exe with a couple of shell commands:
takeown.exe /f "%ProgramFiles%\Windows Journal\Journal.exe"
icacls.exe %ProgramFiles%\Windows Journal\Journal.exe" /deny everyone:(F)
And finally, another couple of font handling GDI+ vulnerabilities are patched, this time in the DirectWrite library handling for both OpenType (cve-2015-1670) and TrueType (cve-2015-1671) fonts. It's 1671 that enables RCE on Windows systems running SilverLight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .Net framework versions, and all the supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch on a set of files, not just win32k.sys driver code:
According to Microsoft, "When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers". Which may be mincing words, because Microsoft's cve-2015-1671 vulnerability acknowledgement listed the Threat Research Manager at FireEye. That disclosure detail may add urgency to updating this vulnerability for some organizations.
The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as the most of the others from Top35 ASD’s list.
Many respected technology-focused organizations have already developed strategies for coping with targeted attacks. Gartner, for example, has issued guidelines for dealing with social engineering techniques, including keeping pace with an evolving threat landscape through ongoing information security education1. While no ICT infrastructure can ever be 100% secure, there are reasonable steps every organization can take to significantly reduce the risk of a cyber-intrusion.
Among all the available strategies, here at Kaspersky Lab we consider the Australian Signals Directorate (ASD) document to be the best publicly available guidelines from a government organization on how to successfully fight APTs. But we don’t just like this list of strategies; we also want to make sure that Kaspersky Lab technologies cover as many of them as possible. Please check the list below. Bear in mind, of course, that not all technologies have something in common with security software:
The Australia’s Signals Directorate’s full Mitigation Strategies list comprises 35 points.
This list of mitigation strategies can be roughly divided into four logical types, according to the implementation approach:Measures Brief description Administrative Training, physical security Networking These measures are easier to implement at a network hardware level System administration The OS contains everything needed for implementation Specialized security solutions Specialized security software is applicable
Through comprehensive, detailed analysis of local attacks and threats, ASD has found that at least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies. Three of them are related to specialized security solutions. Kaspersky Lab products include technological solutions to cover these first three major strategies:
- Use application whitelisting to help prevent malicious software and unapproved programs from running
- Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- Patch operating system vulnerabilities
- Restrict administrative privileges to operating systems and applications, based on user duties2.
In addition, over half of the ASD list could be implemented using our specialized information security solutions. Take a look at the strategies (those related to specialized security solutions) mapped to Kaspersky Lab technologies. We have highlighted the ones that ASD believes account for 85% mitigation:ASD rank Mitigation strategy, short name Kaspersky Lab technologies 1 Application whitelisting Dynamic whitelisting 2 Patching application vulnerabilities Vulnerability Assessment and Patch Management 3 Patching OS vulnerabilities 5 User application configuration hardening Web control (blocking scripts in web-browsers) , Web Anti-Virus 6 Automated dynamic analysis of email and web content Mail Anti-Virus and Web Anti-Virus, Security for Mail Server, Security for Internet Gateway, DLP for Mail and Collaboration add-ons 7 OS generic exploit mitigation Automatic Exploit Prevention 8 HIDS/HIPS System Watcher and Application Privilege Control 12 Software-based application firewall for incoming traffic Advanced Firewall 13 Software-based application firewall for outgoing traffic Advanced Firewall 15 Computer event logging Kaspersky Security Center 16 Network activity logging Kaspersky Security Center 17 E-mail content filtering Kaspersky Security for Mail Sever 18 Web content filtering Web Control 19 Web domain whitelisting Web Control 20 Block spoofed e-mails Anti-Spam 22 AV software using heuristics and automated Internet-based reputation ratings Anti-Malware 26 Removable and portable media control Device Control 29 Workstation inspection of Microsoft Office files Anti-Malware 30 Signature-based AV software Anti-Malware
ASD Strategies that can be implemented effectively using Kaspersky Lab’s product range.
For more detailed data about ASD strategies please consult the mitigation strategies document in the Securelist encyclopedia: part 1, part 2 and part 3. We hope that this information will be useful for system administrators, CIO/CISOs and researchers fighting targeted cyber intrusions.