The ARC of Satori

Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word “satori” means “enlightenment” or “understanding” in Japanese, but the evolution of the Satori malware has brought anything but clarity. Each new version offers a fresh combination of targeted platforms, propagation techniques, and attack types. In contrast to traditional software, in which features are added incrementally, Satori seems to go both forward and backward. Digging into its history provides insight into this continually evolving threat.

A Short History of IOT Malware

Headlines about massive DDoS attacks first captured the public’s attention on IOT security in late 2016. The malware responsible, Mirai, didn’t target Windows machines like most threats – it targeted weaknesses in IOT devices and other embedded systems. These devices make great DDoS zombies, since often they run a stripped-down version of Linux, are directly connected to the Internet, and have limited security features.

Mirai, and its many copycats, operate with similar principles:

  • Propagation – Infected devices will attempt to infect other, randomly chosen, devices. Mirai started by using common username/password pairs via the antiquated telnet protocol. Later versions would use platform-specific vulnerabilities, like command-injection bugs in the web interface of home routers, to spread.
  • Command-and-control – Once infected, the bot – in addition to propagating – periodically checks in to a command-and-control site for updates and attack commands.
  • Attack – Once instructed by the command-and-control, bots would launch a coordinated flood of attack traffic directed at the victim. This can be a flood of TCP packets with specific flags set, UDP packets, HTTP requests, or other more complicated attacks.

The authors of Mirai eventually published the source code to the malware. With it, anyone who knows how to use a compiler could set up their own command-and-control site and quickly build their own Mirai botnet. Those with more technical know-how could add features like new propagation methods, command-and-control protocols, and new attack types.

Researchers first discovered Satori in December 2017 and other versions of it have been identified since. The initially discovered version of Satori distinguished itself from Mirai in that its propagation method targeted two vulnerabilities in IOT devices – a “zero-day” in Huawei’s home gateway and a previously-known command execution vulnerability in Realtek’s UPNP SOAP interface. Both were clearly intended to target two very specific types of devices, unlike the more agnostic Mirai, which would infect any device with a default or easily guessable telnet username and password. Although there is evidence Satori re-used at least some of the public Mirai code, its precise targeting was what caught the eye of researchers.

To perhaps further muddy the waters, other versions of Satori do indeed use telnet to propagate, but with a more sophisticated list of usernames and passwords.

All IOT malware, including Satori, is delivered to a victim in a compiled, ready-to-run format. That means a Linux executable compiled specifically for the architecture of the victim. For instance, an ARM device cannot run an executable compiled for x86 processors. Before delivering its payload, both Mirai and Satori poke and prod the victim to determine which pre-compiled version of the Mirai binary to download and execute. Satori raised the bar by introducing new architectures – superh and ARC. It’s unclear whether the actors behind Satori did this because they knew a vulnerable population existed, or only hoped that it did.
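Because each Satori payload is built for one CPU architecture, a defender triaging the binaries pulled from a dropper can tell which device classes a campaign targets by reading the ELF header’s e_machine field (the same field the public Mirai loader inspects on a victim). The script below is an added example, not ASERT’s code; the sample names and header bytes are constructed for the demonstration, and the function labels are of my choosing.

```python
"""Classify Linux malware samples by ELF target architecture.

Added example (not ASERT's code): Satori, like Mirai, is delivered as one
pre-compiled binary per CPU architecture, so a triage script that reads
the ELF header of each payload tells a defender which device classes a
campaign targets and whether newer architectures such as SuperH and ARC
have appeared.  Only the first 20 bytes of each file are needed:
e_ident (16 bytes), e_type (2) and e_machine (2).
"""
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF ABI / Linux elf.h.  The SuperH and ARC
# entries cover the architectures the article says Satori added.
E_MACHINE = {
    0x02: "sparc",
    0x03: "x86",
    0x04: "m68k",
    0x08: "mips",
    0x14: "ppc",
    0x28: "arm",
    0x2A: "superh",
    0x2D: "arc",      # EM_ARC (original ARC)
    0x3E: "x86_64",
    0x5D: "arc",      # EM_ARC_COMPACT (ARC700 / ARCompact)
    0xB7: "aarch64",
    0xC3: "arc",      # EM_ARC_COMPACT2 (ARCv2)
}


def elf_arch(data: bytes) -> str:
    """Return an 'arch-bits-endian' label (e.g. 'arm-32-le') for a byte
    string that begins with an ELF header, or an 'unknown' label."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return "unknown"            # not ELF at all (e.g. a shell script)
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return "unknown"            # corrupt or truncated header
    bits = 32 if ei_class == 1 else 64
    fmt = "<H" if ei_data == 1 else ">H"   # EI_DATA selects byte order
    (e_machine,) = struct.unpack(fmt, data[18:20])
    name = E_MACHINE.get(e_machine)
    if name is None:
        return f"unknown-em{e_machine:#x}"
    return f"{name}-{bits}-{'le' if ei_data == 1 else 'be'}"


def make_header(e_machine: int, bits: int = 32, little: bool = True) -> bytes:
    """Construct a minimal 20-byte ELF header prefix for demonstration.
    These are synthetic inputs, not real Satori samples."""
    e_ident = (ELF_MAGIC
               + bytes([1 if bits == 32 else 2,   # EI_CLASS
                        1 if little else 2,       # EI_DATA
                        1])                       # EI_VERSION
               + b"\x00" * 9)                     # OSABI, ABIVERSION, pad
    fmt = "<HH" if little else ">HH"
    return e_ident + struct.pack(fmt, 2, e_machine)  # e_type = ET_EXEC


def classify(samples: dict) -> tuple:
    """Map each sample name to its architecture label and tally how many
    samples target each architecture family."""
    labels = {name: elf_arch(data) for name, data in samples.items()}
    tally = Counter(label.split("-")[0] for label in labels.values())
    return labels, tally


# Constructed set mimicking the per-architecture payloads a dropper
# offers; names and contents are synthetic.
SAMPLES = {
    "payload.arm7": make_header(0x28),
    "payload.mips": make_header(0x08, little=False),
    "payload.mpsl": make_header(0x08),
    "payload.x86":  make_header(0x03),
    "payload.sh4":  make_header(0x2A),
    "payload.arc":  make_header(0x5D),
    "payload.sh":   b"#!/bin/sh\n",          # downloader script, not ELF
}

if __name__ == "__main__":
    labels, tally = classify(SAMPLES)
    for name, label in labels.items():
        print(f"{name:14s} {label}")
    print("per-architecture count:", dict(tally))
```

Feeding the script real files means reading the first 20 bytes of each one; an unexpected e_machine value in a campaign’s payload set is exactly the signal that a new architecture has been added.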

Below is a chart showing the similarities and differences, based on ASERT analysis, between the three most recent variants of Satori. Complementary information, including additional IoCs, can be found in [1]-[5]. Variant 1 is not included due to its lack of functionality, as discussed in [1].

We distinguish the fourth variant of Satori, in part, because it appears to be the first known ARC malware. Adding the capability to run on the ARC chip set greatly expands the potential botnet population. According to [6], an article that was written in 2014, “ARC processor IP cores have been licensed by more than 190 companies and are used in more than 1.5 billion products a year.” Furthermore, now that this new ground has been broken, it paves the way for other malware authors to target that architecture.

DDoS Mitigation

Since the variants of Satori all leverage different subsets of the Mirai DDoS attack codebase, longstanding Mirai-based DDoS mitigation advice still applies. See for example the ASERT Blog entitled Mirai IoT Botnet Description and DDoS Attack Mitigation [7]. Arbor customers can also obtain detailed Arbor product-specific mitigation advice by requesting the latest ASERT Mirai threat advisory from their account team or Arbor ATAC.

Additionally, the continued expansion of DDoS-capable malware to different processor architectures further emphasizes the need for network operators to adopt network BCPs. While Mirai showed an affinity for IPTV cameras and DVRs with weak passwords, threat actors are rewarded for targeting devices others have not. As malware authors expand to ARC and other embedded processors, DDoS-capable malware can subvert a wider range of Internet-connected devices such as phones, gaming consoles, etc. Network operators must re-think their defensive strategies to also protect against compromised internal devices including those which can’t be tracked down by following a cable. The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices (BCPs) are not proactively implemented. BCP references can be found at [8] and [9].


While the impact of IOT malware is self-evident, the threat landscape is constantly evolving. The weakest-of-the-weak, default usernames and passwords, have already been abused, and attackers are moving on to more bountiful fruit – exploitable vulnerabilities in the devices themselves. This reflects the harbinger that Mirai brought the world in 2016 – IOT devices are insecure and will be abused. We expect the three principles of IOT malware – propagation, command-and-control, and attacks – to remain the same, but to become more sophisticated over time.

Author: ASERT team

The Many Tentacles of the Necurs Botnet

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs’ spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Necurs Recipients

From an email marketing and delivery perspective, Necurs doesn’t appear to be too sophisticated. Necurs’ recipient database includes email addresses that have been harvested online, commonly deployed role-based accounts, as well as email addresses that appear to have been auto-generated. These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn’t last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns. For many months the email addresses in Necurs’ database seemed to be largely static; Necurs hasn’t actively added any new addresses for at least the past year, possibly two years or more. In November of 2017, Necurs stopped mailing to many of the autogenerated accounts.

At one of my personal domains, Necurs has been seen mailing to addresses such as ‘equifax@’ – an email address that was originally stolen from Equifax years before the 2017 breach. Necurs also often mails to ‘thisisatestmessageatall@’, another email address I generated and put into the wild, long ago. There are also variations on other legitimate addresses, for example ‘aeson@’, ’20jaeson@’, and ‘eson@’, which are all variations on my address ‘jaeson@’. The number 20 was present at the beginning of many of Necurs’ recipients. Hex 20 corresponds to the space character and is used in percent-encoding, etc. This provides further indication of the harvested nature of these addresses.

Other addresses in Necurs’ mailing list appear to have been auto-generated. For example ‘EFgUYsxebG@’, ‘ZhyWaTmu@’, and ‘MTAyOvoYkx@’ have never been aliases at my domain that I’ve ever used, and the only mail these accounts ever receive comes from Necurs.

Necurs email received at an auto-generated email address

From our set of Necurs’ spam messages, Talos extracted only the user alias portion of the To: address. There are numerous email aliases, such as role-based addresses, that appear to be in Necurs’ recipient DB across many different recipient domains. Strangely, the list also included some odd email aliases deployed at multiple domains such as ‘unity_unity[0-9]@’, ‘petgord32truew@’, ‘iamjustsendingthisleter@’, ‘docs[0-9]@’, and others.

Email alias and the number of domains in our data in which that alias was found

Interestingly, some of these same strange aliases can be found on Project Honeypot’s list of the Top Dictionary Attacker Usernames, though it is unclear whether Necurs obtained their aliases from this list, or whether these aliases made Project Honeypot’s list as a result of Necurs’ spamming activity.

Project Honeypot’s Top Dictionary Attacker Usernames

Necurs Sending IPs

Next, Talos extracted the sending IP addresses responsible for transmitting Necurs’ spam emails, and we grouped the data according to geographical location. Rather than being uniformly distributed worldwide, a majority of Necurs’ nodes were concentrated among just a few countries – India (25.7% of total spam), Vietnam (20.3% of total spam), and Iran (7.3% of total spam). More than half (51.3%) of the sending IP addresses in our data came from just these three countries. In contrast, other large industrialized nations were only responsible for a tiny fraction of the spam. For example, the United States was home to 6,314 (less than 1%) of Necurs sending IPs. Russia accounted for only 38 sending IP addresses out of nearly 1.2 million total sender IPs!

Number of spam messages sent per country

Talos also analyzed the individual spam campaigns in order to determine how often the sending IP addresses were reused from campaign to campaign. We found very little infrastructure reuse. In fact, none of the sending IP addresses in our data were seen across all thirty-two of the campaigns we extracted. Only three sending IP addresses could be found across thirty of Necurs’ spam campaigns. The vast, vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign! This means that the Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes – an impressive feat.

Number of unique IP addresses vs. how many campaigns in which they appeared

Necurs Spam Campaigns

Typically email campaigns from Necurs fall into one of two categories: high-volume weekday campaigns, or low volume continuous campaigns. Necurs has occasionally been seen sending high volume campaigns on weekends, but the vast majority of the time high volume campaigns are limited to the business week only. The mailing list database Necurs is using seems to be segmented, such that the high volume campaigns use one subset of email addresses from the DB, and the low volume campaigns use a different set of email addresses.
Below is an example of a pump-n-dump stock spam sent on April 12th, 2017 by Necurs touting the stock symbol QSMG, Quest Management Incorporated. On the following day the price of QSMG peaked at $2.33, probably netting the criminals a tidy gain on their initial investment. QSMG is currently worth less than $0.02.

A message touting the penny stock, QSMG
QSMG was at $2.33 on April 13. Currently it is worth less than $0.02

Necurs also sends dating spam. Recent dating spam has arrived without any URLs in the body, except a mailto: link to an email address. Current dating campaigns have involved the free email provider, but other previous dating campaigns have taken advantage of other, similar free email services. Necurs’ dating campaigns have also been known to include HTML links to fast-fluxed domains, or sometimes compromised websites (WordPress, etc.).

Necurs dating spam featuring an email address at

If you respond to one of these dating messages, you may be enrolled in a Russian dating website. In this case, the criminals are making money by referring new users to these dating sites. Most likely they are being paid on an affiliate model.

Marmeladies is one of the dating sites to which victims who reply are directed

Of course, one of Necurs’ most well-known payloads is ransomware. Necurs has been one of the biggest distributors of the Locky ransomware. Locky also works on an affiliate model. Inside each Locky sample, in the metadata, is an affiliate ID, which is always the same (3) for Necurs mailings. Most of the time, very little investment is made in the design of the messages themselves, as in the following example.

A typical ransomware campaign from Necurs

The rise (and fall) in the value of digital currencies such as Bitcoin and Ethereum has not escaped the attention of the Necurs criminals. They have been seen conducting attack campaigns using domains designed to look similar to legitimate wallet management websites. In the email below, note the extra word ‘my’ in the domain ‘’.

This domain is registered to appear similar to the real Ethereum wallet management site,

Recently, the Necurs attackers have drawn from previous stock pump-n-dump scams to come up with a relatively new tactic related to cryptocurrency. They had a spam campaign pumping Swisscoin (SIC).

A Necurs spam email encouraging recipients to buy Swisscoin (SIC)

Necurs was recently sending a low volume job spam campaign which includes links to freshly registered domains. For example, in the email below, sent October 30th 2017, we can see they are using a link to the domain, ‘’. (The affiliate ID in the URL is always the same.)

An example of a low volume, job-related spam campaign from Necurs

Checking the whois record for this domain we see the following registration details. Note the registrant email ‘’. This is an attempt by the threat actors to convince the casual observer that the domain is somehow registered through a third party whois privacy protection service. Email accounts are free to the public, and in this instance the attackers have simply generated the alias ‘whois-agent’ for their use in registering domains.

A review of the domains registered to ‘’ yields 399 domains (from DomainTools as of January 17, 2018). The list of domains registered to ‘’ reads like a who’s-who of criminal activity.

Among some of the more notable domains we can see obvious phishing domains:

Typo-squattish domains targeting cryptocoin-related sites:

Fake Flash Player Update domains:

Even domains intended to masquerade as government resources:

A review of some of the domains in passive DNS gives us some other important clues. While most domains are only registered for the minimum of one year, the attackers have chosen to maintain the registration for a longer time on other domains such as ‘’. That domain is home to an online marketplace for buying and selling stolen credit card numbers, stolen SSH account credentials and more.

‘’ is a website dedicated to buying and selling stolen credit card numbers

Passive DNS also reveals instances where the attackers have hosted domains belonging to different registrants on the same IP address. For example, when Talos analyzed the passive DNS records for one of the attacker’s domains, ‘’, we found that this domain was hosted on a single IP address for a couple of months in late 2016 before being parked. When we reviewed the other domains living on that same IP address we saw a bit of a pattern, and most importantly, some of these domains were NOT in the list of domains owned by ‘’.

When we check the registration information for one of the above domains, ‘’, we find that there is a different registrant. This time the email address used to register the domain was ‘’. Just as with the ‘’ address, this is an attempt to make it appear to a casual observer that the domain is protected by whois privacy protection, when in reality this email account appears to be under the direct control of the attackers themselves.

Reviewing the list of 1103 domains (DomainTools as of January 17, 2018) associated with the ‘’ email address, we see much of the same illicit activity we saw before.

More phishing domains:

More domains targeting cryptocoin-related resources:

Similar themed, fake Flash Player updates:

We even see targeting of government resources, just as we did with the other registrant account:

Checking the registration on some of the domains associated with ‘’, we can find some domains in which there are other registrants and the whois-privacy@ address is simply an Administrative and Technical Contact. This reveals an additional registrant email address employed by the attackers, ‘’.

According to DomainTools (as of January 17, 2017), that email address is associated with over 2500 domains. Most of the domains belonging to this registrant email appeared to be domainer-style domains located at TLDs such as .bid and .top, but we also see a heavy dose of illegitimate looking domains in the set as well.

Some typical ‘Domainer’-ish domains:

Illegitimate Domains:

We can associate even more registrant email accounts with these same threat actors using similar techniques. While researching passive DNS for one of the domains we found previously, ‘’, we ran across something very interesting. That particular domain was hosted October 21, 2017 on the IP address, which belongs to Alibaba as part of their cloud hosting product. When we analyze all the other domains which have been hosted on that same IP we see many domains that belong to the registrant email addresses we already knew about, ‘’ and ‘’. However, we also see several domains associated with different registrants.

Looking at the list of domains found on this same Alibaba IP we find the domain ‘’. This domain is registered to the registrant email address ‘’. This registrant has registered 125 domains (DomainTools as of January 17, 2018), many of which have been linked to malicious activities. According to these links, domains associated with this registrant email have been used as part of the Rig Exploit Kit infrastructure. The domain ‘’ was hosted on the Alibaba IP address on October 19, 2017 – only two days before the IP was used to host domains belonging to ‘’.

The domain ‘’ belongs to the registrant email address ‘’. The ‘’ domain was hosted on the IP on October 25th through October 30th, 2017 – also very close to the timeframe in which we saw the IP hosting the other malicious domains.

As of January 16, 2017, DomainTools attributes 918 domains to the registrant email address ‘’. Among some of the domains associated with this address we find gems such as:

The domain ‘’ is registered to ‘’. A Google search for this domain produces this link at Hybrid Analysis and indicates that this particular domain was contacted as part of a piece of malware. At VirusTotal, 50/68 antivirus engines detect this particular sample as malicious.

Searching Google for this registrant email address yields multiple links to malware that reaches out to domains owned by ‘’. VirusTotal corroborates this information, showing 48 and 53 antivirus detections respectively.


Reaching out through various contacts, Talos was able to confirm that, in fact, a single Alibaba cloud instance was controlling this same IP address for the entire time period from October 19, 2017 through October 30, 2017. Is this IP address some part of a criminal domain hosting service? Or is it that a single nefarious enterprise is behind all of these various registrant email accounts and their associated domains? Only the criminals involved in this enterprise can say for certain. Talos continues to monitor this situation with an eye towards further deciphering the business model deployed by these miscreants.

Now that Necurs is back from their regular holiday break, they are attempting to fill our inboxes with junk mail and malware once again. On one hand, the size of the Necurs botnet, and its ability to send from different nodes in every campaign, makes it difficult to defend against: standard IP address blacklists are ineffective against such tactics. Fortunately for network defenders, the fact that Necurs does relatively little to curate their recipient database limits the damage they can do. There are only so many times the same recipients will fall for Necurs’ same, repetitive tricks. We can expect that Necurs will continue to try variations on some of their tried and true attacks, and so user education against these threats remains paramount.

Author: Talos Group

The Service You Can’t Refuse: A Secluded HijackRAT

In the Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers discovered
such malware that pretends to be a “Google Service Framework” and
kills an anti-virus application as well as taking other malicious actions.

In the past, we’ve seen Android malware that performs privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and it appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the VirusTotal score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.

Fig. 2. The VirusTotal detection of the malware sample. [1]
Fig. 3. The fake “Google Service Framework” icon in the home screen.

A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started as shown below. The icon will show “App isn’t
installed.” when the user tries to click it again and removes
itself from the home screen.

Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can
command, as shown below.


Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:


The content is Base64-encoded (RFC 2045). When decoded, it is a
JSONObject with the content {"task": {"0": 0}}. The
server IP,, is located in Hong Kong. We cannot tell if
it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:



The task list shown above will trigger the first malicious action of
“Upload Phone Detail.” When executed, the user’s private information
will be uploaded to the server using HTTP POST request. The
information contains phone number, device ID, and contact lists as
shown below in the network packet of the request:


When decoded, the contents of the red and blue parts of the PCap are
shown below, respectively:

1. The red part:


2. The blue part:


The contact list shown above is already highly sensitive, yet,
if the user has installed some banking applications, the malware
will scan for them too.

In a testing device, we installed the eight Korean bank apps as
shown below:

Fig. 5. The eight banking apps.

When this was done, we found the value of
“banklist” in the PCap was no longer listed as N/A:


The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. Below is the map of the short names
and package names of the eight banking apps installed on the phone:


The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.


In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” which is a popular
anti-virus application available on Google Play. In order to evade
detection, the malware kills the anti-virus application before
manipulating the bank apps. In the code shown below, Conf.LV is
the “com.ahnlab.v3mobileplus” package being killed.


Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:


Once the corresponding command is sent from the RAT, the
resolvePopWindow() method will be called and the device will pop a
Window with the message: “The new version has been released. Please
use after reinstallation.”


The malware will then try to download an app, named after
“update” and the bank’s short name from the CNC server,
simultaneously uninstalling the real, original bank app.


In the code shown above, “mpath” contains the CNC server IP
( and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQLite database. The fake APK (e.g.
“updateBH.apk”) is downloaded from the CNC server; however,
we don’t know what the fake apps look like because during the research
the command for this malicious action was not executed from the RAT.
Yet the source of the “update*.apk” is definitely not certified by the
banks and might be harmful to the Android user.


When the command to “update” is sent from the RAT, a similar app –
“update.apk” is downloaded from the CNC server and installed in the
Android phone:



When the command to upload SMS is received from the RAT, the SMS of
the Android phone will be uploaded to the CNC server. The SMS has been
stored in the database once received:



Then the SMS is read from the database and uploaded to the CNC server
once the command is received:



Similarly, when the sending SMS command is received, the contact list
is sent through SMS.



Interestingly enough, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing the updateNH.apk from the CNC server until it’s of
the newest version.


So far, the part after the installation of the fake app is not
finished yet. We believe the hacker is temporarily having some problems
finishing the function.


As shown above, the hacker has designed and prepared for the
framework of a more malicious command from the CNC server once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.
Author: Jinjian Zhai

Darwin’s Favorite APT Group

The attackers referred to as APT12 (also known as IXESHE, DynCalc,
and DNSCALC) recently started a new campaign targeting organizations
in Japan and Taiwan. APT12 is believed to be a cyber espionage group
thought to have links to the Chinese People’s Liberation Army. APT12’s
targets are consistent with larger People’s Republic of China (PRC)
goals. Intrusions and campaigns conducted by this group are in line
with PRC goals and self-interest in Taiwan. Additionally, the new
campaigns we uncovered further highlight the correlation between APT
groups ceasing and retooling operations after media exposure, as APT12
used the same strategy after compromising the New York Times in Oct
2012. Much like Darwin’s theory of biological evolution, APT12 has been
forced to evolve and adapt in order to maintain its mission.

The new campaign marks the first APT12 activity publicly reported
since Arbor Networks released their blog “Illuminating The Etumbot
APT Backdoor.” FireEye refers to the Etumbot backdoor as RIPTIDE.
Since the release of the Arbor blog post, FireEye has observed APT12
use a modified RIPTIDE backdoor that we call
is the second time FireEye has discovered APT12 retooling after a
public disclosure. As such, FireEye believes this to be a common
theme for this APT group, as APT12 will continue to evolve in an
effort to avoid detection and continue its cyber operations.

FireEye researchers also discovered two possibly related campaigns
utilizing two other backdoors known as THREEBYTE and WATERSPOUT. Both
backdoors were dropped from malicious documents built utilizing the
“Tran Duy Linh” exploit kit, which exploited CVE-2012-0158. These
documents were also emailed to organizations in Japan and Taiwan.
While APT12 has previously used THREEBYTE, it is unclear if APT12 was
responsible for the recently discovered campaign utilizing THREEBYTE.
Similarly, WATERSPOUT is a newly discovered backdoor and the threat
actors behind the campaign have not been positively identified.
However, the WATERSPOUT campaign shared several traits with the
RIPTIDE and HIGHTIDE campaigns that we have attributed to APT12.

From October 2012 to May 2014, FireEye observed APT12 utilizing
RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a
hard-coded command and control (C2) server. RIPTIDE’s first
communication with its C2 server fetches an RC4 encryption key, and
that key is then used to encrypt all further communication.


Figure 1: RIPTIDE HTTP GET Request Example

In June 2014, Arbor Networks published an article describing the
RIPTIDE backdoor and its C2 infrastructure in great depth. The blog
highlighted that the backdoor was utilized in campaigns from March
2011 until May 2014.

Following the release of the article, FireEye observed a distinct
change in RIPTIDE’s protocols and strings. We suspect this change was
a direct result of the Arbor blog post in order to decrease detection
of RIPTIDE by security vendors. The changes to RIPTIDE were
significant enough to circumvent existing RIPTIDE detection rules.
FireEye dubbed this new malware family HIGHTIDE.

HIGHTIDE Malware Family

On Sunday August 24, 2014 we observed a
spear phish email sent to a Taiwanese government ministry. Attached to
this email was a malicious Microsoft Word document (MD5:
f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It
is worth noting that this email appeared to have been sent from
another Taiwanese Government employee, implying that the email was
sent from a valid but compromised account.



Figure 2: APT12 Spearphishing Email

The exploit document dropped the HIGHTIDE backdoor with the
following properties:

MD5          6e59861931fa2796ee107dc27bfdd480
Size         75264 bytes
Compile Time 2014-08-23 08:22:49
Import Hash  ead55ef2b18a80c00786c25211981570

The HIGHTIDE backdoor connected directly to

If you compare the HTTP GET request from the RIPTIDE samples (Figure 1)
to the HTTP GET request from the HIGHTIDE samples (Figure 3), you can
see the malware author changed the following items:

  • User Agent
  • Format and structure of the HTTP Uniform Resource Identifier (URI)


Figure 3: HIGHTIDE GET Request Example

Similar to RIPTIDE campaigns, APT12 infects target systems with
HIGHTIDE using a Microsoft Word (.doc) document that exploits
CVE-2012-0158. FireEye observed APT12 deliver these exploit documents
via phishing emails in multiple cases. Based on past APT12 activity,
we expect the threat group to continue to utilize phishing as a
malware delivery method.

MD5                               File Name                                                       Exploit
73f493f6a2b0da23a79b50765c164e88  議程最新修正及注意事項.doc                                      CVE-2012-0158
f6fafb7c30b1114befc93f39d0698560  0824.1.doc                                                      CVE-2012-0158
eaa6e03d9dae356481215e3a9d2914dc  簡易名冊0全國各警察機關主官至分局長.doc                          CVE-2012-0158
06da4eb2ab6412c0dc7f295920eb61c4  附檔.doc                                                        CVE-2012-0158
53baedf3765e27fb465057c48387c9b6  103年第3屆通訊錄.doc                                           CVE-2012-0158
00a95fb30be2d6271c491545f6c6a707  2014 09 17 Welcome Reception for Bob and Jason_invitation.doc
4ab6bf7e6796bb930be2dd0141128d06  產諮會_Y103(2)委員會_從東協新興國家崛起(0825).doc             CVE-2012-0158

Figure 4: Identified exploit documents for HIGHTIDE

When the file is opened, it drops HIGHTIDE in the form of an
executable file onto the infected system.

RIPTIDE and HIGHTIDE differ on several points: executable file
location, image base address, the User-Agent within the GET requests,
and the format of the URI. The RIPTIDE exploit document drops its
executable file into the C:\Documents and Settings\{user}\Application
Data\Location folder, while the HIGHTIDE exploit document drops its
executable file into the C:\DOCUMENTS and SETTINGS\{user}\LOCAL
SETTINGS\Temp folder. All but one sample that we identified were
written to this folder as word.exe. The one outlier was written as winword.exe.

Research into this HIGHTIDE campaign revealed APT12 targeted
multiple Taiwanese Government organizations between August 22 and 28.

THREEBYTE Malware Family

On Monday August 25, 2014 we observed a different spear phish email
sent from to a technology company located in
Taiwan. This spear phish contained a malicious Word document that
exploited CVE-2012-0158. The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11.

Similar to the newly discovered HIGHTIDE samples documented above,
this malicious document dropped a backdoor to C:\DOCUMENTS and
SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe. This backdoor had the
following properties:

MD5          16e627dbe730488b1c3d448bfc9096e2
Size         75776 bytes
Compile Time 2014-08-25 01:22:20
Import Hash  dcfaa2650d29ec1bd88e262d11d3236f

This backdoor sent the following callback
traffic to video[.]csmcpr[.]com:


Figure 5: THREEBYTE GET Request Beacon

The THREEBYTE spear phishing incident (while not yet attributed)
shared the following characteristics with the above HIGHTIDE campaign
attributed to APT12:

  • The THREEBYTE backdoor was compiled two days after the HIGHTIDE
    backdoors.
  • Both the THREEBYTE and HIGHTIDE backdoors were used in attacks
    targeting organizations in
  • Both the THREEBYTE and HIGHTIDE backdoors were written to the same
    filepath of C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe.
  • APT12 has previously used the THREEBYTE backdoor.

WATERSPOUT Malware Family

On August 25, 2014, we observed another round of spear phishing
emails targeting a high-technology company in Japan. Attached to this
email was another malicious document that was designed to exploit
CVE-2012-0158. This malicious Word document had an MD5 of
499bec15ac83f2c8998f03917b63652e and dropped a backdoor to
backdoor had the following properties:

MD5          f9cfda6062a8ac9e332186a7ec0e706a
Size         49152 bytes
Compile Time 2014-08-25 02:10:11
Import Hash  864cd776c24a3c653fd89899ca32fe0b

The backdoor connects to a command and control server at icc[.]ignorelist[.]com.

Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an
HTTP-based backdoor that communicates with its C2 server.

//<5 digit number>/<4 character string>.php?_id=<43 character string>= HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Cache-Control: no-cache

Figure 6: Sample GET request for WATERSPOUT backdoor
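As an added example (not code from the FireEye post), the following Python matches the URI shape from Figure 6 against proxy-log URLs. The alphabets of the 4-character and 43-character fields are assumptions (alphanumeric and base64 respectively; the post does not state them), and the log lines are constructed. The User-Agent in Figure 6 is a stock Internet Explorer 8 string shared by countless legitimate clients, so it is deliberately not used as a discriminator.

```python
"""Match the WATERSPOUT beacon URI shape from Figure 6 against proxy-log URLs."""
import re
from urllib.parse import urlsplit

# /<5 digit number>/<4 character string>.php?_id=<43 character string>=
# The 4-character and 43-character fields are assumed to be alphanumeric and
# base64 respectively (the post does not state their alphabets). 43 base64
# characters followed by a single "=" is exactly the encoding of 32 bytes.
_PATH = re.compile(r"^/\d{5}/[A-Za-z0-9]{4}\.php$")
_QUERY = re.compile(r"^_id=[A-Za-z0-9+/]{43}=$")


def is_waterspout_beacon(url: str) -> bool:
    """True if both the path and the query string have the Figure 6 shape."""
    parts = urlsplit(url)
    return bool(_PATH.match(parts.path) and _QUERY.match(parts.query))


def scan_proxy_log(log_text: str):
    """Return (client, url) pairs whose URL has the beacon shape.
    Each line is assumed to be: <timestamp> <client-ip> <method> <url> <status>."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        if is_waterspout_beacon(url):
            hits.append((client, url))
    return hits


# Constructed log lines (not from the post): one beacon-shaped URL, an
# ordinary PHP request, and a near miss whose first component has 4 digits.
_ID = "A" * 43 + "="
SAMPLE_LOG = f"""\
2014-08-26T09:15:02Z 10.10.4.12 GET http://c2.example.net/12345/abcd.php?_id={_ID} 200
2014-08-26T09:15:09Z 10.10.4.12 GET http://www.example.com/index.php?id=12 200
2014-08-26T09:16:30Z 10.10.4.40 GET http://c2.example.net/1234/abcd.php?_id={_ID} 200
"""

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

Shape-only matching like this is a triage aid, not proof: a hit should be confirmed against the host's file system (the Temp\word.exe drop path above) before being escalated.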

Although there are no current infrastructure ties to link this
backdoor to APT12, there are several data points that show a possible
tie to the same actors:

  • Same initial delivery method (spear phishing email) with a
    Microsoft Word Document exploiting
  • The same “Tran Duy Linh” Microsoft Word Exploit Kit was used in
    delivery of this backdoor.
  • Similar Targets were observed where the threat actors utilized this
      • Japanese Tech Company
      • Taiwanese Government Organizations
      • Organizations in the Asia-Pacific Region that are of Interest
        to China
  • The WATERSPOUT backdoor was written to the same file path as the
    HIGHTIDE backdoors:
      • C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe
      • C:\DOCUMENTS and SETTINGS\{user}\LOCAL
  • WATERSPOUT was compiled within two days of the last HIGHTIDE
    backdoor and on the same day as the THREEBYTE

Although these points do not definitively tie WATERSPOUT to APT12,
they do indicate a possible connection between the WATERSPOUT
campaign, the THREEBYTE campaign, and the HIGHTIDE campaign attributed
to

FireEye believes the change from RIPTIDE to HIGHTIDE represents a
temporary tool shift to decrease malware detection while APT12
developed a completely new malware toolset. These development efforts
may have resulted in the emergence of the WATERSPOUT backdoor.

Figure 7: Compile dates for all three malware

APT12’s adaptations to public disclosures lead FireEye to make several
conclusions about this threat:

  • APT12 closely monitors online media related to its tools and
    operations and reacts when its tools are publicly
  • APT12 has the ability to adapt quickly to public exposures with
    new tools, tactics, and procedures
  • Public disclosures may result in an immediate change in APT12’s
    tools. These changes may be temporary and FireEye believes they
    are aimed at decreasing detection of their tools until a more
    permanent and effective TTP change can be implemented (e.g.,
    WATERSPOUT).

Though public disclosures resulted in APT12 adaptations, FireEye
observed only a brief pause in APT12 activity before the threat actors
returned to normal activity levels. Similarly, the public disclosure
of APT12’s intrusion at the New York Times also led to only a brief
pause in the threat group’s activity and immediate changes in TTPs.
The pause and retooling by APT12 was covered in the Mandiant 2014
M-Trends report. Currently, APT12 continues to target organizations
and conduct cyber operations using its new tools. Most recently,
FireEye observed HIGHTIDE at multiple Taiwan-based organizations and
the suspected APT12 WATERSPOUT backdoor at a Japan-based electronics
company. We expect that APT12 will continue this trend and evolve its
tactics to stay ahead of network defenders.

Note: IOCs for this campaign can be found here.

Author: Ned Moran

A coin miner with a “Heaven’s Gate”

You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018 progresses.

From the point of view of the victim, this is a huge relief, because miners are not as much of a threat as ransomware. They slow down the system, yes, but once you get rid of them you can continue using your computer as before. No data is stolen, or lost as in the case with a ransomware infection.

From the point of view of a malware researcher, miners are so far disappointing. They don’t give enough interesting material for a deeper analysis, mostly because they are based on well-known open source components with little or no obfuscation.

However, from time to time, we find coin miners incorporating interesting tricks. In one recent sample, we observed a technique called “Heaven’s Gate” that allows the malware to make injections into 64-bit processes from 32-bit loaders. This trick is not new—its introduction is dated to 2009—but it’s curious to see it implemented in this new sample captured in the wild.

Those who are beginners in malware analysis can read on for a guide about what Heaven’s Gate is and how to approach analyzing it.

Analyzed samples

This sample was found in the continuation of the Ngay campaign (more about it here). A background check on similar samples led me to the article of @_qaz_qaz, who described an earlier campaign with a similar sample. However, his analysis skipped details on the Heaven’s Gate technique.

Behavioral analysis

To observe the mentioned injection, we must run the sample on a 64-bit system. We can see that it runs an instance of notepad, with parameters typical for mining cryptocurrency:

Looking at the in-memory strings in Process Explorer, we can clearly see that it is not a real notepad running, but the xmrig miner:

So, at this moment we’re confident that the notepad’s image has been replaced in memory, most probably by the RunPE (Process Hollowing) technique.

The main dropper is 32-bit, but it injects a payload into a 64-bit notepad:

The fun part is that this type of injection is not supported by the official Windows API. We can read/write the memory of 32-bit processes from a 64-bit application (using Wow64 API), but not the other way around.

There are, however, some unofficial solutions to this, such as the technique called “Heaven’s Gate.”

Heaven’s Gate overview

The Heaven’s Gate technique was first described in 2009 by a hacker nicknamed Roy G. Biv. Later, many adaptations were created, such as the library Wow64ext or, based on it, W64oWoW64. In a blog post from 2015, Alex Ionescu described mitigations against this technique.

But let’s have a look at how it works.

Running 32-bit processes on 64-bit Windows

Every 32-bit process that runs on a 64-bit version of Windows runs in a special subsystem called WoW64 that emulates the 32-bit environment. We can explain it as a 32-bit sandbox that is created inside a 64-bit process. So, first the 64-bit environment for the process is created. Then, inside it, the 32-bit environment is created. The application is executed in this 32-bit environment and it has no access to the 64-bit part.

If we scan the 32-bit process from outside, via a 64-bit scanner, we can see that it has both 32-bit and 64-bit DLLs inside. Most importantly, it has two versions of NTDLL: 32-bit (loaded from the SysWow64 directory) and 64-bit (loaded from the System32 directory):

However, the 32-bit process itself can’t see the 64-bit part and is limited to using the 32-bit DLLs. To make an injection to a 64-bit process, we’d need to use the 64-bit versions of appropriate functions.

Code segments

In order to access the forbidden part of the environment, we need to understand how the isolation is made. It turns out that it’s quite simple. 32-bit and 64-bit code execution are selected by different code segment selectors: 0x23 for 32-bit and 0x33 for 64-bit.

If we call an address in the typical way, the mode used to interpret it is the default one. However, we can explicitly request a change using assembly instructions.

Inside the miner: the Heaven’s Gate implementation

I will not do a full analysis of this miner because it has already been described here. Let’s jump directly to the place where the fun begins. The malware checks its environment, and if it finds that it’s running on a 64-bit system, it takes a different path to make an injection into a 64-bit process:

After some anti-analysis checks, it creates a new, suspended 64-bit process (in this case, it is a notepad):

This is the target into which the malicious payload is going to be injected.

As we discussed before, in order to inject the payload into a 64-bit process, we need to use the appropriate 64-bit functions.

First, the loader takes a handle to a 64-bit NTDLL:

What happens inside the function get_ntdll requires some deeper explanation. As a reference, we can also have a look at the analogous code in ReWolf’s library.

To get access to the 64-bit part of the process environment, we need to manipulate the segment selectors. Let’s see how our malware enters 64-bit mode:

This code seems to be directly copied from the open source library:

The segment selector 0x33 is pushed on the stack. Then, the malware calls the next line; this way, the address of the next line is also pushed on the stack.

The pushed address is then fixed up by adding 5 bytes, so that it points just after the retf:

At the end, the instruction RETF is executed. RETF is a “far return,” and in contrast to the ordinary RET, it allows specifying not only the address where execution should resume, but also the segment. It takes as arguments two DWORDs from the stack. So, when the RETF is hit, the actual return address is:


Thanks to the changed segment, the code that starts at the specified address is interpreted as 64-bit. So, the code that is visible under the debugger as 32-bit…

…is, in reality, 64-bit.

For the fast switching of those views, I used a feature of PE-bear:

And this is how this piece of code looks, if it is interpreted as 64-bit:

So, the code that is executed here is responsible for moving the content of the R12 register into a variable on the stack, and then switching back to 32-bit mode. This is done for the purpose of getting the 64-bit TEB (Thread Environment Block), from which we then fetch the 64-bit Process Environment Block (PEB) —check the analogous code.
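As an added example, not code from the post or from the Wow64ext library, here is a static triage check in Python that looks for the gate sequence described above (push 0x33 / call next line / add dword [esp], 5 / retf) in a byte buffer, together with two equivalent far-transfer encodings. The sample buffer is constructed; the opcode bytes are the standard x86 encodings of those instructions, and the image base is an assumed value.

```python
"""Static triage check for Heaven's Gate stubs in 32-bit code."""
import re
import struct

# Byte encodings of the far-return gate the post describes, plus two
# equivalent ways of transferring control to selector 0x33:
#   6A 33              push 0x33
#   E8 00 00 00 00     call $+5 (pushes the address of the next instruction)
#   83 04 24 05        add dword [esp], 5
#   CB                 retf
#   68 imm32           push imm32
#   EA imm32 33 00     jmp far 0x33:imm32
GATE_PATTERNS = {
    "push33_call_fixup_retf": re.compile(
        rb"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb", re.DOTALL),
    "push33_push_addr_retf": re.compile(rb"\x6a\x33\x68(.{4})\xcb", re.DOTALL),
    "jmp_far_33": re.compile(rb"\xea(.{4})\x33\x00", re.DOTALL),
}


def find_heavens_gate(code: bytes, image_base: int = 0) -> list:
    """Return every gate stub in `code` with its offset and the virtual
    address at which execution continues as 64-bit code."""
    hits = []
    for kind, pattern in GATE_PATTERNS.items():
        for m in pattern.finditer(code):
            if kind == "push33_call_fixup_retf":
                # call pushes offset+7; add [esp],5 moves it past the add
                # (4 bytes) and the retf (1 byte), so the 64-bit code starts
                # immediately after the 12-byte stub.
                target = image_base + m.start() + len(m.group(0))
            else:
                # The far address is an immediate embedded in the stub.
                target = struct.unpack("<I", m.group(1))[0]
            hits.append({"offset": m.start(), "kind": kind, "target_va": target})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed 32-bit code (assumed image base 0x401000): a prologue, the gate
# stub byte-for-byte as the post describes it, then two bytes that a 32-bit
# disassembler shows as "inc ecx / push esp" but that are "push r12" once
# interpreted as 64-bit code, which is exactly the view switch the post shows.
SAMPLE_CODE = (
    b"\x55\x8b\xec\x83\xec\x10"                            # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb"  # the gate, at offset 6
    + b"\x41\x54"                                          # push r12 in the 64-bit view
    + b"\x90" * 4
)
SAMPLE_BASE = 0x00401000


if __name__ == "__main__":
    for hit in find_heavens_gate(SAMPLE_CODE, SAMPLE_BASE):
        print(f"offset {hit['offset']:#06x}  {hit['kind']:24s}  "
              f"64-bit entry {hit['target_va']:#010x}")
```

The target address the scanner reports is where to point a 64-bit disassembler, which is the manual step the post performs with PE-bear. Byte-pattern matching is easily defeated by trivial re-encodings (a different register, an extra nop), so a hit is useful for triage, and its absence proves nothing.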

The 64-bit PEB is used as a starting point to search for the 64-bit version of NTDLL. This part is implemented in the usual way (a “vanilla” implementation of this technique can be found here), using a pointer to the loaded libraries that is one of the fields in the PEB structure. So, from the PEB we get a field called Ldr:

Ldr is a structure of the type _PEB_LDR_DATA. It contains an entry called InMemoryOrderModuleList:

This list contains all the loaded DLLs that are present in the memory of the examined process. We browse through this list until we find the DLL of our interest that, in this case, is NTDLL. This is exactly what the mentioned function get_ntdll does. In order to find the appropriate name, it calls the following function—denoted as is_ntdll_lib—that checks the name of the library character-by-character and compares it with ntdll.dll. It is an equivalent of this code.

If the name matches, the address to the library is returned in a pair of registers:

Once NTDLL has been found, we just need to fetch the addresses of the appropriate functions. This is done by browsing the export table of the DLL:

The following functions are being fetched:

  • NtUnmapViewOfSection
  • NtGetContextThread
  • NtAllocateVirtualMemory
  • NtReadVirtualMemory
  • NtWriteVirtualMemory
  • NtSetContextThread

As we know, those functions are typical of the RunPE technique. First, NtUnmapViewOfSection is used to unmap the original PE file. Then, memory in the remote process is allocated, and the new PE is written. At the end, the context of the process is changed to start execution from the injected module.

The addresses of the functions are saved and later called (similarly to this code) to manipulate the remote process.


So far, authors of coin miners don’t show a lot of creativity. They achieve their goals by heavily relying on open-source components. The described case also shows this tendency – they made use of a ready-made implementation.

The Heaven’s Gate technique has been around for several years. Some malware uses it for the purpose of being stealthy. But in the case of this coin miner, the authors probably aimed instead to maximize performance by using a payload version that best fits the target architecture.

The post A coin miner with a “Heaven’s Gate” appeared first on Malwarebytes Labs.

Author: hasherezade

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign


FireEye researchers recently observed threat actors leveraging
relatively new vulnerabilities in Microsoft Office to spread Zyklon
HTTP malware. Zyklon has been observed in the wild since early 2016
and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of
keylogging, password harvesting, downloading and executing additional
plugins, conducting distributed denial-of-service (DDoS) attacks, and
self-updating and self-removal. The malware may communicate with its
command and control (C2) server over The Onion Router (Tor) network if
configured to do so. The malware can download several plugins, some of
which include features such as cryptocurrency mining and password
recovery, from browsers and email software. Zyklon also provides a
very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered
primarily through spam emails. The email typically arrives with an
attached ZIP file containing a malicious DOC file (Figure 1 shows a
sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services

Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment,
     which contains a malicious DOC.
  2. The document files exploit at least three known vulnerabilities
     in Microsoft Office, which we discuss in the Infection Techniques
     section. Upon execution in a vulnerable environment, the
     PowerShell based payload takes over.
  3. The PowerShell script is responsible for downloading the final
     payload from the C2 server to execute it.

A visual representation of the attack flow and execution chain can
be seen in Figure 2.

Figure 2: Zyklon attack flow

Infection Techniques


This vulnerability was discovered by FireEye in September 2017, and
it is a vulnerability we have observed being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution,
triggers the download of an additional DOC file from the stored URL
(seen in Figure 3).

Figure 3: Embedded URL in OLE object


Similarly, we have also observed actors leveraging another newly discovered
vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the
malicious DOC attachment, an additional download is triggered from a
stored URL within an embedded OLE Object (seen in Figure 4).

Figure 4: Embedded URL in OLE object

Figure 5: HTTP GET request to download
the next level payload

The downloaded file, doc.doc, is XML-based and contains a
PowerShell command (shown in Figure 6) that subsequently
downloads the binary Pause.ps1.

Figure 6: PowerShell command to download
the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication
mechanism that is exploited to perform remote code execution. With the
help of a PowerShell script (shown in Figure 7), the next payload
(Pause.ps1) is downloaded.

Figure 7: DDE technique used to download
the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less
IP addresses (example: hxxp://258476380).
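Added example (not code from the FireEye post): normalising numeric, dot-less hosts so that they can be compared with ordinary dotted-quad indicators. It handles the decimal form quoted above and also the hex and octal forms that the same URL parsers accept, which goes beyond the post; the proxy log lines are constructed.

```python
"""Normalise numeric ("dot-less") URL hosts to dotted-quad form."""
import ipaddress
import re
from urllib.parse import urlsplit

# A host made of a single number: decimal, 0x-prefixed hex, or leading-0
# octal. The decimal form is the one the post quotes; hex and octal are
# handled because the same URL parsers accept them.
_NUMERIC_HOST = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]+|[1-9][0-9]*)$", re.IGNORECASE)


def normalize_host(host: str):
    """Return the dotted-quad form of a numeric host, or None if the host is
    a name, an ordinary dotted address, or a number too large for IPv4."""
    if not _NUMERIC_HOST.match(host):
        return None
    h = host.lower()
    if h.startswith("0x"):
        value = int(h[2:], 16)
    elif h.startswith("0"):
        value = int(h, 8)
    else:
        value = int(h, 10)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def find_dotless_urls(log_text: str):
    """Return (url, dotted_host) for every URL in the log whose host is numeric."""
    hits = []
    for line in log_text.splitlines():
        for url in re.findall(r"https?://\S+", line):
            host = urlsplit(url).hostname or ""
            dotted = normalize_host(host)
            if dotted is not None:
                hits.append((url, dotted))
    return hits


# Constructed proxy log lines (not from the post). The first URL reuses the
# decimal host the post quotes; the hex host is made up.
SAMPLE_LOG = """\
2018-01-17T10:02:11Z 10.0.0.21 GET http://258476380/Pause.ps1 200
2018-01-17T10:02:12Z 10.0.0.21 GET http://www.example.com/index.html 200
2018-01-17T10:03:40Z 10.0.0.33 GET http://0xc0a80101/doc.doc 200
2018-01-17T10:04:01Z 10.0.0.33 GET http://192.168.1.1/ok 200
"""

if __name__ == "__main__":
    for url, dotted in find_dotless_urls(SAMPLE_LOG):
        print(f"{url} -> host {dotted}")
```

Run the normaliser before comparing proxy logs against an IP blocklist; a blocklist keyed on dotted quads silently misses every dot-less form otherwise. The numeric form itself is also a reasonable alert condition on its own, since ordinary web traffic almost never uses it.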

Figure 8 shows the network communication of the Pause.ps1 download.

Figure 8: Network communication to
download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the
next level payload (Pause.ps1), which is another PowerShell
script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs
required for code injection. It also contains the injectable
shellcode. The APIs include VirtualAlloc(), memset(), and
CreateThread(). Figure 9 shows the decoded Base64 code.

Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload
from the server (see Figure 10). The final stage payload is a PE
executable compiled with .Net framework.

Figure 10: Network traffic to download
final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and
     drops an XML file, which contains configuration information for
     Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file
     contains the packed core payload in its .Net resource section.
  3. The unpacked code is Zyklon.

Figure 11: XML configuration file to
schedule the task

The Zyklon malware first retrieves the external IP address of the
infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .Net
resource section named tor. This file is decrypted and injected
into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network.
The malware sends a POST request to the C2 server; the path gate.php,
which is stored in the file, is appended to the C2 server address.
The parameter passed to this request is getkey=y. In response to this
request, the C2 server responds with a Base64-encoded RSA public key
(seen in Figure 12).

Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware
can communicate with its control server using the commands shown in
Table 1.

Command   Action
sign      Requests system information
settings  Requests settings from C2 server
logs      Uploads harvested passwords
wallet    Uploads harvested cryptocurrency wallet
proxy     Indicates SOCKS proxy port opened
miner     Cryptocurrency miner commands
error     Reports errors to C2 server
ddos      DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server
response for the “settings” (Figure 13), “sign” (Figure 14), and
“ddos” (Figure 15) commands.

Figure 13: Zyklon issuing “settings”
command and subsequent server response

Figure 14: Zyklon issuing “sign” command
and subsequent server response

Figure 15: Zyklon issuing “ddos” command
and subsequent server response

Plugin Manager

Zyklon downloads a number of plugins from its C2 server. The plugin
URL is stored in the file in the following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey
  • SRWare Iron Browser
  • Comodo Dragon

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following
FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars

Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x – v7.x
  • Windows Live
  • MSN Messenger
  • Google Talk
  • GMail
  • PaltalkScene IM
  • Pidgin (Formerly Gaim)
  • Miranda Messenger
  • Windows Credential

License Key Recovery

The malware automatically detects and decrypts the license/serial
keys of more than 200 popular pieces of software, including Office,
SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy
server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard and replace the
user’s copied bitcoin address with an address served up by the actor’s
control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being
advertised in a popular underground marketplace for the following prices:

  • Normal build: $75
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)


Threat actors incorporating recently discovered vulnerabilities in
popular software – Microsoft Office, in this case – only increases the
potential for successful infections. These types of threats show why
it is very important to ensure that all software is fully updated.
Additionally, all industries should be on alert, as it is highly
likely that the threat actors will eventually move outside the scope
of their current targeting.

At this time of writing, FireEye Multi Vector Execution (MVX) is able
to recognize and block this threat. Table 2 lists the current
detection and blocking capabilities by product.

Detection Name                 Product    Action
Malware.Binary.rtf             EX/ETP/NX  Block
Malware.Binary                 EX/ETP/NX  Block
FE_Exploit_RTF_CVE_2017_8759   EX/ETP/NX  Block
FE_Exploit_RTF_CVE201711882_1  EX/ETP/NX  Block

Table 2: Current detection capabilities by
FireEye products

Indicators of Compromise

The contained analysis is based on the representative sample lures
shown in Table 3.

MD5                               Name
d91bed734a8e98b52b8ab0c7fafc6573  accounts.doc
4bae7fb819761a7ac8326baf8d8eb6ab  Courier.doc
eb5fa454ab42c8aec443ba8b8c97339b  doc.doc
886a4da306e019aa0ad3a03524b02a1c  Pause.ps1
04077ecbdc412d6d87fc21e4b3a4d088  words.exe

Table 3: Sample Zyklon lures

Network Indicators

Author: Swapnil Patil

Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software

By exploiting a known vulnerability on Internet-facing Oracle WebLogic servers, threat actors deployed cryptocurrency miners to Linux and Windows systems.

In December 2017, Secureworks® incident response (IR) analysts responded to multiple incidents where threat actors compromised vulnerable Internet-facing Oracle WebLogic servers on Linux and Windows systems to deploy cryptocurrency software. The unauthorized activity significantly impacted the performance of business-critical and client-facing applications. The continued inquiries about this activity in January 2018 suggest that many organizations have been affected.

Triage of the available data from compromised Linux systems revealed binary files in the /tmp directory consuming processing power and causing performance degradation. When analyzing infected hosts, IR analysts discovered a series of POST requests to /wls-wsat/CoordinatorPortType11 that resulted in an HTTP error code 500 (internal server error). The POST requests attempted to exploit WebLogic vulnerability CVE-2017-10271, which Oracle addressed in October 2017. According to the vulnerability description, this “easily exploitable” issue allows an “unauthenticated attacker with network access via HTTP to compromise [an] Oracle WebLogic Server.”
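As an added example (not from the Secureworks post), the Python below parses access-log lines and flags POST requests to the wls-wsat path, which is the traffic pattern the analysts describe. Matching the whole /wls-wsat/ prefix rather than only CoordinatorPortType11 is a triage assumption, and the log lines are constructed.

```python
"""Flag POST requests to the WebLogic wls-wsat endpoint in access logs."""
import re
from collections import Counter

# Common log format: client ident user [time] "METHOD path proto" status size
_LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# The post names /wls-wsat/CoordinatorPortType11; the whole prefix is
# matched here as a triage assumption so sibling endpoints are not missed.
_SUSPECT_PREFIX = "/wls-wsat/"


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = _LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_wls_wsat_posts(log_text: str):
    """Return parsed entries that are POSTs under /wls-wsat/. A 500 was the
    response seen in the incidents, but every status is reported: a 200 may
    mean a well-formed payload that ran rather than a failed attempt."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if (entry and entry["method"] == "POST"
                and entry["path"].startswith(_SUSPECT_PREFIX)):
            findings.append(entry)
    return findings


def clients_by_attempts(findings):
    """Count flagged requests per source address."""
    return Counter(f["client"] for f in findings)


# Constructed access-log lines (not from the post): two POSTs to the endpoint
# the post names, ordinary console traffic, one POST to a sibling endpoint,
# and a plain GET of the endpoint, which is not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2017:03:12:44 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1320
203.0.113.7 - - [14/Dec/2017:03:12:45 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1320
10.1.2.3 - - [14/Dec/2017:03:13:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [14/Dec/2017:03:14:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 0
198.51.100.9 - - [14/Dec/2017:03:20:00 +0000] "GET /wls-wsat/CoordinatorPortType11 HTTP/1.1" 200 660
"""

if __name__ == "__main__":
    found = find_wls_wsat_posts(SAMPLE_LOG)
    for entry in found:
        print(f"{entry['time']}  {entry['client']}  {entry['path']}  {entry['status']}")
    print(clients_by_attempts(found).most_common())
```

Flagged hosts should be checked for the artefacts described next (binaries in /tmp, new cron entries, rc.local changes) whatever the HTTP status, since the 500 reflects the server's handling of the payload, not whether the command it carried ran.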

Examination of client environments revealed at least two variations of a Bash script downloaded after successful exploitation. The first variation (see Figure 1) instructs the impacted system to use Wget to download “72 . 11 . 140 . 178/files/l/default” (MD5: faca70429c736dbf0caf2c644622078f) and save it to /tmp/rcp_bh. Once downloaded, rcp_bh is executed to run in the background on the compromised system.

Figure 1. Bash function to download cryptocurrency software. (Source: Secureworks)

The second script variation creates two persistence mechanisms based on the impacted service account name. As shown in Figure 2, the Bash script prints the name of the user account running the script. If the account is root, then is downloaded to /etc/ and executed. If the user account is anything else, is downloaded to the /tmp directory and executed.

Figure 2. Bash script identifying user. (Source: Secureworks)

If is executed, it downloads and executes “nativesvc” from 207. 246 . 68 . 21. The script then establishes persistence on the compromised server by creating a cron job and modifying the rc.local file to continually check for the miner and download a new copy if the check fails. If is executed, it downloads and executes a cryptocurrency mining binary file named “river” from 207 . 246. 125 . 40 but does not create a persistence mechanism.

Windows hosts running vulnerable Oracle WebLogic servers have also been targeted. Observed attacks have downloaded open-source miners such as XMRig.

These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts. The market valuation of various cryptocurrencies and the ability to outsource resource costs associated with mining make this kind of activity attractive to threat actors. This type of activity will likely continue as long as cryptocurrency mining provides a return on investment for generating funds.

In addition to reviewing and applying the Oracle security update as appropriate, network defenders should implement the following mitigations. These mitigations also protect systems against other types of threats.

  • Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that do not serve a legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
  • Review and apply appropriate security updates for operating systems and applications in a timely manner.
  • Apply the principle of least privilege for system and application credentials, limiting administrator-level access to authorized users and contexts. For Windows systems, consider a solution such as Microsoft’s Local Administrator Password Solution (LAPS) to simplify and strengthen password management.
  • If possible, implement endpoint and network security technologies and centralized logging to detect, restrict, and capture malicious activity. Managing outbound network connections through monitored egress points can help to identify outbound cryptocurrency mining traffic, particularly unencrypted traffic using non-standard ports.
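The last mitigation above, egress monitoring for unencrypted mining traffic on non-standard ports, can be turned into a concrete check. This added example (not part of the advisory) scans constructed flow records for the two pool domains named in the advisory and for plaintext Stratum-style JSON-RPC handshakes; the tab-separated record layout is an assumption.

```python
"""Flag likely cryptocurrency-mining egress in flow records.

Added example, not code from the advisory. The records below are
constructed in an assumed tab-separated layout
(ts, src, dst, dst_port, server_name, first_bytes) and are not real traffic.
"""
import json

# Pool domains named in the advisory's indicator table.
KNOWN_POOLS = {"pool.minexmr.com", "pool.supportxmr.com"}

# Stratum-style JSON-RPC methods: XMRig sends "login"; Bitcoin-family
# Stratum clients send "mining.subscribe".
STRATUM_METHODS = {"login", "mining.subscribe"}

# Egress ports with a business justification; anything else is "non-standard".
STANDARD_PORTS = {25, 53, 80, 443, 587, 993}

# Constructed sample records: one benign HTTPS flow, one XMRig login on a
# non-standard port, one Stratum subscribe to an unknown pool on port 443.
SAMPLE_RECORDS = [
    "1516000000.1\t10.0.0.5\t203.0.113.10\t443\tupdates.example.com\t<TLS ClientHello>",
    '1516000001.2\t10.0.0.7\t198.51.100.9\t3333\tpool.supportxmr.com\t'
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET",'
    '"pass":"x","agent":"XMRig/2.4.2"}}',
    '1516000002.3\t10.0.0.9\t198.51.100.20\t443\tstratum.example.net\t'
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
]


def stratum_method(first_bytes):
    """Return the Stratum method name if the payload is a plaintext
    JSON-RPC mining call, else None."""
    try:
        msg = json.loads(first_bytes)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    return method if method in STRATUM_METHODS else None


def classify(record):
    """Return the list of reasons a record is suspicious ([] means clean)."""
    _ts, _src, _dst, port, server_name, first_bytes = record.split("\t")
    port = int(port)
    reasons = []
    if server_name in KNOWN_POOLS:
        reasons.append("known mining pool: " + server_name)
    method = stratum_method(first_bytes)
    if method:
        reasons.append("plaintext Stratum call: " + method)
        params = json.loads(first_bytes).get("params")
        if isinstance(params, dict) and "agent" in params:
            reasons.append("miner agent: " + params["agent"])
        if port not in STANDARD_PORTS:
            reasons.append("non-standard egress port %d" % port)
    return reasons


def scan(records):
    """Map record index -> reasons for every suspicious record."""
    result = {}
    for i, record in enumerate(records):
        reasons = classify(record)
        if reasons:
            result[i] = reasons
    return result


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_RECORDS).items():
        print(i, "; ".join(reasons))
```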

The indicators in Table 1 are associated with this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.


Table 1. Indicators for this threat.

Go to Source
Author: Incident Response Team

North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign

Insikt Group


Key Judgements

  • North Korean government actors, specifically Lazarus Group, continued to target South Korean cryptocurrency exchanges and users in late 2017, before Kim Jong Un’s New Year’s speech and subsequent North-South dialogue.
  • This campaign also targeted South Korean college students interested in foreign affairs and part of a group called “Friends of MOFA” (Ministry of Foreign Affairs).
  • The malware employed shared code with Destover malware, which was used against Sony Pictures Entertainment in 2014 and the first WannaCry victim in February 2017.
  • The dropper in this campaign exploited a known Ghostscript vulnerability, CVE-2017-8291. The exploit implementation includes Chinese terms possibly signifying an attempted false flag or a Chinese exploit supplier.

Executive Summary

North Korea continued to target South Korea through late 2017 with a spear phishing campaign against both cryptocurrency users and exchanges, as well as South Korean college students interested in foreign affairs. The malware in this campaign utilizes a known Ghostscript exploit (CVE-2017-8291) and is tailored to target only users of a Korean language word processor, Hancom’s Hangul Word Processor.


North Korean state-sponsored cyber operations are largely clustered within the Lazarus Group umbrella. Also known as HIDDEN COBRA by the U.S. government, Lazarus Group has conducted operations since at least 2009, when they launched a DDoS attack on U.S. and South Korean websites utilizing the MYDOOM worm. Until 2015, Lazarus Group cyber activities primarily focused on South Korean and U.S. governments and financial organizations, including destructive attacks on South Korean banking and media sectors in 2013 and the highly publicized attack on Sony Pictures Entertainment in 2014.

Beginning in 2016, researchers discovered a shift in North Korean operations toward attacks against financial institutions designed to steal money and generate funds for the Kim regime.

Recorded Future Lazarus Group Intel Card

Lazarus Group in Recorded Future.

By 2017, North Korean actors had jumped on the cryptocurrency bandwagon. The first known North Korean cryptocurrency operation occurred in February 2017, with the theft of $7 million (at the time) in cryptocurrency from South Korean exchange Bithumb. By the end of 2017, several researchers had reported additional spear phishing campaigns against South Korean cryptocurrency exchanges, numerous successful thefts, and even Bitcoin and Monero mining. North Korea also utilized Bitcoin for the global WannaCry ransomware attack in mid-May, forcing victims to pay ransom in Bitcoin.

Threat Analysis

Insikt Group researchers regularly follow North Korean threat actors through a variety of methods, one of which includes proactive monitoring of attack vectors based on software disproportionately adopted in South Korea. Using this methodology, we identified a recent Lazarus Group malware campaign, which likely began late Fall 2017. Lazarus Group operations target a wide swath of countries and verticals, with a particular interest in South Korean targets.

Recent reporting regarding North Korean attacks against cryptocurrency exchanges and using Pyeongchang Olympics as a lure describe techniques that are unusual for the Lazarus Group. These include leveraging PowerShell, HTA, JavaScript, and Python, none of which are common in Lazarus operations over the last eight years. The campaign we discovered showcases a clear use of Lazarus TTPs to target cryptocurrency exchanges and social institutions in South Korea.

This campaign leveraged four different lures and targeted Korean-speaking users of the Hangul Word Processor (.hwp file extension), a Korean-language word processing program utilized widely in South Korea. North Korean state-sponsored actors have used Hangul exploits (CVE-2015-6585) and malicious .hwp files in the past, including during a phishing campaign in early 2017, to target South Korean users.

Beyond Korean-speaking HWP users, targets of this campaign appear to be users of the Coinlink cryptocurrency exchange, South Korean cryptocurrency exchanges at large (or at least those that are hiring), and a group called “Friends of MOFA” (Ministry of Foreign Affairs), which is a group of college students from around South Korea with “a keen interest in foreign affairs.”

Prompts on Coinlink

Payload shows two prompts from, the first tells the user their password is incorrect, the second asks for their email address.

The first cryptocurrency-focused lure appears designed to obtain the emails and passwords of users of Coinlink, a cryptocurrency exchange run by the South Korean electronic stock exchange KOSDAQ.

The second and third appear to be resumes stolen from two actual South Korean computer scientists, both with work experience at South Korean cryptocurrency exchanges.

The fourth document was lifted from a blog run by the South Korean group “Friends of MOFA” detailing a Korean Day celebration in late September 2017 during which President Moon Jae-in spoke about the importance of the Korean diaspora and the upcoming Winter Olympics in Pyeongchang.

Document From Friends of MOFA Blog Post

This document is from a blog post from the “Friends of MOFA” (Ministry of Foreign Affairs) detailing a Korean Day celebration attended by President Moon Jae-in.1

Technical Analysis

This campaign relies on a known Ghostscript exploit (CVE-2017-8291) that can be triggered from within an embedded PostScript in a Hangul Word Processor document.

Recorded Future Timeline of CVE-2017-8291 Exploitation

Timeline of CVE-2017-8291 exploitation.

Screenshot of Function Names in the PostScript

Screenshot of the function names utilized in the PostScript.

Our initial finding focused on the “로그인 오류.hwp” or “Korean Day” lure, but once we created a signature for the particular implementation of the PostScript, we found three additional lure documents in a public malware repository tied together by the use of this exploit: two CVs and a cryptocurrency exchange-themed lure. All were created in the span of a month from mid-October to late November. Despite a nearly identical delivery mechanism (with the exception of altered 4-byte XOR keys), the payloads (when recoverable) were different in each case.

It’s worth noting that the function names used in the PostScript are transliterated Chinese words. While “yima” (decode) and “yaoshi” (key) appear appropriate in their functional context, the word “yinzi” (factor/money) does not. The latter may be obscure technical slang or be a misuse signifying a potential false flag.

This would not be the first time the Lazarus Group used foreign-language terms to misdirect attribution efforts; BAE researchers discovered transliterated Russian terms in previous Lazarus operations. However, an alternate explanation may point to a Chinese exploit supplier or the language competency of the developer.

The attack chain occurs in multiple stages, with the PostScript deobfuscating a first-stage shellcode that has been XORed with a hardcoded four-byte key. The shellcode in turn triggers the Ghostscript vulnerability in order to execute an embedded DLL that has also been XORed. A PwnCode.Club blog post details the deobfuscation of the shellcode and loading of the DLL into memory.
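Because each lure used a different four-byte XOR key, an analyst recovering the embedded DLL needs the key before anything else. This added example (not the campaign's code and not the PwnCode.Club write-up) recovers such a key from the XORed payload alone by treating the PE headers as known plaintext; the sample payload and key are constructed.

```python
"""Recover a 4-byte XOR key from an XOR-encoded PE payload.

Added analyst example, not the campaign's code. It assumes the embedded DLL
is XORed byte-wise with a repeating 4-byte key starting at offset 0 (as the
report describes) and uses the PE headers as known plaintext: "MZ" fixes key
bytes 0 and 1, and the "PE\\0\\0" signature at e_lfanew confirms bytes 2 and 3.
"""
import struct
from itertools import cycle


def xor4(data, key):
    """XOR data with a repeating 4-byte key (symmetric: encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_slice(blob, key, start, length):
    """Decode blob[start:start+length] with the key aligned to offset 0."""
    return bytes(blob[start + i] ^ key[(start + i) % 4] for i in range(length))


def recover_key(blob):
    """Return the 4-byte key under which blob decodes to a PE image, or None."""
    if len(blob) < 0x44:
        return None
    k0 = blob[0] ^ ord("M")            # DOS header magic "MZ" fixes key[0..1]
    k1 = blob[1] ^ ord("Z")
    for k2 in range(256):
        for k3 in range(256):
            key = bytes((k0, k1, k2, k3))
            # e_lfanew (offset 0x3C, 4 bytes) points at the PE signature.
            lfanew = struct.unpack("<I", xor_slice(blob, key, 0x3C, 4))[0]
            if lfanew + 4 > len(blob):
                continue                # wrong key: pointer lands outside blob
            if xor_slice(blob, key, lfanew, 4) == b"PE\0\0":
                return key
    return None


def build_fake_pe(lfanew=0x80):
    """Constructed stand-in for an embedded DLL: only the headers matter here."""
    dos = bytearray(b"MZ" + b"\x90" * 0x3A + struct.pack("<I", lfanew))
    dos += b"\0" * (lfanew - len(dos))
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\xcc" * 64


SAMPLE_KEY = b"\x13\x37\xc0\xde"       # constructed; each real lure used its own
SAMPLE_PLAIN = build_fake_pe()
SAMPLE_ENCODED = xor4(SAMPLE_PLAIN, SAMPLE_KEY)


def decode_payload(blob):
    """Recover the key and return (key, decoded_bytes); (None, None) on failure."""
    key = recover_key(blob)
    if key is None:
        return None, None
    return key, xor4(blob, key)


if __name__ == "__main__":
    key, dll = decode_payload(SAMPLE_ENCODED)
    print("key:", key.hex(), "header:", dll[:2], dll[0x80:0x84])
```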

Lazarus malware families (like Hangman, Duuzer, Volgmer, SpaSpe, etc.) overlap, likely as the result of the developers cutting and splicing an extensive codebase of malicious functionality to generate payloads as needed. This erratic composition makes the Lazarus intrusion malware difficult to identify and group or cluster, unless the samples are analyzed at the level of code similarity.

Upon deobfuscating the payloads, we found 32-bit DLLs built in part on the Destover malware code. Destover has been used in a number of North Korea-attributed operations: most infamously against Sony Pictures Entertainment in 2014, the Polish banking attacks in January 2017, and the first WannaCry victim in February 2017.

This campaign relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files. Each payload contains an embedded 64-bit version of itself. The payloads accompanying the newer cryptocurrency exchange-themed lure docs compiled a month after the Korean Day payload further obfuscate their functionality by resolving imports at runtime.

This type of obfuscation is common in the Lazarus Hangman malware family. The payloads also rely entirely on IPs (rather than domains) for their command-and-control infrastructure, a tactic likely born of the use of hacked servers for infrastructure.


This late 2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft. Outside of the May WannaCry attack, the majority of North Korean cryptocurrency operations have targeted South Korean users and exchanges, but we expect this trend to change in 2018. We assess that as South Korea responds to these attempted thefts by increasing security (and possibly banning cryptocurrency trading) they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well.

Further, while this campaign and toolset are specific to the Hangul Word Processor, the vulnerability it exploited (CVE-2017-8291) is not. This vulnerability is for the Ghostscript suite and affects a wide range of products, and while this particular version is triggered from within an embedded PostScript in an HWP document, it could easily be adapted to other software.

As South Korean exchanges harden their networks and the government imposes stricter regulatory controls on cryptocurrencies, exchanges and users in other countries should be aware of the increased threat level from North Korean actors.

To see the indicators of compromise associated with this analysis, download the appendix.

1Note: All Korean language translations provided by Gerald Kim.

The post North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign appeared first on Recorded Future.

Go to Source
Author: Juan Andres Guerrero-Saade and Priscilla Moriuchi

Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributers can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

  1. Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
  2. If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
  3. Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.

  4. We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.

Go to Source
Author: Anna Markovskaya

Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely

There’s a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users’ computers. That’s according to a researcher with Google’s Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy’s private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday—only 40 days after the initial report—because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.

“I’m finding it frustrating that the Transmission developers are not responding on their private security list,” Ormandy wrote in Tuesday’s public report. “I suggested moving this into the open so that distributions can apply the patch independently.”

A Transmission development official told Ars that he expected an official fix to be released “ASAP” but was not specific. He said the vulnerability was present only when users enabled remote access and disabled password protection. He said people who run the unpatched version of Transmission as a daemon should ensure they have enabled password protection.

DNS rebinding strikes again

Ormandy’s proof-of-concept attack exploits a Transmission function that allows users to control the BitTorrent app with their Web browser. The researcher said most people don’t enable password protection because they assume the JSON RPC interface can only be controlled by someone with physical access to the computer running Transmission. Using a hacking technique known as domain name system rebinding, Ormandy devised a way that the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. He said he confirmed his exploit works on Chrome and Firefox on Windows and Linux and that he expects other platforms and browsers are also affected.

Attackers can exploit the flaw by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer. In a separate posting publishing the patch, Ormandy wrote:

  1. A user visits, which has an <iframe> to a subdomain the attacker controls.
  2. The attacker configures their DNS server to respond alternately with (an address they control) with a very low TTL.
  3. When the browser resolves to, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.

Among the things an attacker can do is change the Torrent download directory to the user’s home directory. The attacker could then command Transmission to download a Torrent called “.bashrc” which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of “relatively low complexity, which is why I’m eager to make sure everyone is patched.”
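The rebinding sequence above works because the loopback service answers any request that reaches it, even though the browser still sends the attacker's hostname in the Host header. This added example (not Transmission's code) shows the standard defence: a loopback-bound RPC endpoint that refuses requests whose Host header does not name the service itself; the port number, the allow-list and the sample headers are assumptions.

```python
"""Recognise DNS-rebinding requests to a loopback RPC service via Host.

Added example, not Transmission's code. A rebound request reaches the
loopback service through the attacker's hostname, so the browser's Host
header still names that hostname; a service that only honours Host values
naming itself (loopback names or an explicit allow-list) refuses it.
Port 9091 and the sample headers are constructed for the example.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
RPC_PORT = 9091          # assumed listening port for the example


def split_host(host_header):
    """Split 'name[:port]' into (lower-cased name, port or None);
    bracketed IPv6 literals such as '[::1]:9091' are handled."""
    if host_header.endswith("]") or ":" not in host_header:
        return host_header.lower(), None
    name, _, port = host_header.rpartition(":")
    return name.lower(), port


def host_allowed(host_header, allow_list=(), expected_port=RPC_PORT):
    """True only if the Host header names this service itself."""
    if not host_header:
        return False                  # HTTP/1.1 requires Host; refuse if absent
    name, port = split_host(host_header)
    if port is not None and port != str(expected_port):
        return False                  # names some other port, not this service
    return name in LOOPBACK_HOSTS or name in {h.lower() for h in allow_list}


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal JSON-RPC-style endpoint that applies the Host check first."""
    allow_list = ()

    def do_POST(self):
        if not host_allowed(self.headers.get("Host"), self.allow_list):
            self.send_error(403, "Host header does not name this service")
            return
        body = b'{"result":"success"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed cases: (Host header, allow_list, expected decision).
SAMPLE_CASES = [
    ("localhost:9091", (), True),
    ("127.0.0.1", (), True),
    ("[::1]:9091", (), True),
    ("rebind.attacker.example:9091", (), False),   # the DNS rebinding case
    ("nas.home.example:9091", ("nas.home.example",), True),
    ("localhost:8080", (), False),
    ("", (), False),
]


if __name__ == "__main__":
    for host, allow, expected in SAMPLE_CASES:
        assert host_allowed(host, allow) is expected, host
    HTTPServer(("127.0.0.1", RPC_PORT), RpcHandler).serve_forever()
```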

In a tweet, Ormandy said the vulnerability was the “first of a few remote code execution flaws in various popular torrent clients.” He didn’t name the other apps because the 90-day window hasn’t closed yet.

While last week’s disclosure has the most immediate consequences for Transmission users, its lessons about the dangers of DNS rebinding are broadly applicable to people using a wide range of apps.

“I regularly encounter users who don’t accept that websites can access services on localhost or their intranet,” Ormandy wrote. “These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website ‘transfers’ execution somewhere else. It doesn’t work like that, but this is a common source of confusion.”

Go to Source
Author: Dan Goodin