Inside a Twitter ‘Pornbot’ Campaign

Flashpoint analysts recently investigated the trend of adult entertainment-themed Twitter bots known as pornbots, which post tweets with hashtags containing popular brand names alongside random, unrelated terms. The observed set of pornbots appears to be a mix of compromised accounts and accounts specifically created to advertise pornography. As such, organizations mentioned in these bots’ pornographic advertising campaigns on Twitter may suffer reputational damage in addition to distorted social media engagement campaign metrics.

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized.

In recent years, Twitter has become a primary form of external, two-way communication and engagement for organizations across all sectors. For example, companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events. More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked to the sample profiles shown above were hosted on one of two common servers, which may indicate the pornbots share a common origin. Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.

Advertising Methods

Flashpoint analysts observed two primary methods of advertising across the pornbot accounts:

• Hashtagged tweets: The first advertising method utilized hashtags followed by random risqué buzzwords and a link to an adult dating or video website, often featuring online “cam girls” or escort services.

• Link in bio and pinned tweet: The second advertising method includes multiple accounts sharing similar bios and pinned tweets, which contain links to adult content sites.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Identifying Pornbots

Image 5: Sample guide to identifying pornbots and spambots.

Over the course of their investigation, Flashpoint analysts noted several common traits that can be used to identify pornbots and other spambots:

• Reused profile images: The profile pictures used by the observed pornbots were all obtained from public profiles on open websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were reused by multiple pornbots.

• Systematic coordination: Related sets of pornbots systematically coordinated their tweets. One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms. 

• Many tweets, but few followers: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets, but typically had fewer than 200 followers. Similarly, most of the pornbots were following fewer than 200 other users. 

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 7: Example of systemically coordinated tweeting among pornbots.

Pornbot Mitigation Best Practices

The following mitigation measures may help reduce the number of pornbots and spambots using brand names. These steps may also reduce the number of false detections and aid in validating social media metrics:

• Challenge social media teams to identify and block pornbots and spambots following company social media accounts. This action impacts the bots’ ability to capture and retweet relevant and branded tweets.

• Require social media teams to report these accounts through Twitter’s abuse function.

• Implement response actions to react to large campaigns, such as social media teams and cyber threat teams notifying each other when activity is detected.

The post Inside a Twitter ‘Pornbot’ Campaign appeared first on Flashpoint.

Author: Flashpoint

Trojan.APT.Seinup Hitting ASEAN

1. Executive Summary

The FireEye research team has recently identified a number of spear
phishing activities targeting Asia and ASEAN. Of these, one of the
spear phishing documents was suspected to have used a potentially
stolen document as a decoy. The rich and contextual details (body and
metadata) which are not available online lead us to believe this was
stolen. This decoy document mentioned countries such as Brunei,
Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore,
Thailand, and Vietnam, which leads us to suspect that these countries
are targeted. As the content of this decoy document is suspected to be
a stolen sensitive document, the details will not be published.

This malware was found to have used a number of advanced techniques
which make it interesting:

  1. The malware leverages Google Docs to perform redirection to evade
     callback detection. This technique was also found in the malware
     dubbed “Backdoor.Makadocs” reported by Takashi Katsuki (Katsuki, 2012).
  2. It is heavily equipped with a variety of cryptographic functions to
     perform some of its functions securely.
  3. The malicious DLL is manually loaded into memory, which hides it
     from DLL listing.

As depicted in the diagram below, the spear phishing document (which
exploits CVE-2012-0158) creates a decoy document and a malware dropper
named exp1ore.exe. This dropper then drops wab.exe (the Address Book
application) and wab32res.dll (the malicious DLL) inside the temp folder.
When wab.exe is run, the malicious DLL named wab32res.dll (located
within the same folder) is loaded using the DLL side-loading
technique. This in turn installs a copy of wab32res.dll as
msnetrsvw.exe inside the Windows directory and registers it as a Windows
service. Registering as a Windows service allows the malware to
survive every reboot and persist on the network.

Figure 1 Infection Flow

This malware is named “Trojan.APT.Seinup” because one of its export
functions is named “seinup”. Analysis showed the malware to be a
backdoor that allows the attacker to remotely control the infected system.

Figure 2 Exported Functions

2. Related APT Domain and MD5

Based on our threat intelligence and reverse-engineering effort,
below are some related domains and MD5 sums. Please note that some of
the domain/IP associations may change.

2.1. Related Domain

Domain/URL | IP | Country | Comments
elizabearden.com | 124.172.243.211 | CN | Registrar: XIN NET TECHNOLOGY CORPORATION; Email: liangcheng04@sina.com
dnsserviceonline.com | 50.117.115.83, 50.117.115.84, 50.117.120.235, 69.46.84.51 | CN | Registrar: XIN NET TECHNOLOGY CORPORATION; Email: liangcheng04@sina.com
symteconline.com | 175.100.206.183 | CN | Registrar: XIN NET TECHNOLOGY CORPORATION; Email: Smartwise9851@yahoo.com
winshell.net | 58.64.190.34 | HK | Registrar: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD.; Email: richardmatind@yahoo.com
philnewsonline.com | 50.93.198.128 | US | Registrar: GODADDY.COM, LLC; Email: woooyeahh11@yahoo.com
www.info-week.com | 173.254.197.213 | US | Registrar: GODADDY.COM, LLC; Email: woooyeahh11@yahoo.com
go-twitter.com | 50.93.198.113 | US | Registrar: GODADDY.COM, LLC; Email: woooyeahh11@yahoo.com

2.2. Associated Files

Name | MD5 | Comments
Spear-phishing document and decoy document | CONFIDENTIAL | CONFIDENTIAL
iexp1ore.exe | 137F3D11559E9D986D510AF34CB61FBC | Dropper
wab.exe | CE67AAA163A4915BA408B2C1D5CCC7CC | Benign Address Book Application
wab32res.dll | FB2FA42F052D0A86CBDCE03F5C46DD4D | Malware to be side loaded when wab.exe is launched.
msnetrsvw.exe | FB2FA42F052D0A86CBDCE03F5C46DD4D | Malware to be installed as a service. Note: This is the same as wab32res.dll.
- | baf227a9f0b21e710c65d01f2ab01244 | Calls to www.elizabearden.com:80
- | 0845f03d669e24144df785ee54f6ad74 | Calls to www.dnsserviceonline.com:80
- | d64a22ea3accc712aebaa047ab818b07 | Calls to www.elizabearden.com:80
- | 56e6c27f9952e79d57d0b32d16c26811 | Calls to www.elizabearden.com:80
- | cdd969121a2e755ef3dc1a7bf7f18b24 | Calls to www.elizabearden.com:80
- | 709c71c128a876b73d034cde5e3ec1d3 | Calls to www.dnsserviceonline.com:80

3. Interesting Technical Observations

3.1. Redirection Using Google Docs

By connecting to the malicious server via Google Docs, the malicious
communication is protected by the legitimate SSL provided by Google
Docs (see Figure below). One possible way to examine the SSL traffic
is to make use of a hardware SSL decrypter within the organisation.
Alternatively, you may want to examine the usage pattern of the users.
If a particular user accesses Google Docs many times a day, the
organization’s Incident Response team may want to dig deeper to find
out whether the traffic is triggered by a human or by malware.

Figure 3 Retrieve Command via Google Docs

Below is the code that is used to construct a URL that retrieves a
command via Google Docs. First, the malicious URL is constructed and
then encoded. Next, the malware simply leverages the Google Docs
viewer to retrieve the command from the malicious server (see Figure
below).

Figure 4 View Command via GoogleDocs

3.2. Zero-Skipping XOR Encryption

The shellcode encryption technique is fairly standard. The shellcode
has a decryption stub which decrypts its body using the XOR key 0x9E,
and this shellcode is used to extract exp1ore.exe (malware) and Wor.doc
(benign document).

The exp1ore.exe and Wor.doc were found within the spear phishing
document, encrypted using the same technique with the key 0xFC. The XOR
key is applied only to non-zero bytes (see Figure 5). This prevents
statistical methods of recovering the XOR key. The encrypted
executable file and benign document were identified to be located
inside the spear phishing document at offsets 0x2509 and 0x43509 respectively.

Figure 5 Zero Skipping XOR Encryption

Even though statistical methods may not be useful in identifying the
XOR key, because the zero bytes are not encrypted, we can use some of
the “known” strings below to hunt for the XOR key in this situation. By
sliding the known string across the array of bytes and performing a
windowed XOR, the key is revealed at the offset where XORing the
encoded data with the known string yields one consistent byte.

  • “This program cannot be run in DOS mode”
  • “KERNEL32.dll”
  • “LoadLibraryA”
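The following Python is an added example (not FireEye's code) that implements the zero-skipping XOR and the windowed known-plaintext key recovery described above. It runs on a constructed PE-like buffer; the key 0xFC is the page's value, and a zero key is treated as "not encrypted".

```python
"""Zero-skipping XOR (section 3.2): decode and known-plaintext key recovery.

Added example, not FireEye's code. The scheme XORs every byte of the
embedded file with one key byte but leaves 0x00 bytes untouched, so the
classic "most frequent ciphertext byte is the key" shortcut fails. The
key is instead recovered by sliding a known PE string across the blob.
The sample buffer in build_sample() is constructed for this example.
"""
from typing import Optional, Tuple

# Strings the write-up suggests as known plaintext inside a PE file.
KNOWN_STRINGS = [
    b"This program cannot be run in DOS mode",
    b"KERNEL32.dll",
    b"LoadLibraryA",
]


def zero_skipping_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with `key` except 0x00; symmetric, so it decrypts too."""
    return bytes(b if b == 0 else b ^ key for b in data)


def recover_key_with(blob: bytes, known: bytes) -> Optional[int]:
    """Slide `known` over `blob` (windowed XOR) and return the single key
    byte under which some window decodes to `known`, or None.

    For a non-zero plaintext byte p at position i, blob[i] ^ key == p, so
    every such position votes key = blob[i] ^ p and all votes in a window
    must agree. A zero plaintext byte is skipped by the scheme, so it must
    still be 0x00 in the ciphertext. Key 0 is rejected as "not encrypted".
    """
    n = len(known)
    for i in range(len(blob) - n + 1):
        candidate = None
        for c, p in zip(blob[i:i + n], known):
            if p == 0:
                if c != 0:
                    break
                continue
            k = c ^ p
            if k == 0 or (candidate is not None and k != candidate):
                break
            candidate = k
        else:
            if candidate is not None:
                return candidate
    return None


def recover_key(blob: bytes) -> Optional[int]:
    """Try each known string in turn; the first consistent hit wins."""
    for s in KNOWN_STRINGS:
        key = recover_key_with(blob, s)
        if key is not None:
            return key
    return None


def carve(blob: bytes) -> Tuple[Optional[int], bytes]:
    """Recover the key and return (key, decoded blob); empty bytes if no key."""
    key = recover_key(blob)
    return key, (zero_skipping_xor(blob, key) if key is not None else b"")


def build_sample(key: int = 0xFC) -> Tuple[bytes, bytes]:
    """Constructed PE-like plaintext and its zero-skipping-XOR ciphertext."""
    plain = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 20
             + b"This program cannot be run in DOS mode\r\n$\x00\x00"
             + b"\x00" * 16 + b"KERNEL32.dll\x00LoadLibraryA\x00")
    return plain, zero_skipping_xor(plain, key)


if __name__ == "__main__":
    plain, enc = build_sample()
    key, decoded = carve(enc)
    print("recovered key: %s, decoded correctly: %s"
          % (hex(key) if key is not None else None, decoded == plain))
```

Note that a plaintext byte equal to the key encrypts to 0x00 and is then skipped on decryption, so the scheme is lossy for that one byte value; the constructed sample avoids it.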

3.3. Deployment of Various Cryptographic Functions

3.3.1. Secure Callback

The malware performs the callback in a secure manner. It uses a
custom Base64 map to encode its data, and creates a salted digital
thumbprint to allow validation of data.

Below are the steps to validate a callback, using the following URL as
an example:

hxxp://www.elizabearden.com/waterphp/BYyH.php?dEIXozUlFzx=5P&wDq=6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==&k4fJdSp7=cc3237bc79192a096440faca0fdae10&GvQF2lotIr5bT2=349118df672db38f9e65659874b60b27

The URL can be generalised as follows (the parameter names are random,
see 3.3.2):

Domain/?<random>=<A’>&<random>=<B’>&<random>=<C’>&<random>=<D’>

The definitions of A’, B’, C’ and D’ are as follows:

Let H be the function which encodes each byte as a hexadecimal escape
prefixed with “%” if it is not alphanumeric, a dash, an underscore or a
dot.

Let B64 be the Base64 encoder using the following custom map, “URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY”.

Let PT be the plain text, which is in the form of
“<HostName>[<RunType>]:<IPAddress>{1}”,
where HostName and IPAddress are strings and RunType is a character.

Let A be a random string of 3 to 7 characters, and A’ = H(A)

Let B be B64(PT), and B’ = H(B)

Let C be a 32-character delimiter, and C’ = H(C)

Let D be H(MD5(salt + MD5(B64(PT) + A + C))), where salt =
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23”, and D’ = H(D)

Hence, in this case, the specific malicious URL breaks down as follows:

Domain/ = http://www.elizabearden.com/waterphp/BYyH.php

A’ = “5Pb”

B’ = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S%2Bw8npH5oAZk==”

C’ = “cc3237bc79192a096440faca0fdae107”

D’ = “349118df672db38f9e65659874b60b27” (this is the digital signature)

The hash can be verified as follows:

B64(PT) + A + C =
“6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==” + “5Pb” + “cc3237bc79192a096440faca0fdae107”

MD5(B64(PT) + A + C) = “766cf9e96c1a508c59f7ade1c50ecd28”

MD5(salt + MD5(B64(PT) + A + C)) = MD5(
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23” + “766cf9e96c1a508c59f7ade1c50ecd28”)
= 349118df672db38f9e65659874b60b27

This equals D’, which means the callback is verified.

The encoded plain text (B) can be recovered as follows:

B64(PT) = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==”;

PT = “MY_COMPUTER_NAME[F]:192.168.1.1{1}”, where “MY_COMPUTER_NAME”
is the hostname, ‘F’ is the run type, “192.168.1.1” is the IP address.

Note: This example is mocked up using a dummy computer name and IP address.

The Python code shown in Figure 6 can be used to decode the custom
encoded string.

Figure 6 Python to Decode a Custom Base 64
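As an added example (not FireEye's code, and not the script in Figure 6), the Python below implements the definitions of section 3.3.1 end to end: the custom Base64 alphabet, the percent-encoder H, and the salted MD5 thumbprint D, so that a captured callback GET can be split into A', B', C', D', the beacon plaintext PT recovered, and the signature re-checked. The hostname and IP are the page's mocked-up values and the parameter names are taken from the example URL; the parser reads values by position because the names are random.

```python
"""Seinup callback format (section 3.3.1): custom Base64, H and thumbprint.

Added example, not FireEye's code. It implements the definitions above so
a captured GET can be split into A', B', C', D', the beacon plaintext PT
recovered and D = MD5(salt + MD5(B64(PT) + A + C)) re-computed. The
parameter names are random in real callbacks, so values are read by
position. Sample hostname/IP are the page's mocked-up values.
"""
import base64
import hashlib
import string
from typing import Dict, Sequence
from urllib.parse import unquote, urlsplit

CUSTOM_MAP = "URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY"
STD_MAP = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
SALT = "%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23"

# B64 is ordinary Base64 with the alphabet permuted; '=' padding is unchanged.
_TO_STD = str.maketrans(CUSTOM_MAP, STD_MAP)
_TO_CUSTOM = str.maketrans(STD_MAP, CUSTOM_MAP)


def custom_b64encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").translate(_TO_CUSTOM)


def custom_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_TO_STD))


def h_encode(s: str) -> str:
    """H: percent-encode every character except alphanumerics, '-', '_', '.'."""
    safe = string.ascii_letters + string.digits + "-_."
    return "".join(c if c in safe else "%%%02X" % ord(c) for c in s)


def thumbprint(b64_pt: str, a: str, c: str) -> str:
    """D = MD5(salt + MD5(B64(PT) + A + C)) as lowercase hex (H is a no-op on hex)."""
    inner = hashlib.md5((b64_pt + a + c).encode("ascii")).hexdigest()
    return hashlib.md5((SALT + inner).encode("ascii")).hexdigest()


def build_callback(base_url: str, names: Sequence[str], hostname: str,
                   run_type: str, ip: str, a: str, c: str) -> str:
    """Assemble a callback URL from the definitions (used here to exercise the parser)."""
    pt = "%s[%s]:%s{1}" % (hostname, run_type, ip)
    b = custom_b64encode(pt.encode("ascii"))
    d = thumbprint(b, a, c)
    values = (h_encode(a), h_encode(b), h_encode(c), h_encode(d))
    return base_url + "?" + "&".join("%s=%s" % nv for nv in zip(names, values))


def parse_callback(url: str) -> Dict[str, object]:
    """Split a captured callback, recover PT and verify the thumbprint."""
    query = urlsplit(url).query
    # unquote, not unquote_plus: a literal '+' from the B64 output must stay '+'
    values = [unquote(kv.split("=", 1)[1]) if "=" in kv else ""
              for kv in query.split("&")]
    if len(values) != 4:
        raise ValueError("expected four parameters A', B', C', D'")
    a, b, c, d = values
    pt = custom_b64decode(b).decode("ascii")
    hostname, rest = pt.split("[", 1)
    run_type, rest = rest.split("]:", 1)
    ip = rest[:-3] if rest.endswith("{1}") else rest
    return {"plaintext": pt, "hostname": hostname, "run_type": run_type,
            "ip": ip, "valid": thumbprint(b, a, c) == d.lower()}


if __name__ == "__main__":
    names = ["dEIXozUlFzx", "wDq", "k4fJdSp7", "GvQF2lotIr5bT2"]
    url = build_callback("http://www.elizabearden.com/waterphp/BYyH.php", names,
                         "MY_COMPUTER_NAME", "F", "192.168.1.1", "5Pb",
                         "cc3237bc79192a096440faca0fdae107")
    print(url)
    print(parse_callback(url))
```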

3.3.2. Random Generator Using Mersenne Twister Algorithm

The malware was found to perform its callback at random intervals so
as to evade network investigation that looks for connections made at a
regular interval. Additionally, even the names of the parameters in the
GET string have a random length and content, which makes it hard to
create a fixed signature to detect such callbacks (see 3.3.1 for how a
callback is created).

Figure 7 Mersenne Twister Algorithm Seeding function

3.4. In-Memory Only Malicious Code

On disk, the malicious code is either encrypted or compressed to
evade scanning using signature rules. Only upon being loaded into
memory does the malicious code (which appears to be in the form of a
DLL) get manually loaded, without the use of the Win32 loader API. In
this way, when an investigation is performed, the malicious DLL is not
revealed in the loaded module list. It also makes analysis much harder.

Figure 8 Segments in the memory which contains the malicious code

Taking a deeper look at the decrypted malicious code, this malware
was found to contain at least the following functions:

  • Download file
  • Download and execute or load library
  • Change sleep duration
  • Open and close interactive sessions

4. Conclusion

Malware is increasingly becoming more contextually advanced. It
attempts to appear as much as possible like legitimate software or
documents. In this example, we conclude the following.

  1. A potentially stolen document was used as a decoy document to
     increase its credibility. It is also a sign that the compromised
     organisations could be used as a soft target to compromise their
     business partners and allies.
  2. It is important to stop the malware infection at the very
     beginning, which is the exploitation phase. Once a network is
     compromised, it is increasingly harder to detect such threats.
  3. Anti-incident response/forensic techniques are increasingly used
     to evade detection. It takes a keen eye for detail and a wealth of
     experience to identify all these advanced techniques.

5. Works Cited

Carnegie Mellon University. (n.d.). Retrieved from http://www.cs.cmu.edu/~fp/courses/15122-f10/misc/rand/mersenne.c0

Katsuki, T. (19 Nov, 2012). Malware Targeting Windows 8 Uses Google Docs. Retrieved from http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs-0

I would like to thank several colleagues for their significant
contributions on this post: Darien Kindlund, Ned Moran, Nart
Villeneuve, and Thoufique Haq.

Author: Chong Rong Hwa

Malware Callbacks

Today we released our first-ever analysis of malware callbacks. Our
report can be accessed here: http://www2.fireeye.com/WEB2013ATLReport.html.

FireEye monitored more than 12 million malware communications seeking
instructions—or callbacks—across hundreds of thousands of infected
enterprise hosts, capturing details of advanced attacks as well as
more generic varieties during the course of 2012. Callback activity
reveals a great deal about an attacker’s intentions, interests and
geographic location. Cyber attacks are a widespread global activity.
We’ve built interactive maps that highlight the presence of malware
globally:  http://www.fireeye.com/cyber-attack-landscape/.

Our key findings:

  • Malware has become a multinational activity. Over the past year,
    callbacks were sent to command and control (CnC) servers in 184
    countries—a 42 percent increase when compared to 130 countries in 2010.
  • Two key regions stand out as hotspots driving advanced cyber attacks:
    Asia and Eastern Europe. Looking at the average callbacks per company
    by country, the Asian nations of China, South Korea, India, Japan, and
    Hong Kong accounted for 24 percent. Not far behind, the Eastern
    European countries of Russia, Poland, Romania, Ukraine, Kazakhstan,
    and Latvia comprised 22 percent. (North America represented 44 percent,
    but this is due to CnC servers residing in the United States to help
    attackers with evasion.)
  • The majority of Advanced Persistent Threat (APT) callback activities
    are associated with APT tools that are made in China or that
    originated from Chinese hacker groups. By mapping the DNA of known APT
    malware families against callbacks, FireEye Malware Intelligence Lab
    discovered that the majority of APT callback activities—89 percent—are
    associated with APT tools that are made in China or that originated
    from Chinese hacker groups. The main tool is Gh0st RAT.
  • Attackers are increasingly sending initial callbacks to servers within
    the same nation in which the target resides. To improve evasion,
    hackers are increasingly placing CnC servers within target nations. At
    the same time, this fact gives a strong indicator of which countries
    are most interesting to attackers.
  • Technology organizations are experiencing the highest rate of APT
    callback activity. With a high volume of intellectual property,
    technology firms are natural targets for attackers and are
    experiencing heavy APT malware activity.
  • For APT attacks, CnC servers were hosted in the United States 66
    percent of the time, a strong indicator that the U.S. is still the top
    target country for attacks. As previously mentioned, attackers
    increasingly put CnC servers in the target country to help avoid
    detection. With such a high proportion of CnC servers, by a wide
    margin, the U.S. is subject to the highest rate of malware attacks.
    This is likely due to a very high concentration of intellectual
    property and digitized data that resides in the U.S.
  • Techniques for disguising callback communications are evolving. To
    evade detection, CnC servers are leveraging social networking sites
    like Facebook and Twitter for communicating with infected machines.
    Also, to mask exfiltrated content, attackers embed information inside
    common files, such as JPGs, to give network scanning tools the
    impression of normal traffic.
  • Attack patterns vary substantially globally:
      • South Korean firms experience the highest level of callback
        communications per organization. Due to a robust internet
        infrastructure, South Korea has emerged as a fertile location for
        cybercriminals to host their CnC infrastructure. For example,
        FireEye found that callbacks from technology firms are most likely
        to go to South Korea.
      • In Japan, 87 percent of callbacks originated and stayed in country.
        This may give an indication of the high value of Japanese
        intellectual property.
      • In Canada, 99 percent of callbacks exited the country. In the U.K.,
        exit rates were 90 percent. High exit rates indicate attackers are
        unconcerned about detection. In Canada and the U.K., attackers
        appear to be unconcerned about detection and pursue low-hanging
        fruit opportunistically.

Author: Rob Rachwald

The Service You Can’t Refuse: A Secluded HijackRAT

In the Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers discovered such
malware, which pretends to be a “Google Service Framework”, kills an
anti-virus application and takes other malicious actions.

In the past, we’ve seen Android malware that execute privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the Virus Total score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.

Fig. 2. The Virus Total detection of the malware sample. [1]
Fig. 3. The fake “Google Service Framework” icon on the home screen.

A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started, as shown below. When the user tries to click the icon again,
it shows “App isn’t installed.” and then removes itself from the home
screen.

Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can
command, as shown below.

Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:

The content is encoded by Base64 RFC 2045. It is a JSONObject with
content: {“task”: {“0”: 0}}, when decoded. The
server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if
it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:

– “UPLOAD PRIVACY DETAILS”

The task list shown above will trigger the first malicious action of
“Upload Phone Detail.” When executed, the user’s private information
will be uploaded to the server using HTTP POST request. The
information contains phone number, device ID, and contact lists as
shown below in the network packet of the request:

When decoded, the content in the red and blue part of the PCap are
shown below respectively:

1. The red part:

2. The blue part:

The contact list shown above is already highly sensitive, yet,
if the user has installed some banking applications, the malware
will scan for them too.

In a testing device, we installed the eight Korean bank apps as
shown below:

Fig. 5. The eight banking apps.

When this was done, we found that the value of “banklist” in the PCap
was no longer listed as N/A:
The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. There is a map of the short names
and package names of the eight banking apps installed on the phone:

The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.

– “POP WINDOW”

In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” which is a popular
anti-virus application available on Google Play. In order to evade
detection, the malware kills the anti-virus application before
manipulating the bank apps. In the code shown below, Conf.LV is
the “com.ahnlab.v3mobileplus” package being killed.

Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:

Once the corresponding command is sent from the RAT, the
resolvePopWindow() method will be called and the device will pop a
Window with the message: “The new version has been released. Please
use after reinstallation.”

The malware will then try to download an app, named after
“update” and the bank’s short name from the CNC server,
simultaneously uninstalling the real, original bank app.

In the code shown above, “mpath” contains the CNC server IP
(103.228.65.101) and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQLite database. The fake APK (e.g.
“updateBH.apk”) is downloaded from the CNC server; however,
we don’t know what the fake apps look like because during the research
the command for this malicious action was not executed from the RAT.
Yet the source of the “update*.apk” is definitely not certified by the
banks and might be harmful to the Android user.

– “UPDATE”

When the command to “update” is sent from the RAT, a similar app –
“update.apk” is downloaded from the CNC server and installed in the
Android phone:

– “UPLOAD SMS”

When the command to upload SMS is received from the RAT, the SMS of
the Android phone will be uploaded to the CNC server. The SMS has been
stored in the database once received:

Then the SMS is read from the database and uploaded to the CNC server
once the command is received:

– “SEND SMS”

Similarly, when the sending SMS command is received, the contact list
is sent through SMS.

– “BANK HIJACK”

Interestingly enough, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing updateNH.apk from the CNC server until it is the
newest version.

So far the part after the installation of the fake app is not
finished yet. We believe the hacker is having some problems finishing
the function temporarily.

As shown above, the hacker has designed and prepared for the
framework of a more malicious command from the CNC server once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.

REFERENCE

[1] https://www.virustotal.com/intelligence

Author: Jinjian Zhai

Darwin’s Favorite APT Group

Introduction

The attackers referred to as APT12 (also known as IXESHE, DynCalc,
and DNSCALC) recently started a new campaign targeting organizations
in Japan and Taiwan. APT12 is believed to be a cyber espionage group
thought to have links to the Chinese People’s Liberation Army. APT12’s
targets are consistent with larger People’s Republic of China (PRC)
goals. Intrusions and campaigns conducted by this group are in line
with PRC goals and self-interest in Taiwan. Additionally, the new
campaigns we uncovered further highlight the correlation between APT
groups ceasing and retooling operations after media exposure, as APT12
used the same strategy after compromising the New York Times in Oct
2012. Much like Darwin’s theory of biological evolution, APT12 has been
forced to evolve and adapt in order to maintain its mission.

The new campaign marks the first APT12 activity publicly reported
since Arbor Networks released their blog post “Illuminating the
Etumbot APT Backdoor.” FireEye refers to the Etumbot backdoor as
RIPTIDE. Since the release of the Arbor blog post, FireEye has
observed APT12 use a modified RIPTIDE backdoor that we call HIGHTIDE.
This is the second time FireEye has discovered APT12 retooling after a
public disclosure. As such, FireEye believes this to be a common theme
for this APT group: APT12 will continue to evolve in an effort to
avoid detection and continue its cyber operations.

FireEye researchers also discovered two possibly related campaigns
utilizing two other backdoors known as THREEBYTE and WATERSPOUT. Both
backdoors were dropped from malicious documents built utilizing the
“Tran Duy Linh” exploit kit, which exploited CVE-2012-0158. These
documents were also emailed to organizations in Japan and Taiwan.
While APT12 has previously used THREEBYTE, it is unclear if APT12 was
responsible for the recently discovered campaign utilizing THREEBYTE.
Similarly, WATERSPOUT is a newly discovered backdoor and the threat
actors behind the campaign have not been positively identified.
However, the WATERSPOUT campaign shared several traits with the
RIPTIDE and HIGHTIDE campaign that we have attributed to APT12.

Background

From October 2012 to May 2014, FireEye
observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that
communicates via HTTP to a hard-coded command and control (C2) server.
RIPTIDE’s first communication with its C2 server fetches an encryption
key, and the RC4 encryption key is used to encrypt all further communication.

Figure 1: RIPTIDE HTTP GET Request Example

In June 2014, Arbor Networks published an article describing the
RIPTIDE backdoor and its C2 infrastructure in great depth. The blog
post noted that the backdoor had been used in campaigns from March
2011 to May 2014.

Following the release of the article, FireEye observed a distinct
change in RIPTIDE’s protocols and strings. We suspect this change was
a direct result of the Arbor blog post in order to decrease detection
of RIPTIDE by security vendors. The changes to RIPTIDE were
significant enough to circumvent existing RIPTIDE detection rules.
FireEye dubbed this new malware family HIGHTIDE.

HIGHTIDE Malware Family

On Sunday August 24, 2014 we observed a
spear phish email sent to a Taiwanese government ministry. Attached to
this email was a malicious Microsoft Word document (MD5:
f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It
is worth noting that this email appeared to have been sent from
another Taiwanese Government employee, implying that the email was
sent from a valid but compromised account.

 

Figure 2: APT12 Spearphishing Email

The exploit document dropped the HIGHTIDE backdoor with the
following properties:

MD5           6e59861931fa2796ee107dc27bfdd480
Size          75264 bytes
Compile Time  2014-08-23 08:22:49
Import Hash   ead55ef2b18a80c00786c25211981570

The HIGHTIDE backdoor connected directly to 141.108.2.157. If you
compare the HTTP GET request from the RIPTIDE samples (Figure 1) to
the HTTP GET request from the HIGHTIDE samples (Figure 3) you can see
the malware author changed the following items:

  • User-Agent
  • Format and structure of the HTTP Uniform Resource Identifier (URI)

Figure 3: HIGHTIDE GET Request Example

Similar to RIPTIDE campaigns, APT12 infects target systems with
HIGHTIDE using a Microsoft Word (.doc) document that exploits
CVE-2012-0158. FireEye observed APT12 deliver these exploit documents
via phishing emails in multiple cases. Based on past APT12 activity,
we expect the threat group to continue to utilize phishing as a
malware delivery method.

MD5                               File Name                                                      Exploit
73f493f6a2b0da23a79b50765c164e88  議程最新修正及注意事項.doc                                      CVE-2012-0158
f6fafb7c30b1114befc93f39d0698560  0824.1.doc                                                     CVE-2012-0158
eaa6e03d9dae356481215e3a9d2914dc  簡易名冊0全國各警察機關主官至分局長.doc                        CVE-2012-0158
06da4eb2ab6412c0dc7f295920eb61c4  附檔.doc                                                       CVE-2012-0158
53baedf3765e27fb465057c48387c9b6  103年第3屆通訊錄.doc                                           CVE-2012-0158
00a95fb30be2d6271c491545f6c6a707  2014 09 17 Welcome Reception for Bob and Jason_invitation.doc  CVE-2012-0158
4ab6bf7e6796bb930be2dd0141128d06  產諮會_Y103(2)委員會_從東協新興國家崛起(0825).doc             CVE-2012-0158

Figure 4: Identified exploit documents for HIGHTIDE

When the file is opened, it drops HIGHTIDE in the form of an
executable file onto the infected system.

RIPTIDE and HIGHTIDE differ on several points: executable file
location, image base address, the User-Agent within the GET requests,
and the format of the URI. The RIPTIDE exploit document drops its
executable file into the C:\Documents and Settings\{user}\Application
Data\Location folder, while the HIGHTIDE exploit document drops its
executable file into the C:\DOCUMENTS and SETTINGS\{user}\LOCAL
SETTINGS\Temp folder. All but one sample that we identified were
written to this folder as word.exe. The one outlier was written as winword.exe.

Research into this HIGHTIDE campaign revealed APT12 targeted
multiple Taiwanese Government organizations between August 22 and 28.

THREEBYTE Malware Family

On Monday August 25, 2014 we observed a different spear phish email
sent from lilywang823@gmail.com to a technology company located in
Taiwan. This spear phish contained a malicious Word document that
exploited CVE-2012-0158. The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11.

Similar to the newly discovered HIGHTIDE samples documented above,
this malicious document dropped a backdoor to C:\DOCUMENTS and
SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe. This backdoor had the
following properties:

MD5           16e627dbe730488b1c3d448bfc9096e2
Size          75776 bytes
Compile Time  2014-08-25 01:22:20
Import Hash   dcfaa2650d29ec1bd88e262d11d3236f

This backdoor sent the following callback
traffic to video[.]csmcpr[.]com:

Figure 5: THREEBYTE GET Request Beacon

The THREEBYTE spear phishing incident (while not yet attributed)
shared the following characteristics with the above HIGHTIDE campaign
attributed to APT12:

  • The THREEBYTE backdoor was compiled two days after the HIGHTIDE
    backdoors.
  • Both the THREEBYTE and HIGHTIDE backdoors were used in attacks
    targeting organizations in Taiwan.
  • Both the THREEBYTE and HIGHTIDE backdoors were written to the same
    file path, C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe.
  • APT12 has previously used the THREEBYTE backdoor.

WATERSPOUT Malware Family

On August 25, 2014, we observed another round of spear phishing
emails targeting a high-technology company in Japan. Attached to this
email was another malicious document designed to exploit
CVE-2012-0158. This malicious Word document had an MD5 of
499bec15ac83f2c8998f03917b63652e and dropped a backdoor to
C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe. The
backdoor had the following properties:

MD5           f9cfda6062a8ac9e332186a7ec0e706a
Size          49152 bytes
Compile Time  2014-08-25 02:10:11
Import Hash   864cd776c24a3c653fd89899ca32fe0b

The backdoor connects to a command and control server at icc[.]ignorelist[.]com.

Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an
HTTP-based backdoor that communicates with its C2 server.

GET //<5 digit number>/<4 character string>.php?_id=<43 character string>= HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host:
Cache-Control: no-cache

Figure 6: Sample GET request for WATERSPOUT backdoor
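The request in Figure 6 is specific enough to hunt for in proxy logs. The following Python is an added example, not FireEye code or an official signature: it turns the URI shape, the User-Agent and the C2 host named above into a small classifier and runs it over a constructed tab-separated proxy log. The base64-like character class for the 43-character `_id` value is an assumption (the post only gives its length), and the log format, IP addresses and hostnames other than icc.ignorelist.com are made up for the example.

```python
import re

# Shape of the WATERSPOUT GET request in Figure 6:
#   //<5 digit number>/<4 character string>.php?_id=<43 character string>=
# The post does not say how _id is encoded; the base64-like character class
# is an assumption, so only the lengths and the trailing "=" are strict.
WATERSPOUT_URI_RE = re.compile(
    r"^//\d{5}/[A-Za-z0-9]{4}\.php\?_id=[A-Za-z0-9+/_-]{43}=$"
)

# User-Agent from Figure 6. It imitates IE8 on Windows 7 and is not unique to
# WATERSPOUT, so on its own it is only a weak indicator.
WATERSPOUT_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    ".NET4.0C; .NET4.0E)"
)

# C2 host given in the text for the WATERSPOUT sample (defanging removed).
WATERSPOUT_C2 = "icc.ignorelist.com"


def classify_request(method, host, uri, user_agent):
    """Return the names of the WATERSPOUT indicators one HTTP request matches."""
    hits = []
    if method == "GET" and WATERSPOUT_URI_RE.match(uri):
        hits.append("waterspout_uri")
    if user_agent == WATERSPOUT_UA:
        hits.append("waterspout_ua")
    if host.lower() == WATERSPOUT_C2:
        hits.append("waterspout_c2")
    return hits


def severity(hits):
    """The URI shape or the C2 host is specific; the User-Agent alone is not."""
    if "waterspout_uri" in hits or "waterspout_c2" in hits:
        return "high"
    if hits:
        return "low"
    return None


def parse_log_line(line):
    """Parse one line of the constructed tab-separated proxy log used below."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    ts, client, method, host, uri, ua = fields
    return {"ts": ts, "client": client, "method": method,
            "host": host, "uri": uri, "ua": ua}


def scan_log(lines):
    """Return (client, severity, hits) for every request matching an indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        hits = classify_request(rec["method"], rec["host"], rec["uri"], rec["ua"])
        if hits:
            findings.append((rec["client"], severity(hits), hits))
    return findings


# Constructed sample log: timestamp, client IP, method, host, URI, User-Agent.
# Only the second line carries a WATERSPOUT-shaped beacon; the third shows that
# the User-Agent alone should not page anyone.
SAMPLE_LOG = [
    "2014-08-25T02:15:00Z\t10.0.0.7\tGET\twww.example.com\t/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "2014-08-25T02:15:09Z\t10.0.0.42\tGET\ticc.ignorelist.com\t"
    "//12345/abcd.php?_id=" + "Q" * 43 + "=\t" + WATERSPOUT_UA,
    "2014-08-25T02:16:30Z\t10.0.0.19\tGET\tupdates.example.net\t"
    "/download/patch.cab\t" + WATERSPOUT_UA,
]

if __name__ == "__main__":
    for client, sev, hits in scan_log(SAMPLE_LOG):
        print(f"{client}\t{sev}\t{','.join(hits)}")
```

The URI regex and the C2 host are the parts worth alerting on; the User-Agent is kept only as corroboration, since it is a stock IE8 string that plenty of legitimate traffic carried in 2014.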

Although there are no current infrastructure ties to link this
backdoor to APT12, several data points show a possible tie to the
same actors:

  • Same initial delivery method (spear phishing email) with a
    Microsoft Word document exploiting CVE-2012-0158.
      • The same “Tran Duy Linh” Microsoft Word exploit kit was used
        to deliver this backdoor.
  • Similar targets were observed where the threat actors utilized
    this backdoor:
      • Japanese tech company
      • Taiwanese government organizations
      • Organizations in the Asia-Pacific region that are of interest
        to China
  • The WATERSPOUT backdoor was written to the same file paths as the
    HIGHTIDE backdoors:
      • C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe
      • C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\winword.exe
  • WATERSPOUT was compiled within two days of the last HIGHTIDE
    backdoor and on the same day as the THREEBYTE backdoor.

Although these points do not definitively tie WATERSPOUT to APT12,
they do indicate a possible connection between the WATERSPOUT
campaign, the THREEBYTE campaign, and the HIGHTIDE campaign
attributed to APT12.

Conclusion

FireEye believes the change from RIPTIDE to HIGHTIDE represents a
temporary tool shift to decrease malware detection while APT12
developed a completely new malware toolset. These development efforts
may have resulted in the emergence of the WATERSPOUT backdoor.

Figure 7: Compile dates for all three malware families

APT12’s adaptations to public disclosures lead FireEye to several
conclusions about this threat group:

  • APT12 closely monitors online media related to its tools and
    operations and reacts when its tools are publicly disclosed.
  • APT12 has the ability to adapt quickly to public exposures with
    new tools, tactics, and procedures (TTPs).
  • Public disclosures may result in an immediate change in APT12’s
    tools. These changes may be temporary, and FireEye believes they
    are aimed at decreasing detection of their tools until a more
    permanent and effective TTP change can be implemented (e.g.,
    WATERSPOUT).

Though public disclosures resulted in APT12 adaptations, FireEye
observed only a brief pause in APT12 activity before the threat actors
returned to normal activity levels. Similarly, the public disclosure
of APT12’s intrusion at the New York Times led to only a brief pause
in the group’s activity and immediate changes in TTPs. The pause and
retooling by APT12 was covered in the Mandiant 2014 M-Trends report.
Currently, APT12 continues to target organizations and conduct cyber
operations using its new tools. Most recently, FireEye observed
HIGHTIDE at multiple Taiwan-based organizations and the suspected
APT12 WATERSPOUT backdoor at a Japan-based electronics company. We
expect APT12 to continue this trend, evolving and changing its tactics
to stay ahead of network defenders.

Note: IOCs for this campaign can be found here.

Author: Ned Moran

Europe’s Hacktivists Set Sights on Political Entities

The tumultuous state of global politics that has come to define 2017 continues to shape the motivations and schemes of a wide range of adversaries. In October, CNBC reported two Czech election websites were hacked and that, after Catalonia’s independence referendum was ruled illegal, the website for Spain’s Constitutional Court was taken down by a DDoS attack. These are just two of many examples that align with a trend Flashpoint analysts have observed in recent months: the proliferation of hacktivist activity targeting European government and political entities.

In early September, Flashpoint analysts observed multiple hacktivist-fueled DDoS attacks against several websites belonging to ministries and individual public officials in multiple European countries. Although these campaigns have been characterized by DDoS attacks dispersed across central Europe, some actors have tended to concentrate their activity on certain countries. For example, analysts have observed that one Turkish nationalist group appears to be focused on targeting the websites of Belgian and Austrian political entities. This group has also indicated its intent to retaliate against any perceived anti-Turkish or anti-Muslim sentiment emanating from European political entities. In one instance, the group posted screenshots of successful DDoS attacks against Danish government institutions. They claim to have carried out the attacks due to perceived insults by Danish politicians against Islam.

While hacktivist groups are often considered less skilled than their cybercriminal and state-sponsored counterparts, the risks and resulting damages they can inflict are by no means novel. Typically motivated by fundamental and political differences of opinion, hacktivist campaigns have been known to disrupt, deface, or otherwise take down targeted websites, web-based services, networks, and infrastructure. Unfortunately, these types of damages became a reality for many following the recent hacktivist-fueled DDoS attacks that correlated with major 2017 elections in the United Kingdom, Germany, Russia, Czech Republic, and France. It appears that the polarizing effect of these elections continues to contribute to the heightened risks faced by various European political entities.

Flashpoint assesses with a moderate degree of confidence that hacktivist-fueled DDoS attacks against European political entities may continue in the coming months. While addressing hacktivist activity can be complex and challenging, organizations—not just in Europe, but worldwide—that integrate Business Risk Intelligence (BRI) into their security and risk strategies can and do mitigate these types of risks more effectively. By providing proactive visibility into rising geopolitical tensions, emerging hacktivist threats, and upcoming schemes, BRI enables organizations across all sectors to gain a decision advantage over a broad spectrum of hacktivists and other adversaries.

Want to learn more about the hacktivist DDoS landscape in Europe? Watch our Flash Talk on Turkish Hacktivism here.

The post Europe’s Hacktivists Set Sights on Political Entities appeared first on Flashpoint.

Author: Flashpoint

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model

Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful — a capability that is now exhibited by the Trickbot gang.

Considered the successor of the formidable Dyre banking Trojan gang, the Trickbot gang continues to evolve by adopting new attack methods and targeting new industries. While Trickbot predominantly targeted the financial industry, it has now expanded to other industries via its account checking activity, which is carried out through a backconnect SOCKS5 module that enlists victims as proxies. Enlisting victims as proxies allows the gang to perform account checking from the same IP addresses as its victims. The account checking operation requires a steady stream of new, “clean” proxies so that the activity is not automatically blocked by companies’ IP-origin anti-fraud systems; existing infections are therefore turned into account checking proxies.

Image 1: The process of Trickbot’s backconnect proxy account checking activity. In the first step, the Trickbot gang distributes email spam. In the second step, the victim opens the spam attachment. In the third step, Trickbot downloads and executes the payload from the payload server on the compromised machine. In the fourth step, the victim machine downloads the backconnect SOCKS5 proxy module from the module server. Then, the victim connects to the preconfigured gang’s backconnect server. Finally, the Trickbot gang connects to the victim enlisting their machine’s IP as its proxy for account checking activities via its backconnect SOCKS5 module.

The Trickbot gang continues to search for ways to monetize infections by adopting a hybrid attack model, which utilizes both Trickbot modular payloads and knowledgeable fraud operators. The Trickbot gang has also extended its operations to include account checking activity; such attacks are a combination of malware expertise and knowledgeable human operators. This hybrid approach allows Trickbot operators to launch account checking attacks leveraging infected victims as proxies.

Distributed through malicious Microsoft Office documents via email spam campaigns, Trickbot is notable for loading its backconnect SOCKS5 module bcClientDllTest onto compromised machines. This module is used extensively by the gang for account checking activity.

From Aug. 17 to the present, analysts observed close to 6,000 unique compromised machines associated with Trickbot SOCKS5 proxy module activities. Of these machines, more than 200 of them were actively enlisted for account checking fraud activities at any one time.

Image 2: The Trickbot SOCKS5 backconnect module contains authorization backconnect logic to check in to the backend.

Trickbot’s backconnect protocol carries its commands in a parameter prefixed “c” and supports the following commands for client-server communication:

● disconnect: Terminate the backconnect server connection
● idle: Maintain the client-server connection
● connect: connect to the backconnect server. The command must consist of the following parameters:

○ ip: Backconnect server’s IP address
○ auth_swith: Use authorization flag. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
○ auth_ip: Authentication IP address
○ auth_login: Authentication login
○ auth_pass: Authentication password

Image 3: A Trickbot victim connects to the Trickbot backconnect server.

There are three main Trickbot SOCKS5 server-client commands:

● c=idle
● c=disconnect
● c=connect

Trickbot victims send a sequence of GET requests to gate.php on the backconnect server with the following parameters:

● client_id=&connected=&server_port=&debug=

If a connection is to be established, the server’s response carries the following parameters:

● c=connect&ip=&auth_swith=&auth_ip=&auth_login=&auth_pass=

If the connection is to be terminated, the server responds with c=disconnect.

Image 4: The Trickbot machine actively pings the server every 100 seconds.
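To make the exchange above concrete, the following Python (an added example, not Flashpoint’s code and not the malware’s) models both sides of the backconnect handshake: the victim’s gate.php beacon and the server’s c= replies, including the three auth_swith branches. The parameter and command names are the ones given in the text; the class and function names, the IP addresses, the port and the credentials are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

GATE = "gate.php"
COMMANDS = {"idle", "disconnect", "connect"}


def build_beacon(client_id, connected, server_port, debug=0):
    """Client side: the GET query a victim sends to gate.php.

    Parameter names come from the text; the values are what the bot reports
    (its id, whether a backconnect session is up, its SOCKS5 port).
    """
    query = urlencode({
        "client_id": client_id,
        "connected": int(bool(connected)),
        "server_port": server_port,
        "debug": debug,
    })
    return f"{GATE}?{query}"


def parse_command(body):
    """Server side: decode a c=... reply into the action the client takes.

    auth_swith branches from the text: "1" means the reply carries
    auth_login/auth_pass, "0" means it carries auth_ip, anything else means
    no connection is established. The misspelling is the protocol's own.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    cmd = params.get("c")
    if cmd not in COMMANDS:
        raise ValueError(f"unknown backconnect command: {cmd!r}")
    if cmd != "connect":
        return {"action": cmd}
    ip = params.get("ip", "")
    switch = params.get("auth_swith")
    if switch == "1":
        auth = {"mode": "login",
                "login": params.get("auth_login", ""),
                "password": params.get("auth_pass", "")}
    elif switch == "0":
        auth = {"mode": "ip", "auth_ip": params.get("auth_ip", "")}
    else:
        return {"action": "reject", "reason": f"auth_swith={switch!r}"}
    return {"action": "connect", "ip": ip, "auth": auth}


class VictimState:
    """Minimal model (constructed) of what the bot tracks between beacons."""

    def __init__(self, client_id, server_port=1080):
        self.client_id = client_id
        self.server_port = server_port
        self.connected = False
        self.backconnect_ip = None

    def next_beacon(self):
        return build_beacon(self.client_id, self.connected, self.server_port)

    def apply(self, reply):
        decision = parse_command(reply)
        if decision["action"] == "connect":
            self.connected, self.backconnect_ip = True, decision["ip"]
        elif decision["action"] == "disconnect":
            self.connected, self.backconnect_ip = False, None
        return decision


def run_exchange(client, replies):
    """One beacon/reply round per server reply; returns (beacon, action, connected)."""
    trace = []
    for reply in replies:
        beacon = client.next_beacon()
        decision = client.apply(reply)
        trace.append((beacon, decision["action"], client.connected))
    return trace


# Constructed server replies: documentation-range IP, made-up credentials.
SAMPLE_REPLIES = [
    "c=idle",
    "c=connect&ip=203.0.113.5&auth_swith=1&auth_ip=&auth_login=proxyuser&auth_pass=s3cret",
    "c=idle",
    "c=disconnect",
]

if __name__ == "__main__":
    for beacon, action, connected in run_exchange(VictimState("bot01"), SAMPLE_REPLIES):
        print(f"GET /{beacon} -> {action:<10} connected={connected}")
```

The reject branch is the detail worth noticing: a reply whose auth_swith is neither "0" nor "1" is not an error the bot retries, it simply never opens the SOCKS5 session, which matches the “Otherwise, the connection will not be established” rule above.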

Once a machine is compromised, Trickbot targets customers of financial institutions via webinjects and redirection attacks. The Trojan also uses victim IPs as proxies for account checking with stolen username and password combinations. The observed account checking activity mainly targets customers of companies in nine industries, most of them in gaming. Notably, some of the targets appear to be Russia-based companies.

Image 5: Trickbot account checking activities mainly target customers in nine industries.

Trickbot account checking activity is mainly directed to customers of U.S.- and Russia-based companies operating in the following industries:

● Gaming
● Technology
● Financial
● Entertainment
● Adult
● Social Media
● Retail
● Rewards
● Cryptocurrency

Likely leveraging commercial account checker tools, the Trickbot gang and its associates make heavy use of their victims’ IPs as proxies for account checking activity that imitates mobile-device logins. Their attacks leave web application artifacts such as spoofed user agent and device information, making it appear as if the activity came from mobile devices. Such mobile logins are meant to bypass traditional anti-fraud controls, which are largely built around web-based logins. Cybercriminals’ attempts at evading anti-fraud systems are thus dictated by a company’s anti-fraud controls, which are in turn shaped by cybercriminal tactics, techniques, and procedures (TTPs). Analysts assess with moderate confidence that the Trickbot operators will continue to monetize infections by turning victims’ IPs into proxies that fuel account checking activity.

The post Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model appeared first on Flashpoint.

Author: Flashpoint

Cybercriminal Abuse of Rewards Points

Cybercriminal interest in stolen data is not solely limited to financial or personally identifiable information. In fact, Flashpoint analysts have observed Deep & Dark Web chatter pertaining to the exploitation of rewards points programs, especially those associated with travel. This chatter aligns with cybercriminals’ interest in fraudulent booking services for hotels, airline tickets, and car rentals—all of which have proliferated in various underground communities over the past several years.

Actors who offer these illicit “booking services” typically obtain access to various types of travel rewards points—including frequent flyer miles—through compromised user accounts. Points can then be used to purchase rooms, flights, and car rentals through online booking services.

These services have become so widespread on one lower-tier Russian-language forum that the community has established its own group of members dedicated to cybercrime targeting hotels. One such member has been advertising their travel “booking service” on two lower-tier forums since December 2014. Through their service, users can order tickets to anywhere in the world; the only restriction is no domestic flights within Russia. Grateful customers regularly post photos taken on trips purchased through the actor’s offerings.

Image 1: A picture taken by a customer on a trip booked through a Russian-language “booking agency,” featuring a note referencing the vendor’s illicit services.


Beyond the Russian-language underground, rewards points abuse also occurs among English- and Spanish-speaking cybercriminals. Similar illicit booking services had been listed on the now-defunct AlphaBay Market since at least March 2015. These listings drove high demand: 3,601 customers purchased one actor’s illicit hotel and car rental services between March 2015 and December 2016. To cash in on this trend, at least one vendor who was active on lower-tier Russian-language forums is known to have expanded their operations to AlphaBay Market in September 2016.

Today, similar services are available on various other English-language marketplaces.

Image 2: An English-language vendor offering both carded and non-carded flights for 25 percent of the total cost of the flight.


Although now-defunct, the most prolific rewards point fraud service on the Spanish-language underground was an illicit “travel agency” that offered discounted tickets and reservations for flights, five-star hotels, car rentals, cruises, and other vacation activities such as tours. Clients were allowed and even encouraged to make these reservations in their own names, and reservations were able to be made anywhere from a month to only hours in advance. Much like the aforementioned Russian-language vendor, this Spanish-language “agency” would not book any domestic flights, stating that there was little money to be made there. Moreover, they would only book hotel reservations if the total cost was to be more than $200 USD. Interestingly, their prices were largely based on comparable hotel room listings advertised on surface web travel sites.

It should be noted that travel arrangements aren’t the only illicit use of stolen rewards points, which can often be used to purchase gift cards. One actor on AlphaBay Market was observed selling $100 USD gift cards for various retail and restaurant chains.

Cybercriminal abuse of rewards points has also been facilitated by the development of brute forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined. After obtaining a user’s password through brute forcing, cybercriminals can potentially access any rewards points associated with the compromised accounts. A symbiotic relationship exists between the expanding presence of these tools and the marketplace for compromised credentials.

Image 3: The control panel of a brute forcing tool. Though rewards points are not the tool’s main focus, cybercriminals still showed interest in the tool for that purpose.


Image 4: Flashpoint has tracked mentions of "rewards points" (green line) and "non-carded"/"not carded" items (blue line) on Deep & Dark Web forums over the past five years. February 2017 saw the second highest number of mentions of "rewards points," while March 2017 saw the highest level of chatter for "non carded"/"not carded" items.


Flashpoint analysts assess with a moderate degree of confidence that rewards points abuse will likely continue. That being said, businesses and everyday consumers alike can reduce the likelihood of their rewards points being stolen by practicing stringent password hygiene. Since brute forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity.

The post Cybercriminal Abuse of Rewards Points appeared first on Flashpoint.

Author: Flashpoint

BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to
distribute BADRABBIT ransomware to unwitting users. FireEye appliances
detected the download attempts and blocked our user base from
infection. During our investigation into the activity, FireEye
identified a direct overlap between BADRABBIT redirect sites and sites
hosting a profiler we’ve been tracking as BACKSWING. We’ve identified
51 sites hosting BACKSWING and four confirmed to drop BADRABBIT.
Throughout 2017, we observed two versions of BACKSWING and saw a
significant increase in May with an apparent focus on compromising
Ukrainian websites. The pattern of deployment raises the possibility
of a strategic sponsor with specific regional interests and suggests a
motivation other than financial gain. Given that many domains are
still compromised with BACKSWING, we anticipate a risk that they will
be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked
attempts to infect multiple clients with a drive-by download
masquerading as a Flash Update (install_flash_player.exe) that
delivered a wormable variant of ransomware. Users were redirected to
the infected site from multiple legitimate sites (e.g.
http://www.mediaport[.]ua/sites/default/files/page-main.js)
simultaneously, indicating a coordinated and widespread strategic web
compromise campaign.

FireEye network devices blocked infection attempts at over a dozen
victims primarily in Germany, Japan, and the U.S. until Oct. 24 at
15:00 UTC, when the infection attempts ceased and attacker
infrastructure – both 1dnscontrol[.]com and the legitimate websites
containing the rogue code – were taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of
collateral targeting. It is common for threat actors to pair a
strategic web compromise with profiling malware to target systems with
specific application versions or victims. FireEye observed that
BACKSWING, a malicious JavaScript profiling framework, was deployed to
at least 54 legitimate sites starting as early as September 2016.  A
handful of these sites were later used to redirect to BADRABBIT
distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING
that contain the same functionality but differ in their code styles.
We consider BACKSWING a generic container used to collect attributes
of the current browsing session (User-Agent, HTTP Referrer, cookies,
and the current domain). This information is then relayed to a “C2,”
sometimes referred to as a “receiver.” If the receiver is online, the
server returns a unique JSON blob to the caller, which is then parsed
by the BACKSWING code (Figure 1).


Figure 1: BACKSWING Reply

BACKSWING expects the JSON blob to have two fields, “InjectionType”
(expected to be an integer) and “InjectionString” (expected to be a
string containing HTML content). BACKSWING version 1 (Figure 2)
handles the value of “InjectionType” on two code paths:

  • If InjectionType == 1: redirect the browser to a URL
  • If InjectionType != 1: render the HTML into the DOM


Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic, but
generalizes the InjectionString to be handled strictly to render the
reply into the DOM.


Figure 3: BACKSWING Version 2

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016 on
    websites belonging to a Czech Republic hospitality organization, in
    addition to a government website in Montenegro. Turkish tourism
    websites were also injected with this profiler.
  • BACKSWING v1 was commonly injected in cleartext into affected
    websites, but over time actors began to obfuscate the code using the
    open-source Dean Edwards packer and injected it into legitimate
    JavaScript resources on affected websites. Figure 4 shows the
    injection content.
  • Beginning in May 2017, FireEye observed a number of Ukrainian
    websites compromised with BACKSWING v1, and in June 2017 began to
    see content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element
    with two distinct identifiers. When decoded, BACKSWING v1 embedded
    two div elements within the DOM with values of
    07a06a96-3345-43f2-afe1-2a70d951f50a and
    9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was
    observed in these replies.


Figure 4: BACKSWING Injection Content

Version 2:

  • The earliest that FireEye observed BACKSWING v2 was Oct. 5, 2017,
    across multiple websites that previously hosted BACKSWING v1.
  • BACKSWING v2 was predominantly injected into legitimate JavaScript
    resources hosted on affected websites; however, some instances were
    injected into the sites’ main pages.
  • FireEye observed limited instances of websites hosting this version
    that were also implicated in suspected BADRABBIT infection chains
    (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about
potential victims before deploying payloads (in this case, the
BADRABBIT “flash update” dropper). While FireEye has not directly
observed BACKSWING delivering BADRABBIT, BACKSWING was observed on
multiple websites that were seen referring FireEye customers to
1dnscontrol[.]com, which hosted the BADRABBIT dropper.

Table 1 highlights the legitimate sites hosting BACKSWING that were
also used as HTTP referrers for BADRABBIT payload distribution.

Compromised Website    BACKSWING Receiver                               BACKSWING Version  Observed BADRABBIT Redirect
blog.fontanka[.]ru     Not Available                                    Not Available      1dnscontrol[.]com
www.aica.co[.]jp       http://185.149.120[.]3/scholargoogle/            v2                 1dnscontrol[.]com
www.fontanka[.]ru      http://185.149.120[.]3/scholargoogle/            v2                 1dnscontrol[.]com
www.mediaport[.]ua     http://172.97.69[.]79/i/                         v1                 1dnscontrol[.]com
www.mediaport[.]ua     http://185.149.120[.]3/scholargoogle/            v2                 1dnscontrol[.]com
www.smetkoplan[.]com   http://172.97.69[.]79/i/                         v1                 1dnscontrol[.]com
www.smetkoplan[.]com   http://38.84.134[.]15/Core/Engine/Index/default  v1                 1dnscontrol[.]com
www.smetkoplan[.]com   http://185.149.120[.]3/scholargoogle/            v2                 1dnscontrol[.]com

Table 1: Sites hosting BACKSWING profilers that also redirected users
to a BADRABBIT download site

The compromised websites listed in Table 1 demonstrate one of the
first times that we have observed the potential weaponization of
BACKSWING. FireEye is tracking a growing number of legitimate websites
that also host BACKSWING, underscoring a considerable footprint the
actors could leverage in future attacks. Table 2 provides a list of
sites also compromised with BACKSWING.


Table 2: Additional sites hosting BACKSWING
profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a
motivation other than financial gain. FireEye observed this framework
on compromised Turkish sites and Montenegrin sites over the past year.
We observed a spike of BACKSWING instances on Ukrainian sites, with a
significant increase in May 2017. While some sites hosting BACKSWING
do not have a clear strategic link, the pattern of deployment raises
the possibility of a strategic sponsor with specific regional interests.

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.


Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5:
C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and
executes it using rundll32.exe with the argument
C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component
responsible for dropping and executing the additional components shown
in the BADRABBIT Components section. An embedded RSA-2048 key
facilitates the encryption process, which uses an AES-128 key to
encrypt files. The extensions listed below are targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab
.cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu
.doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe
.jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm
.odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php
.pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb
.rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd
.vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml
.xvd .zip

The following directories are ignored during the encryption process:

  • Windows
  • Program Files
  • ProgramData
  • AppData

The malware writes its ransom message to the root of each affected
drive with the filename Readme.txt.

infpub.dat is capable of performing lateral movement via WMI or SMB.
Harvested credentials provided by an embedded Mimikatz executable
facilitate the infection of other systems on the network. The malware
contains lists of common usernames, passwords, and named pipes that it
can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system,
file encryption is not performed. If the malware is executed with the
“-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver
(cscc.dat) to install the malicious bootloader. If one of three McAfee
antivirus processes is running on the system, dispci.exe is written to
the %ALLUSERSPROFILE% directory; otherwise, it is written to
C:\Windows. The sample is executed on system start using a scheduled
task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32- or 64-bit DiskCryptor driver named cscc.dat facilitates disk
encryption. It is installed in the C:\Windows directory as a kernel
driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32- or 64-bit Mimikatz variant is written to a temporary file (e.g.,
651D.tmp) in the C:\Windows directory and executed by passing a named
pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as
an argument. Harvested credentials are passed back to infpub.dat via
the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

The infpub.dat contains a checksum algorithm like the one used in
EternalPetya. However, the initial checksum value differs slightly:
0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also
supports the same command line arguments as EternalPetya with the
addition of the “-f” argument, which bypasses the malware’s credential
theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists
on the system and will exit if found. The file in this case is
cscc.dat. infpub.dat contains a wmic.exe lateral movement capability,
but unlike EternalPetya, does not contain a PSEXEC binary used to
perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands
to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%
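An added example, not from FireEye or this post, that turns the anti-forensics command line above and the rundll32 and scheduled-task behaviour described under BADRABBIT Components into host-level checks run over constructed process-creation records. The hostnames, task id, timestamp, file paths and the CHECKS names are assumptions made for this example, modelled on the methodology names in the FireEye Detections table below.

```python
import re
from collections import defaultdict

# Checks derived from the BADRABBIT command lines described in this post:
# (detection name, regex applied to a process command line).
CHECKS = [
    # rundll32 calling an export by ordinal from a .dat file: rundll32.exe C:\Windows\infpub.dat,#1 15
    ("Rundll32 Ordinal Arg", re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dat,#\d+", re.I)),
    # The two task names BADRABBIT registers (rhaegal at start-up, drogon once).
    ("Scheduled Task Created [rhaegal/drogon]",
     re.compile(r"\bschtasks\s+/Create\b.*?/TN\s+(?:rhaegal|drogon)\b", re.I)),
    # A task whose action is an immediate forced reboot, as the drogon task does.
    ("Scheduled Task Created [forced reboot]",
     re.compile(r"\bschtasks\s+/Create\b.*shutdown\.exe\s+/r\s+/t\s+0\s+/f", re.I)),
    ("Wevtutil Clear-log", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\w+", re.I)),
    ("Fsutil USN Deletejournal", re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
]

# Constructed sample records, one per line: hostname|command line (not real telemetry).
SAMPLE_EVENTS = r"""
ws01|C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
ws01|cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234 && exit"
ws01|cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:35:00
ws01|cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
ws02|C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL
ws02|schtasks /Create /SC DAILY /TN BackupJob /TR "C:\Tools\backup.exe"
"""


def match_command_line(cmd: str) -> list:
    """Return the names of every check that fires on one command line."""
    return [name for name, rx in CHECKS if rx.search(cmd)]


def scan_events(records: str) -> dict:
    """Map each host to the sorted set of distinct detections raised by its process events."""
    hits = defaultdict(set)
    for line in records.splitlines():
        if not line.strip():
            continue
        host, cmd = line.split("|", 1)
        hits[host].update(match_command_line(cmd))
    return {host: sorted(names) for host, names in hits.items() if names}


def badrabbit_like_hosts(records: str, threshold: int = 3) -> list:
    """Hosts where at least `threshold` distinct checks fired: the chain, not one noisy event."""
    return sorted(h for h, names in scan_events(records).items() if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in scan_events(SAMPLE_EVENTS).items():
        print(host, names)
    print("chain-like:", badrabbit_like_hosts(SAMPLE_EVENTS))
```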

FireEye Detections

Product              Detection Names
NX, EX, AX, FX, ETP  malware.binary.exe, Trojan.Ransomware.MVX, Exploit.PossibleWaterhole.BACKSWING
HX                   BADRABBIT RANSOMWARE (FAMILY), Gen:Heur.Ransom.BadRabbit.1, Gen:Variant.Ransom.BadRabbit.1
TAP                  WINDOWS METHODOLOGY [Scheduled Task Created], WINDOWS METHODOLOGY [Service Installation],
                     WINDOWS METHODOLOGY [Audit Log Cleared], WINDOWS METHODOLOGY [Rundll32 Ordinal Arg],
                     WINDOWS METHODOLOGY [Wevtutil Clear-log], WINDOWS METHODOLOGY [Fsutil USN Deletejournal],
                     WINDOWS METHODOLOGY [Multiple Admin Share Failures]

We would like to thank Edward Fjellskål for his assistance with
research for this blog.

Indicators

File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: install_flashplayer.exe drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to
install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32- or 64-bit DiskCryptor driver

File: .tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32- or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note
that “15” is the default value present in the malware and may be
altered by specifying a different value on the command line when
executing install_flash_player.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start "" "" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\system32\shutdown.exe /r /t 0 /f" /ST
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D :
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: "<%COMSPEC%> /C Start "" "" -id && exit"
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: "%WINDIR%\system32\shutdown.exe /r /t 0 /f"
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side Caching DDriver
Service Binary Path: cscc.dat

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex

Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
administrator
Guest
guest
User
user
Admin
adminTest
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
atsvc
browser
eventlog
lsarpc
netlogon
ntsvcs
spoolss
samr
srvsvc
scerpc
svcctl
wkssvc

Yara Rules

rule FE_Hunting_BADRABBIT
{
    meta:
        version = ".2"
        filetype = "PE"
        author = "ian.ahl @TekDefense & nicholas.carr @itsreallynick"
        date = "2017-10-24"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
    strings:
        // Messages
        $msg1 = "Incorrect password" nocase ascii wide
        $msg2 = "Oops! Your files have been encrypted." ascii wide
        $msg3 = "If you see this text, your files are no longer accessible." ascii wide
        $msg4 = "You might have been looking for a way to recover your files." ascii wide
        $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
        $msg6 = "Visit our web service at" ascii wide
        $msg7 = "Your personal installation key#1:" ascii wide
        $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
        $msg9 = "Password#1" nocase ascii wide
        $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
        $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

        // File references (backslashes are escaped as YARA requires)
        $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
        $fref2 = "\\\\.\\dcrypt" nocase ascii wide
        $fref3 = "Readme.txt" ascii wide
        $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
        $fref5 = "dispci.exe" nocase ascii wide
        $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

        // META
        $meta1 = "http://diskcryptor.net/" nocase ascii wide
        $meta2 = "dispci.exe" nocase ascii wide
        $meta3 = "GrayWorm" ascii wide
        $meta4 = "viserion" nocase ascii wide

        // Commands
        $com1 = "ComSpec" ascii wide
        $com2 = "\\cmd.exe" nocase ascii wide
        $com3 = "schtasks /Create" nocase ascii wide
        $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
    condition:
        (uint16(0) == 0x5A4D)
        and
        (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
        or
        (all of ($meta*) and 8 of ($msg*))
}

rule FE_Trojan_BADRABBIT_DROPPER
{
    meta:
        author = "muhammad.umair"
        md5 = "fbbdc39af1139aebba4da004475e8839"
        rev = 1
    strings:
        $api1 = "GetSystemDirectoryW" fullword
        $api2 = "GetModuleFileNameW" fullword
        $dropped_dll = "infpub.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF
                         15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D
                         8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB
        and all of them
}

rule FE_Worm_BADRABBIT
{
    meta:
        author = "muhammad.umair"
        md5 = "1d724f95c61f1055f0d02c2154bbccd3"
        rev = 1
    strings:
        $api1 = "WNetAddConnection2W" fullword
        $api2 = "CredEnumerateW" fullword
        $api3 = "DuplicateTokenEx" fullword
        $api4 = "GetIpNetTable"
        $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
        $dropped_driver = "cscc.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $iter_encrypt = { 8D 44 24 3C
                          50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66
                          3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
        $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB
        and all of them
}

rule FE_Trojan_BADRABBIT_MIMIKATZ
{
    meta:
        author = "muhammad.umair"
        md5 = "37945c44a897aa42a66adcab68f560e0"
        rev = 1
    strings:
        $api1 = "WriteProcessMemory" fullword
        $api2 = "SetSecurityDescriptorDacl" fullword
        $api_str1 = "BCryptDecrypt" ascii fullword wide
        $mimi_str = "CredentialKeys" ascii fullword wide
        $wait_pipe_seq = { FF 15
                           ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24
                           1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0
                           83 FE FF 75 3B }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
        and filesize < 500KB and all of them
}

rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
{
    meta:
        author = "muhammad.umair"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
        rev = 1
    strings:
        $api1 = "CryptAcquireContextW" fullword
        $api2 = "CryptEncrypt" fullword
        $api3 = "NetWkstaGetInfo" fullword
        $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8
                         00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8
                         56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
        $msg1 = "Disk decryption progress..." ascii fullword wide
        $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
        $tok1 = "\\\\.\\dcrypt" ascii fullword wide
        $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize
        < 150KB and all of them
}

Author: Barry Vengerik

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs

Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular in the cybercriminal ecosystem over the past several years. UAS — which stands for “Ultimate Anonymity Services” — is one such popular cybercriminal RDP shop that has been online since February 16, 2016. UAS offers SOCKS proxies in addition to over 35,000 brute-forced RDPs for sale.

Image 1: The first post by the UAS team on their website, written in English and Russian, details the gang's motivations for setting up their RDP shop. The post, translated from the original Russian, reads: 

Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…

P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility, same here, not knowing our rules does not excuse you from responsibility if you break them.

UAS offers RDPs sourced from countries across the world; however, in keeping with Eastern European cybercriminal norms, the shop does not offer RDPs from the Commonwealth of Independent States (CIS). Flashpoint analysts evaluated sample data from a variety of countries to determine targeting across the globe and discovered that China, Brazil, India, Spain, and Colombia appear to be among the countries with the greatest number of RDPs for sale on UAS:

• China — 7,216 RDPs

• Brazil — 6,143 RDPs

• India — 3,062 RDPs

• Spain — 1,335 RDPs

• Colombia — 929 RDPs 

Image 2: Flashpoint analysts evaluated the number of RDPs offered for sale for more than thirty sample countries. 

Flashpoint analysts assess with a low degree of confidence that the aforementioned countries may have a higher number of exposed RDPs due to lax cybersecurity hygiene involving remote connection monitoring.

Additionally, UAS offers approximately 300 U.S.-based RDPs. Flashpoint investigated various RDP servers available within the United States and determined that most of the RDPs are geographically aggregated across a few specific zip codes. Such concentration possibly indicates opportunistic exploitation of a handful of companies utilizing multiple RDPs; it is likely that these companies have lax security measures, leading to a greater number of vulnerable RDPs.

Image 3: Flashpoint analysis reveals a concentration of compromised RDPs across only four geographic regions within the United States. 

The most popular U.S. zip codes in the UAS dataset are as follows:

• 20146 – Ashburn, Virginia — 52 RDPs

• 43085 – Franklin County, Ohio — 52 RDPs

• 94043 – Santa Clara County, California — 43 RDPs

• 97086 – Clackamas County, Oregon — 36 RDPs

• 94536 – Alameda County, California — 30 RDPs

In line with their research on the xDedic dataset (xDedic is another major RDP shop available to cybercriminals and a UAS competitor), Flashpoint analysts discovered RDPs sourced from healthcare, education, and government entities for sale on UAS.

RDPs sold on UAS are priced around $10 USD regardless of country of origin, victim operating system, administrative rights, or other factors. By contrast, xDedic sells RDPs at a minimum of around $10 USD, with prices sometimes reaching upwards of $100 USD. Flashpoint analysts did not determine what conditions and factors influence this discrepancy in prices between the two shops.

Interestingly, UAS lays out their pricing model for their RDPs in their FAQ section. The pricing is as follows:

Image 4: Pricing model for UAS RDPs

Other factors can increase the price of a compromised RDP on UAS, such as an RDP with an open port 25 or an RDP added to the site less than five hours prior. Altogether, the maximum price for an RDP on UAS is $15 USD.

Flashpoint’s analysis of Deep & Dark Web (DDW) chatter revealed interest in both UAS and xDedic on many Russian-language forums, as well as on one prominent French-language forum.

Assessment

Compromised RDP servers are used both as instruments of anonymity and also oftentimes as a means of providing direct access to victim networks. Over the past several years, Flashpoint analysts have discovered that various hospitality, retail, and online payment services have been breached as a result of criminal syndicates utilizing fraudulently obtained RDP access.

As RDPs are set up for remote access to an office’s resources, they provide an initial vector into the target organization. By elevating privileges, threat actors can pivot from the environment to which the RDP server provided access to other, more target-rich environments. This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.

Preemptive measures to protect one’s organization against RDP exploitation include conducting audits and reviews of any externally accessible RDP connections to organization networks. RDP access should be protected by a strong and complex password in order to frustrate threat actors’ potential efforts to brute force access to corporate environments.

Overall, Flashpoint assesses with moderate confidence that UAS’s lower prices may contribute to the growing popularity of the shop among cybercriminals. Indeed, Flashpoint analysts’ predictive forecasting determined that cybercriminal interest in UAS will likely continue growing.

Image 5: Predictive models forecast that cybercriminal chatter on UAS is rising.

The post “Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs appeared first on Flashpoint.

Author: Flashpoint