Techie Feeds

ShadowBrokers fails to collect 1M bitcoins – releases stolen information

Malwarebytes - Mon, 04/10/2017 - 17:49

ShadowBrokers finally made good on their promise to release the decryption key to unlock the stolen ‘auction’ file purportedly filled with NSA hacking tools.

Over the weekend, the hacking group ShadowBrokers released the decryption key for the ‘auction’ file that was included in the dump of information from last summer that the group claimed they acquired from Equation Group – reportedly a well-known hacking team responsible for highly sophisticated malware campaigns such as Flame and Stuxnet and possibly associated with certain 3-letter government agencies.

While the group’s get-rich-quick plan to sell the auction file for the astronomical asking price of 1M bitcoins (roughly $1,186,510,000.00 US Dollars as of today) may have ended in spectacular failure, the team has made good on its promise to ultimately release the stolen information should the requested payoff not be received. It’s difficult, if not impossible, for us to verify the hackers’ claims or to attribute the material to the appropriate group, but there are interesting bits of information contained within the archive, and we will document some of the early discoveries here.

The release of the key came in a highly politicized tirade directed at President Donald Trump, touching on everything from Obamacare and Goldman Sachs to Syria, Steven Bannon, and John McCain. The epic rant discusses the Alien and Sedition Act of 1798, Social Collectivism, White Privilege, Russia, and even Magog (I had to look it up too; the Islamic interpretation of the word seems most applicable, courtesy of Wikipedia). For a text that implies its authors are American citizens, and in the eyes of any high school English teacher, it’s a cringe-worthy read filled with grammatical, spelling, and punctuation errors (although with good use of the Oxford comma), and it seems to use a variety of written dialects and cultural references throughout. All of these appear to be deliberate false flags to help conceal the identity of the person or group behind the original attack.

Exploits

There are a number of tools in the dump with notes and code that indicate possible exploits against various software and products. The majority of the files seem to target Linux and Solaris-based servers. Though many of the exploits date from many years ago, some as far back as 2003, it’s possible they are still usable on legacy systems. While we can’t confirm the authenticity of the following exploits, we provide a small snippet from the collection below.

ElatedMonkey is a local privilege escalation exploit against the cPanel Remote Management Web interface current through at least version 24:

ElginGamble is a ‘public’ vulnerability affecting Linux 2.6.13 – 2.6.17.4 to create a cron script capable of spawning a root shell:

PTrace/ForkPTY is a kernel exploit affecting Linux 2.2 – 2.4:

EngageNaughty is an Apache and SSL exploit:

EasyStreet appears to be some sort of UDP exploit utilizing sendmail:

EBBSHAVE is a vulnerability affecting Solaris RPC services version 2.10:

EXCELBERWICK is a remote exploit against xmlrpc.php on Unix-based systems:

Tools

Aside from the partial selection of exploits posted above, the dump also contains a number of tools, utilities, and scripts to deploy once successful exploitation of the system occurs.

Strifeworld is a TCP session recorder that dates from 2001:

EndlessDonut helps deploy monitoring agents and maintain a clean record:

Ys.auto is an encompassing script that assists with the deployment of various RATs and system monitors. It’s a curious footnote that the Ford Motor Company IP address appears within a number of files under the ‘example’ section:

ELECTRICSLIDE.pl is a Perl script that, as pointed out by x0rz, impersonates a Chinese browser with a fake Accept-Language header:

A number of documents reference the deployment of RATs (Remote Access Trojans) to compromised machines. The vast majority of these files appear to target various Solaris, Linux, and FreeBSD clients – based on their naming conventions alone. Additional analysis of these files will surely be published in the coming days:

There also appear to be a number of tools, documents, or scripts that reference cell phone information.

Cdrprint.pl is a script that takes CDR records and makes them pretty. CDR records are data records that are created when call information or other telecommunications transactions (text messages) pass through a processing facility or device. These are accompanied by ‘definition’ files, which, to the best of my understanding, help parse the collected data for specific phones:

Within the targets.py file, there are strings and IP addresses relating to the Russian division of Sprint Telecom:

The information contained in this dump is extensive, and it will take security researchers some time to digest it. While many of the exploits appear to be public and quite old, it’s not out of the realm of possibility that these vulnerabilities are still useful on legacy systems.

But after spending ample time over a weekend poring over the data, I fail to see the value in ShadowBrokers’ initial asking price of 1M bitcoins for an archive filled with publicly known (and probably patched) vulnerabilities dating as far back as 2003. Nothing appears to be more recent than 2013, so the information is likely obsolete and possibly not even in use. This appears to be either a massive failure on the part of ShadowBrokers or a giant prank done for the lulz, as there is no way they could have thought this sort of information was worth anywhere near what was being asked. But there is still a lot of information to be analyzed, so time may prove this initial assessment wrong. We will continue to analyze the included information and Windows-based files and update this post if new information becomes available.

Regardless, another public disclosure of valuable information reminds us once again of the value of OPSEC and secure data retention.

The post ShadowBrokers fails to collect 1M bitcoins – releases stolen information appeared first on Malwarebytes Labs.

Categories: Techie Feeds

USPS-themed malspam now delivering 1-2-3 knock-out

Malwarebytes - Mon, 04/10/2017 - 15:00

We’ve detected an uptick in USPS-themed malspam walloping users with a 1-2-3 knock-out of nasty malware designed to infiltrate your system and steal all your most valuable information. This malware-laced email is actively being distributed with various Subject and Body messages containing references to missing and/or late USPS parcels.

Example of USPS-themed malspam

Should receivers of this mail be convinced of the content and validity of the enclosed message, and thus be inclined to unpack the included file titled “Delivery-Details.zip” and then proceed, against all better judgement, to launch the included JavaScript file titled Delivery-Details.js, they will be subjected to a slew of malware designed to commandeer their PC and steal their most valuable financial information.

Deobfuscated JavaScript showing server addresses

This particular downloader, known to some as JS/Nemucod and simply as JS/Downloader to others, is a well-known JavaScript downloader that is sent out via spam email. Historically this downloader would install 1 or 2 different malware families on infected machines, but the most recent campaign has upped that to 3 different malware families being installed post-detonation.

Shows installed payloads

The 3 malware families are all different in their design but make no mistake about it, all 3 will compromise your security and put your financials at risk.

Trojan.Nymaim is first to come down the line, using the filename exe1[1].exe. This Trojan provides attackers with remote access to infected machines, allowing for everything from the collection of banking credentials to backdoor functionality that gives attackers full use of the machine.

Trojan.Nymaim at execution

Trojan.Kovter comes down next in the form of exe2[1].exe, using a fancy WinAmp icon and NullSoft description. Trojan.Kovter is known as fileless malware for its ability to execute code directly through the registry. This Trojan also has the ability to steal personal information, download additional malware, or grant attackers full use of the machine. The below image shows how Trojan.Kovter manages its ‘fileless’ capabilities with the use of JavaScript commands embedded within the Windows registry.
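To make the ‘fileless’ pattern described above concrete from the defender’s side, here is an added example (written for this page, not taken from the post) that scans a registry export in .reg format for autorun values whose data is an embedded script rather than a path to a program on disk. The export below is constructed for the example; the autorun key list and the script heuristics are this example’s own choices, and Kovter’s actual key and value names, which the post does not give, are not claimed here.

```python
import re

# Autostart keys checked by this example (standard Windows logon Run locations).
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Heuristics chosen for this example: an autorun value normally names a program on
# disk; script URIs or a script host that reads its body back out of the registry
# are the "fileless" shape described in the post.
FILELESS_PATTERNS = (
    re.compile(r"javascript:", re.I),
    re.compile(r"vbscript:", re.I),
    re.compile(r"\bmshta(\.exe)?\b", re.I),
    re.compile(r"\bwscript(\.exe)?\b", re.I),
    re.compile(r"RegRead\(|ActiveXObject|GetObject\(", re.I),
)

# One `"name"="string data"` line of a .reg export (REG_SZ); other value types are ignored.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports write backslash and double quote as \\ and \" respectively.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key path
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_fileless_autoruns(reg_text):
    """Return [(key, value_name, data, pattern)] for autorun values that look like
    embedded script instead of a program path."""
    hits = []
    prefixes = tuple(k.lower() for k in AUTORUN_KEYS)
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefixes):
            continue
        for name, data in values.items():
            for pat in FILELESS_PATTERNS:
                if pat.search(data):
                    hits.append((key, name, data, pat.pattern))
                    break
    return hits


# Constructed sample export: one ordinary Run entry and one registry-resident script.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed for this example, not taken from a real infection
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"b7f1c2"="mshta javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\demo\\\\payload'))"

[HKEY_CURRENT_USER\Software\demo]
"payload"="(constructed placeholder for the script body the loader would read)"
'''

if __name__ == "__main__":
    for key, name, data, pattern in find_fileless_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} matched {pattern!r}: {data[:60]}...")
```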

Finally, exe3[1].exe is identified as Trojan.Boaxxe, which as you may guess is also a Trojan with backdoor and stealing capabilities. This Trojan scans the PC for any trace of information deemed valuable by the creators and transmits this information to the attacker’s server for use in further attacks. Information is saved in the form of encrypted registry strings that are continuously updated by the malware.

Information harvesting

Taken together, these 3 malware families will take hold of your machine, drain your bank accounts, and leave you high and dry. So just be wary of suspicious looking shipping notices arriving via email and never install files received in email without certainty of their origin.

But should you find yourself curious about the contents of this email message and tempted to install the included JavaScript file in an attempt to find that lost USPS package, then have no worries, because you can rest assured that Malwarebytes has your back.

IOCs:

  • Delivery-Details.js – 877480DBDE4FCFF9E21E294EF6B64E50
  • Exe1[1].exe – F22807784588C2117457634494943729
  • Exe2[1].exe – B10A08A1ACB1B42CA91032EBED613A2A
  • Exe3[1].exe – 423213BD6A167D4B7DEEC18E7B18E13E

The post USPS-themed malspam now delivering 1-2-3 knock-out appeared first on Malwarebytes Labs.


A week in security (Apr 03 – Apr 09)

Malwarebytes - Mon, 04/10/2017 - 14:59

Last week, we gave an overview of what might happen once the bill the US Congress passed in late March takes effect; familiarized readers with the “3-2-1 rule”, which is very helpful in protecting valuable data against ransomware; and pushed out a follow-up post on Diamond Fox, a bot used by the Nebula exploit kit. In case you want a refresher on part 1, click here.

Lead analyst Jérôme Segura documented a malvertising campaign affecting users of iOS, a notable deviation in potential targets. Users were enticed to download a ‘free’ VPN app called My Mobile Secure via rogue ads on Torrent sites.

Finally, our experts dished out a list of the five dumbest cyber threats that (unfortunately) work.

Below are notable news stories and security-related happenings:

  • Facebook Turns To Image Recognition to Thwart Revenge Porn. “Revenge porn is the province of the jilted and the jealous, the malicious and the envious. Typically it happens when two people in a relationship share intimate or sexual pictures or videos via text or email; post-break-up, or in the hands of ‘frenemies,’ this content may be posted publicly as payback for heartbreak or other perceived transgressions. It can be enormously damaging for victims, especially younger teen girls.” (Source: InfoSecurity Magazine)
  • IoT Malware Starts Showing Destructive Behavior. “Hackers have started adding data-wiping routines to malware that’s designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.” (Source: CSO)
  • New Malware Deliberately Destroys Unsecured IoT Devices. “Cybersecurity experts are warning of a new type of malware strain that uses known default user credentials to attack unsecured Internet of Things (IoT) devices and destroy them, reports Bleeping Computer. Discovered by cybersecurity firm Radware, BrickerBot has two versions – BrickerBot.1 and BrickerBot.2 – and was found to be active since March 20, targeting only Linux BusyBox-based devices with Telnet ports left open.” (Source: Dark Reading)
  • 20,000-bots-strong Sathurbot Botnet Grows By Compromising WordPress Sites. “A 20,000-bots-strong botnet is probing WordPress sites, trying to compromise them and spread a backdoor downloader Trojan called Sathurbot as far and as wide as possible.” (Source: Help Net Security)
  • “iCloud Mail” Phishing Emails Doing Rounds. “The latest email phishing campaign targeting Apple users is aimed at gathering as much information as possible from unfortunate victims. The email, made to look like it comes from Apple, bids targets welcome to iCloud Mail, but warns that the company has been unable to confirm their account information, and that their account has, therefore, been suspended.” (Source: Help Net Security)
  • Matrix Ransomware Spreads To Other PCs Using Malicious Shortcuts. “Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of wide spread distribution.” (Source: Bleeping Computer)
  • Hackers Empty ATMs By Drilling One Small Hole. “Hackers are using a combination of low and high-tech attacks to make ATMs spit out cash, according to Kaspersky researcher Igor Soumenkov, who presented this novel attack at this year’s Security Analyst Summit, taking place in St. Maarten this week.” (Source: Bleeping Computer)
  • Hackers Steal $30M from IRS Via Student Loan Tool. “Hackers managed to breach the IRS’s Data Retrieval Tool, which is used by parents to transfer financial information for their kids using the Free Application for Federal Student Aid. The system has been shut down until the IRS can figure out which of the requests were made by legitimate students, and which were made by criminals.” (Source: Softpedia)
  • Update Your iPhone To Avoid Being Hacked Over Wi-Fi. “It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched. As we mentioned last week, the recent iOS 10.3 and Mac OS 10.12.4 updates included numerous fixes dealing with ‘arbitrary code execution with kernel privileges’.” (Source: Sophos’ Naked Security Blog)
  • Wonga Data Breach Puts Up To 245,000 UK Current And Former Customers At Risk. “If you are one of those affected, my advice is to be very wary of unsolicited phone calls and emails that might be from scammers attempting to exploit the information. You would also be wise to keep a close eye on your finances for any unexpected transactions.” (Source: Graham Cluley’s Blog)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Apr 03 – Apr 09) appeared first on Malwarebytes Labs.


The top 5 dumbest cyber threats that work anyway

Malwarebytes - Sat, 04/08/2017 - 15:00

The common conception of cyber attacks is that they are kind of like bad weather: ranging from irritating to catastrophic, but always unpredictable. Hackers are simply too sophisticated to draw any reliable judgments about, and we shouldn’t try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. Here are a few.

1. The Browser Locker

The browser locker, better known as the fake blue screen of death, sprays gibberish errors at the user and implores them to call an Indian boiler room to be scammed out of an average of $500. Some feature tweaks by the major browsers have pushed tech support scammers into more creative iterations, including registry hacks to replace the Windows shell itself with a locker. But the browser locker still exists in bulk and still draws victims. Some lockers show some ingenuity, like manipulating the browser’s history function, but most are some variation of:

    for (x in range(a lot)) {
        alert("You have a virus, please call Scam Number")
    }

It’s a piece of novice-level code that has caused hundreds of millions in losses. Mitigations are wide-ranging, including ad blockers (most browser lockers are delivered via malvertising), turning off JavaScript in the browser, not downloading software from third-party app stores, and simply force-quitting a locked browser.

2. DDoS Extortion

With DDoS bots for sale, sometimes on the clearnet, denial of service itself is not the most sophisticated of attacks. DDoS extortion is one notch lazier: an attacker will simply send an email to corporate security staff threatening massive attacks if a bitcoin ransom isn’t paid immediately. Given that the ransom in question has tended to be relatively low, companies in industries requiring continuous uptime have sometimes shrugged their shoulders and paid. If this happens to you, talk to your service provider to work out mitigations; don’t talk to the attacker.

3. SQL Injection

SQL injection takes a modicum of technical skill to pull off, from finding the vulnerable site to executing the attack and safely exfiltrating dumped files or data. So why is this a dumb attack? Because it was first publicly discussed in 1998. It was in the OWASP Top 10 in 2007 and 2010. It was #1 on the OWASP Top 10 in 2013. This is a known, predictable attack with extensive mitigations, so continuing to see it so frequently is profoundly dumb.
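To show what those “extensive mitigations” look like in practice, here is an added example (written for this page, not taken from the post): the same login check built by string concatenation and with a parameterized query, run against an in-memory SQLite database constructed inline. It also covers a legitimate input that merely contains a quote, which the concatenated version cannot even parse.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one user; stands in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Textbook-vulnerable check: user input is spliced into the SQL text, so quote
    characters in the input change the query's structure instead of its data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Mitigated check: placeholders keep the input as bound data; the query text is
    fixed before any user-controlled byte reaches the SQL parser."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both checks on the same input and return (vulnerable_result, safe_result);
    the string 'error' means the query failed to parse."""
    conn = make_db()
    results = []
    for check in (vulnerable_login, safe_login):
        try:
            results.append(check(conn, username, password))
        except sqlite3.Error:
            results.append("error")
    return tuple(results)


if __name__ == "__main__":
    print(compare("alice", "correct horse battery"))  # the real password: both accept
    print(compare("alice", "' OR '1'='1"))            # tautology: only the concatenated query accepts
    print(compare("alice'--", "anything"))            # comment marker drops the password test
    print(compare("alice", "O'Brien"))                # an ordinary apostrophe breaks the concatenated query
```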

4. Business Email Compromise

Sometimes, bosses are jerks. Sometimes when a boss is a jerk, their subordinates are too frightened to question an order from the boss, regardless of how out of character it might be. Attackers have weaponized this cliché of the business world by posing as the aforementioned jerk boss and demanding that large amounts of money be wired to overseas accounts as soon as possible. This scam, which is not much more complicated than shouting “Give me money!”, is called Business Email Compromise and has cost US victims $960,708,616 since 2013. There is a reasonably simple mitigation against business email compromise: if you are a boss, don’t be a jerk. Environments where individual contributors are comfortable asking the boss for clarification when they give an unusual order stand a much better chance of defending against this attack.

5. Macro Malware

In the old days, MS Office had macros enabled by default. This made for a great malware delivery vector, with malicious attachments that would run all sorts of arbitrary code when opened. Eventually, Microsoft had enough and switched Office macro support to off by default. Criminals have gotten around this restriction by simply asking the user to enable macros, and thereby the malicious code. Here’s the technique cropping up in 2014, and here it is again last month. The defense against macro malware is to not enable macros, no matter how politely an attacker asks. More broadly, a collaborative document editing environment that eliminates the need to pass files around the office can defend against a wide variety of malicious attachments.

In summary, a great many cyber threats are not sophisticated, well-thought-out, nation-state-level attacks. The bulk, in fact, tends to be the least effort required for success, which sometimes turns out to be not very much effort at all.

The post The top 5 dumbest cyber threats that work anyway appeared first on Malwarebytes Labs.


Malvertising on iOS pushes eyebrow-raising VPN app

Malwarebytes - Thu, 04/06/2017 - 17:10

There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.

“We have detected that your Mobile Safari is (45.4%) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”

Such alerts on mobile devices are not new and are sadly commonplace via many ad networks these days. Usually, aggressive affiliates remunerated per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.

Thankfully for the latter, Apple has released an update to their mobile operating system (iOS 10.3.1) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material.

Network traffic

This malvertising chain starts off with an ad call from Propeller Ads Media, goes through Real Time Bidding (RTB) via AdMetix, is redirected to RevenueHits, and finishes off with scammy advertisers.

‘Free’ VPN app

This fake website advertises the MyMobileSecure VPN to remove “infected applications and files”. Tapping on ‘Remove Virus’ opens up the App Store to download this app.

The MyMobileSecure developer, VoiceFive, is a comScore, Inc. company, “a leading global market research company that studies and reports on Internet trends and behavior.” In order to activate the free VPN app, users must join the MobileXpression research community, and this is where things get interesting.

From mymobilescure.com: “The MobileXpression email account is a part of the software download package for iPhones and iPads. The email account is there to provide you with a better way to stay in touch with MobileXpression and also make sure our software works correctly.”

If the product is free, you are the product

According to their website, MobileXpression is a market research panel designed to understand the trends and behaviors of people using the mobile Internet. This seems a bit peculiar when applied to a VPN product, whose goal is precisely to anonymize your online activity by encrypting your data against your ISP, government, bad guys, etc.

As an aside, the topic of VPNs is particularly hot at the moment, on the heels of an upcoming bill (S.J. Res. 34) that would allow Internet Service Providers (ISPs) to sell data about your online habits to advertisers. Many people are rushing into installing the first VPN they can get their hands on, which is a terrible idea considering many companies out there are very shady and far worse than your own ISP.

Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app.

If the reason you want to install a VPN is because you are truly worried about your online privacy, then you really ought to read the fine print. This particular VPN app has some concerning statements:

If you shop around for other VPN providers, you will see the exact opposite when it comes to data collection and logging. Here are some examples:

  • [VPN x] never logs where you go on the Internet. If anyone asks, the best we can do is shrug our shoulders.
  • [VPN y] makes it impossible to identify the type of traffic or protocol you are using, even for your ISP.
  • [VPN z] doesn’t store any connection logs whatsoever. In addition, we do not log bandwidth usage, session data or requests to our DNS servers.

Some even provide Bitcoin as a mode of payment to completely anonymize the registration process, via a throwaway email address for example.

VPN providers and trust

Oftentimes, affiliates are not properly policed and we observe scare tactics to force the installation of various pieces of software. It’s important to note that those affiliates are normally distinct from the software vendors themselves, but scammy behaviors end up reflecting poorly on everyone.

In this particular case, one cannot help but feel that this VPN application comes with some serious baggage and unfortunately the average user will not take the time to review the fine details. If the intent is to use a VPN to anonymize your online activities, this does almost the opposite.

One statement from mobileXpression is particularly striking:

We make commercially viable efforts to automatically filter confidential personal information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect personal information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.

This summarizes the issue quite clearly: said data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)?

Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not fake or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.

Kudos to CloudFlare for terminating the scareware domain in less than five minutes.

IOCs: onclkds.com xml.admetix.com clk1005.com inclk.com browserloading.com giveawaywins.com securecheckapp.com 206.54.163.50 173.239.53.20 173.192.117.80 108.168.157.87 52.29.11.13 104.31.67.144 104.28.17.3

The post Malvertising on iOS pushes eyebrow-raising VPN app appeared first on Malwarebytes Labs.


Diamond Fox – part 2: let’s dive in the code

Malwarebytes - Thu, 04/06/2017 - 15:00

In a previous post we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more about the campaign can be found here). We described the way to unpack the protection layer in order to get the core, written in Visual Basic, that can be decompiled. In this second part of the series, we will take a deeper look into the code and analyze the bot’s features and code design.

Analyzed samples

988e9fa903cc2fbb80e7221072fb2221 – Diamond Fox Crystal (final VB payload)

3ef960da3e4bc4bc7c05d02fbf121d4e – old Diamond Fox (final VB payload)

Changelog

In the release that is sold on the black market, the authors included a changelog describing all versions up to the current one (codenamed Crystal). Below, you can see the related fragment:

Crystal Version
[+] Loader core recoded
[+] Improved Size: 17.5 kb
[+] Added unlimited panel list
[+] Added domain generation algorithm
[+] Added RunOne startup
[+] Added Polices startup
[+] Added auto-screenshots
[+] added Install redirects
[+] Added Anti-WinPcap
[+] Added Anti-Virustotal VM
[+] Added Anti-Emulation
[-] Removed Anti-Wine
[-] Moved Startup Persistance to Persistance
[+] Added Botkiller
[+] Added Anti-Avast Sandbox
[+] Added PE configuration storage
[+] Improved Configuration preview
[+] Added optional usb spread on lite bot
[+] Added RDP plugin
[+] Added VNC Grabber
[+] Added remote shell
[+] Added Close bot command
[+] Added Shutdown PC command
[+] Improved web panel installer
[+] Added Restart PC command
[+] Added more bot selection options on tasks
[+] Improved task manager
[+] Added search on reports
[+] Improved panel settings
[+] Added Layer7 DDoS
[+] Added reports bars statistics
[+] Added New/dead bots per week statistics
[+] Updated Geodata
[+] Added Bot remover tool
[+] Added DGA tool
[+] Improved real-time notifications on panel
[+] Added Desktop/Laptop Detection
[+] Added administrator detection
[+] Improved bot full information
[+] Added mark as favorite
[-] removed %PROGRAMFILES% installation path
[+] added %USERPROFILE% installation path
[-] removed %WINDIR% installation path
[+] added %LOCALAPPDATA% installation path
[-] Removed winlogon startup
[+] Added schtaks startup
[-] Removed Anti-apateDNS
[-] Removed Anti-Norman
[-] Removed Anti-wiresshark
[-] Removed Xor Encryption
[+] Added captcha on web panel login
[+] Added antibruter forcer on web panel login
[+] Added new panel logo
[+] Improved Crypto wallet stealer (+24)
[+] Improved Homepage changer (added internet explorer)
[+] Improved Keylogger(added clipboard detector and window title trigger)
[+] Improved bot speed
[+] Improved bot compatibility
[+] Improved bot stability
[-] Removed Services tab on web panel
[+] Added protected folder on installation
[+] Now the webpanel can be installed on windows without errors

Decompiling

As we mentioned in the previous post, Diamond Fox is written in Visual Basic and after unpacking it can be decompiled by VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by the malware.

We provided a partially cleaned version of the decompiled code: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-module1-vb.

Execution flow

Diamond Fox starts its execution by decrypting and parsing the configuration – in this edition, it is stored in the section “L!NK”. Then, depending on the configuration, some further features are enabled or disabled. For example, it may deploy defensive checks against sandboxes and virtual machines.

The stored parameters are encrypted and are decrypted at runtime – however, the decryption function is no longer the simple XOR known from the previous versions:

(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-decrypt-vb )

Along with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers features that are controlled from the CnC.

Reading response from the CnC:

Parsing commands and executing appropriate actions (commands are identified by numbers – from 0 to 25):

Features

Let’s have a look inside the code and follow the features mentioned by the authors.

[+] Loader core recoded

The code of the malware has been reorganized and large portions of it have been rewritten. This is noticeable at first sight if we decompile the new version and compare it with the old one. In the current version everything is in one module, while previously the code was subdivided into various modules.

Old Diamond Fox decompiled (fragment):

We can see the code subdivided into modules with descriptive names, making analysis easier. In the new version, we will not find this familiar layout.

Decompiled code of Diamond Fox Crystal (the new one):

The new version introduced a different way of storing the configuration. Now, the encrypted configuration is in a dedicated section named “L!NK”.

[+] Added domain generation algorithm

In the analyzed sample this feature was not enabled and the CnC address was static. However, looking at the code, we can find a domain generation algorithm (DGA) that is based on the current date:

(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-domain_generate-vb)

[+] Added Anti-Emulation

Checking whether the sample is running in a VM or sandbox by attempting to load DLLs associated with virtual environments:

  • vboxmrxnp
  • SbieDll
  • snxhk
  • pthreadVC

It also comes with a set of blacklisted volume serial numbers identifying popular sandboxes:

  • AC79B241
  • 70144646
  • 6C78A9C3

[+] Added Desktop/Laptop Detection

Checking whether it is running on a laptop by testing for battery presence:

[+] Added PE configuration storage

The section L!NK is used not only to store initial configuration, but also some fetched data.

The random ID of the bot is generated and stored:

[+] Improved Crypto wallet stealer (+24)

We can find in the code strings used to search several crypto wallets:

MultiBit, Armory, Electrum, digital, -LTC, MultiDoge, BitcoinDark, Unobtanium, Dash, Bit, Lite, Name, PP, Feather, Nova, Prime, Terra, Dev, Anon, Pay, World, Quark, Infinite, Doge, Asic, Lotto, Dark, Mona

Analyzing the code deeper, we find that first the .wallet files are searched:

The found data is grabbed and passed into another function:

That function is responsible for posting the grabbed content to the CnC server:

[+] Added captcha on web panel login

We can observe it if we try to follow the address of the CnC captured during the behavioral analysis. Indeed, next to the credential fields we can see a very simple captcha:

[+] Added new panel logo

The authors of Diamond Fox put a lot of effort into making the graphic design attractive to the user. This time, the panel comes with a set of logos that change randomly on page refresh. This feature may seem fancy and redundant in malware; however, it shows the effort put into the user experience.

[+] Improved Keylogger (added clipboard detector and window title trigger)

As we saw during the behavioral analysis, Diamond Fox generates neatly formatted reports about the captured users’ activities. They include the clipboard content and the title of the window in which the particular text was typed:

Conclusion

Diamond Fox Crystal has been solidly refactored in comparison to the older versions. Removing the descriptive module names made analysis more difficult. Because the method of encrypting the configuration has changed, retrieving its content is no longer as trivial.

Overall, Diamond Fox comes with the typical features that we can expect from a stealer. In spite of some improvements, the code quality is still nothing impressive.

Appendix

https://www.cylance.com/a-study-in-bots-diamondfox – about an older version of Diamond Fox

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into detail about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post Diamond Fox – part 2: let’s dive in the code appeared first on Malwarebytes Labs.


3, 2, 1, GO! Make backups of your data!

Malwarebytes - Wed, 04/05/2017 - 15:00

With the recent proliferation of ransomware, a type of malware that encrypts your data and holds it hostage until payment is received, what should be done to protect valuable data?

One of the best defences against this threat is having a good backup strategy. This protects your data against all sorts of unpleasant mishaps. How frequently you make backups, what you make them to, where they are stored, and the automation required to maintain said backup regimen are also crucial. We should all be familiar with making backups, but there is a useful rule of thumb called the “3-2-1 rule”.

A good backup regimen could mean the difference between surviving a catastrophic event such as ransomware or shutting down the business. Let’s use an example file called “Important_stuff.txt” to explain how this all works.

3 Different copies!

For an effective backup plan, you should have at least 3 different copies of this file. A good example would be:

  • One on a workstation, stored locally for editing or on a local server, for ease of access.
  • One stored on a cloud backup solution.
  • One stored on a long-term storage such as a drive array, replicated offsite, or even an old school tape drive.

This diversity of backups is there to ensure your documents are available with added redundancy. If the hard drive on your workstation fails, you have a backup on the server. Server down? The cloud copy is still an option.

If the ransomware did its thing while the server share was mounted to your workstation, it might also be encrypted. Here the cloud copy would save the day.

This is the reason why having 3 different copies is a good idea.

 

2 Different forms of media!

In the example given above, we had 3 copies of our file. The type of media this file is saved to is also important. The hard drive of the workstation and the external share are fundamentally the same, but the cloud storage is different, as are the tape drive and the disk.

The different media rule most probably harkens back to the days of tape drive backups. If your backup regimen lacked diversity and consisted of only tape drives, it was vulnerable to a failure of the tape drive reader.

This scenario is where the main hard drive fails and the tape drive reader ALSO fails. As tape drives were a long-term storage option, it wouldn’t be uncommon for a new tape drive reader to become hard to source. This means trying to find a new or functioning reader could become difficult, leaving your backups inaccessible.

The takeaway is that media diversity is equally important. You could store “Important_stuff.txt” on multiple different media, just as long as your eggs aren’t all in the same technological basket.

Having a diversity of media helps reduce the chances that all possible avenues of recovery will be inaccessible through equipment failure.

1 Copy stored offsite!

One copy of the backup should be stored offsite. If the head office burns down, it won’t matter how many backups you had. In our example, storing “Important_stuff.txt” on a tape drive and having it in a safety deposit box at your bank would negate the “office-burning-down” scenario as well as the perfect storm of ransomware encrypting everything.

Offsite copies will help mitigate a localized event.

 

A word on security.

You should make all best efforts to secure these backups. For an attacker, “Important_stuff.txt” is something that is immediately identified as a high-value item. Remember that if you store your backup in the cloud, the stewards of this cloud could have access to it. Portable drives are, well… portable, and by this I mean they can be portable in someone else’s pocket!

  • Use strong passwords on that offsite cloud service. Select cloud backup solutions that are zero-knowledge. (The stewards of the cloud don’t have access to your data in unencrypted form!)
  • Encrypt the data backed up to external solutions.
  • Store these backups in a safe place, preferably under lock and key.

The uses of encryption in the examples above show how it is beneficial, as opposed to how it is used by ransomware authors.

 

Good automation and discipline!

The single greatest obstacle to a proper 3-2-1 backup regimen is the discipline required to maintain it. A good way to mitigate this is to automate the backup process. The backing up of “Important_stuff.txt” should be transparent to its owner.
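As an added illustration of the automation step (example code, not part of the original post): the Python script below replicates a file to several backup locations, verifies each copy by SHA-256 digest so that a truncated or corrupted copy is not counted, and scores the verified set against the 3-2-1 rule. The locations, media types and the offsite flag are assumed inputs; the demo() run uses temporary directories standing in for the workstation, a cloud bucket and an offsite tape.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class Copy:
    """One copy of the file: where it lives, what media it is on, whether it is offsite."""
    name: str
    directory: str
    media: str        # assumed labels, e.g. "hdd", "cloud", "tape"
    offsite: bool


def sha256_of(path):
    """Digest of a file, read in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def replicate(source, target):
    """Copy source into target's directory and verify the copy byte-for-byte via its digest."""
    os.makedirs(target.directory, exist_ok=True)
    destination = os.path.join(target.directory, os.path.basename(source))
    shutil.copy2(source, destination)
    return sha256_of(destination) == sha256_of(source)


def check_321(copies):
    """Apply the 3-2-1 rule: 3 copies, on 2 kinds of media, 1 of them offsite."""
    media = {c.media for c in copies}
    offsite = sum(1 for c in copies if c.offsite)
    return {
        "copies": len(copies),
        "media_types": len(media),
        "offsite_copies": offsite,
        "compliant": len(copies) >= 3 and len(media) >= 2 and offsite >= 1,
    }


def run_backup(source, working_copy, targets):
    """Replicate source to every target, keep only verified copies, and score against 3-2-1."""
    verified = [working_copy] + [t for t in targets if replicate(source, t)]
    return check_321(verified)


def demo():
    """Constructed run: temp directories stand in for the workstation, cloud and offsite tape."""
    root = tempfile.mkdtemp()
    try:
        source = os.path.join(root, "workstation", "Important_stuff.txt")
        os.makedirs(os.path.dirname(source))
        with open(source, "w") as handle:
            handle.write("quarterly figures\n")
        working = Copy("workstation", os.path.dirname(source), "hdd", offsite=False)
        targets = [
            Copy("cloud backup", os.path.join(root, "cloud"), "cloud", offsite=True),
            Copy("tape in deposit box", os.path.join(root, "tape"), "tape", offsite=True),
        ]
        return run_backup(source, working, targets)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The digest comparison is the part worth keeping in any real job: a scheduled copy that silently fails, or a copy made after ransomware has already rewritten the source, should fail verification rather than quietly overwrite a good backup.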

Having backups gives you the option to deny ransomware authors by choosing the painful option and restoring from backups…

You could also install our product to mitigate ransomware attacks. (This should not be thought of as a replacement for a good backup strategy!)

 

Payment must be the absolute last resort.

Any option other than paying the cybercriminals for a decryption key is preferable. This is why when we see news reports recommending paying the ransom we collectively shake our heads. Encouraging familiarity with the Bitcoin ecosystem isn’t bad at all. Crypto-currencies are fascinating. Having some stored on hand for a quick payment, however, implies a fundamental failure.

Remember, when you pay the bad guys, you reinforce the viability of these types of attacks. You are teaching them that ransomware works.

 

The post 3, 2, 1, GO! Make backups of your data! appeared first on Malwarebytes Labs.


Your ISP, browsing history, and what to do about it

Malwarebytes - Tue, 04/04/2017 - 17:17

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We might all be familiar with this: we buy a product online and then see ads for it relentlessly for a couple of weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates with those of low-income or unemployed people, my ads would fill with work-from-home scams. Or low-literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There is a cornucopia of ways to target the weak and vulnerable via metadata, and it’s both legal and profitable.

 

Stalking

As we can see with many domestic violence cases, abusers have no compunction about using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, creating inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with a new home and a new identity, a victim would have to live with the fear of their search patterns, combined with their IP address, identifying them permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.

 

Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.

 

Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive, fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Freedom Foundation. It makes the browser use the more secure HTTPS connection whenever the website supports it. Encrypting traffic in this way does not hide from your ISP which websites you visit, but it does hide the specific content that you’re accessing on those pages. And as a browser extension, it’s fairly easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

The post Your ISP, browsing history, and what to do about it appeared first on Malwarebytes Labs.


A week in security (Mar 27 – Apr 02)

Malwarebytes - Mon, 04/03/2017 - 15:00

Do we have blogs for you! Last week, we cracked open a big book of definitions on what packers, crypters, and protectors are, dug into preinstalled mobile Adware, and warned of World of Warcraft phishing involving “free” pets. Elsewhere, we explained what exploits actually are and why they’re a big deal, explained the workings of Sage ransomware, took a deep dive into a website compromise campaign, the money problems of tech support scammers, and advised you to avoid a night at the movies.

Below are notable news stories and security-related happenings:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Mar 27 – Apr 02) appeared first on Malwarebytes Labs.


Steam spammers have a night at the movies

Malwarebytes - Fri, 03/31/2017 - 15:00

Users of gaming platform Steam have the ability to upload images from games, post messages, and more besides, into their social network stream. They also have the option to upload game-related artwork. Spammers occasionally make use of this feature to sling some spam at the gaming masses.

We’ve spotted one such example in the wild, in the form of a profile claiming to be IMDB offering up free movies. Below you can see they’ve uploaded six decidedly non-game related images, all of which claim a movie is but a click away.

There’s also some spam text accompanying the various pictures in an attempt to gain some search engine juice and also to provide a link for would-be movie watchers to click on.

Some of the links are in the flavor text, a few are only viewable if you enlarge the image, and more still are posted as standalone comments underneath the original picture.

As for where they go, it’s worth noting that Steam’s link filter will warn people that they’re about to move away from Steam (generally, this is there to try and help deter phishing but also serves as fair warning for any other scam you can think of).

Should they continue on with their journey, they’ll end up in a variety of locations.

We looked at three links, which were:

movies.putlockervideos(dot)com/movie/127380/finding-dory(dot)html
free-movies-streaming(dot)com/movie/321612/beauty-and-the-beast(dot)html
watchstv(dot)xyz/?do=play&id=65854-3-3-60-Days-In-Watch-Online-Series

All three links initially land on a “Watch this movie” page with what appears to be a movie player embedded and various pieces of movie-related text scattered about the place.

After that, though:

1. One of our links took us to a survey page, which asks the visitor to fill in personal info on offers in return for “something”. It’s fair to say we’d be very cautious about doing this, as more often than not you never receive the desired prize(s) after handing over a bunch of PII.

2. Another link took us to a movie site which says “sign up for free”, but also wants you to pay a monthly billing fee to continue membership (we looked at the Terms & Conditions, but we couldn’t pin down an exact number).

3. Possibly the worst of the bunch, this one suggests Finding Dory is available to watch.

Clicking the box, however, takes visitors to an ad rotator URL which drops us off at a variety of non-child-friendly links. Various adult webcams, surveys, and related sites all lie in wait.

So, you know, whoops.

Accounts such as the one pushing the above links tend to get deleted or cleaned up (if it’s been hijacked) fairly quickly. Don’t make life easier for the spammers – ignore all of their attempts to give you a night at the movies and report them to Steam. With any luck, they’ll be ejected from the cinema before the trailers are over.

 

Christopher Boyd

The post Steam spammers have a night at the movies appeared first on Malwarebytes Labs.


Tech support scammers and their banking woes

Malwarebytes - Thu, 03/30/2017 - 15:00

We all know about tech support scams by this point. We know how they cold call, lie their way into your computer, and steal your money. Unfortunately for the scammers, banks know this as well, making it quite difficult at times to maintain an account to store the criminal’s ill-gotten gains. So how does the enterprising criminal cash out with your money? Let’s take a look.

High-risk payment processors

When a business owner is involved with a line of work that traditional payment processors don’t want to be involved with—typically pornography, pharma, and gambling—they use high-risk processors. In exchange for the perceived higher risk of processing payments in industries known for fraudulent activity, the processor takes a higher fee. The traditional tech support scam model used to rely heavily on these companies, typically through an Indian intermediary to offer an extra layer of anonymity.

 

However, as the spotlight on tech support scams grew brighter and victims increasingly initiated chargebacks, high-risk processors have increasingly dropped overseas tech support companies in order to protect their relationships with more legitimate businesses, as well as the credit card companies who monitor customer chargeback rates. The processors that haven’t given up tech support yet tend to levy extra restrictions against overseas customers in their contractual agreements, as demonstrated in the example contract below.

 

 

So, barred from traditional banks and losing access to high-risk processors, tech support scammers have gotten a little creative. An increasingly common payment method we’ve seen is Apple or iTunes gift cards. The idea is that the scammer gets a commodity that is easily laundered on the dark web, while the victim sees Apple on their credit card statement rather than FAKE COMPANY XYZ. This has the added benefit of making it extra tough for the victim to produce evidence that ties back to the scammer.

Apple has some pretty good advice on the subject here.

Suffice it to say, legitimate tech support companies do not do this. Malwarebytes has observed tech support scammers using Apple/iTunes gift cards, Amazon gift cards, Bitcoin, and even sending a FedEx guy to physically pick up a check. Non-standard payment methods like these are usually a pretty good signal that the tech support business in question has a hard time getting access to a credit card processor and you probably shouldn’t do business with them.

Lastly, scammers might collect payment using direct bank transfers via the Automated Clearing House (ACH). Criminals love this method because it only requires two pieces of information to work—your account number and a routing number. Also, non-business victims only have 60 days to report losses in order to recover funds. More on ACH fraud here.

So if you’re ever on the phone with a support company that is insistent that you pay with third party gift cards, ask the operator, “Why can’t I use my credit card?” You might get some very creative answers. But the best defense when encountering this is to simply hang up the phone. If you’ve allowed the scammer remote access to your computer, close the window as well, or just disconnect your internet. For more on how to stay safe from tech support scams or find out more on what to do if you’ve had a run-in with them, check out our post here.

The post Tech support scammers and their banking woes appeared first on Malwarebytes Labs.


Websites compromised in ‘Decimal IP’ campaign

Malwarebytes - Wed, 03/29/2017 - 23:00

When looking at malicious traffic, one of the things we are interested in is the hosts involved in a particular attack. For example, we check the hostnames or IP addresses that were serving up malicious code.

Before getting further, let’s define a few concepts to better understand the topic we are discussing today. A host name can be:

  • A domain name (e.g. http://example.com/)
  • A fully qualified domain name (e.g. http://test.example.com/)
  • An IP address (e.g. http://127.0.0.1/)

It’s less common, but an IP address can indeed be used directly as the host in a URL, and when that happens it is called an IP-literal hostname (see Eric Lawrence’s post on this subject).

IPv4 addresses follow the dot-decimal notation: four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (http://2130706433/) or octal form (http://017700000001/).

This takes us to a recent infection chain for the RIG exploit kit where we came across such an occurrence. The host was:

http://1760468715

While for us humans it makes little sense that this could even resolve, Internet Explorer and Chrome (Edge doesn’t seem to) can handle it just fine and convert that into a proper IP address (104.238.158.235):

We observed websites that had been hacked and were pushing this unorthodox URL via 302 redirects (the HTTP status code telling the client that the resource is found at another location):

HTTP/1.1 302 Found
Server: nginx/1.10.1
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.23
Access-Control-Allow-Origin: *
Location: http://1760468715/
Vary: Accept-Encoding

This in turn leads to another redirector performing the final call to the RIG EK landing page and infecting the user with the Smoke Loader malware, as shown below:

Upon Googling for that particular string (1760468715), we can find many sites that have been injected with the Decimal IP redirect:
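The conversion browsers perform, and a check a defender can run over captured responses, as an added example (not code from the post): parse_ip_literal() applies the inet_aton rules (one to four labels, each plain decimal, octal with a leading zero, or hex with 0x, the last label filling whatever bits remain), and find_unusual_ip_redirects() flags Location headers whose host is an IP literal written in anything but plain dotted-decimal. The responses it scans are constructed for the example; the first mirrors the redirect quoted above.

```python
import re
from urllib.parse import urlsplit

# One label of an IPv4 literal, in any of the forms inet_aton accepts:
# hex (0x68), octal with a leading zero (0150) or plain decimal (104).
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(part):
    """Numeric value of one label, or None if it is not a valid label."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def parse_ip_literal(host):
    """Dotted-decimal form of an IPv4 literal, or None if host is not one.

    With n labels, the first n-1 are one byte each and the last label fills the
    remaining 32 - 8*(n-1) bits, so "1760468715" is a single 32-bit number and
    "0x7f.1" is 127 followed by a 24-bit value of 1.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    if any(v > 255 for v in lead) or last >= 1 << (32 - 8 * len(lead)):
        return None
    number = last
    for i, v in enumerate(lead):
        number |= v << (24 - 8 * i)
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_unusual_ip_literal(host):
    """True when host is an IPv4 literal written in anything but plain dotted-decimal."""
    dotted = parse_ip_literal(host)
    return dotted is not None and dotted != host


def redirect_target(raw_response):
    """Value of the Location header of a raw HTTP response, or None."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def find_unusual_ip_redirects(responses):
    """(host, dotted-decimal) for every redirect whose target host is an unusual IP literal."""
    hits = []
    for raw in responses:
        location = redirect_target(raw)
        host = urlsplit(location).hostname if location else None
        if host and is_unusual_ip_literal(host):
            hits.append((host, parse_ip_literal(host)))
    return hits


# Constructed responses: the first mirrors the redirect quoted in the post,
# the others are benign controls (a hostname and a plain dotted address).
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nServer: nginx/1.10.1\r\nContent-Length: 0\r\n"
    "Location: http://1760468715/\r\nVary: Accept-Encoding\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: http://104.238.158.235/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
]

if __name__ == "__main__":
    for host, dotted in find_unusual_ip_redirects(SAMPLE_RESPONSES):
        print(f"redirect to IP literal {host} -> {dotted}")
```

Normalising the host before matching is the point: a blocklist keyed on 104.238.158.235 misses 1760468715, 0x68.238.158.235 and 0150.0356.0236.0353 unless the lookup goes through the same conversion the browser applies.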

There is a thread on StackExchange about a website owner dealing with such an infection and trying to find out how to locate it. Some folks suggest grepping the entire server for the incriminating string, while others recommend a complete wipe and reinstallation.

Perhaps the malicious actors are trying to avoid some IP filters or maybe make identification harder by using a less common URL format. In any case, Malwarebytes users are protected from accessing this rogue server, no matter how the URL is formatted.

And if you wonder about the real-life purposes of these non-dotted IP-literal URLs and want to participate in the debate, feel free to join this 16-year-old thread:

IOCs:

Redirect:

Decimal IP: 1760468715
IPv4 dot-decimal: 104.238.158.235

Payload (Smoke Loader):

4bed780a55e6179e4a1236444c34398af50d3bea39f86eb877089265f833bda5

The post Websites compromised in ‘Decimal IP’ campaign appeared first on Malwarebytes Labs.


Explained: Sage ransomware

Malwarebytes - Wed, 03/29/2017 - 15:00

Sage is yet another ransomware that has become a common threat nowadays. Like Spora, it can encrypt files offline. The malware is actively developed and currently we are facing an outbreak of version 2.2 of this product.

Analyzed samples

Distribution method

Most often, Sage is dropped by downloader scripts distributed via phishing e-mails (office documents with malicious macros or standalone JS files). In the analyzed case, the sample was dropped via a JavaScript file.

Behavioral analysis

After being deployed, Sage deletes the original sample and runs another copy, dropped in %APPDATA% (the names of the dropped files differ between machines – probably generated based on the GUID):

The dropped copy deploys itself once again, with a parameter ‘g’. Example:

"C:\Users\tester\AppData\Roaming\FkGtk5ju.exe" g

After finishing its work, that dropped copy is also deleted with the help of a batch script dropped in the %TEMP% folder.

The content dropped in %TEMP% is shown in the picture below. We can see the batch scripts and the BMP that is set as the wallpaper:

Sample contents of the batch scripts are given below. As we can see, the ping command is used to delay operations.

In case the system gets restarted before the encryption finishes, Sage sets a link in the Startup folder so that it can continue after the reboot:

However, if the ransomware successfully completes the encryption process and deletes itself, the link is left behind, pointing at nothing.

After finishing, the wallpaper is changed. In version 2.2 the wallpaper looks very similar to 2.0, except the font is green instead of red:

At the end of the execution, the ransom note !HELP_SOS.hta opens automatically:

In addition to the written information, Sage 2.2 plays a voice message informing about the infection. It is deployed via WScript running the default Microsoft text-to-speech service – just as in the case of Cerber.

Some content is left in %APPDATA%:

Encrypted files are given the “.sage” extension and their icons are changed:

Visualization of a file – before and after encryption:

Files with the same plaintext produce different ciphertexts, which leads to the conclusion that each file is encrypted with a new key.

Sage works without an internet connection; however, if connected, it sends data via UDP (similarly to Cerber):

The traffic is encrypted:

Page for the victim

The ransom note contains a link to the page for the victim. The victim’s key, encrypted and Base64-encoded, is passed via the URL to the attackers’ server. Example: http://7gie6ffnkrjykggd.onion/login/AQAAAAAAAAAAv4NRzsVPkfwPPWixq2mqtFwGWlZTeCDpL_BGPyeJFhDA

The key can also be pasted into a field on the website:

Keep in mind that the first login on the page for the victim starts the timer. From this moment, the countdown to the price increment is running.

The website is protected by a simple captcha and allows for a simple customization – the victim can choose one of the supported languages (currently 17):

The page contains typical information, such as the amount of ransom to be paid and further instructions:

The malware lets the victim test its decryption capabilities by uploading some encrypted files (the file must be smaller than 15 KB):

However, the result is not available instantly:

After some hours, the decrypted version of the uploaded file is indeed available to download:

Inside

Sage is delivered packed by various crypters. After defeating the first layer we obtain a second PE file – the malicious core, which is not further obfuscated.

At the beginning of the execution, Sage generates the Victim ID/key and saves it in a .tmp file dropped in the %APPDATA% folder. Then, it removes backups from the system:

Executed commands:

vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Sage enumerates the files, and those matching the defined criteria are encrypted. First, the malware creates a file with the same name as the attacked one, but with three dots at the end.

Both files coexist in the system until the encrypting is finished.

Then, the original file is deleted and the newly created one – renamed with the extension .sage:

At the end, only the .sage file is left:
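Detection logic for the behaviour described in this section, as an added example (not code from the post): the script matches the vssadmin and bcdedit commands listed above against process-creation events and spots the create “name...” then rename to “name.sage” sequence in file events. The CSV-style event log it reads is constructed for the example and only models the behaviour the post describes; its format (timestamp, event, detail; a rename detail is source|destination) is an assumption, not any real sensor’s output.

```python
import re

# Constructed event log (not from the post), modelled on the behaviour the post
# describes: "timestamp,event,detail"; a FileRename detail is "source|destination".
SAMPLE_EVENTS = r"""
2017-03-29 10:00:01,ProcessCreate,"C:\Users\tester\AppData\Roaming\FkGtk5ju.exe" g
2017-03-29 10:00:02,ProcessCreate,vssadmin.exe delete shadows /all /quiet
2017-03-29 10:00:02,ProcessCreate,bcdedit.exe /set {default} recoveryenabled no
2017-03-29 10:00:02,ProcessCreate,bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2017-03-29 10:00:05,FileCreate,C:\Users\tester\Documents\report.docx...
2017-03-29 10:00:06,FileDelete,C:\Users\tester\Documents\report.docx
2017-03-29 10:00:06,FileRename,C:\Users\tester\Documents\report.docx...|C:\Users\tester\Documents\report.docx.sage
2017-03-29 10:00:07,FileCreate,C:\Users\tester\Documents\notes.txt...
2017-03-29 10:00:08,FileDelete,C:\Users\tester\Documents\notes.txt
2017-03-29 10:00:08,FileRename,C:\Users\tester\Documents\notes.txt...|C:\Users\tester\Documents\notes.txt.sage
2017-03-29 10:01:00,FileCreate,C:\Users\tester\Documents\draft.txt...
2017-03-29 10:05:00,ProcessCreate,ping 127.0.0.1 -n 3
"""

# The commands the post shows Sage running before encryption, as detection rules.
COMMAND_RULES = [
    ("shadow copies deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery environment disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("boot failure warnings suppressed", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def parse_events(text):
    """Parse the CSV-style log into (timestamp, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, kind, detail = line.split(",", 2)
        events.append((timestamp, kind, detail))
    return events


def flag_commands(events):
    """Process-creation events matching the shadow-copy / recovery tampering rules."""
    hits = []
    for timestamp, kind, detail in events:
        if kind != "ProcessCreate":
            continue
        for name, pattern in COMMAND_RULES:
            if pattern.search(detail):
                hits.append((timestamp, name))
    return hits


def flag_sage_renames(events):
    """Original paths that went through create 'name...' followed by rename to 'name.sage'."""
    staged = set()
    encrypted = []
    for _timestamp, kind, detail in events:
        if kind == "FileCreate" and detail.endswith("..."):
            staged.add(detail)
        elif kind == "FileRename" and "|" in detail:
            source, destination = detail.split("|", 1)
            if source in staged and destination == source[:-3] + ".sage":
                encrypted.append(source[:-3])
    return encrypted


def assess(text):
    """Combine both signals; either alone is weaker evidence than the two together."""
    events = parse_events(text)
    commands = flag_commands(events)
    files = flag_sage_renames(events)
    return {
        "commands": [name for _, name in commands],
        "encrypted_files": files,
        "ransomware_like": bool(commands) and bool(files),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

The vssadmin and bcdedit rules are shared by many ransomware families and are worth alerting on regardless of Sage; the three-dots staging file and the .sage rename are the family-specific part, and a file that is staged but never renamed (draft.txt in the sample) is deliberately not counted, which is what an encryption run interrupted by a reboot would look like.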

What is attacked?

Sage comes with a long list of targeted extensions, hard-coded in the binary:

dat mx0 cd pdb xqx old cnt rtp qss qst fx0 fx1 ipg ert pic img cur fxr slk m4u mpe mov wmv mpg vob mpeg 3g2 m4v avi mp4 flv mkv 3gp asf m3u m3u8 wav mp3 m4a m rm flac mp2 mpa aac wma djv pdf djvu jpeg jpg bmp png jp2 lz rz zipx gz bz2 s7z tar 7z tgz rar ziparc paq bak set back std vmx vmdk vdi qcow ini accd db sqli sdf mdf myd frm odb myi dbf indb mdb ibd sql cgn dcr fpx pcx rif tga wpg wi wmf tif xcf tiff xpm nef orf ra bay pcd dng ptx r3d raf rw2 rwl kdc yuv sr2 srf dip x3f mef raw log odg uop potx potm pptx rss pptm aaf xla sxd pot eps as3 pns wpd wps msg pps xlam xll ost sti sxi otp odp wks vcf xltx xltm xlsx xlsm xlsb cntk xlw xlt xlm xlc dif sxc vsd ots prn ods hwp dotm dotx docm docx dot cal shw sldm txt csv mac met wk3 wk4 uot rtf sldx xls ppt stw sxw dtd eml ott odt doc odm ppsm xlr odc xlk ppsx obi ppam text docb wb2 mda wk1 sxm otg oab cmd bat h asx lua pl as hpp clas js fla py rb jsp cs c jar java asp vb vbs asm pas cpp xml php plb asc lay6 pp4 pp5 ppf pat sct ms11 lay iff ldf tbk swf brd css dxf dds efx sch dch ses mml fon gif psd html ico ipe dwg jng cdr aep aepx 123 prel prpr aet fim pfb ppj indd mhtm cmx cpt csl indl dsf ds4 drw indt pdd per lcd pct prf pst inx plt idml pmd psp ttf 3dm ai 3ds ps cpx str cgm clk cdx xhtm cdt fmv aes gem max svg mid iif nd 2017 tt20 qsm 2015 2014 2013 aif qbw qbb qbm ptb qbi qbr 2012 des v30 qbo stc lgb qwc qbp qba tlg qbx qby 1pa ach qpd gdb tax qif t14 qdf ofx qfx t13 ebc ebq 2016 tax2 mye myox ets tt14 epb 500 txf t15 t11 gpc qtx itf tt13 t10 qsd iban ofc bc9 mny 13t qxf amj m14 _vc tbp qbk aci npc qbmb sba cfp nv2 tfx n43 let tt12 210 dac slp qb20 saj zdb tt15 ssg t09 epa qch pd6 rdy sic ta1 lmr pr5 op sdy brw vnd esv kd3 vmb qph t08 qel m12 pvc q43 etq u12 hsr ati t00 mmw bd2 ac2 qpb tt11 zix ec8 nv lid qmtf hif lld quic mbsb nl2 qml wac cf8 vbpf m10 qix t04 qpg quo ptdb gto pr0 vdf q01 fcr gnc ldc t05 t06 tom tt10 qb1 t01 rpf t02 tax1 1pe skg pls t03 xaa dgc mnp qdt mn8 ptk t07 chg #vc qfi acc m11 kb7 q09 esk 
09i cpw sbf mql dxi kmo md u11 oet ta8 efs h12 mne ebd fef qpi mn5 exp m16 09t 00c qmt cfdi u10 s12 qme int? cf9 ta5 u08 mmb qnx q07 tb2 say ab4 pma defx tkr q06 tpl ta2 qob m15 fca eqb q00 mn4 lhr t99 mn9 qem scd mwi mrq q98 i2b mn6 q08 kmy bk2 stm mn1 bc8 pfd bgt hts tax0 cb resx mn7 08i mn3 ch meta 07i rcs dtl ta9 mem seam btif 11t efsl $ac emp imp fxw sbc bpw mlb 10t fa1 saf trm fa2 pr2 xeq sbd fcpa ta6 tdr acm lin dsb vyp emd pr1 mn2 bpf mws h11 pr3 gsb mlc nni cus ldr ta4 inv omf reb qdfx pg coa rec rda ffd ml2 ddd ess qbmd afm d07 vyr acr dtau ml9 bd3 pcif cat h10 ent fyc p08 jsd zka hbk bkf mone pr4 qw5 cdf gfi cht por qbz ens 3pe pxa intu trn 3me 07g jsda 2011 fcpr qwmo t12 pfx p7b der nap p12 p7c crt csr pem gpg key

In order to access all the files without any interference, Sage searches and terminates any associated processes. Processes are identified by their names:

msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe

As is common in ransomware, some paths are excluded from the attack. In this case, the blacklist covers not only system directories but also others related to popular games, such as “League of Legends”, “steamapps”, and “GOG Games”.

tmp Temp winnt 'Application Data' AppData ProgramData 'Program Files (x86)' 'Program Files' '$Recycle Bin' '$RECYCLE BIN' Windows.old $WINDOWS.~BT DRIVER DRIVERS 'System Volume Information' Boot Windows WinSxS DriverStore 'League of Legends' steamapps cache2 httpcache GAC_MSIL GAC_32 'GOG Games' Games 'My Games' Cookies History IE5 Content.IE5 node_modules All Users AppData ApplicationData nvidia intel Microsoft System32 'Sample Music' 'Sample Pictures' 'Sample Videos' 'Sample Media' Templates

Some countries (recognized by keyboard layouts) are also excluded from the attack. Below is the function checking if the selected keyboard layout is present in the system:

Systems with the following keyboard layouts are omitted by Sage 2.2: Belarusian, Kazak, Ukrainian, Uzbek, Sakha, Russian, Latvian.

How does the encryption work?

Sage uses two cryptographic algorithms: Elliptic Curves and ChaCha20. ChaCha20 is used to encrypt the content of each file, while ECC is used to protect the randomly generated keys.

Each random key is retrieved using a cryptographically secure generator (SystemFunction036). The filled buffer is preprocessed by a simple algorithm:

Victim ID

At the beginning of the execution, Sage creates a random buffer and encrypts it using ECC. We will refer to the buffer produced in the first round of encryption as the Victim ID, and to the output of the subsequent rounds as the Encrypted Victim ID.

In the first round, the random value is encrypted using ECC, producing the Victim ID.

In the second round, the same random value is encrypted using ECC along with another buffer that is hardcoded in the binary. The output is processed in the same way as the random buffer:

In the third round, the resulting buffer is again encrypted by ECC – producing the Encrypted Victim ID.

Both output buffers are kept in the memory of the application and used further (they are also saved in the TMP file dropped in the %APPDATA% folder).

The part highlighted on the screenshot is the Victim ID (after that, next 32 bytes are the Encrypted Victim ID):

The Victim ID is also saved in the ransom note, in a Base64*-encoded form:

*The character set is slightly modified in comparison to the classic Base64. In order to decode it as Base64 we must replace ‘-‘ with ‘+’ and ‘_’ with ‘/’ for example the ID: AQAAAAAAAAAAGwsZ-IAO5_pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA is Base64: AQAAAAAAAAAAGwsZ+IAO5/pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA
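As an added example (not code from the original post), here is a small decoder for that modified alphabet. It performs exactly the two substitutions described above before handing the string to a standard Base64 decoder; restoring stripped '=' padding is a generalization added so that an ID copied without its trailing padding still decodes. The victim ID used below is the one quoted in the post.

```python
import base64
import re

# Alphabet used in the ransom note: classic Base64 with '-' in place of '+'
# and '_' in place of '/' (the same substitution as the URL-safe alphabet).
_NOTE_ALPHABET = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")


def to_classic_base64(note_id: str) -> str:
    """Apply the two substitutions the post describes and restore '=' padding."""
    if not _NOTE_ALPHABET.match(note_id):
        raise ValueError("string is not in the Sage ransom-note alphabet")
    classic = note_id.rstrip("=").replace("-", "+").replace("_", "/")
    # Generalization: a note ID copied without padding still decodes.
    return classic + "=" * (-len(classic) % 4)


def decode_victim_id(note_id: str) -> bytes:
    """Decode the Victim ID copied from a Sage ransom note into raw bytes."""
    return base64.b64decode(to_classic_base64(note_id), validate=True)


# Victim ID quoted in the post (not a constructed value).
SAMPLE_NOTE_ID = "AQAAAAAAAAAAGwsZ-IAO5_pntzI3UnC8VweSZXaKQ0gTJ9PRS8AkiAnA"

if __name__ == "__main__":
    raw = decode_victim_id(SAMPLE_NOTE_ID)
    print(f"{len(raw)} bytes: {raw.hex().upper()}")
```

Running it on the ID from the note yields 42 bytes; the translated string matches the classic Base64 form given above.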

In addition, the Victim ID is also saved in each and every encrypted file:

The Encrypted Victim ID takes part in encrypting the file’s content (as a key unique per victim).

File encryption

At the beginning of the file-encrypting function, a new 32-byte key is generated (unique to each file).

The random number is encrypted with the help of ECC twice:

  • Individually – to make the key1 that is stored in the file
  • Along with the Encrypted Victim’s ID – to make the key2, used by ChaCha20

As we can see, the key2 is used to initialize the cryptographic function’s context. ChaCha20 can be recognized by typical constants used in the initialization function:

The file is encrypted chunk by chunk (the maximal chunk size is 0x20000) with the help of ChaCha20:

At the end of the file, the first derived key (key1) and some additional data is appended:

Appended data is separated from the encrypted file’s content by two hard-coded markers: 0x5A9EDEAD and 0x5A9EBABE

Markers at the end of the encrypted file:

After the first marker Sage stores the following information: Victim ID, Key1, size of the original file.
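Added example, not code from the original post: a small scanner that uses the two markers quoted above to recognise a Sage-encrypted file and to split off the appended block. The post names the fields stored after the first marker (Victim ID, key1, size of the original file) but not their byte widths or byte order, so the 32-byte, 32-byte and 8-byte little-endian layout used here is an assumption, labelled as such in the code; when the gap between the markers does not match that layout the raw bytes are returned instead. The sample file is constructed.

```python
import struct

# Markers quoted in the post, as 32-bit integers.
MARKER_TRAILER_START = 0x5A9EDEAD
MARKER_TRAILER_END = 0x5A9EBABE

# ASSUMED field widths (the post names the fields but not their sizes).
VICTIM_ID_LEN = 32
KEY1_LEN = 32
ORIG_SIZE_LEN = 8


def find_markers(data: bytes):
    """Locate both markers; returns (start_offset, end_offset, byte_order) or None.

    The post does not say which byte order the markers are written in, so both
    little- and big-endian encodings are tried.
    """
    for order in ("<", ">"):
        start = data.rfind(struct.pack(order + "I", MARKER_TRAILER_START))
        end = data.rfind(struct.pack(order + "I", MARKER_TRAILER_END))
        if start != -1 and end != -1 and start < end:
            return start, end, order
    return None


def looks_sage_encrypted(data: bytes) -> bool:
    """Cheap triage check: both markers present, in order, with the second one at the very end."""
    found = find_markers(data)
    return found is not None and found[1] + 4 == len(data)


def parse_trailer(data: bytes):
    """Split a Sage-style file into ciphertext and the appended metadata fields."""
    found = find_markers(data)
    if found is None:
        return None
    start, end, order = found
    trailer = data[start + 4:end]
    result = {"ciphertext_len": start, "byte_order": order, "raw_trailer": trailer}
    # Only interpret the fields when the gap matches the assumed layout.
    if len(trailer) == VICTIM_ID_LEN + KEY1_LEN + ORIG_SIZE_LEN:
        result["victim_id"] = trailer[:VICTIM_ID_LEN]
        result["key1"] = trailer[VICTIM_ID_LEN:VICTIM_ID_LEN + KEY1_LEN]
        (result["original_size"],) = struct.unpack(order + "Q", trailer[-ORIG_SIZE_LEN:])
    return result


def build_sample_file(ciphertext: bytes, victim_id: bytes, key1: bytes, original_size: int) -> bytes:
    """Construct a file in the assumed layout so the parser can be exercised offline."""
    return (ciphertext
            + struct.pack("<I", MARKER_TRAILER_START)
            + victim_id + key1 + struct.pack("<Q", original_size)
            + struct.pack("<I", MARKER_TRAILER_END))


# Constructed sample: 512 bytes standing in for ChaCha20 output, dummy ID and key.
SAMPLE_FILE = build_sample_file(bytes(range(256)) * 2, b"V" * 32, b"K" * 32, 100000)

if __name__ == "__main__":
    info = parse_trailer(SAMPLE_FILE)
    print(looks_sage_encrypted(SAMPLE_FILE), info["ciphertext_len"], info["original_size"])
```

The triage check requires the closing marker to sit at the end of the file, which is how the post describes the layout; a marker sequence that merely occurs somewhere inside a file is not enough on its own.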

Network communication

Sage does not need any data from the CnC in order to work. However, as mentioned before, it may generate some UDP traffic. This is because it is capable of sending some data about the attacked system. Depending on the configuration, the data may be sent either via UDP or via an HTTP POST request. The data is encrypted before being sent, also with the help of the ChaCha20 algorithm. In the observed case, the ChaCha20 key was a buffer filled with 0 bytes.

Examples of the data sent to the CnC

Sage sends the generated keys to the CnC, i.e.:

Compare with the buffer before encryption:

The same data is also formatted into a human-readable form, like the one shown below. However, so far we have not observed any use of this data. It may be an unfinished feature that will be developed further in new versions of this product. Formatted equivalent of the above buffer:

[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 4, { "v": 1, "gpk": bin(32) CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, "pk": bin(32) 2BB7BD5394B845629C90BB2B43D9655DC9C86347C4C695AB18150D7031B9E41F, }]

Other examples – collected information about the attacked machine:

[bin(33) 01CB3B94D965A389978A16035ED700C87A780088730989C24C581325340A866C4B, 3, { "s": { "w": { "v": [ 6, 1, false, false, 7601, 1, 0, ], "u": "tester", "p": "TESTMACHINE", }, "c": " Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz", "m": 232, "k": [68486165, 4026598409, 4026991637], }, "i": 12288, "w": null, }]

Adding icons

An interesting and uncommon feature deployed by Sage is the change of icons for the file types it uses. A padlock icon is added to the encrypted files with the .sage extension, and a key icon is added to the files with the .hta extension (which are used for the ransom notes). The icon change is implemented by setting the appropriate registry keys:

Conclusion

Sage, similar to Spora, uses a complex way of deriving keys. So far, there is no solution that would allow recovering files without paying the ransom – that’s why we recommend focusing on prevention instead. Malwarebytes 3.0 Premium users are protected from Sage ransomware as long as it is installed prior to being infected.

Appendix

https://blog.fortinet.com/2017/02/02/a-closer-look-at-sage-2-0-ransomware-along-with-wise-mitigations – Fortinet about Sage 2.0

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post Explained: Sage ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What are exploits? (And why you should care)

Malwarebytes - Wed, 03/29/2017 - 14:00

Exploits: they’re not your mama’s cyberthreats. At one point in the not-so-distant past, exploits were responsible for delivering 80 percent of malware to people’s systems. But exploits seem to be experiencing a lull today. Does this mean they’re gone for good and we can all let down our guard? Or is this simply the calm before the storm? Let’s break down this stealthy threat so you can not only know your enemy, but also be appropriately prepared should the exploit attacks return.

What is an exploit?

An exploit is a program or piece of code that finds and takes advantage of a security flaw in an application or system so that cybercriminals can use it for their benefit, i.e., exploit it.

Cybercriminals frequently deliver exploits to computers as part of a kit, or a collection of exploits, that is hosted on websites or hidden on invisible landing pages. When you land on one of these sites, the exploit kit automatically fingerprints your computer to see which operating system you are on, which programs you have running, and most importantly, whether any of these have security flaws, called vulnerabilities. It is basically looking at your computer for weaknesses to exploit—not unlike the Trojans did with Achilles’ heel.

After discovering vulnerabilities, the exploit kit uses its pre-built code to essentially force the gaps open and deliver malware, bypassing many security programs.

So are exploits a form of malware? Technically, no. Exploits are not malware themselves, but rather methods for delivering the malware. An exploit kit doesn’t infect your computer. But it opens the door to let the malware in.

How do exploits attack?

People most often come across exploit kits from booby-trapped high-trafficked websites. Cybercriminals typically choose popular, reputable sites in order to reap the highest return on their investment. This means the news sites you read, the website you use to browse real estate, or the online store where you buy your books are all possible candidates. Sites such as yahoo.com, nytimes.com, and msn.com have been compromised in the past.

So you’re surfing the web, stopping by a website you love, and the compromised site redirects you in the background, without opening any new browser windows or alerting you in any other way, so that you can be scanned for suitability for infection. Based on this scan, you are either selected for exploitation or discarded.

How is your favorite website compromised? In one of two ways:

  • A piece of malicious code is hidden in plain sight on the website (via good old-fashioned hacking).
  • An advertisement that is displayed on the website has been infected.

These malicious ads, known as malvertising, are especially dangerous, as users don’t even need to click on the ad in order to be exposed to the threat. Both methods, hacked sites or malvertising, immediately redirect you (point your web browser) to an invisible landing page that is hosting the exploit kit. Once there, if you have vulnerabilities on your computer, it’s game over.

The exploit kit identifies vulnerabilities and launches the appropriate exploits in order to drop malicious payloads. These payloads (the malware) can then execute and infect your computer with all kinds of bad juju. Ransomware is a particular favorite payload of exploit kits these days.

Which software is vulnerable?

In theory, given enough time, every piece of software is potentially vulnerable. Specialist criminal teams spend lots of time pulling apart programs so they can find vulnerabilities. However, they typically focus on the applications with the highest user-base, as they present the richest targets. As with all forms of cybercrime, it’s a numbers game. Top application targets include Internet Explorer, Flash, Java, Adobe Reader, and Microsoft Office.

How security folks fight it

Software companies understand that the programs they develop may contain vulnerabilities. As incremental updates are made to the programs in order to improve functionality, looks, and experience, so too are security fixes made to close vulnerabilities. These fixes are called patches, and they are often released on a regular schedule. For example, Microsoft releases a cluster of patches for their programs on the second Tuesday of each month, known as Patch Tuesday.

Companies may also release patches for their programs ad-hoc when a critical vulnerability is discovered. These patches essentially sew up the hole so exploit kits can’t find their way in and drop off their malicious packages.

The problem with patches is they often aren’t released immediately after a vulnerability is discovered, so criminals have time to act and exploit. The other problem is that they rely on users downloading those “annoying” updates as soon as they come out. Most exploit kits target vulnerabilities that have already been patched for a long time because they know most people don’t update regularly.

For software vulnerabilities that have not yet been patched by the company that makes the software, there are technologies and programs developed by cybersecurity companies that shield programs and systems known to be favorites for exploitation. These technologies essentially act as barriers around vulnerable programs and stop exploits at multiple stages of the attack, so that they never get a chance to drop off their malicious payload.

Types of exploits

Exploits can be grouped into two categories: known and unknown, also called zero-day exploits.

Known exploits are exploits that security researchers have already discovered and documented. These exploits take advantage of known vulnerabilities in software programs and systems (that perhaps users haven’t updated in a long time). Security professionals and software developers have already created patches for these vulnerabilities, but it can be difficult to keep up with all the required patches for every piece of software—which is why these known exploits are still so successful.

Unknown exploits, or zero-days, are used on vulnerabilities that have not yet been reported to the general public. This means that cybercriminals have either spotted the flaw before the developers noticed it, or they’ve created an exploit before developers get a chance to fix the flaw. In some cases, developers may not even find the vulnerability in their program that led to an exploit for months, if not years! Zero-days are particularly dangerous because even if users have their software fully updated, they can still be exploited, and their security can be breached.

Biggest exploit offenders

The three exploit kits most active in the wild right now are named RIG, Neutrino, and Magnitude. RIG remains the most popular kit, and it’s being used in both malvertising and website compromising campaigns to infect people’s machines with ransomware. Neutrino is a Russian-made kit that’s been used in malvertising campaigns against top publishers, and it preys on Java vulnerabilities (also to deliver ransomware). Magnitude is using malvertising to launch its attacks as well, though it’s strictly focused on countries in Asia.

Two lesser-known exploit campaigns, Pseudo-Darkleech and EITest, are currently the most popular redirection vehicles using compromised websites. These offenders inject code into sites such as WordPress, Joomla, or Drupal, and automatically redirect visitors to an exploit kit landing page.

As with all forms of cyberthreats, exploits, their methods of delivery, and the malware they drop are constantly evolving. It’s a good idea to stay on top of the most common forms to make sure the programs they target are patched on your computer.

Current exploit kit landscape

Right now, the exploit scene is pretty bleak, which is a good thing for those in the security industry and, essentially, for anyone using a computer. This is because in June 2016, Angler, a sophisticated exploit kit that was responsible for nearly 60 percent of all exploit attacks the year before, was shut down. There hasn’t been any other exploit kit that’s built up the same level of market share since.

Threat actors have been a bit gun-shy about running back to exploit kits, for fear of another Angler takedown. Once Angler was dismantled, cybercriminals turned their focus back to some more traditional forms of attack, including phishing and emails with malicious attachments (malspam). But rest assured, they’ll be back once a new, more reliable exploit kit proves effective on the black market.

How to protect against exploits

The instinct may be to take little to no action to protect against exploits, since there’s not a lot of exploit-related cybercriminal activity right now. But that would be like choosing not to lock your doors since there hasn’t been a robbery in your neighborhood in a year. A couple of simple security practices can help you stay ahead of the game.

First, make sure you keep your software programs, plugins, and operating systems updated at all times. This is done by simply following instructions when reminded by those programs that updates are ready. You can also check settings from time to time to see if there are patch notifications that may have fallen off your radar.

Second, invest in cybersecurity that protects against both known and unknown exploits. Several next-generation cybersecurity companies, including Malwarebytes, have started integrating anti-exploit technology into their products.

So you can either kick back and pray that we’ve seen the last of exploits. Or, you can keep your shields up by consistently updating your programs and operating systems, and using top-notch anti-exploit security programs. The smart money says exploits will be back. And when they return, you won’t have a weak heel to expose to them.

The post What are exploits? (And why you should care) appeared first on Malwarebytes Labs.

A week in security (Mar 20th – Mar 26th)

Malwarebytes - Tue, 03/28/2017 - 22:40

Last week, we investigated Twitter app scammers using stolen celebrity nudes as bait, explored the world of Chinese PUPs and backdoors, took a deep dive into a Ramnit campaign targeting people in the UK and Canada, and looked at a bout of SMS Phishing. We also examined the claims of hackers in relation to wiping Apple devices and poked around a tech support screenlocker scam.

Elsewhere:

Stay safe, everyone!

Malwarebytes Labs Team

The post A week in security (Mar 20th – Mar 26th) appeared first on Malwarebytes Labs.

World of Warcraft phish campaign lures victims with free pet

Malwarebytes - Tue, 03/28/2017 - 15:00

A phishing campaign currently in circulation is attempting to bait World of Warcraft players with the promise of free in-game pets. We’ve seen two variations on this so far, and it’s possible there are more. Both of the examples below lead to the same phishing URL. As great as the promise of some free content is, this is nothing more than an attempt at stealing your gaming credentials.

One of the emails read as follows:

You are receiving this e-mail because Your friend has purchased World of Warcraft In-Game Pet: Brightpaw for you as a gift!
Claim Your Gift
To claim your gift, enter your Gift Key on the Battle.net? Account Management. You’ll be sent to the download page afterwards, if needed.

The second mail claims a “WoW mount mystic rune sabre” is up for grabs.

Keen Warcraft players will notice the email is branded with Battle(dot)net, the name of Blizzard’s online gaming service – but this name has just been retired, which may well set off a few alarm bells.

Both emails lead to a phish located at (deep breath):

us(dot)battle(dot)net(dot)login(dot)login(dot)xml(dot)account(dot)support(dot)password-verify(dot)html(dot)legion-game(dot)xyz/login/en/login(dot)html

The phish again touts the Battle(dot)net name and asks for an email and password.
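Added example (not part of the original post): a small check that refangs a defanged URL and isolates the registrable domain, which is the part a user should look at. On the phish above, the leading labels spell out battle.net, but the domain actually registered is legion-game(dot)xyz. The last-two-labels rule is a simplification that is adequate for .xyz and .net; real tooling should consult the Public Suffix List. The URL is the one quoted above; the other inputs are constructed.

```python
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL string."""
    return (indicator.replace("(dot)", ".").replace("[dot]", ".")
            .replace("[.]", ".").replace("hxxp", "http"))


def hostname_of(url: str) -> str:
    """Host part of a URL, adding a scheme if the indicator lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Simplification: last two labels (use the Public Suffix List in real code)."""
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def impersonates(hostname: str, brand_domain: str) -> bool:
    """True when the brand's domain appears in the host name but is not what was registered."""
    host = hostname.lower()
    return brand_domain in host and registrable_domain(host) != brand_domain


# URL quoted in the post (defanged), plus a constructed legitimate host for contrast.
PHISH_URL = ("us(dot)battle(dot)net(dot)login(dot)login(dot)xml(dot)account(dot)support"
             "(dot)password-verify(dot)html(dot)legion-game(dot)xyz/login/en/login(dot)html")
LEGIT_HOST = "us.battle.net"

if __name__ == "__main__":
    host = hostname_of(refang(PHISH_URL))
    print(host, "->", registrable_domain(host), "impersonation:", impersonates(host, "battle.net"))
```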

Feel free to ignore this one and send it straight to your trash folder; there are no free pets at the end of this path, just headaches and calls to customer support.

Christopher Boyd

The post World of Warcraft phish campaign lures victims with free pet appeared first on Malwarebytes Labs.

Mobile Menace Monday: Preinstalled adware and sometimes worse

Malwarebytes - Mon, 03/27/2017 - 16:00

BLU manufactured mobile devices have been discovered with preinstalled adware known as Android/Adware.YeMobi.

Behavior of YeMobi

The incriminating behavior of the adware YeMobi is its ability to launch the default browser on a mobile device and use it to display ads. There is an unusual element to this as well—it only displays ads while the Google Play store app is running. As seen in the code below, if com.android.vending (the Google Play store app) is active, the activity MessageLoadDetail is loaded. Activity MessageLoadDetail then goes on to display ads.

The rise of preinstalled malware

Buying a new phone only to find it comes preinstalled with adware or even more dangerous malware is frustrating. Trust us, it’s just as frustrating not being able to remove these apps for our customers.

With the ease of selling online, Android devices re-imaged with custom ROMs (“Read-Only Memory”) containing preinstalled shady or malicious apps are appearing more and more on online marketplaces. Sellers can easily re-image an Android device with a custom ROM, which replaces the default operating system—typically stored in read-only memory. Sellers then turn around and sell these devices cheaply online.

Just like when installing apps, it’s important to buy your mobile device from trusted sources. Avoid buying devices online from untrusted sellers or stores, even if the price is hard to pass up.

Disabling YeMobi and other preinstalled apps

In order to keep essential operating system apps from being removed on Android devices, you cannot uninstall preinstalled apps. However, you can disable some preinstalled apps—like Adware YeMobi. Simply go into settings > apps, find the YeMobi app, open its settings, and disable it via the Disable button.

Finding preinstalled malware on your device can be tricky—a mobile scanner can assist with finding them for you. Malwarebytes Anti-Malware Mobile detects Adware YeMobi along with other preinstalled malware and can be found for FREE on Google Play.

As always, stay safe out there!

The post Mobile Menace Monday: Preinstalled adware and sometimes worse appeared first on Malwarebytes Labs.

Explained: Packer, Crypter, and Protector

Malwarebytes - Mon, 03/27/2017 - 15:00

In this article, we will try to explain the terms packer, crypter, and protector in the context of how they are used in malware. Bear in mind that no definitions for these categories are set in stone, that they all overlap, and that there are exceptions to the rules. But this is the classification that makes sense to me.

What they all have in common is their goal

The payload, which is the actual malware that the threat actor wants to run on the victims’ computers, is protected against reverse engineering and detection (by security software). This is done by adding code that is not strictly malicious, but only intended to hide the malicious code. So the goal is to hide the payload from the victim and from researchers that get their hands on the file.

Packers

This is usually short for “runtime packers”, which are also known as “self-extracting archives”: software that unpacks itself in memory when the “packed file” is executed. Sometimes this technique is also called “executable compression”. This type of compression was invented to make files smaller, so users wouldn’t have to unpack them manually before they could be executed. But given the current size of portable media and internet speeds, the need for smaller files is not that urgent anymore. So when you see some packers being used nowadays, it is almost always for malicious purposes: in essence, to make reverse engineering more difficult, with the added benefit of a smaller footprint on the infected machine.

Crypters

The crudest technique for crypters is usually called obfuscation. A more elaborate blog post on that is Obfuscation: Malware’s best friend. Obfuscation is also often used in scripts, like JavaScript and VBScript, but most of the time these are not very hard to bypass or de-obfuscate. More complex methods use actual encryption. Most crypters do not only encrypt the file; the crypter software also offers the user many other options to make the hidden executable as hard to detect by security vendors as possible. The same is true for some packers. An in-depth analysis of one crypter (as an example) can be found in our blog post Malware Crypters – the Deceptive First Layer. Another thing you will find in that post is the expression FUD (Fully Undetectable), which is the ultimate goal for malware authors. Being able to go undetected by any security vendor is the holy grail for malware authors, but if they can go undetected for a while and then easily change their files again once they are detected, they will settle for that.
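The packers and crypters described above leave one trace that analysts routinely look for: compressed or encrypted regions have much higher byte entropy than ordinary code or text. The following is an added example, not from this post or from any named tool, that measures Shannon entropy over fixed-size windows of a buffer and flags the windows that look packed or encrypted. The sample buffer is constructed (plain text followed by seeded pseudo-random bytes standing in for a packed section); real tooling would run the same measure per PE section.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Offsets (and entropies) of windows dense enough to look compressed or encrypted."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def _pseudo_random_bytes(n: int, seed: int = 1234) -> bytes:
    """Deterministic stand-in for packed/encrypted content (constructed, not real malware)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample: 2 KiB of plain text followed by 2 KiB of "packed" data.
PLAIN_REGION = (b"The quick brown fox jumps over the lazy dog. " * 60)[:2048]
PACKED_REGION = _pseudo_random_bytes(2048)
SAMPLE_BUFFER = PLAIN_REGION + PACKED_REGION

if __name__ == "__main__":
    for off, e in high_entropy_windows(SAMPLE_BUFFER):
        print(f"offset {off:#06x}: entropy {e}")
```

A threshold around 7 bits per byte separates the two regions cleanly here; on real binaries, legitimate compressed resources and embedded certificates also score high, so entropy is a triage signal rather than a verdict.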

Protectors

A protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector. So a researcher will be faced with protective layers around the payload, making reverse engineering difficult.

A completely different approach, which also falls under the umbrella of protectors, is code virtualization, which uses a customized and different virtual instruction set every time you use it to protect your application. Of these protectors there are professional versions that are used in the gaming industry against piracy. But the technique itself has also made its way into malware, more specifically ransomware. This enables ransomware that doesn’t need a C&C server to communicate the encryption key: the protection is considered so effective that the encryption key can be hardcoded into the ransomware. An example is Locky Bart, which uses WProtect, an open-source code-virtualization project.

Summary

We discussed several techniques to protect malware against analysis, hoping to make sense of the different names that are in use for this class of programs.

The post Explained: Packer, Crypter, and Protector appeared first on Malwarebytes Labs.

Advanis tech support screenlocker

Malwarebytes - Fri, 03/24/2017 - 15:00

Recently we noticed a change on one of the domains that we monitor because they are known to host files related to tech support scams and involved in browlocks, fake alerts, and screenlockers.

The domain and the screenlocker

At the moment the installer is being pushed by InstallCapital, which is a pay-per-install network.

The domain hosting the installer is called installreports[dot]com and this time we found it was hosting a tech support screenlocker we dubbed Advanis after the folder it creates in the Windows directory and the entry it creates in the list of installed programs and features.

MT is the name of the main executable. The one that shows the screenlocker. Here it is probably short for “Market Tools”, which is the name of the Windows form.

Resolution

@TheWack0lian found this code snippet –

– telling us that the screenlocker could be minimized by using the “Backspace” key. Once you have done that, removal is no problem. A full removal guide for Advanis can be found on our forums.

File details

SHA256 of the installer: 30a32cb629d2a576288b4536d241b6e90f0540c3275288bfd4982233e12d182f

Malwarebytes web protection module blocks the domain and detects the installer as Trojan.TechSupportScam.

The advertised number on the lockscreen leads back to the domain getfixpc[dot]net.

Attribution

Finding out who is behind a threat is not always easy, but we think we have a solid case for this one.

Meet Baskar K.

He registered the domain installreports[dot]com with the email address: brgs@outlook.in.

Using his own name and providing his phone number and physical address.

The same personal data was used to register brmediahub.com

That domain is listed as the homepage at the stackoverflow profile I posted a screenshot of.

For the same physical address we also found an email address baskark****@outlook.com that has been used to register a host of dubious domains:

  • latestnewsalert.us
  • pruet.us
  • homemaderecipes.us
  • biou.us
  • mijay.us
  • unlimitedgames.us
  • topchickenrecipes.us
  • searchweathernow.us
  • newsnowonweb.us
  • healtyrecipesbyjones.us
  • localnewsdaily.us
  • topnewsnow.us
  • mathgamesfree.us
  • loginprotector.us
  • todaynewsup.us
  • topnewsguide.us
  • womenshoppingstore.us
  • onlineloginaccounts.us
  • onlineloginaccount.us
  • downloadsnow.us
  • brglobalservices.com

Those are all blocked now by Malwarebytes Web Protection Module.

Safe surfing!

Thanks to TheWack0lian and William Tsing for their additional research.

Pieter Arntz

The post Advanis tech support screenlocker appeared first on Malwarebytes Labs.

New targeted attack against Saudi Arabia Government

Malwarebytes - Thu, 03/23/2017 - 22:26

A new spear phishing campaign is targeting Saudi Arabian governmental organizations. The attack originates from a phishing email containing a Word document in Arabic. If the victim opens it, it will not only infect their system but also send the same phishing document to other contacts via their Outlook inbox.

We know that at least a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a macro.

Document overview:

  • Macro might run executable
  • Contains obfuscated macro code
  • Loads DLL into its own memory
  • Runs dropped executable
  • Macro might read system main characteristics
  • Runs existing executable
  • Macro might overwrite file
  • Access Windows sensitive data: Windows Address Book
  • Suspicious delay
  • Starts macro code when document is opened
  • Searches inside certificate store database
  • Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
  • Check user main folders path
  • Access Windows sensitive data: Windows Profiles information
  • Contains macro
  • Contains macro with create file functionalities
  • Drops .EXE file
  • Drops .DLL file
  • Access Windows sensitive data: certificates

A quick analysis with oletools shows us the sections within the macro:

The payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then executed:
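Added example, not from the post: two checks that an analyst or a detection engineer can apply to what is described here. The first scans macro source (as dumped by oletools) for long Base64 runs and reports those that decode to an MZ header, that is, an embedded executable; the second flags process command lines in which certutil is used as a decoder. The macro text and the command lines are constructed, and the embedded blob is a 64-byte dummy that carries only the MZ signature.

```python
import base64
import re

# Long runs of Base64 alphabet characters with optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# certutil invoked with one of its decoding switches.
_CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex)\b", re.IGNORECASE)


def embedded_executables(macro_source: str):
    """(offset, decoded_length) of every Base64 run that decodes to a PE ('MZ') header."""
    hits = []
    for m in _B64_RUN.finditer(macro_source):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid Base64 after all
            continue
        if raw[:2] == b"MZ":
            hits.append((m.start(), len(raw)))
    return hits


def is_certutil_decode(command_line: str) -> bool:
    """Process-creation rule: certutil used as a Base64/hex decoder."""
    return _CERTUTIL_DECODE.search(command_line) is not None


# Constructed 64-byte stand-in for a PE: only the MZ signature is meaningful.
FAKE_PE = b"MZ\x90\x00" + bytes(60)
# Constructed macro text shaped like what oletools would dump.
SAMPLE_MACRO = (
    'Sub AutoOpen()\n'
    '    Dim payload As String\n'
    '    payload = "' + base64.b64encode(FAKE_PE).decode() + '"\n'
    '    Dim note As String\n'
    '    note = "' + base64.b64encode(b"not an executable, just text").decode() + '"\n'
    'End Sub\n'
)
# Constructed process command lines: one suspicious, two benign.
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -decode C:\Users\Public\blob.txt C:\Users\Public\update.exe",
    r"certutil -store My",
    r"notepad.exe C:\Users\Public\blob.txt",
]

if __name__ == "__main__":
    print(embedded_executables(SAMPLE_MACRO))
    print([is_certutil_decode(c) for c in SAMPLE_COMMAND_LINES])
```

The second blob in the sample macro is short and decodes to text, so only the first one is reported; the command-line rule ignores certificate-store administration, which is what certutil is normally used for.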

Binary overview:

  • Searches inside certificate store database
  • Loads DLL into its own memory
  • Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
  • Access Windows sensitive data: Windows Profiles information
  • Access Windows sensitive data: Windows Address Book
  • Drops .DLL file
  • Drops .EXE file
  • Access Windows sensitive data: certificates

Let’s take a look at the dropped binary itself. It is coded in .NET and not obfuscated. Here’s the encrypted payload:

Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs: 

It sets persistence for auto-relaunch via the Task Scheduler:

The purpose of this piece of malware appears to be stealing information and uploading it to a remote server:

We can see that stolen data is then POSTed to a server at webmail.ecra.gov.sa (Official Saudi Press Agency) although by the time we checked, the server was no longer responding:

According to reports from sources, Malwarebytes Anti-Exploit blocked the targeted attack proactively without the use of signature updates thanks to its Application Behavior protection layer for all consumer and corporate users of Malwarebytes. Malwarebytes Anti-Malware also detects and remediates the threat completely.

We will continue to analyze this threat and update the post at a later time with more information.

IOCs:

Word dropper:

MD5: 3cd5fa46507657f723719b7809d2d1f9
SHA256: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9

Binary payload:

MD5: 4ed42233962a89deaa89fd7b989db081
SHA256: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873

Payload names:

C:\ProgramData\*\*-x86-ui.exe with * being one of these: firefox|chrome|opera|abby|mozilla|google|hewlet|epson|xerox|ricoh|adobe|corel|java|nvidia|realtek|oracle|winrar|7zip|vmware|juniper|kaspersky|mcafee|symantec|yahoo|goog

Network communications:

  • mail.spa.gov.sa/ews/exchange/exchange.asmx
  • webmail.ecra/ews/exchange/exchange.asmx
  • 62.149.118.67
  • 85.194.112.9

The post New targeted attack against Saudi Arabia Government appeared first on Malwarebytes Labs.
