Targeted information stealing attacks in South Asia use email, signed binaries

In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. The journey began with a code-signing certificate and an exploit and the scope of the investigation has widened ever since. In this blog post, we will highlight several interesting artifacts of the campaign, but more will be revealed in my upcoming presentation at the 7th International CARO Workshop in mid-May.

Code signing certificate

For part of this campaign a code signing certificate was used to sign malicious binaries and improve their potential to spread. This certificate was issued in late 2011 to an Indian company called Technical and Commercial Consulting Pvt. Ltd., based in New Delhi.
Code signing cert used to improve the spread of malware
When we started our investigation, the certificate had been revoked for files signed after March 31st 2012. We contacted VeriSign with evidence that this certificate had been used maliciously since it was issued and they promptly revoked the certificate unconditionally. Overall, we found more than 70 malicious binaries signed with this certificate. Since each signed sample carries a trusted timestamp (a countersignature from a timestamping authority), it is possible to draw a timeline of when these binaries were signed:

Figure 1 Timeline of signing times. Black lines represent one sample signing time

From the information we gathered, the attackers were actively signing malicious binaries from March until June 2012. Then, there is a gap in the timeline, from the beginning of July until the beginning of August 2012. We then see another spike in certificate usage (even though it had already been revoked) in August and September 2012. There are several possible explanations as to why there is a gap during the summer of 2012, but it is likely that this was the off-season for both the attackers and their targets.

Although the investigation started with this code signing certificate, we then discovered several similar unsigned samples that were used in this campaign. Some of them were collected as far back as early 2011.

Droppers and decoy documents

The first infection vector we saw exploited the well-known CVE-2012-0158 vulnerability in the MSCOMCTL ActiveX control. It is triggered by a specially crafted Microsoft Office document and allows arbitrary code execution. In the case we analyzed, a two-stage shellcode runs when the user opens an RTF document: first, the shellcode sends information about the system to the domain feds.comule.com, then it downloads a malicious binary from digitalapp.org.

The other infection vector we found used PE files disguised as Microsoft Word or PDF documents, most likely distributed through email. When the user executes the file, the malicious program downloads and executes additional malicious binaries (more on these executables below). To evade suspicion by the victim, a decoy Word document is shown to the user. We have identified several different documents that followed different themes.

One of these themes is the Indian armed forces. We do not have inside information as to which individuals or organizations were really targeted by these files. However, based on our detection metrics, it is our assumption that people and institutions in Pakistan were targeted.

The text in this first document seems to be a collage of various sources. The fake PDF document was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”:


This other PDF document was delivered through an executable called “pakterrisiomforindian.exe”:

In this case, the text comes from the Asian Defence blog, a blog aggregating Asian military news. Our telemetry data shows that this file was first seen in August 2011 on a system in Pakistan.

Payloads

We found many different types of payloads installed by the droppers; all of them were geared towards exfiltrating data from an infected computer to the attackers’ servers. The following table groups the binaries into families and describes their general characteristics.

Downloader: Downloads executables from the C&C and executes them.
Document uploader: Searches for and uploads documents (csv, pdf, doc, docx, xlsx, etc.) found in the Recycle Bin and in the “My Documents” folder.
System information gathering: Sends information about the infected system to the C&C using GET requests. It uses WMI to gather information such as the antivirus installed on the machine, the OS version, and the presence of files to upload.
Keylogger: Records keystrokes and sends the log to the attacker’s server using POST requests.
Screenshot: Takes a screenshot of the desktop and sends it to the C&C.
Connect-back shell: Continually tries to connect back to a hardcoded IP address and allows the attacker to open a remote command shell.
Public tools: We found two public NirSoft tools (WebPassView and Mail PassView) signed with the malicious certificate. These legitimate tools recover passwords saved by email clients or stored in browsers.
Self-replication through removable drives: Monitors removable drive insertion events and copies different malware files to the inserted drive. It tries to lure the user into executing one of the copied files by giving it the name of an existing folder and hiding that folder.
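The removable-drive lure described in the last row (an executable named after a folder that has been hidden) leaves a pattern that is easy to check for. The following is an added example written for this page, not ESET's code: the matching logic works on (name, is_dir, is_hidden) tuples so it can be exercised on the constructed listing below, and scan_root() builds that listing from a real drive, using the Windows hidden attribute where available and the dot-prefix convention elsewhere. The executable extension list is an assumption.

```python
"""Look for the removable-drive lure: a hidden folder next to an executable
carrying the folder's name (e.g. hidden "Reports\" beside "Reports.exe").

Added example, not part of the post or of ESET's tooling.
"""
import os
import stat

# Assumption: extensions a double-click would execute on Windows.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_folder_lures(entries):
    """entries: iterable of (name, is_dir, is_hidden) for ONE directory level.

    Returns [(lure_file, hidden_folder)] where an executable's basename equals
    the name of a hidden sibling folder. Comparison is case-insensitive because
    Windows file systems are.
    """
    hidden_dirs = {name.lower(): name for name, is_dir, hidden in entries if is_dir and hidden}
    lures = []
    for name, is_dir, _hidden in entries:
        if is_dir:
            continue
        base, ext = os.path.splitext(name)
        if ext.lower() in EXECUTABLE_EXT and base.lower() in hidden_dirs:
            lures.append((name, hidden_dirs[base.lower()]))
    return lures


def _is_hidden(entry) -> bool:
    """Windows: FILE_ATTRIBUTE_HIDDEN on the DirEntry; elsewhere fall back to dot-names."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)            # present on Windows only
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_attr) or entry.name.startswith(".")


def scan_root(path: str):
    """Build the listing for the top level of a drive (where the lure lands) and check it."""
    with os.scandir(path) as it:
        entries = [(e.name, e.is_dir(follow_symlinks=False), _is_hidden(e)) for e in it]
    return find_folder_lures(entries)


# Constructed listing of an infected USB stick's root: two hidden folders, one of
# which has an .exe of the same name next to it, plus benign files.
SAMPLE_LISTING = [
    ("Reports", True, True),         # the real folder, hidden by the worm
    ("Reports.exe", False, False),   # the lure the victim is meant to double-click
    ("System Volume Information", True, True),
    ("holiday.jpg", False, False),
    ("setup.exe", False, False),     # executable with no hidden twin: not a lure
    ("Photos", True, False),
    ("photos.EXE", False, False),    # folder is visible, so not the described pattern
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_root(target) if target else find_folder_lures(SAMPLE_LISTING)
    for lure, folder in hits:
        print(f"lure {lure!r} shadows hidden folder {folder!r}")
```

Run it with a drive letter or mount point as the first argument to check a real device; with no argument it checks the constructed listing. Only hidden folders are considered, because hiding the real folder is the part of the technique the post describes; a visible folder with an executable twin is merely odd.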

The information stolen from an infected computer is uploaded to the attacker’s server unencrypted. The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation. The screenshot below shows a typical keylogger log:

The logs are very verbose and display the active window, the characters typed and the special keys in brackets. Since these logs are sent unencrypted, it is easy to detect the presence of an infected machine on your network by examining your HTTP network traffic.

In terms of persistence, many of the binaries we analyzed add an entry with a deceptive name to the Startup folder of the Windows Start menu. The screenshot below shows an example of such a Startup folder:

While this technique ensures that the different components of the attack are launched again after each reboot (at the next user logon), it can hardly be called stealthy. Since targeted attacks usually try to stay under the radar for as long as possible, we were surprised to see it used in this case.

C&C infrastructure

Most of the analyzed binaries contain a URL from which additional components are downloaded or to which an infected system’s content is uploaded. Sometimes the C&C URL appears in clear text in the binary. Other times it is trivially obfuscated with a one-character shift (ROT-1): each byte of the real URL is incremented by one before being stored, and the malware decrements each byte at run time, as in the example below:

“gjmftbttpdjbuf/ofu” decodes to “filesassociate.net”
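The following added example (written for this page, not ESET's code) decodes the ROT-1 string quoted above and then scans a constructed byte blob, standing in for the printable strings of a binary, for other strings that only become a domain name after the shift. The DOMAIN_RE heuristic, the sample bytes and the rot1_encode helper used to build them are assumptions; the hostnames are the ones mentioned in this post.

```python
"""Decode ROT-1 obfuscated C&C strings and hunt for more of them in a binary.

Added example, not ESET's code. The transform is the one described in the post:
each byte of the real URL is shifted up by one, so decoding shifts it down.
"""
import re

# Assumption: a decoded hit looks like host[/path]; the encoded form never does,
# because its '.' has become '/'.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[\w./-]*)?$")


def rot1_decode(encoded: str) -> str:
    """Shift every character down by one code point ("gjmft..." -> "files...")."""
    return "".join(chr(ord(c) - 1) for c in encoded)


def rot1_encode(plain: str) -> str:
    """Inverse of rot1_decode; used here only to build the constructed sample."""
    return "".join(chr(ord(c) + 1) for c in plain)


def printable_strings(data: bytes, min_len: int = 6):
    """Same idea as the `strings` tool: runs of printable ASCII of a minimum length."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_rot1_urls(data: bytes):
    """Return (encoded, decoded) pairs for strings that only look like a domain after ROT-1."""
    hits = []
    for s in printable_strings(data):
        decoded = rot1_decode(s)
        if DOMAIN_RE.match(decoded) and not DOMAIN_RE.match(s):
            hits.append((s, decoded))
    return hits


# Constructed stand-in for a dropper binary: one ROT-1 host from the post, one
# clear-text URL (the other case the post mentions), some ordinary strings.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"gjmftbttpdjbuf/ofu\x00"
    + b"http://wearwellgarments.eu/\x00"
    + b"Software\\Microsoft\\Windows\x00"
    + rot1_encode("secuina.com").encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    for enc, dec in find_rot1_urls(SAMPLE_BINARY):
        print(f"{enc!r} -> {dec!r}")
```

Pointing find_rot1_urls() at the bytes of a real sample turns up the shifted hosts without the analyst having to spot the tell (a '/' where a '.' should be) by eye; clear-text URLs are left to an ordinary strings pass.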

We uncovered more than 20 domains linked to this campaign. While some still had an active DNS record, most of them did not resolve to an IP address. Using historical data around these domains, we were able to discover where these sites were hosted. It turns out that almost a third of all domains were hosted by OVH. This web hosting service has a reputation for hosting malware and spam content. In a recent HOSTExploit report it was ranked number 5 in the top 50 hosts for concentration of malicious activity served from an Autonomous System.

Most of the domain names are very close to real site or company names. This is a common tactic to try to conceal the true purpose of the C&C server. Two examples are “wearwellgarments.eu” and “secuina.com”. The former is very close to a real website called “wearwellgarments.com” while the latter looks like a misspelling of information security firm Secunia.

Origins of the malicious files

Analyzing this campaign allowed us to identify a few key indicators pointing to the geographic origin of these malicious files. We believe they all come from India. First, the code signing certificate was issued to an Indian company. In addition, all the signing timestamps fall between 5:06 and 13:45 UTC, which, with Indian Standard Time being UTC+5:30, corresponds to 10:36 to 19:15 IST and is consistent with 8-hour work shifts. This might seem a bit late, but considering that signing the binary is the last step in the development effort, it is likely that the malware authors were living in this time zone.

We also found several strings in the binaries that are related to Indian culture. In several scripts, a variable called ramukaka is used:

Ramu Kaka is a typical Bollywood-style servant in a house. Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit.

The most compelling argument is found in our telemetry data. We found that many malware variants tied to this campaign appeared in the same location over a very small period of time. Each variant had only minor differences from each other, strongly suggesting an attempt by a malware creator to evade detection by our product. These files all appeared in the same region of India.

Infection statistics

Our telemetry data shows that Pakistan is heavily affected by this campaign. The following graph shows the detection distribution we have observed for all the malicious files we linked to this campaign in the last two years.

Thanks to our sinkholing of three domain names used by this campaign, we were also able to gather statistics on the geographical location of infected hosts.

As one can see, the regional distribution presented in the last two graphs is very different. Ukraine and Kazakhstan account for three quarters of all IP addresses seen during the sinkholing operation. This difference can be explained if individual domains are used only for a specific sub-operation of the campaign. If that is the case, the sinkhole data gives only a very partial view of the whole campaign.

Conclusion

This post examined evidence of a far-reaching targeted campaign aimed at different targets throughout the world. Our analysis indicates that the entire campaign originates from India. Although we have seen a number of infections throughout the world, it seems that the most prominent target is Pakistan. Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools. String obfuscation using a simple rotation (a shift cipher), no cryptography in network communication, persistence through the Startup folder and the use of existing, publicly available tools to gather information on infected systems all show that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work.

SHA1 Hashes

CVE-2012-0158 RTF Document:                  3b1d9d65159bea24ab1060e5603f9e3c2d38d08d
pakterrisiomforindian.exe:                   d859f1cf99049f89258c1faa59dcd97f587e45ac
pakistandefencetoindiantopmiltrysecreat.exe: 1db89237ef786c7f22a8d4cd7eccda8f6286a6de
Downloader:                                  08ce405f0a0277de355454862b164ffd94a7ea36
Document uploader:                           DB22E7DEA0C1CAF203072693485DE4E4FD2CB56A
System information gathering:                0D610F3F51750EADCF426E10E6DE5313605400FA
Keylogger:                                   AE7B9CFB10CD65B98C59DC012D6726B66BE92897
Screenshot:                                  A0DD0B8FD0C98E917BFDC96182088CAB5505CCD2
Connect-back shell:                          09D4ECA67B1D071E57C5951D97FE9DD9C62F1580
Self-replication through removable drives:   20A29D1F89C07BAFBB4C61CE208531D68125C8E

Detection Names

Below are ESET threat names related to this case:

Win32/Agent.NLD worm
Win32/Spy.Agent.NZD trojan
Win32/Spy.Agent.OBF trojan
Win32/Spy.Agent.OBV trojan
Win32/Spy.KeyLogger.NZL trojan
Win32/Spy.KeyLogger.NZN trojan
Win32/Spy.VB.NOF trojan
Win32/Spy.VB.NRP trojan
Win32/TrojanDownloader.Agent.RNT trojan
Win32/TrojanDownloader.Agent.RNV trojan
Win32/TrojanDownloader.Agent.RNW trojan
Win32/VB.NTC trojan
Win32/VB.NVM trojan
Win32/VB.NWB trojan
Win32/VB.QPK trojan
Win32/VB.QTV trojan
Win32/VB.QTY trojan
Win32/Spy.Agent.NVL trojan
Win32/Spy.Agent.OAZ trojan

Press Clippings May 2013


IrishDev 16.05.2013


The Irish Sun 16.05.2013


The Irish becoming serious about protecting laptops, less about other devices, but have no idea what data leakage is

The latest research by ESET Ireland looked at how well Irish computers and devices are covered by antivirus and data leakage protection.

The survey, carried out by ESET Ireland among a thousand people, first determined what sort of devices the Irish use to connect to the internet:


We then found that 90% of Windows-based PC/laptop users have antivirus installed, as do 63% of Mac users. Linux users, however, still feel confident they are entirely invulnerable: only 10% use antivirus protection. The picture is a bit grimmer among mobile users, as only 41% of Android users have antivirus on their phones, followed by 27% of iPhone users and 26% of Windows Phone users.


But the picture changes completely when it comes to data leakage protection. The Irish, it seems, are barely aware that data leaks are a problem at all: 74% answered that they don’t know, while about a third of Linux users use some protective measures, as does one in four Windows and Mac users.


So, while malware awareness seems to have reached a reasonable level among computer users, it is still lacking for mobile devices, even though mobile devices are as much a target of malware as computers are: they are increasingly used for social media, for various apps and for purchases, all of which could be compromised by malware and cause the victim direct financial damage.

More surprising is the complete lack of awareness about data leakage, particularly given the amount of coverage the media have already given to various data leaks in the past. With BYOD (bring your own device) becoming increasingly popular, this could put many companies’ sensitive data at risk of being lost or stolen.

So, mobile users should consider installing an antivirus on their device, and all computer and mobile device users would be wise to start paying some attention to information about data leakage if they wish to avoid related trouble.

Cybersecurity is “as important” as nuclear deterrent, says top U.S. admiral

Cybersecurity is among the top defense priorities of the United States, the U.S. Navy’s top admiral said this week – on the same level as strategic nuclear defense.

Admiral Jonathan Greenert, the Chief of Naval Operations, said that spending on cyber defense had continued even against a broader background of spending cuts.

Speaking to Reuters in Singapore before the Reuters Cybersecurity Summit in Washington this week, Greenert said, “The level of investment that we put into cyber in the department is as protected or as focused as it would be in strategic nuclear. It’s right up there, in the one-two area, above all other programs.”

Last week the Pentagon said for the first time that cyber attacks on the United States were directly attributable to China. “In 2012, numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” a Pentagon report said. China vigorously denied the reports, saying that the U.S. was “the real hacking empire.”

Greenert said that the Navy put particular importance on cybersecurity because its ships and planes depend heavily on computer networks.

“We’ve got to understand how to defend them, how to exploit them ourselves and how to, as necessary, be able to do offensive effects,” said Greenert. “Many people who look at the future of warfare say it’s bound to start in cyber. The first thing you’d want to do is shut down their sensors, interrupt their power grid, confuse them – and presumably guard against that kind of thing and recognize if it’s starting.”

Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole

Last week, our friends at Sucuri sent us a modified Apache web server binary that redirects some of its requests to the infamous Blackhole exploit kit. Sucuri has published a blog post on this attack.

Our analysis of this malware, dubbed Linux/Cdorked.A, reveals that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. We urge system administrators to check their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided below. (You can find more about Blackhole here.)

In fact, Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our Livegrid system reports hundreds of compromised servers. The backdoor leaves no trace on the compromised host’s disk other than the modified httpd binary, which complicates forensic analysis. All information related to the backdoor is kept in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that are not recorded in the normal Apache logs. This means that no command and control information is stored anywhere on the file system.

Technical analysis of Linux/Cdorked

Here we provide the first technical analysis of Linux/Cdorked, which seems to be affecting hundreds of webservers right now. In the Linux/Cdorked binary all the important or suspicious strings are encrypted. As shown in the following image, a function is responsible for decrypting the strings on demand with a static XOR key.

The version of Linux/Cdorked that we have analyzed contains a total of 70 strings that are encoded this way. As shown in the following screenshot, the key used for encoding the data is 27A4E2DADAF183B51E3DA7F6C9E6239CDFC8A2E50A60E05F.

As mentioned before, Linux/Cdorked does not write any files to disk. Instead, it allocates around six megabytes of shared memory to keep its state and configuration information. This memory block, a POSIX shared memory region (shm), is used by all Apache child processes but can also be accessed by any other process, since the malware authors did not restrict its permissions. The following screenshot shows the permissions (read and write for everyone) assigned to the shared memory region.

There are two ways the attacker can control the behavior of the backdoored server: through a reverse connect shell or through special commands; both are triggered via HTTP requests.

The Linux/Cdorked.A backdoor

The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path carries a query string in a particular format containing the hostname and port to connect to. The query string is hex-encoded, and the underlying bytes are XORed with a 4-byte key derived from the client IP address of the HTTP connection. Additionally, an IP address supplied in an X-Real-IP or X-Forwarded-For header overrides the real client IP as the XOR key, so a request can carry an all-zero address in X-Real-IP, which in effect makes the key “\x00\x00\x00\x00” and leaves the query string as plain hex.

While the shell is in use, the HTTP connection that created it stays open (the backdoor code does not fork). This means that active malicious shells can be found by anyone with access to the server who checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache’s log file because of the way the malicious code is hooked into Apache.
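An analyst who has captured such a request (for example from a packet capture, since the Apache log will not show it) can recover the query string with the key derivation just described. The following is an added example written for this page, not ESET's code; the trigger path is deliberately not reproduced. Assumptions not stated above: the key is the IP address's four octets in network order, it repeats across the payload, X-Real-IP takes precedence over X-Forwarded-For, and the host:port layout of the decoded string is illustrative. The sample headers and addresses are constructed (203.0.113.0/24 is a documentation range).

```python
"""Decode (or build) the query string of the Linux/Cdorked.A shell trigger:
hex-encoded bytes XORed with a 4-byte key taken from the client IP, where the
X-Real-IP / X-Forwarded-For headers override the real client address.

Added example for this page; not ESET's code. Key layout and header
precedence are assumptions (see the lead-in).
"""
import ipaddress


def xor_key_from_headers(remote_addr: str, headers: dict) -> bytes:
    """Mirror the precedence the post describes: proxy headers win over the socket peer."""
    ip = headers.get("X-Real-IP") or headers.get("X-Forwarded-For") or remote_addr
    ip = ip.split(",")[0].strip()              # X-Forwarded-For may carry a chain of addresses
    return ipaddress.IPv4Address(ip).packed    # assumption: four octets, network order


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key is 4 bytes, the payload is any length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_query(plain: str, key: bytes) -> str:
    """What a sender puts after '?': XOR with the key, then hex-encode."""
    return xor_repeat(plain.encode("ascii"), key).hex()


def decode_query(hex_query: str, key: bytes) -> str:
    """What an analyst does with a captured request: un-hex, then XOR with the same key."""
    return xor_repeat(bytes.fromhex(hex_query), key).decode("latin-1")


def decode_captured_request(remote_addr: str, headers: dict, hex_query: str) -> str:
    """Convenience wrapper: derive the key from the request and decode its query string."""
    return decode_query(hex_query, xor_key_from_headers(remote_addr, headers))


if __name__ == "__main__":
    # Constructed capture: the peer is 203.0.113.7 but the request spoofs X-Real-IP,
    # so the effective key is all zeros and the "encrypted" query is just hex.
    headers = {"X-Real-IP": "0.0.0.0"}
    key = xor_key_from_headers("203.0.113.7", headers)
    hex_query = encode_query("callback.example:4443", key)   # illustrative host:port
    print("key:", key.hex(), "query:", hex_query)
    print("decoded:", decode_captured_request("203.0.113.7", headers, hex_query))
```

The practical point for detection is the override: because the key comes from a client-controlled header, the sender never needs to know the address the server sees, and any such request can be decoded by the defender with the same headers in hand.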

Redirection in Linux/Cdorked.A

When redirecting a client, the malware appends a base64-encoded string to the query string of the redirect URL. It contains information such as the originally visited URL and whether the request was originally for a JavaScript file, so that the server can return the right payload.

An example redirection looks like:

Location: hxxp://dcb84fc82e1f7b01. xxxxxxgsm.be/index.php?j=anM9MSZudmNiaW11Zj1jY3Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzImc3VybD13d3cuaW5mZWN0ZWRzZXJ2ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9mb3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG9hY3Vsb3VzLjEuOC4yLm1pbi5qcw==

After decoding, the following parameters appear:

js=1&nvcbimuf=ccvckqju&time=1304161827-360453650&src=232&surl=www.infectedserver.com&sport=80&key=13D90950&suri=/forum/wcf/js/3rdParty/protoaculous.1.8.2.min.js

The “surl” parameter shows the infected host and the “suri” indicates what the original requested resource was.

After the redirection, a web cookie is set on the client so it is not redirected again. This cookie is also set if a request is made to a page that looks like an administration page. The backdoor will check if the URL, the server name, or the referrer matches any of the following strings : ‘*adm*’, ‘*webmaster*’, ‘*submit*’, ‘*stat*’, ‘*mrtg*’, ‘*webmin*’, ‘*cpanel*’, ‘*memb*’, ‘*bucks*’, ‘*bill*’, ‘*host*’, ‘*secur*’, ‘*support*’.  This is probably done to avoid sending malicious content to administrators of the website, making the infection harder to spot. The following screenshot shows part of the code responsible for handling the web cookie.

A few other conditions must be met before redirection happens; for example, the backdoor checks for the presence of the Accept-Language, Accept-Encoding and Referer headers.
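The redirect decoding and the exemption rules above can be checked mechanically, which is useful when triaging proxy logs from a site suspected of being infected. The following is an added example written for this page, not ESET's code. The base64 payload is the one quoted above with the redacted hostname replaced by a placeholder; the pattern list is the one given above, applied with shell-style wildcard matching, and the order in which the cookie, admin and header checks are evaluated is an assumption.

```python
"""Decode a Linux/Cdorked.A redirect and evaluate its redirection conditions.

Added example, not ESET's code. Pattern matching semantics and check
ordering are assumptions (see the lead-in).
"""
import base64
import fnmatch
from urllib.parse import urlsplit, parse_qs

# Location header value from the post, reassembled on one line; host redacted there.
SAMPLE_LOCATION = (
    "hxxp://redacted.invalid/index.php?j="
    "anM9MSZudmNiaW11Zj1jY3Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzImc3VybD13d3cuaW5mZWN0ZWRzZXJ2"
    "ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9mb3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG9hY3Vsb3VzLjEuOC4yLm1pbi5qcw=="
)

# The list from the post; '*' is a wildcard.
ADMIN_PATTERNS = ["*adm*", "*webmaster*", "*submit*", "*stat*", "*mrtg*", "*webmin*",
                  "*cpanel*", "*memb*", "*bucks*", "*bill*", "*host*", "*secur*", "*support*"]

REQUIRED_HEADERS = ("Accept-Language", "Accept-Encoding", "Referer")


def decode_redirect(location: str) -> dict:
    """Return the parameters hidden in the 'j' value of a Cdorked redirect URL."""
    query = urlsplit(location).query
    # Split by hand rather than with parse_qs: base64 may contain '+', which
    # parse_qs would turn into a space.
    params = dict(part.split("=", 1) for part in query.split("&") if "=" in part)
    blob = params["j"]
    blob += "=" * (-len(blob) % 4)              # tolerate stripped padding
    decoded = base64.b64decode(blob).decode("ascii")
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def looks_like_admin(url: str, server_name: str, referer: str) -> bool:
    """Any of the three values matching any pattern marks the request as admin-like."""
    return any(fnmatch.fnmatchcase(value.lower(), pat)
               for value in (url, server_name, referer) for pat in ADMIN_PATTERNS)


def decide(request: dict, has_cookie: bool):
    """Return (redirect, set_cookie) following the post: a client already carrying
    the cookie is left alone; admin-looking requests get the cookie without a
    redirect; otherwise the required headers must be present before redirecting
    (and the cookie is then set so the client is not redirected twice)."""
    headers = request["headers"]
    if has_cookie:
        return (False, False)
    if looks_like_admin(request["url"], request["server_name"], headers.get("Referer", "")):
        return (False, True)
    if not all(h in headers for h in REQUIRED_HEADERS):
        return (False, False)
    return (True, True)


if __name__ == "__main__":
    info = decode_redirect(SAMPLE_LOCATION)
    print("infected host:", info["surl"], "requested resource:", info["suri"])
```

decode_redirect() is the half a responder uses on outbound proxy logs: the surl parameter names the infected server and suri the resource the visitor actually asked for. decide() is the half that explains why an administrator browsing from /cpanel/ or a host named support.* never sees the redirect.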

Other Linux/Cdorked.A commands

We found 23 commands in Linux/Cdorked.A that can be sent to the server via a POST request to a specially crafted URL. The request must also contain a Cookie header starting with “SECID=”. The query string must hold 2 hex-encoded bytes encrypted with the client IP, using the same technique as the shell. The SECID cookie data is used as an argument by some of the commands. We believe that the URLs to which clients are redirected are sent to the backdoor this way and stored encrypted in the allocated shared memory region. We also believe that the redirection conditions are set the same way: for example, a whitelist of user agents to redirect and a blacklist of IP addresses to leave alone can be preconfigured.

This is the complete list of commands found in the binary we have analysed: ‘DU’, ‘ST’, ‘T1’, ‘L1’, ‘D1’, ‘L2’, ‘D2’, ‘L3’, ‘D3’, ‘L4’, ‘D4’, ‘L5’, ‘D5’, ‘L6’, ‘D6’, ‘L7’, ‘D7’, ‘L8’, ‘D8’, ‘L9’, ‘D9’, ‘LA’, ‘DA’.

Finally, some information about the status of the backdoor is returned in the ETag HTTP header, as shown in the screenshot below. We are still investigating the purpose of each of the commands and will publish our results as soon as the analysis is completed. In short, they all either add content to, or remove it from, the configuration in the shared memory region.

Linux/Cdorked.A Remediation

As previously mentioned, the permissions on the shared memory allocation are loose, which allows other processes to access the memory. We have made a free tool (dump_cdorked_config.py) that lets system administrators verify the presence of the shared memory region and dump its content to a file. We also recommend using debsums on Debian or Ubuntu systems and `rpm --verify` on RPM-based systems to verify the integrity of your Apache web server package installation. (However, remember to temper this advice with the reality that the package manifest could have been altered by an attacker.) Checking for the presence of the shared memory region is the recommended way to make sure you are not infected. We would be interested in receiving any memory dumps for further analysis.
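A check for the shared memory region can be scripted from the two properties given above (about six megabytes, readable and writable by everyone). The following is an added example written for this page; it is not dump_cdorked_config.py and does not attach to or dump the region. The post calls the region POSIX shared memory, which Linux exposes as files under /dev/shm; System V segments, listed in /proc/sysvipc/shm, are checked as well because they are the other world-accessible shared memory API an attacker could have used. The 5 to 7 MB size window and the constructed /proc listing are assumptions.

```python
"""Flag shared memory regions matching the Linux/Cdorked.A description:
roughly 6 MB and world read/write.

Added example for this page; not ESET's tool. Size window is an assumption.
"""
import os
import stat

SIZE_LOW, SIZE_HIGH = 5 * 1024 * 1024, 7 * 1024 * 1024
WORLD_RW = 0o006


def suspicious_sysv_segments(proc_shm_text: str):
    """Parse /proc/sysvipc/shm (whitespace-separated columns, header line first)
    and return segments that are world read/write and inside the size window."""
    lines = proc_shm_text.strip().splitlines()
    if not lines:
        return []
    cols = lines[0].split()
    hits = []
    for line in lines[1:]:
        row = dict(zip(cols, line.split()))
        perms = int(row["perms"], 8)            # the kernel prints this column in octal
        size = int(row["size"])
        if perms & WORLD_RW == WORLD_RW and SIZE_LOW <= size <= SIZE_HIGH:
            hits.append({"shmid": int(row["shmid"]), "size": size, "perms": perms,
                         "creator_pid": int(row["cpid"]), "attached": int(row["nattch"])})
    return hits


def suspicious_posix_objects(shm_dir: str = "/dev/shm"):
    """Same test applied to POSIX shm objects, which Linux exposes as regular files."""
    hits = []
    try:
        entries = os.scandir(shm_dir)
    except OSError:
        return hits
    with entries:
        for e in entries:
            try:
                st = e.stat(follow_symlinks=False)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & WORLD_RW == WORLD_RW and SIZE_LOW <= st.st_size <= SIZE_HIGH:
                hits.append({"name": e.name, "size": st.st_size, "perms": stat.S_IMODE(st.st_mode)})
    return hits


def check_host():
    """Run both checks on the live system; the parser stays testable without /proc."""
    try:
        with open("/proc/sysvipc/shm") as f:
            sysv = suspicious_sysv_segments(f.read())
    except OSError:
        sysv = []
    return {"sysv": sysv, "posix": suspicious_posix_objects()}


# Constructed /proc/sysvipc/shm content: one ordinary segment and one world-RW
# 6 MB segment created by a process running as the web server user with several
# processes attached.
SAMPLE_PROC_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768  1600     524288  1201  1201      2  1000  1000  1000  1000 1367000000 1367000001 1367000000               524288                     0
         0      65537   666    6291456  2310  2314      5    33    33    33    33 1367000100          0 1367000100              6291456                     0
"""

if __name__ == "__main__":
    import json
    print(json.dumps(check_host(), indent=2))
```

A hit is a reason to look harder (attach to the segment with ipcs/ipcrm or the ESET tool and compare the httpd binary against the package), not proof of infection on its own: size and permissions are the only two properties the description gives, and legitimate software can match both.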

At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.

SHA1 of the analyzed binary: 24e3ebc0c5a28ba433dfa69c169a8dd90e05c429

By Pierre-Marc Bureau

Boston Bombings Scams

ESET Ireland has to issue practically the same warning whenever a tragedy occurs, but unfortunately it must be done: after every tragedy the same scams appear, people still fall for them, and they suffer financial damage and computer infections.

Shortly after the news of the Boston Marathon tragedy broke, an unverified Twitter account was already spotted asking for re-tweets, claiming that it would donate $1 for each. Though it was soon taken down, it was not the only one, and in the coming days we expect many more scams to appear, all using the same tragedy as bait.

Search engine poisoning is another favourite tactic by scammers, to direct people looking for information to their websites, where, again, several sorts of attacks are waiting for curious viewers.

Fake charity websites have appeared after every major disaster. While many get taken down quickly, some stay on just long enough to scam some compassionate people, trying to help the unfortunate victims.

Facebook posts, similar to the usual “I can’t believe what she did” fake videos, in this case offering “shocking unseen footage of blasts” or something similar, are the usual companions of pretty much every tragedy that has occurred in the recent years. These usually lead to survey scams or infected websites.

What to do?

If you want news on the matter, rely on known news sites and avoid unknown or shortened URLs as these may lead you to infected websites.

For charity aid, use known, trusted charities and preferably deal with them in person or on the phone.

Do not give your credit card number or any personal details to unknown websites asking you for them for any reason, whether it is charity donations, unlocking content, etc.

Be very careful about clicking “shocking footage” links on social media, as most footage is relayed by mainstream media anyway.

Do not repost or re-tweet chain letters or posts from unknown senders, as these often include malicious links and you can end up infecting your friends.

As always and with any online content, think before you click.

ESET Smart Security Ranked Best Security Product in Stiftung Warentest – Leading German Consumer Testing Authority

ESET is proud to announce that the fifth generation of its flagship product, ESET Smart Security, has been recognized as the best internet security product by the highly respected German testing organization Stiftung Warentest. Millions of people in Germany rely on Stiftung Warentest’s independent expert product reviews to help them make well-informed buying decisions.

The influential test, published on the Stiftung Warentest website and in the April 2013 edition of the magazine, highlighted ESET Smart Security’s advanced firewall and light footprint: “ESET offers good malware protection, one of the best firewalls and barely burdens the PC,” says Stiftung Warentest. The resulting mark was the best of the 14 internet security suites tested, and ESET Smart Security demonstrated all-round strength by being the only security package to receive the “good” mark in every testing category: protection, firewall, usability, and system footprint.


“Good malware detection and protection is not enough these days. The combination of the right layers of protection, such as Antivirus, Antispam, Firewall, Parental Control and, in Version 6, the Anti-Theft feature, provides the essential level of security. We are happy that Stiftung Warentest agrees with this philosophy, which is proven by their outstanding evaluation,” says Ignacio Sbampato, ESET Chief Sales & Marketing Officer.

Since the test, ESET has further strengthened its products with the release of a new, improved generation of its flagship products: ESET Smart Security 6 and ESET NOD32 Antivirus 6. ESET Smart Security 6 provides all-in-one internet security, while ESET NOD32 Antivirus 6 is a fast and powerful antivirus. The new generation provides even greater detection of infiltrations, improved cleaning and faster scanning thanks to the enhanced engine. Furthermore, the ESET Social Media Scanner app, which offers protection against Facebook threats, comes standard with both ESET Smart Security 6 and ESET NOD32 Antivirus 6.
