Wonknu: A Spy For The 3rd ASEAN-US Summit

In the era of APTs, it feels like something is amiss when a forum of governments meets and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.

A few days before the Kuala Lumpur summit, a subdomain under asean.org belonging to the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended to a script file on the compromised site, redirecting visitors to 43.240.119.35. (At the moment, this malicious script is no longer accessible.)

Redirection Traffic

While still compromised, the ARC website also hosted an archive named “the 3rd ASEAN Defence Ministers’ Meeting.rar”. It contained malware that we detect as Backdoor:W32/Wonknu.A.

Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include organizations in the defense sector.

Wonknu Cert

The malware drops a copy of itself to the system as c:\programdata\kav.exe. It then connects to 43.240.119.40:443 and functions as a backdoor that is able to accept the following commands:

  • GetsSysteminfo – Retrieve version information.
  • GetDiskInfo – Retrieve disk drive information.
  • GetFileList – Retrieve directory listing.
  • DownloadFile – Download file.
  • UpFile – Upload file.
  • RunExeFile – Run an executable file.
  • FileData – Write data to file.
  • DelFile – Delete a file.
  • NewDir – Create a directory.
  • CmeShell – Run a command from the shell.
  • Terminate Process
  • Enumerate Process

We searched for similar samples and found another one signed with the same certificate.

Signed downloader

This malware was first seen sometime around early August of this year. During that time, it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).

This malware pretends to be a Java file, Javaw.exe Version 6.0.0.105 to be exact. The original Java file was modified to include malicious code that downloads a file from 178.79.181.246. The downloaded file will be saved as Java_Down.exe on the affected machine. This URL is also currently inaccessible.

Downloader Code

We also found that this IP hosted a Jquery.js, as in the case above, but at the moment we are unable to obtain a copy of it either.

URLs and IPs:

  • 43.240.119.40:443
  • http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
  • http://43.240.119.35/arc/Jquery.js
  • http://178.79.181.246/microsoft/Java_Down.exe
  • http://178.79.181.246/microsoft/jquery.js
  • https://sft.spiritaero.com/java/javaws.exe

Filenames:

  • the 3rd ASEAN Defence Ministers' Meeting.rar
  • the 3rd ASEAN Defence Ministers' Meeting.exe
  • c:\programdata\kav.exe
  • Java_Down.exe

Hashes:

  • a096a44aee0f0ff468c40488eab176d648b1c426
  • 068fa495aa6f5d6b4e0f45c90042a81eecdaec2c

Detections:

  • Backdoor:W32/Wonknu.A
  • Trojan-Downloader:W32/Wonknu.B


Oops!… Dell Did It Again

Bad news: Dell has installed a rogue root CA on customer PCs.

Why is it bad? Because it’s trivial to perform man-in-the-middle attacks against any computer with the cert installed. Dan Goodin has an excellent writeup here.

Dell explained late yesterday evening that the cert “was intended to provide the system service tag to Dell online support”.

Response to Concerns Regarding eDellroot Certificate

Wait… where have we heard something like that before?

Back in April. Regular readers of News from the Lab will recall that Dell had some remote code execution issues via “Dell System Direct” in April 2015.

Here’s the (somewhat) good news: Dell Foundation Services appears to be far less prevalent than Dell System Direct.

Want to check if you have eDellRoot installed?

As Dan Tentler suggests, hit this site: https://edell.tlsfun.de/
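If you would rather check offline than visit a website, here is an added example (my code, not Dell’s, F-Secure’s or the linked site’s) that uses only the Python standard library: each certificate from the Windows ROOT store is decoded through a throwaway SSLContext so its subject can be read, and any trust anchor whose common name is eDellRoot is flagged. The store enumeration is a Windows-only stdlib call; the matching and decoding functions run anywhere.

```python
import ssl
import sys

# Subject CN of the rogue root the post is about (lower-cased for comparison).
ROGUE_ROOT_CNS = {"edellroot"}

def subject_common_name(subject):
    """Pull the CN out of the tuple-of-RDN-tuples subject form used by the ssl module."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def rogue_roots(cert_dicts, rogue_cns=ROGUE_ROOT_CNS):
    """Return the decoded certificates whose subject CN matches a known rogue root."""
    return [c for c in cert_dicts
            if subject_common_name(c.get("subject", ())).lower() in rogue_cns]

def decode_der_certs(der_blobs):
    """Decode DER certificates into dicts (subject, issuer, serialNumber, ...).
    Trick: load each one as a trust anchor into a throwaway context and read
    them back with get_ca_certs(), which needs no third-party X.509 parser."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for der in der_blobs:
        ctx.load_verify_locations(cadata=der)  # cadata accepts DER bytes
    return ctx.get_ca_certs()

def scan_windows_root_store():
    """Windows only: enumerate the ROOT system store and flag rogue trust anchors."""
    entries = ssl.enum_certificates("ROOT")  # (cert_bytes, encoding_type, trust)
    ders = [cert for cert, enc, _ in entries if enc == "x509_asn"]
    return rogue_roots(decode_der_certs(ders))

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the root-store enumeration only exists on Windows")
    for cert in scan_windows_root_store():
        print("rogue root present:", subject_common_name(cert["subject"]),
              "serial", cert.get("serialNumber"))
```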



Paper: C&C-As-A-Service

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015.

C&C-As-A-Service: Abusing Third-Party Web Services As C&C Channels

Here’s the abstract:

A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an easy task. Coincidentally, malware operators aren’t the only ones interested in secure and reliable communication. Popular web services also want to provide their customers with a secure and reliable service. Add to that the fact that popular web services generate large amounts of indistinguishable web traffic to blend into and it starts to sound irresistible. Unsurprisingly then, recent years have seen a growing trend among malware operators of abusing third-party web services such as Twitter, Facebook, and Gmail as command and control channels.

This paper explores the multitude of ways in which modern malware abuses third-party web services as command and control channels. Through real life examples – from common cybercrime to targeted nation-state espionage – the paper provides a comprehensive overview of both the methods employed by malware and the web services most commonly abused. This paper further analyses the benefits and disadvantages that are provided to malware operators when they abuse third-party web services as command and control channels. Finally, this paper also examines the challenges that such methods pose to the detection and prevention of malware.

Slides from Artturi’s presentation can be downloaded at Virus Bulletin.

And the paper from here: C&C-As-A-Service. [PDF]



Security Cloud White Paper: How Do We Handle Customer Data?

How F-Secure Labs handles customer data is of the utmost importance for those of us who work here. We would therefore like to invite you to read our latest white paper which details our back end technology a.k.a. “Security Cloud” [PDF].

Security Cloud: F-Secure Labs Security Technology White Paper

The paper explains the purpose, function and benefits of our technology and explains the safeguards taken when processing customer-sourced information.

F-Secure Security Cloud Purpose, Function and Benefits.



Linux.Encoder.1: We Are Accept Only Bitcoins

There’s a new crypto-ransom scheme currently in-the-wild targeting Linux-based systems. It’s called “Linux.Encoder.1” by the folks at Dr.Web. Basically, instead of setting up phishing sites or exploit kit redirects on vulnerable web-servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content.

As a consequence, Google is indexing numerous victims.

Here’s a copy of the extortion note via Google’s cache.

README_FOR_DECRYPT.txt

Nice FAQ.

We are accept only Bitcoins. - http://memegenerator.net/instance2/2810855

“Can I pay another currency?”

“No.”

So, hopefully victims of Linux.Encoder.1 have backups… or else they’ll be forced to acquire a Bitcoin. No word yet on whether or not the extortionists will honor payment with an actual decryption key. And their Tor hidden service is currently offline, which is less than promising.

Edited To Add:

Daavid Hentunen, a researcher on our Threat Intelligence team, estimates the extortionists have made €11934 in 1 month.



Halloween RAT: NanoCore Served Via PageFair Service

Over the weekend, PageFair, a counter-ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset, which gave them access to PageFair’s account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair’s JavaScript with a malicious one:

Malicious Javascript: ads.min.js

This is what was shown to visitors of websites that used this PageFair service:

Fake Flash Player Warning

To give you a feel for how popular PageFair is, at least in terms of our user base, we pulled hit statistics and found that its domain ranks 293rd for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explains the spike we saw during the breach.

Telemetry

During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:

The malware served from these links is a RAT called NanoCore. NanoCore supports plugins, including ones related to networking, security products and surveillance.

NanoCore Plugins

The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (45.35.34.148).

Network Events

Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.

For more information about the PageFair breach and its current status, see this link.
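The indicators quoted in this post and in the Wonknu post above are the kind of thing a SOC would turn into a proxy-log check. Here is an added example of that (my code, not F-Secure’s): the log line format and the sample lines are constructed for the example, and the only indicators used are the hosts, IPs, URLs and filenames quoted in the two posts; a plain visit to one of the compromised legitimate sites is rated low, a contact with attacker infrastructure or a known payload download is rated high.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators quoted in the Wonknu and PageFair/NanoCore posts.
ATTACKER_HOSTS = {"43.240.119.35", "43.240.119.40", "178.79.181.246",
                  "45.35.34.148", "alotpro2.dynu.com"}
COMPROMISED_HOSTS = {"arc.asean.org", "sft.spiritaero.com"}  # legitimate sites, abused
PAYLOAD_URLS = {  # (host, URL-decoded lower-case path) of each malicious download
    ("arc.asean.org", "/the 3rd asean defence ministers' meeting.rar"),
    ("43.240.119.35", "/arc/jquery.js"), ("178.79.181.246", "/microsoft/jquery.js"),
    ("178.79.181.246", "/microsoft/java_down.exe"), ("sft.spiritaero.com", "/java/javaws.exe")}
PAYLOAD_NAMES = {"the 3rd asean defence ministers' meeting.rar",  # names distinctive
                 "the 3rd asean defence ministers' meeting.exe",  # enough to flag from
                 "java_down.exe", "adobe_flashplayer_7.exe"}     # any host
# Assumed proxy log line (constructed): "<ts> <client> <method> <target> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)"
                    r"\s+(?P<target>\S+)\s+(?P<status>\d{3})$")

def classify(method, target):
    """Return (severity, reasons); severity is None when nothing matched."""
    if method == "CONNECT":  # TLS tunnel: target is host:port and has no path
        host, path = target.rsplit(":", 1)[0].lower(), ""
    else:
        parts = urlsplit(target)
        host, path = (parts.hostname or "").lower(), unquote(parts.path).lower()
    reasons = []
    if host in ATTACKER_HOSTS:
        reasons.append("attacker infrastructure " + host)
    if (host, path) in PAYLOAD_URLS:
        reasons.append("known malicious URL")
    elif path.rsplit("/", 1)[-1] in PAYLOAD_NAMES:
        reasons.append("known payload name")
    if reasons:
        return "high", reasons
    if host in COMPROMISED_HOSTS:  # a plain visit: worth a look, not an incident
        return "low", ["visit to compromised site " + host]
    return None, []

def scan_proxy_log(lines):
    """Return one alert dict per matching line; lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            severity, reasons = classify(m["method"], m["target"])
            if severity:
                alerts.append({"ts": m["ts"], "client": m["client"],
                               "severity": severity, "reasons": reasons})
    return alerts

# Constructed sample: clean request, archive download, C&C tunnel, plain visit, payload fetch.
SAMPLE_LOG = [
    "2015-11-18T09:12:03Z 10.1.2.3 GET http://www.example.org/index.html 200",
    "2015-11-18T09:12:40Z 10.1.2.3 GET http://arc.asean.org/the%203rd%20ASEAN"
    "%20Defence%20Ministers'%20Meeting.rar 200",
    "2015-11-18T09:13:02Z 10.1.2.3 CONNECT 43.240.119.40:443 200",
    "2015-11-18T09:15:00Z 10.1.2.7 GET http://arc.asean.org/about.html 200",
    "2015-11-02T14:00:11Z 10.1.2.9 GET http://45.35.34.148/adobe_flashplayer_7.exe 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` yields four alerts: the archive download, the C&C tunnel and the NanoCore payload fetch at high severity, and the plain visit to arc.asean.org at low.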



The Contents Of This CryptoWall Zip File Cost $1,000

“Payment is made successfully.”

This is CryptoWall’s Decrypter Service after ransom has been paid.

Payment is made successfully.

And this (decrypt.zip) is what you get for your money Bitcoin.

The contents of decrypt.zip.

It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files.

Which is probably why the FBI says:

To be honest, we often advise people just to pay the ransom.

Don’t want to find yourself needing to follow the FBI’s advice?

Then do this:

  • Back up your stuff!
  • Uninstall software and/or disable browser plugins that you don’t use.
  • Keep the software that you do use up to date.

@5ean5ullivan



SLocker Versus Marshmallow

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow?

First, let’s take a look at SLocker versus Lollipop.

Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.

Porn Droid app

As is all too common, overreaching permissions are requested.

PornPro app permissions

So that’s a small social engineering barrier at best.

PornPro permissions continued

If you have a good security app installed, you’ll see something such as this.

This app contains a virus

But if you don’t, and open the app, this is the prompt you’ll receive.

Disguised request for admin permissions

Update patch installation

That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.

FBI-themed ransomware.

Slocker's FBI Warning

The FBI apparently accepts “PayPal My Cash” to pay the fine extortion.

PayPal My Cash

In its effort to intimidate the victim, SLocker takes a forward facing photo.

This example is pointed towards the ceiling above Zimry’s desk.

Slocker tries to take a picture.

And a PRISM logo is thrown in for good measure.

FBI Mission: PRISM

It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.

A good computer security practice is to run as a “user” from a restricted profile which limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for and focus on parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.

By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.

But now…

How does Android Marshmallow fare against SLocker?

Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow, so you’ll see exactly what granting administrator rights entails. It’s bad: the power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortionists.

Activate Device Administrator

But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.

Hashes:

Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.



Dridex Takedown

The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally.

Dridex is known to propagate via Microsoft Word documents which pretend to be legitimate but contain malicious macro code. These macros will eventually download an executable from its C&C and/or a compromised website. F-Secure has generic detection (Trojan:W97M/MaliciousMacro.GEN) that specifically looks for malicious macros inside Office document files.

As the authorities clean up the Dridex botnet, detections of malicious macros have risen, and a spike can be seen in our back end statistics.

F-Secure customers are protected by our Hydra (scanning engine) and DeepGuard (behavioral-based) technologies.

Virus and spyware history Trojan:W97M/MaliciousMacro.GEN

Trojan:W97M/MaliciousMacro.GEN detected.

F-Secure Internet Security, Harmful file removed

Harmful file removed.

Besides having generic signature detection for malicious macros, our DeepGuard behavioral engine also blocks the resulting behavior. Two layers of protection are better than one.

F-Secure Internet Security, Application blocked

Application blocked for bad behavior.

A document dropping an executable? Yeah, that’s never a good thing.

Q: Are these Dridex activities all related to authorities taking down the botnet?
A: We don’t know.



Marshmallow Moves Android Towards iOS-like Permissions

Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model.

Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation.

Android Marshmallow App Permissions

Source: Google

Apps designed for older versions of Android will still ask for numerous permissions upfront, but Marshmallow will allow for iOS-like granular control.

Marshmallow App Permissions Facebook

Not all apps will fail gracefully if permissions are denied.

Marshmallow App Permissions Deny Warning

But if for example you don’t want to use Facebook’s Find Friends feature, then there really shouldn’t be any need for the Facebook app to access your Contacts. I’d suggest denying various permissions and testing the “necessary evils” that you might have installed on your Marshmallow phone.

Conscientious developers will update their apps sooner rather than later.

And if they don’t… well, that’s what reviews are for. Right?

Android 6.0 Changes

See all of the changes to Android 6.0 here.

@5ean5ullivan



VB2015

Mikko missed VB2015 this year… allegedly.

I've been to every Virus Bulletin conference since 1993 but missed #VB2015. Except according to this video I didn't… http://t.co/elfsizCn9B — Mikko Hypponen (@mikko) October 2, 2015

2015-10-05

CISA Q&A

On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats. In his opening statement, ranking member Adam B. Schiff commented on the purpose of the Protecting Cyber Networks Act – the US House’s version of CISA. Here’s the full relevant text.   So there you have it, […]

2015-09-29

CryptoWall’s “Customer Journey” Sounds Like A Real Nightmare

The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. […]

2015-09-28

The Dukes: 7 Years Of Russian Cyber-Espionage

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes […]

2015-09-17

Another LinkedIn Sockpuppet

According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna. I’m not so sure about that. According to IMDb, Anna Sentina is really Anna Akana. Maybe LinkedIn should start charging to “verify” recruiter accounts? At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount […]

2015-09-15

Can the “Speakularity” Be Secured?

In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity. In Thompson’s words: “So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, […]

2015-09-14

Freedome Tracking Protection Comparison

Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN‘s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites. Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category. As you can see, there’s quite a measurable effect on several sites; Huffington […]

2015-09-11

Apple iOS 9 Security Features

Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements. Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example. Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium. A small change that I’ve noticed while testing iOS […]

2015-09-09

Sofacy Recycles Carberp and Metasploit Code

1. Introduction The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group were exploiting vulnerabilities in Microsoft Office CVE-2015-2424 and Java CVE-2015-2590. If the exploit is successful, it installs a Sofacy downloader component, which is different from […]

2015-09-08

Buy Your Freedome With Cash Money

Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem. You can […]

2015-09-07