In the era of APTs, it feels like something is amiss when governments convene and no malware turns up. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.
A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended to the compromised script file, which redirected a visitor to 126.96.36.199. (At the moment, this malicious script is not accessible.)
While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers’ Meeting.rar. This contained malware that we detect as Backdoor:W32/Wonknu.A.
Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include those from the Defense sector.
The malware drops a copy of itself to the system as c:\programdata\kav.exe. It then connects to 188.8.131.52:443 and functions as a backdoor that is able to accept the following commands:
We tried to search for similar samples and found another one that used the same certificate.
This malware was first seen sometime around early August of this year. During that time, it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).
This malware pretends to be a Java file, Javaw.exe Version 184.108.40.206 to be exact. The original Java file was modified to include malicious code that downloads a file from 220.127.116.11. The downloaded file will be saved as Java_Down.exe on the affected machine. This URL is also currently inaccessible.
In addition, we’ve also found that this particular IP hosted Jquery.js, similar to the case above, but at the moment we are unable to obtain a copy of it as well.
18.104.22.168:443
http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
http://22.214.171.124/arc/Jquery.js
http://126.96.36.199/microsoft/Java_Down.exe
http://188.8.131.52/microsoft/jquery.js
https://sft.spiritaero.com/java/javaws.exe
the 3rd ASEAN Defence Ministers' Meeting.rar
the 3rd ASEAN Defence Ministers' Meeting.exe
c:\programdata\kav.exe
Java_Down.exe
Bad news: Dell has installed a rogue root CA on customer PCs.
Why is it bad? Because it’s trivial to perform man-in-the-middle attacks against any computer with the cert installed. Dan Goodin has an excellent writeup here.
Dell explained late yesterday evening that the cert “was intended to provide the system service tag to Dell online support”.
Wait… where have we heard something like that before?
Back in April. Regular readers of News from the Lab will recall that Dell had some remote code execution issues via “Dell System Direct” in April 2015.
Here’s the (somewhat) good news: Dell Foundation Services appears to be far less prevalent than Dell System Direct.
Want to check if you have eDellRoot installed?
As Dan Tentler suggests, hit this site: https://edell.tlsfun.de/
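A local check for the same thing, added here as an example (not code from the original post, from Dell or from F-Secure): it lists any certificate in the machine and user trusted-root stores whose subject or issuer matches the eDellRoot name and reports whether the store also holds its private key, which is what lets anyone holding that key impersonate any site to the affected machine. The wildcard pattern and the two store paths are assumptions.

```powershell
# Added example: look for the eDellRoot certificate in the Windows trusted-root stores.
# Not Dell's or F-Secure's code; the '*eDellRoot*' match is an assumption based only on
# the name the post uses for the certificate.
function Find-EDellRoot {
    [CmdletBinding()]
    param(
        [string]$Pattern = '*eDellRoot*'
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A trusted root whose private key sits on the machine can sign a
                    # certificate for any hostname, so this flag is the one that matters.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$found = Find-EDellRoot
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning 'eDellRoot is present in a trusted-root store; follow the vendor removal instructions.'
} else {
    Write-Host 'eDellRoot not found in the trusted-root stores.'
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable in full.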
Here’s the abstract:
A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an easy task. Coincidentally, malware operators aren’t the only ones interested in secure and reliable communication. Popular web services also want to provide their customers with a secure and reliable service. Add to that the fact that popular web services generate large amounts of indistinguishable web traffic to blend into and it starts to sound irresistible. Unsurprisingly then, recent years have seen a growing trend among malware operators of abusing third-party web services such as Twitter, Facebook, and Gmail as command and control channels.
This paper explores the multitude of ways in which modern malware abuses third-party web services as command and control channels. Through real life examples – from common cybercrime to targeted nation-state espionage – the paper provides a comprehensive overview of both the methods employed by malware and the web services most commonly abused. This paper further analyses the benefits and disadvantages that are provided to malware operators when they abuse third-party web services as command and control channels. Finally, this paper also examines the challenges that such methods pose to the detection and prevention of malware.
Slides from Artturi’s presentation can be downloaded at Virus Bulletin.
And the paper from here: C&C-As-A-Service. [PDF]
How F-Secure Labs handles customer data is of the utmost importance for those of us who work here. We would therefore like to invite you to read our latest white paper which details our back end technology a.k.a. “Security Cloud” [PDF].
The paper explains the purpose, function and benefits of our technology and explains the safeguards taken when processing customer-sourced information.
There’s a new crypto-ransom scheme currently in-the-wild targeting Linux-based systems. It’s called “Linux.Encoder.1” by the folks at Dr.Web. Basically, instead of setting up phishing sites or exploit kit redirects on vulnerable web-servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content.
As a consequence, Google is indexing numerous victims.
Here’s a copy of the extortion note via Google’s cache.
“Can I pay another currency?”
So, hopefully victims of Linux.Encoder.1 have backups… or else they’ll be forced to acquire a Bitcoin. No word yet on whether or not the extortionists will honor payment with an actual decryption key. And their Tor hidden service is currently offline. Which is less than promising.
Edited To Add:
Daavid Hentunen, a researcher on our Threat Intelligence team, estimates the extortionists have made €11934 in 1 month.
This is what was shown to visitors of websites that used this PageFair service:
To give you a feel of how popular PageFair is, at least in terms of our user base, we pulled out hit statistics and found that it is ranked at 293 for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explained the spike that we saw during the breach.
During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:
The malware served from these links is a RAT called NanoCore. NanoCore provides plugins such as those related to Network, Security products and Surveillance.
The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (184.108.40.206).
Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.
For more information about the PageFair breach and the status, you may read more about it from this link.
“Payment is made successfully.”
This is CryptoWall’s Decrypter Service after ransom has been paid.
And this (decrypt.zip) is what you get for your
It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files.
Which is probably why the FBI says:
Don’t want to find yourself needing to follow the FBI’s advice?
Then do this:
First, let’s take a look at SLocker versus Lollipop.
Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.
Typically all-too-common sorts of overreaching permissions are requested.
So that’s a small social engineering barrier at best.
If you have a good security app installed, you’ll see something such as this.
But if you don’t, and open the app, this is the prompt you’ll receive.
That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.
The FBI apparently accepts “PayPal My Cash” to pay the
In its effort to intimidate the victim, SLocker takes a forward facing photo.
This example is pointed towards the ceiling above Zimry’s desk.
And a PRISM logo is thrown in for good measure.
It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.
A good computer security practice is to run as “user” from a restricted profile which limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for and focus on parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.
By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.
How does Android Marshmallow fare against SLocker?
Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow and so you’ll see just what giving administrator rights entails. It’s bad. The power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortioners.
But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.
Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.
The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally.
Dridex is known to propagate via Microsoft Word documents which pretend to be legitimate but contain malicious macro code. These macros will eventually download an executable from its C&C and/or a compromised website. F-Secure has generic detection (Trojan:W97M/MaliciousMacro.GEN) that specifically looks for malicious macros inside Office document files.
As the authorities clean up the Dridex botnet, detections of malicious macros have spiked, and the spike is visible in our back end statistics.
F-Secure customers are protected by our Hydra (scanning engine) and DeepGuard (behavioral-based) technologies.
Besides generic signature detection of malicious macros, our DeepGuard behavioral engine also blocks the malicious behavior. Two layers of protection are better than one.
A document dropping an executable? Yeah, that’s never a good thing.
Q: Are these Dridex activities all related to authorities taking down the botnet?
A: We don’t know.
Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model.
Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation.
Apps designed for older versions of Android will still ask for numerous permissions upfront, but Marshmallow will allow for iOS-like granular control.
Not all apps will fail gracefully if permissions are denied.
But if for example you don’t want to use Facebook’s Find Friends feature, then there really shouldn’t be any need for the Facebook app to access your Contacts. I’d suggest denying various permissions and testing the “necessary evils” that you might have installed on your Marshmallow phone.
Conscientious developers will update their apps sooner than later.
And if they don’t… well, that’s what reviews are for. Right?
See all of the changes to Android 6.0 here.
Mikko missed VB2015 this year… allegedly.
“I've been to every Virus Bulletin conference since 1993 but missed #VB2015. Except according to this video I didn't… http://t.co/elfsizCn9B” — Mikko Hypponen (@mikko) October 2, 2015
(2015-10-05)
On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats. In his opening statement, ranking member Adam B. Schiff commented on the purpose of the Protecting Cyber Networks Act – the US House’s version of CISA. Here’s the full relevant text. So there you have it, […] (2015-09-29)
The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. […] (2015-09-28)
Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes […] (2015-09-17)
According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna. I’m not so sure about that. According to IMDb, Anna Sentina is really Anna Akana. Maybe LinkedIn should start charging to “verify” recruiter accounts? At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount […] (2015-09-15)
In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity. In Thompson’s words: “So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, […] (2015-09-14)
Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN‘s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites. Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category. As you can see, there’s quite a measurable effect on several sites; Huffington […] (2015-09-11)
Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements. Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example. Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium. A small change that I’ve noticed while testing iOS […] (2015-09-09)
1. Introduction
The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group were exploiting vulnerabilities in Microsoft Office CVE-2015-2424 and Java CVE-2015-2590. If the exploit is successful, it installs a Sofacy downloader component, which is different from […] (2015-09-08)
Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem. You can […] (2015-09-07)