Today’s Best Email

Software engineers automate everything…

A farewell message generated using a Markov chain model trained on past farewell emails.

Goodbye “Markov”!


LinkedIn Sockpuppets Are Targeting Security Researchers

Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate.

Here’s an example of one so-called “recruiter” account.

Jennifer White's LinkedIn profile

Who is this woman?

Areas of interest include pen testing and social engineering? You don’t say.

“Jennifer” supposedly works for Talent Src a.k.a. Talent Sources.

Talent Src's LinkedIn page.

(Note its specialties.)

A reverse image search shows that Talent Source’s logo isn’t original.

Google Images result for Talent Source’s logo.

And its Twitter account uses an egg. (Lazy.)


Here are Jennifer’s supposed colleagues…

The “employees” of Talent Source.

Each recruiter account is focused on a particular type of specialist.

Reverse image searches of Alex, John, Monika, and Silvia yielded no results… at first. Daavid flipped the images and then located mirror copies on Instagram as well as some legitimate LinkedIn profiles. Reverse image search engines would do well to offer mirror searches as an option. We weren’t able to locate the source of Jennifer’s photo.

And now, Jennifer and the other recruiter accounts are gone.

This seems to be the modus operandi of whoever is behind these accounts, as Fox-IT’s Yonathan Klijnsma explained on Twitter.

(Or attractive male.)

Discouragingly, Daavid discovered that one of Jennifer’s connections gave her a bunch of endorsements for skills that the account clearly didn’t deserve based on the published work history. At least, not unless retailers are training clerks to reverse engineer software. When asked about it, the connection (an employee of a large US-based defense contractor) admitted that it was a bad habit to give out such endorsements without really knowing the other person.


If you look back to the employee list, you’ll see that “Hannah” was focused on security executives. Let’s hope none of them gave away any important details.


You’ve Got Robot Mail

I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery.

Source: Posti

Posti has a video of the “robottikopteri” in action on its YouTube channel.

Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around somewhere in my neighborhood. A telling sign of the times? Will we all soon need to get used to the overhead drone of UAVs?

For a deeper discussion on the many possibilities, pros and cons, that may result from drone/UAV tech, check out these episodes of Click:


Trackers Are Out Of Control

Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999.

And it seems like the problem turns up just about everywhere these days.

Let’s take a look at a well known brick and mortar retailer’s website using Ghostery for visualization. Here’s the US localization of Ikea’s website, with third-party cookies enabled.

Ikea’s US localization with third-party cookies allowed. (Firefox 40 for Windows.)

According to Ghostery, 9 different tracker resources are loading. (I use Ghostery for visualization, not for blocking.) Okay, fair enough.

Now here’s the Finnish localization of Ikea’s website, with third-party cookies not allowed.

Ikea’s Finnish localization with third-party cookies disabled.

According to Ghostery, 11 different trackers are loading. But remember… this is with no third-party cookies. So what happens when third-party cookies are enabled?

38 more trackers come join the party!

Ikea’s Finnish localization with third-party cookies allowed.

That’s 49 trackers in total. (Feels just a bit excessive, no?)

I really don’t get this, I just want to do some window-shopping before I visit the physical store.

But anyway…

If an opening set of trackers is allowed to load successfully and to drop its cookies, those trackers will often go and fetch more resources, and that slows down your browsing as a result.
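Ghostery gives you the count; if you want the same numbers from your own browser without an extension, export a HAR file from the network panel and count the third-party hosts yourself. The script below is an added example (not part of the original post and not an F-Secure tool) that does exactly that: it treats anything outside the page’s registrable domain as third party and separately lists the hosts that answered with a Set-Cookie header, since those are the ones a third-party cookie block actually neuters. The embedded HAR is a constructed sample, not a capture of Ikea or any other real site.

```python
"""Count third-party hosts, and which of them set cookies, from a HAR capture.

Export a HAR from the browser's network panel (or pass the dict directly) and
compare a page with third-party cookies allowed against the same page with
them blocked.
"""
import json
import sys
from urllib.parse import urlsplit

# Constructed HAR-style capture (not a real trace of any site): one first-party
# page, a first-party script, and three third-party resources, two of which
# drop cookies.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"request": {"url": "https://www.example.com/"},
             "response": {"headers": [{"name": "Content-Type", "value": "text/html"}]}},
            {"request": {"url": "https://static.example.com/app.js"},
             "response": {"headers": []}},
            {"request": {"url": "https://tracker-one.example.net/pixel.gif"},
             "response": {"headers": [{"name": "Set-Cookie", "value": "uid=abc; Path=/"}]}},
            {"request": {"url": "https://cdn.tracker-one.example.net/tag.js"},
             "response": {"headers": []}},
            {"request": {"url": "https://ads.example.org/bid"},
             "response": {"headers": [{"name": "Set-Cookie", "value": "sid=1"},
                                      {"name": "Set-Cookie", "value": "seg=2"}]}},
        ]
    }
}


def registrable_domain(host, depth=2):
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.org; a real tool
    should consult the Public Suffix List so co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def summarize_third_parties(har, first_party_url):
    """Return third-party hosts, their registrable domains, and the subset
    that answered with Set-Cookie."""
    first_party = registrable_domain(urlsplit(first_party_url).hostname)
    hosts, cookie_setters, domains = set(), set(), set()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host or registrable_domain(host) == first_party:
            continue
        hosts.add(host)
        domains.add(registrable_domain(host))
        for header in entry["response"].get("headers", []):
            if header["name"].lower() == "set-cookie":
                cookie_setters.add(host)
    return {
        "third_party_hosts": sorted(hosts),
        "third_party_domains": sorted(domains),
        "third_party_cookie_setters": sorted(cookie_setters),
    }


def summarize_har_file(path, first_party_url):
    # Browsers sometimes write a UTF-8 BOM; utf-8-sig tolerates both forms.
    with open(path, encoding="utf-8-sig") as fh:
        return summarize_third_parties(json.load(fh), first_party_url)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = summarize_har_file(sys.argv[1], sys.argv[2])
    else:
        result = summarize_third_parties(SAMPLE_HAR, "https://www.example.com/")
    for key, value in result.items():
        print(f"{key} ({len(value)}): {', '.join(value)}")
```

Run it twice on the same page, once with third-party cookies allowed and once with them blocked, and the difference in the host list is the “38 more trackers” effect described above. Note that a host setting no cookie can still track you (by IP, fingerprint or URL parameters), so the cookie-setter list is a lower bound, not the whole story.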

I typically disallow all third-party cookies in my efforts to block trackers. This very rarely creates any conflicts for me. However, one of my colleagues has tested this setting and discovered that he cannot sign in to sites such as Sony’s PlayStation Network. (For that I’d recommend using a second browser.) So keep that in mind.

In your primary browser, I recommend setting “accept third-party cookies” to “never”.

Here’s Firefox 40 for Windows.


Firefox > Options > Privacy

Here are the settings in Chrome 44 for Windows.


Chrome > Settings > Show advanced settings > Content settings

And here are the settings for iOS 9.

iOS 9 > Settings > Safari > Privacy & Security

I use “Allow from Current Website Only” in iOS.

iOS 9 > Settings > Safari > Privacy & Security > Block Cookies

And then of course, you can also block tracking resources on the network side via a VPN with tracking filters.

Ikea’s Finnish localization with third-party cookies allowed, using Freedome.

As you can see above, our Freedome VPN reduces the number of trackers that attempt to load to a mere two. Much better.

Whatever approach you opt for, killing trackers as early as possible will yield a better browsing experience.

Happy hunting.


Visiting INTERPOL’s New Complex

Su Gim Goh from our Malaysian lab and I had a chance this week to visit INTERPOL’s new Global Complex for Innovation, which is located in Singapore. Inside, a fleet of analysts from around the world investigate international crime – including cyber-crime.

While we can’t go into details, it was nevertheless impressive to see the level of expertise their staff had on things like Tor and Bitcoin.

Signing off,


Amazon Says No To Flash Ads

Flash-based malvertising has run amok lately. So it was only a matter of time before something like this was announced:

“Beginning September 1, 2015, Amazon no longer accepts Flash ads on, AAP, and various IAB standard placements across owned and operated domains.”

Amazon Advertising Technical Guidelines.

Amazon is doing more than banning Flash. For example…

  • Content must only come from the serving ad server’s domain
  • Named domains only, no raw IP addresses are allowed
  • Display URL must be the actual destination, no redirects

And more.

This is a very good move on Amazon’s part and hopefully other companies will follow suit sooner than later. Flash-based ads are now an all-too-common security risk. Everybody will be better off without them.


It’s A Trap!

Be careful out there. Simple bait often works best…

Here’s an example of some current spam with an Excel file attachment named:

Payment instruction & Swift.xls

“Payment” spam with a Macro-based malware attachment.

The Excel file attachment contains malicious macro code which will attempt to download and install the DarkComet RAT. F-Secure detects this attachment (and others like it) as W97M.Downloader.C.

Nasty stuff.

About the bait… this spam message ended up in my “Bulk” folder. Why? Because I use rules to sort away messages that aren’t directly addressed to me. And by using the Bcc: field, the would-be attacker ensured that this particular message ended up in my least trusted folder. What about you – and more importantly – the person who handles payments within your organization? Would they open and execute this trap? Possibly so; they’re only human.

Reduce the chance of human error: disable macros in Office files.
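The “Bulk” rule above is easy to reproduce at the gateway or in a mailbox script. The following is an added example (not code from the original post, and not F-Secure’s filter): it parses a message, checks whether the mailbox owner actually appears in To: or Cc: (a Bcc: delivery names nobody), and flags attachments that can carry VBA macros, both by extension and by sniffing the legacy OLE2 container magic so a renamed .xls is caught too. The two messages embedded are constructed samples modelled on the lure described above; the sender and recipient addresses and the tiny base64 payloads are made up.

```python
"""Triage inbound mail the way the 'Bulk' rule above does: flag messages that
do not name the recipient in To:/Cc: (Bcc: or list delivery) and that carry a
macro-capable Office attachment."""
import email
import os
from email import policy

# Extensions that can carry VBA macros: the legacy binary formats and the
# macro-enabled OOXML variants (.xlsx/.docx/.pptx cannot contain macros).
MACRO_CAPABLE = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pot",
                 ".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".potm", ".ppam"}

# Magic bytes of an OLE2 compound file (legacy .xls/.doc/.ppt container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample resembling the lure: recipient hidden via Bcc:, .xls attached.
# The base64 body is just the 8-byte OLE2 magic, not a real workbook.
SAMPLE_MESSAGE = b"""\
From: "Accounts" <accounts@example.test>
To: undisclosed-recipients:;
Subject: Payment instruction & Swift
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached payment instruction.
--b1
Content-Type: application/vnd.ms-excel; name="Payment instruction & Swift.xls"
Content-Disposition: attachment; filename="Payment instruction & Swift.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Constructed benign sample: addressed directly to the recipient, PDF attached.
BENIGN_MESSAGE = b"""\
From: "Vendor" <billing@example.test>
To: <me@example.test>
Subject: Invoice 1234
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def visible_recipients(msg):
    """Addresses named in To:/Cc:. A Bcc: delivery names none of them, and a
    group like 'undisclosed-recipients:;' contributes no addresses."""
    found = set()
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            for addr in getattr(header, "addresses", ()):
                found.add(addr.addr_spec.lower())
    return found


def triage(raw, my_address):
    msg = email.message_from_bytes(raw, policy=policy.default)
    addressed_to_me = my_address.lower() in visible_recipients(msg)
    macro_files, ole_files = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE:
            macro_files.append(name)
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE_MAGIC):      # catches renamed legacy files too
            ole_files.append(name)
    return {
        "addressed_to_me": addressed_to_me,
        "macro_capable_attachments": macro_files,
        "ole_containers": ole_files,
        # Route to the least-trusted folder (or quarantine) when both signals fire.
        "quarantine": (not addressed_to_me) and bool(macro_files or ole_files),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, BENIGN_MESSAGE):
        print(triage(raw, "me@example.test"))
```

The routing decision here is deliberately conservative: a macro-capable file from someone who addressed you by name still lands in the inbox, which is why the macro setting in Office itself remains the control that actually matters.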


About The Security Content Of iOS 8.4.1

Whenever there’s a new version of iOS, I always like to know more about the security updates.

Apple Support hosts the main Apple security updates page. From there you can find the update information for iOS 8.4.1, which addresses 71 vulnerabilities.

Four of the 71 CVEs addressed by iOS 8.4.1.

This update is not very large in file size, so all things considered, it’s probably worth applying the update even though iOS 9 is forthcoming.

You can download the update on your iOS device via: Settings > General > Software Update.


Malware On The Water

Duke APT Group’s Latest Tools: Cloud Services and Linux Support

Recent weeks have seen the outing of two new additions to the Duke group’s toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it’s written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single – albeit cross-platform – trojan, CloudDuke appears to be an entire toolset of malware components, or “solutions” as the Duke group apparently calls them. These components include a unique loader, a downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group’s usage of cloud storage services, specifically Microsoft’s OneDrive, as a channel for both command and control and the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.

An example of the cross-platform support found in SeaDuke.

A new set of solutions with the CloudDuke malware toolset

Last week, we also saw Palo Alto Networks and Kaspersky Lab publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as “solutions” with names such as “DropperSolution”, “BastionSolution” and “OneDriveSolution”. A list of PDB strings we have observed is below:


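PDB paths like the ones referred to above are cheap to harvest in bulk: the linker writes them into a CodeView record in the PE debug directory, and that record starts with the signature “RSDS” followed by a 16-byte GUID, a 4-byte age and a NUL-terminated path. The script below is an added triage example (not code from the original post or from F-Secure’s tooling) that scans raw bytes for such records and pulls out any “…Solution” project names. Scanning rather than walking the debug directory means it also works on memory dumps and truncated files. The embedded sample is constructed; the PDB path in it is made up to follow the naming convention and is not a path from a real CloudDuke sample.

```python
"""Pull CodeView (RSDS) PDB paths out of a PE image or memory dump and flag
the '*Solution' project naming convention described above."""
import re
import struct
import uuid

RSDS_HEADER = struct.Struct("<4s16sI")      # signature, GUID, age (24 bytes)
SOLUTION_RE = re.compile(r"[A-Za-z0-9_]+Solution")


def extract_pdb_records(data):
    """Return every plausible RSDS record found by scanning the raw bytes."""
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        if pos + RSDS_HEADER.size <= len(data):
            _sig, guid, age = RSDS_HEADER.unpack_from(data, pos)
            start = pos + RSDS_HEADER.size
            end = data.find(b"\x00", start)
            if end != -1:
                path = data[start:end]
                # Require a printable ASCII path so random 'RSDS' hits are dropped.
                if path and all(32 <= b < 127 for b in path):
                    records.append({
                        "offset": pos,
                        "guid": str(uuid.UUID(bytes_le=guid)),
                        "age": age,
                        "path": path.decode("ascii"),
                    })
        pos = data.find(b"RSDS", pos + 4)
    return records


def solution_names(records):
    """Distinct '<Name>Solution' tokens seen anywhere in the PDB paths."""
    names = set()
    for rec in records:
        names.update(SOLUTION_RE.findall(rec["path"]))
    return sorted(names)


def scan_file(path):
    with open(path, "rb") as fh:
        data = fh.read()
    records = extract_pdb_records(data)
    return {"records": records, "solutions": solution_names(records)}


def build_sample():
    """Constructed test image: an MZ stub, one RSDS record whose path follows the
    naming pattern (made-up path, not from a real sample), and one unrelated record."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    rec1 = RSDS_HEADER.pack(b"RSDS", guid.bytes_le, 1) + \
        b"C:\\Projects\\OneDriveSolution\\Release\\OneDriveSolution.pdb\x00"
    rec2 = RSDS_HEADER.pack(b"RSDS", guid.bytes_le, 3) + b"D:\\build\\app.pdb\x00"
    return b"MZ" + b"\x00" * 62 + rec1 + b"\x90" * 16 + rec2


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(scan_file(sys.argv[1]))
    else:
        recs = extract_pdb_records(build_sample())
        for rec in recs:
            print(rec)
        print("solutions:", solution_names(recs))
```

The GUID and age are worth keeping alongside the path: samples built from the same project with a different linker run share the path but not the GUID, which lets you cluster a family without trusting strings alone. Attackers can of course strip or forge PDB paths, so treat a hit as a pivot, not as proof.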
The first of the CloudDuke components we have observed is a downloader internally called “DropperSolution”. The purpose of the downloader is to download and execute additional malware on the victim’s system. In most observed cases, the downloader will attempt to connect to a compromised website to download an encrypted malicious payload which the downloader will decrypt and execute. Depending on the way the downloader has been configured, in some cases it may first attempt to log in to Microsoft’s cloud storage service OneDrive and retrieve the payload from there. If no payload is available from OneDrive, the downloader will revert to the previously mentioned method of downloading from compromised websites.

We have also observed two distinct trojan components in the CloudDuke toolset. The first of these, internally called “BastionSolution”, is the trojan that Palo Alto Networks described in their research into “MiniDionis”. Interestingly, BastionSolution appears to functionally be an exact copy of SeaDuke, with the only real difference being the choice of programming language. BastionSolution also makes significant use of a code framework that is apparently internally called “Z”. This framework provides classes for functionality such as encryption, compression, randomization and network communications.

A list of classes in the BastionSolution trojan, including multiple classes from the “Z” framework.

Classes from the same “Z” framework, such as the encryption and randomization classes, are also used by the second trojan component of the CloudDuke toolset. This second component, internally called “OneDriveSolution”, is especially interesting because it relies on Microsoft’s cloud storage service OneDrive as its command and control channel. To achieve this, OneDriveSolution will attempt to log into OneDrive with a preconfigured username and password. If successful, OneDriveSolution will then proceed to copy data from the victim’s computer to the OneDrive account. It will also search the OneDrive account for files containing commands for the malware to execute.

A list of classes in the OneDriveSolution trojan, including multiple classes from the “Z” framework.

All of the CloudDuke “solutions” use the same loader, a piece of code whose primary purpose is to decrypt the embedded, encrypted solution, load it in memory and execute it. The Duke group has often employed loaders for their malware but unlike the previous loaders they have used, the CloudDuke loader is much more versatile with support for multiple methods of loading and executing the final payload as well as the ability to write to disk and execute additional malware components.

CloudDuke spear-phishing campaigns and similarities with CozyDuke

CloudDuke has recently been spread via spear-phishing emails with targets reportedly including organizations such as the US Department of Defense. These spear-phishing emails have contained links to compromised websites hosting zip archives that contain CloudDuke-laden executables. In most cases, executing these executables will have resulted in two additional files being written to the victim’s hard disk. The first of these files has been a decoy, such as an audio file or a PDF file, while the second one has been a CloudDuke loader embedding a CloudDuke downloader, the so-called “DropperSolution”. In these cases, the victim has been presented with the decoy file while in the background the downloader has proceeded to download and execute one of the CloudDuke trojans, “OneDriveSolution” or “BastionSolution”.

Example of one of the decoy documents employed in the CloudDuke spear-phishing campaigns. It has apparently been copied by the attackers from here.

Interestingly, however, some of the other CloudDuke spear-phishing campaigns we have observed this July have borne a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, at the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a “US letter fax test page” (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the “BastionSolution” component, thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.

The “US letter fax test page” decoy employed in both CloudDuke and CozyDuke spear-phishing campaigns.

Increasingly using cloud services to evade detection

CloudDuke is not the first time we have observed the Duke group use cloud services in general, and Microsoft OneDrive specifically, as part of their operations. Earlier this spring we released research on CozyDuke, where we mentioned observing CozyDuke either directly use a OneDrive account to exfiltrate stolen data or download Visual Basic scripts that would copy stolen files to a OneDrive account and sometimes even retrieve files containing additional commands from the same OneDrive account.

In these previous cases the Duke group has only used OneDrive as a secondary communication channel but still relied on more traditional C&C channels for most of their actions. It is therefore interesting to note that CloudDuke actually enables the Duke group to rely solely on OneDrive for every step of their operation from downloading the actual trojan, passing commands to the trojan and finally exfiltrating stolen data.

By relying solely on third-party web services, such as OneDrive, as their command and control channel, we believe the Duke group is trying to better evade detection. Large amounts of data being transferred from an organization’s network to an unknown web server easily raise suspicions. However, data being transferred to a popular cloud storage service is normal. What better way for an attacker to surreptitiously transfer large amounts of stolen data than the same way people are transferring that same data every day for legitimate reasons? (Coincidentally, the implications of third-party web services being used as command and control channels are also the subject of an upcoming talk at the VirusBulletin 2015 conference.)
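“Normal” is the attacker’s cover here, so the practical detection question is not whether a host talks to OneDrive but whether it uploads far more than its peers. The script below is an added example (not from the original post, and not an F-Secure detection) of that baseline check over proxy logs: it sums upload bytes (POST/PUT) per client to a list of OneDrive hostnames and flags clients whose volume is both above an absolute floor and an order of magnitude above the median of everyone else using the service. The log lines are constructed; the hostname list is an assumption that you should replace with whatever your own proxy records for the service.

```python
"""Spot clients pushing unusual volumes to consumer cloud storage in proxy logs."""
import statistics
from collections import defaultdict

# Hostnames treated as consumer OneDrive. Assumed list for the example; extend
# or replace it with the names your proxy actually logs for the service.
ONEDRIVE_SUFFIXES = ("onedrive.live.com", "storage.live.com", "docs.live.net",
                     "1drv.ms", "files.1drv.com")

# Constructed log lines: "<time> <client> <method> <host> <bytes_out>".
# ws-103 pushes ~6 MB in three POSTs; everyone else syncs a few KB.
SAMPLE_LOG = """\
2015-07-20T09:01:02 ws-017 POST storage.live.com 18240
2015-07-20T09:02:11 ws-017 GET onedrive.live.com 512
2015-07-20T09:05:40 ws-042 POST storage.live.com 22000
2015-07-20T09:07:13 ws-103 POST d.docs.live.net 2048000
2015-07-20T09:08:30 ws-103 POST d.docs.live.net 1950000
2015-07-20T09:09:01 ws-103 POST d.docs.live.net 2100000
2015-07-20T09:10:22 ws-055 POST storage.live.com 14500
2015-07-20T09:11:05 ws-017 POST www.example.com 900000
"""


def is_onedrive(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ONEDRIVE_SUFFIXES)


def upload_bytes_per_client(log_text):
    """Sum request bytes of upload methods to OneDrive hosts, per client."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, host, nbytes = line.split()
        if method.upper() in ("POST", "PUT") and is_onedrive(host):
            totals[client] += int(nbytes)
    return dict(totals)


def flag_outliers(totals, factor=10.0, min_bytes=1_000_000):
    """Clients whose upload volume is at least `factor` times the median of
    all uploading clients and above an absolute floor, so one big deck on a
    quiet network does not page you."""
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted(c for c, b in totals.items()
                  if b >= min_bytes and b >= factor * median)


if __name__ == "__main__":
    totals = upload_bytes_per_client(SAMPLE_LOG)
    for client, nbytes in sorted(totals.items()):
        print(f"{client}: {nbytes} bytes uploaded")
    print("outliers:", flag_outliers(totals))
```

Two caveats a practitioner will already be thinking of: a patient operator can trickle data under any volume threshold, and the median is meaningless on a network where only one or two hosts use the service at all. Pair this with a first-seen check (has this host ever talked to OneDrive before?) and, where policy allows, with a block of consumer cloud storage that is not sanctioned for business use.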

Directing limited resources towards evading detection and staying ahead of defenders

Developing even a single multipurpose malware toolset, never mind many, requires time and resources. Therefore it seems logical to attempt to reuse code such as supporting frameworks between different toolsets. The Duke group, however, appear to have taken this a step further with SeaDuke and the CloudDuke component BastionSolution, by rewriting the same code in multiple programming languages. This has the obvious benefit of saving time and resources while providing two malware toolsets that, while similar on the inside, appear completely different on the outside. This way, the discovery of one toolset does not immediately lead to the discovery of the second toolset.

The Duke group, long suspected of ties to the Russian state, have been running their espionage operation for an unusually long time and – especially lately – with unusual brazenness. These latest CloudDuke and SeaDuke campaigns appear to be a clear sign that the Dukes are not planning to stop any time soon.

F-Secure detects CloudDuke as Trojan:W32/CloudDuke.B and Trojan:W64/CloudDuke.B.



Compromised servers used for command and control:


Compromised websites used to host CloudDuke:



This content was originally posted here.

I, For One, Welcome Our New Platforming Overlords

Latest attempt to inject Mario with AI is unnerving: ~ Mario is apparently the form of the destructor. #singularity — Sean Sullivan (@5ean5ullivan) January 20, 2015