Channel: McAfee Labs | McAfee Blogs

Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities


Spear phishing email is a major worry for any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits for already-patched vulnerabilities, delivered by spear phishing email, are one of the most successful combinations attackers use to infiltrate targeted organizations and gain access to confidential information.

During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the older, long-patched ActiveX control vulnerability CVE-2012-0158. Both have been popular in several ongoing targeted attacks.

[Figure: two of the spear phishing emails sent to the targeted organization]

The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization.

RTF Vulnerability

These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. The flaw is triggered through the \listoverridecount control word, which the exploit sets to 25:

[Figure: RTF list override with ListOverrideCount set to 25]

According to Microsoft's RTF specification, this value should be either 1 or 9. The out-of-range count leads to an out-of-bounds array overwrite, so Word handles the structure incorrectly and the attacker ends up controlling the extended instruction pointer (EIP).
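The check an analyst would want from the preceding paragraph, as an added example rather than code from the original post: a brace-aware scan of each \listoverride group that reports the declared \listoverridecount against the \lfolevel groups actually present and flags counts outside what the specification allows. The two RTF documents inside the block are constructed for the demonstration (the 25 mirrors the value reported above; the 0 in the benign sample is what Word itself emits for an override with no level overrides, an assumption based on Word output rather than on the post).

```python
import re

# Added example, not from the original post: flag RTF files whose \listoverridecount
# value is outside the range the RTF specification allows. Sample documents below are
# constructed; they are not the exploit files discussed in the post.

# The specification allows 1 or 9; Word emits 0 for an override that overrides no
# levels (assumption from observed Word output, not from the post).
ALLOWED_COUNTS = {0, 1, 9}


def rtf_groups(rtf: str, name: str):
    """Yield every brace-balanced group that begins with {\\<name> (not a longer control word)."""
    for m in re.finditer(r"\{\\" + re.escape(name) + r"(?![a-zA-Z])", rtf):
        depth, j = 0, m.start()
        while j < len(rtf):
            c = rtf[j]
            if c == "\\":          # \{ and \} are literal characters, not group delimiters
                j += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():j + 1]
                    break
            j += 1


def audit_list_overrides(rtf: str) -> list:
    """One finding per \\listoverride group: declared count, real \\lfolevel groups, verdict."""
    findings = []
    for group in rtf_groups(rtf, "listoverride"):
        m = re.search(r"\\listoverridecount(-?\d+)", group)
        declared = int(m.group(1)) if m else None
        actual = len(re.findall(r"\\lfolevel(?![a-zA-Z])", group))
        findings.append({
            "declared": declared,
            "lfolevel_groups": actual,
            # an out-of-range count is exactly what drives the out-of-bounds write
            "suspicious": declared is not None and declared not in ALLOWED_COUNTS,
        })
    return findings


# Constructed samples (not real exploit documents).
BENIGN_RTF = (
    r"{\rtf1\ansi{\*\listtable{\list\listid1{\listlevel\levelnfc0\levelstartat1}}}"
    r"{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}"
    r"\pard Hello\par}"
)
MALFORMED_RTF = (
    r"{\rtf1\ansi{\*\listtable{\list\listid1{\listlevel\levelnfc0\levelstartat1}}}"
    r"{\*\listoverridetable{\listoverride\listid1\listoverridecount25"
    r"{\lfolevel\listoverridestartat\levelstartat1}\ls1}}"
    r"\pard Hello\par}"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF)):
        print(label, audit_list_overrides(doc))
```

The scan is deliberately tolerant: it never evaluates the document, only walks braces, so it is safe to run over untrusted samples. It will miss counts hidden behind RTF obfuscation tricks (split control words, nested destinations), so treat a clean result as "nothing obvious" rather than "safe".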

Shellcode

McAfee Labs researchers found that every byte of the shellcode and of the return-oriented programming (ROP) chain is directly controlled by the attacker and comes straight from the RTF structure. Here is a high-level view of how the ROP chain is formed:

[Figure: ROP chain assembled from the RTF structure]

Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP:

[Figure: parsed RTF structure in memory at the point of EIP control]

Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in the %TEMP% directory and then connects to the control server.

[Figure: svohost.exe dropped in %TEMP%]

(McAfee Labs researchers Haifei Li and Xie Jun have already blogged on the technical details of the vulnerability and the shellcode.)

In this cycle of spear phishing attacks we've also seen email targeting the same organization with attachments that exploit the two-year-old CVE-2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc.

[Figure: spear phishing email carrying article.doc (CVE-2012-0158)]

The following API trace gives an idea of the sequence of activities once the exploit is launched on the system:

[Figure: API trace after the exploit is launched]

Payload Analysis

Our analysis of the dropped binary reveals that it was written specifically to gather information about the target organization's network and the endpoint's configuration, leading us to believe it is the reconnaissance stage of a spear phishing campaign. The payload appears to have been compiled on April 9:

[Figure: PE header showing the April 9 compile timestamp]

The malware starts by retrieving the %Temp% path and prepares to log its communication with the control server in the file %Temp%\explorer.exe.

[Figure: log file path construction]

The malware then collects the following information:

  • Hostname
  • Username
  • System type, by resolving the IsWow64Process API
  • Current TCP and UDP connections and open ports
  • Organizational information from the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion: ProductName, CSDVersion, CurrentVersion, CurrentBuildNumber, RegisteredOrganization, RegisteredOwner
  • Currently running system services
  • Installed software from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  • Network adapters: IP configuration, number of network cards, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host

Here is a high-level snapshot of the malware’s information gathering code:

[Figure: information-gathering code]

The encryption key is derived from the current time. The malware builds a repeating 256-byte key from fields of the SYSTEMTIME structure, shown below:

[Figure: 256-byte key built from SYSTEMTIME values]

The malware then reduces the key to 16 bytes and uses it to encrypt the collected information.

[Figure, redacted: key reduction routine (Chintan Shah)]

Once the buffer has been encrypted, it connects to the control server sophos.skypetm.com.tw.

[Figure: encrypted buffer and connection to the control server]

[Figure: control server domain string]

Command and Control Research

During our analysis of this exploit, sophos.skypetm.com.tw resolved to the IP address 66.220.4.100, located in Fremont, California. McAfee sensors first observed outbound traffic to this domain on January 27, when it resolved to 198.100.113.27, located in Los Angeles.

From our passive DNS data, we found the following MD5 hashes connecting to the same domain while it resolved to 198.100.113.27:

MD5                              First seen        Domain
4ab74387f7a02c115deea2110f961fd3 January 27, 2014  sophos.skypetm.com.tw
8dc8e02e06ca7c825d42d82ec19d8377 January 28, 2014  sophos.skypetm.com.tw
0331417d7fc3d075128da1353ae880d8 March 30, 2014    sophos.skypetm.com.tw
5e2360a8c4a0cce1ae22919d8bff49fd April 25, 2014    sophos.skypetm.com.tw

The whois record reveals that the skypetm.com.tw domain has been registered under the email ID longsa33@yahoo.com. This ID also registered the domain avstore.com.tw, which has been used as the control server.

[Figure: whois record for skypetm.com.tw]

We have seen several other malware binaries communicating with the various subdomains of skypetm.com.tw and avstore.com.tw. All of them have been identified as “PittyTiger” malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the “Tomato Garden” APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists.

[Figure: PittyTiger samples and their control domains]

MD5                              Domain                       IP address
65809985e57b9143a24ac57cccde8c77 asdf.skypetm.com.tw          113.10.240.54
                                 vbnm.skypetm.com.tw          122.10.39.52
c0656b66b9f4180e59e1fd2f9f1a85f2 zeng.skypetm.com.tw          113.10.221.126
b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw         122.208.59.188
d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw         122.208.59.188
b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw:8080    122.208.59.188
d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw:8080    122.208.59.188
2be9fc56017aab1827bd30c9b2e3fc27 jamessmith.avstore.com.tw    58.64.175.191
be18418cafdb9f86303f7e419a389cc9 chanxe.avstore.com.tw        122.10.48.189
65809985e57b9143a24ac57cccde8c77 asdf.avstore.com.tw          122.10.39.105
17bc87b13b0a26caa2eb9a0d2a23fc72 bluer.avstore.com.tw         58.64.185.200
90f3973578ec9e2da4fb7f22da744e4c avast.avstore.com.tw         198.100.121.15

Additional domains and IP addresses related to this attack:
• 63.251.83.36
• 64.74.96.242
• 69.251.142.1
• 218.16.121.32
• 61.145.112.78
• star.yamn.net
• 216.52.184.230
• 212.118.243.118
• bz.kimoo.com.tw
• mca.avstore.com.tw

McAfee Product Coverage

McAfee coverage for CVE-2014-1761 is detailed here. McAfee Advanced Threat Defense provides zero-day detection for CVE-2012-0158.

As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software.

I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research.

The post Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities appeared first on McAfee.


W32/Worm-AAEH Replaces Cryptor With One Used by Dofoil Downloaders


The W32/Worm-AAEH family (aliases: Beebone, VObfus, Changeup) of Trojans/downloaders/worms has been notorious for consistently morphing itself and switching control servers since June 2009. In June 2013, the AAEH worm made its biggest cosmetic change since 2009 by packaging an entire encrypted binary (containing all the malicious W32/Worm-AAEH code) inside its signature cryptor, which previously held only RC4-encrypted strings. Although minor details such as the amount of obfuscation and number of RC4 rounds have changed over time for the outer packed layer, the essential algorithm of using RC4 with a random string concatenated with a 32-bit decimal number as the key for the algorithm remained constant.

However, that changed on July 21, 2014, when we observed the control server shut down temporarily for four and a half hours. When the server returned, it served the malware packed with the new cryptor. Although both cryptors were created with Visual Basic, use RC4 for encryption, and are based on RunPE to inject the decrypted binary, the structure of the packer, code, and obfuscation is quite different. For example, as we see in the following image, the encrypted data in the older packer was randomly inserted within the first section of the file. The new packer stores the encrypted data in the overlay area of the sample and sandwiches all encrypted content and their decryption keys with markers.

[Figure: old cryptor (encrypted data inside the first section) versus new cryptor (encrypted data in the overlay)]

The new cryptor (which we have seen before delivering other malware) used for W32/Worm-AAEH is the same one used by the spammer components of the Dofoil downloader family. The similarity looks like more than chance: both families slightly modified their cryptor on July 23, at roughly the same time and with identical changes, prefixing the overlay markers with the same byte (0x05 in this case). The cryptor layers of the two samples are otherwise identical and differ only in the RC4 key and, of course, the encrypted content.

[Figure: identical July 23 marker change in the AAEH and Dofoil cryptors]

Although the cryptor was modified in the same way by both families, the embedded malware samples were unchanged. We don’t know whether the malware operators of both families are working together or use the same source to procure the cryptor. Other malware families, such as Cutwail, also use a similar cryptor.

The new cryptor is straightforward. It surrounds the encrypted content and the RC4 key with a marker. The first block in the overlay contains the key, the second contains the encrypted, "hexlified" position-independent RunPE injection code, and the final block contains the encrypted binary. The RunPE code uses the familiar injection sequence: VirtualAllocEx and WriteProcessMemory to place the decrypted binary in a suspended host process, SetThreadContext to point the main thread at the binary's original entry point (OEP), and ResumeThread to start execution there.
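A model of that overlay layout, as an added example and not the cryptor's own code: a packer side that sandwiches key, hex-encoded RC4-encrypted stub and encrypted binary between markers, and an unpacker that splits the overlay on the marker and reverses the two RC4 layers. Assumptions not taken from the post: the marker value (the post only says the real one gained an 0x05 prefix), that the RunPE block is encrypted first and then hex-encoded, that the key is stored raw, and the placeholder stub and payload bytes.

```python
import binascii

# Added example, not the cryptor's own code. MARKER is hypothetical; the real marker value
# is not given in the post beyond its 0x05 prefix.
MARKER = b"\x05#OVL#"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_overlay(key: bytes, runpe_stub: bytes, binary: bytes) -> bytes:
    """Packer side: key, hexlified encrypted stub, encrypted binary, each preceded by MARKER."""
    blocks = [key, binascii.hexlify(rc4(key, runpe_stub)), rc4(key, binary)]
    return b"".join(MARKER + block for block in blocks) + MARKER


def split_overlay(overlay: bytes) -> list:
    """Return the three marker-delimited blocks; reject any other layout."""
    parts = overlay.split(MARKER)
    if len(parts) != 5 or parts[0] or parts[-1]:
        raise ValueError("unexpected overlay layout: %d marker-separated parts" % len(parts))
    return parts[1:-1]


def unpack_overlay(overlay: bytes) -> tuple:
    """Unpacker side: (decrypted RunPE stub, decrypted embedded binary)."""
    key, hex_stub, enc_binary = split_overlay(overlay)
    return rc4(key, binascii.unhexlify(hex_stub)), rc4(key, enc_binary)


def find_overlay(sample: bytes) -> bytes:
    """On a real PE the overlay begins after the last section's raw data (max of
    PointerToRawData + SizeOfRawData); for this constructed stub, the first marker suffices."""
    start = sample.find(MARKER)
    if start < 0:
        raise ValueError("no marker found")
    return sample[start:]


# Constructed test data (placeholders, not real malware).
KEY = b"qwerty1234567890"
RUNPE_STUB = bytes(range(0x55, 0x55 + 40))       # stands in for position-independent code
EMBEDDED = b"MZ\x90\x00" + b"constructed AAEH payload"

if __name__ == "__main__":
    sample = b"MZ-stub-of-the-outer-packer" + build_overlay(KEY, RUNPE_STUB, EMBEDDED)
    stub, payload = unpack_overlay(find_overlay(sample))
    print(stub == RUNPE_STUB, payload == EMBEDDED)
```

Splitting on a fixed marker is only safe if the marker cannot occur inside the encrypted blocks; a real unpacker should validate block lengths (for example, that the last block decrypts to an MZ header) rather than trust the split blindly.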

[Figures: overlay layout with markers, the key block, and the decrypted RunPE injection code]

McAfee customers are protected from both families by Dropper-FIR, Dropper-FJE, and other signatures.

Samples:

W32/Worm-AAEH new cryptor: 52AF3736510FD1A383CB2D0F7607D463
W32/Worm-AAEH old cryptor: 5629A1C24EE44EE771E14E0C21FB5A52
W32/Worm-AAEH padded overlay: 04AD6C631FDA0B7E388FC87F87A6346D
Dofoil padded overlay: AF9D96D85738DBD95974BB6A658B7158


Dropping Files Into Temp Folder Raises Security Concerns


Recently, the McAfee Advanced Exploit Detection System (AEDS) has delivered some interesting RTF files to our table. These RTFs have executables “attached” to the documents. Usually, some words in the documents try to convince users to click and run the attachments. The following figure shows the point at which a user clicks on the attachment.
[Figure: the user clicking the attachment embedded in the RTF]

This warning appears when a user tries to execute the attached malware.

Because the warning is explicit, we don't treat these files as a vulnerability in themselves. Still, we strongly advise users not to run any file attached to such documents. McAfee antivirus products already detect this type of attack.

Our story doesn’t end here. Just as we used AEDS to discover a potential security issue in PDFs, we have identified a suspicious (or maybe “interesting”) behavior while opening such an RTF: The attached file was dropped into the temporary folder of the current user (typically, in C:\Users\<username>\AppData\Local\Temp). The following figure shows the file reader.exe after it is dropped in the temporary folder for the particular RTF sample.
[Figure: reader.exe in the user's temporary folder]

The file Reader.exe is dropped into the current user’s temporary folder when the RTF is opened.

We observed this behavior on Windows 7 and 8 with or without Office installed. (Using WordPad to open the RTF is enough to trigger the behavior.) We didn’t see the behavior on Windows XP.

The file is dropped through the “Package” ActiveX Control. The format looks like this:
[Figure: RTF structure invoking the Package object]

The “Package” ActiveX Control is invoked by the RTF.

The registry information for the “Package” ActiveX Control:

CLSID: {F20DA720-C02F-11CE-927B-0800095AE340}
ProgID: Package
InProcServer32: %SystemRoot%\system32\packager.dll

During our tests, we observed the following:

  • The filename as well as the content of the dropped file are controlled by the RTF
  • Opening the RTF document is enough to trigger this behavior; no additional user interaction is required
  • If the filename already exists in the temporary folder, the file is dropped as <filename> (2).<ext>; the existing file is not overwritten
  • When the document is closed, the dropped file is removed
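Since the filename and content both come from the RTF, an analyst wants to pull them out without opening the document. The following is an added example, not code from the original post: it decodes the \objdata hex of each embedded object, parses the OLE1 object header (layout per MS-OLEDS) and, for class "Package", the Packager stream (0x0002 header, label, source path, flag words, temp path, data; that layout is taken from public reverse-engineering of packager.dll output, not from the post). The sample RTF is constructed from those same layouts, so the parser is exercised on realistic input.

```python
import binascii
import re
import struct

# Added example, not from the original post. Packager stream layout is an assumption
# from public reverse-engineering; the sample below is constructed, not a real lure.


def lp_ansi(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: 4-byte length (including NUL) + bytes; 0 when empty."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\0"


def build_package_objdata(label: bytes, src_path: bytes, temp_path: bytes, payload: bytes) -> bytes:
    """OLE1 embedded object (FormatID 2, class 'Package') wrapping a Packager stream."""
    native = (
        b"\x02\x00"
        + label + b"\0"
        + src_path + b"\0"
        + b"\x00\x00\x03\x00"
        + struct.pack("<I", len(temp_path) + 1) + temp_path + b"\0"
        + struct.pack("<I", len(payload)) + payload
    )
    header = struct.pack("<II", 0x00000501, 2) + lp_ansi(b"Package") + lp_ansi(b"") + lp_ansi(b"")
    return header + struct.pack("<I", len(native)) + native


def _read_lp_ansi(blob: bytes, off: int):
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def _read_cstr(blob: bytes, off: int):
    end = blob.index(b"\0", off)
    return blob[off:end].decode("latin-1"), end + 1


def parse_objdata(blob: bytes) -> dict:
    """Parse an OLE1 embedded object; for class 'Package' also parse the Packager stream."""
    _version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _read_lp_ansi(blob, off)
    _topic, off = _read_lp_ansi(blob, off)
    _item, off = _read_lp_ansi(blob, off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    native = blob[off:off + native_size]
    info = {"format_id": format_id, "class": class_name}
    if class_name != "Package":
        return info
    p = 2                                            # skip the 0x0002 stream header
    info["label"], p = _read_cstr(native, p)         # name the file gets in %TEMP%
    info["src_path"], p = _read_cstr(native, p)      # path on the machine that built the RTF
    p += 4                                           # flag words (00 00 03 00)
    (tp_len,) = struct.unpack_from("<I", native, p)
    p += 4
    info["temp_path"] = native[p:p + tp_len].rstrip(b"\0").decode("latin-1")
    p += tp_len
    (size,) = struct.unpack_from("<I", native, p)
    p += 4
    info["payload"] = native[p:p + size]
    return info


def find_packages(rtf: str) -> list:
    """Parsed info for every \\objdata blob in the document whose class is Package."""
    results = []
    for m in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdata = re.sub(r"\s", "", m.group(1))
        try:
            info = parse_objdata(binascii.unhexlify(hexdata[: len(hexdata) & ~1]))
        except (ValueError, struct.error):
            continue                                 # malformed or obfuscated objdata
        if info["class"] == "Package":
            results.append(info)
    return results


# Constructed sample: decoy text plus one Package object carrying a fake "Reader.exe".
OBJDATA = build_package_objdata(
    b"Reader.exe", b"C:\\build\\Reader.exe", b"C:\\Users\\x\\AppData\\Local\\Temp\\Reader.exe",
    b"MZ\x90\x00constructed payload, not an executable",
)
SAMPLE_RTF = (
    "{\\rtf1\\ansi Double-click the icon below to read the report.\\par "
    "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + binascii.hexlify(OBJDATA).decode() + "}}}"
)

if __name__ == "__main__":
    for pkg in find_packages(SAMPLE_RTF):
        print(pkg["label"], pkg["src_path"], len(pkg["payload"]), "bytes")
```

The source path is worth keeping: it is the path on the attacker's build machine and often survives into the lure unchanged, which makes it a useful pivot across samples.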

This behavior allows anyone to drop an arbitrary file with an arbitrary filename into the temporary folder when the RTF document is opened. This certainly raises security concerns. The best practice for temporary files is to create unique filenames, such as using random filenames or creating an application-specific directory under the temporary folder. For example, Adobe Reader 11 uses the directory acrord32_sbx (C:\Users\<username>\AppData\Local\Temp\acrord32_sbx) for its various temporary file operations.

How could an attacker abuse this behavior?
Because most applications and the operating system frequently use the temporary folder and we don’t know how each program uses each temporary file, answering the question is difficult. Here are some thoughts.

  • In some conditions, an application runs an executable from the temporary folder as long as the file exists. Certainly, opening the RTF could be dangerous in such conditions. This also applies to DLLs. In the real world, we expect that these conditions are infrequent. Instead, most applications will first create the executable or DLL (or overwrite it if the file is already there), and then run it.
  • DLL-preloading problems. Some applications may create an executable in the temporary folder and execute it. In this situation, when the .exe has DLL-preloading problems, it will search for that named DLL in the temporary folder. If a DLL with the same name is placed in the temporary folder, the DLL will be loaded right away.
  • Applications may rely on some specifically named nonexistent non-executable files for operations. When such a file is placed in the temporary folder, it may change the application’s behavior or program flow, bringing future security problems.

We call these situations vulnerable temp folder access. With the aid of the vulnerable temp folder access from other programs, an attacker could abuse this behavior to run arbitrary code on the victim’s system.

A typical attacking scenario would include the following steps:

  • The attacker sends an RTF file to the victim.
  • The victim opens it, and one or more specific files are dropped into the temp folder.
  • If another program accesses the temp folder in one of the vulnerable ways we discussed, code execution may occur automatically at this point. Otherwise, the document can contain social-engineering text to convince the victim to perform further, apparently safe actions, such as running legitimate applications.
  • If the victim follows these instructions, successful exploitation may occur if the user action triggers one of the vulnerable accesses we discussed.

Therefore, to attack successfully, another program’s vulnerable access to the temp folder is a must. Sometimes the attack might require additional user interactions, sometimes not.

Are any attackers trying to exploit this behavior?
It’s hard to tell. A successful exploitation requires the attacker to learn, prior to the attack, whether the target has a vulnerable temp folder access as well as the details. Thus from an analyst’s point of view, examining the RTF samples is usually not enough to understand the attacker’s intention. For example, an RTF dropping Reader.exe into the temp folder could be just a “click to run” trick, or it could be an exploitation attempt of this behavior if the attacker knows that the target is running some programs accessing the Reader.exe in the temp folder in a vulnerable way.

We have seen some in-the-wild malicious RTFs drop files with “interesting” names:

CEH.exe
du.sfx.exe
FINCEN~2.EXE
inicio.bat
inv_875867001426_74653003.cpl
pastelyearendguidedm (3).exe
QUICKSHIPPINGDUEINVOICE.exe
Reader.exe
test.vir

Advanced persistent threats usually involve learning the target well before the attack occurs. We recommend that organizations concerned about this issue focus especially on sophisticated targeted attacks.

Keeping safe
If users always open RTFs with Microsoft Word, there is a workaround to disable the “Package” ActiveX Control through the Office kill bit. We have found that the problem is solved in Office by setting the following registry key/value.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}]
"Compatibility Flags"=dword:00000400

However, the preceding workaround won’t work for users who employ WordPad to open RTF documents. As we have said many times for document-based exploits, the best practice is to not open documents from untrusted sources. Close the document as soon as possible when you find it’s suspicious, and don’t follow any actions suggested in the document. These steps can reduce the chance of success of a potential attack.

Our investigation of suspicious behavior when handling RTF documents in Windows and Office shows that exploitation is not only about memory corruption or a single application or system; it’s a far broader concept. The breadth of exploitation poses challenges to organizations and security companies. McAfee is committed to meeting those challenges.

Thanks to Bing Sun, Chong Xu, Jun Xie, and Xiaoning Li (of Intel Labs) for their help with this research and investigation.


Malicious Utility Can Defeat Windows PatchGuard


In 2012, my colleagues Deepak Gupta and Xiaoning Li explained in a white paper how some malware can operate at the kernel level to bypass Microsoft’s security for 64-bit Windows systems.

Today a small utility program named KPP-Destroyer can be found online.

[Figure: KPP-Destroyer]

Previous versions of KPP-Destroyer had some bugs on a Windows 8.1 computer, but the fourth release, posted on July 1, seems fully operational. When you run the tool, it asks for the boot entry you wish to patch. On my test computer (with Secure Boot disabled) I had three options and asked the tool to act on the current one.

[Figure: KPP-Destroyer prompting for the boot entry to patch]

After a reboot, I had a new entry (Windows 8.1 Patched) in my multiboot menu:

[Figure: boot menu with the added "Windows 8.1 Patched" entry]

Running BCDEDIT, I saw some changes:

[Figure: bcdedit output for the patched entry]

The nointegritychecks flag is enabled, disabling code integrity checks. The file d6gt2rg.exe has taken the place of winload.exe, and the default kernel (ntoskrnl.exe) has been replaced by sei2f4v4g9.exe.

  • With nointegritychecks enabled, there is no warning when you attempt to load an unsigned driver; here it is what allows the patched winload.exe to load at all. If you restore or disable the parameter (bcdedit /set nointegritychecks OFF), the boot fails with a blue screen explaining that Automatic Repair couldn't repair your PC.
  • To keep the original winload.exe (the Windows boot loader), the patched copy is saved under a random name (d6gt2rg.exe in this case) and added to the boot entry. Its job is to load the patched ntoskrnl.exe, the core of Windows. To do so, a code integrity checkpoint (ImgpValidateImageHash) must be skipped. The tool does this by changing five bytes:

[Figure: the five patched bytes in winload.exe]

- Three bytes at offset 42D94h (to avoid ImgpValidateImageHash)

- Two bytes in the file header to correct the PE checksum

  • Ntoskrnl.exe is also patched and saved under another random name (sei2f4v4g9.exe). To override the winload default selection of the kernel, the kernel option was set to point to the new filename.
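The "two bytes to correct the PE checksum" deserve a closer look: Windows validates IMAGE_OPTIONAL_HEADER.CheckSum for boot-time images, so a code patch that leaves the stored checksum stale would be rejected before the patched loader ever ran. The block below is an added example, not from the original post or from KPP-Destroyer: it implements the documented CheckSumMappedFile algorithm (32-bit words summed with carry folding, the CheckSum field itself skipped, the result folded to 16 bits plus the file length), applies a hypothetical 3-byte code patch to a constructed header stub, shows the stored checksum no longer matching, and writes the corrected value back. The image is a bare MZ/PE header, not a loadable executable.

```python
import struct

# Added example, not from the original post. The 256-byte image is a constructed header
# stub and the patch bytes are hypothetical; only the checksum algorithm is the real one.


def checksum_field_offset(data: bytes) -> int:
    """CheckSum sits at IMAGE_OPTIONAL_HEADER + 0x40 for both PE32 and PE32+."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 4 + 20 + 0x40          # signature + COFF header + offset in optional header


def pe_checksum(data: bytes) -> int:
    """Compute the value Windows expects in IMAGE_OPTIONAL_HEADER.CheckSum."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:                     # the field itself is excluded from the sum
            continue
        (dword,) = struct.unpack_from("<I", padded, i)
        total += dword
        if total >= 1 << 32:                   # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_matches(data: bytes) -> bool:
    (stored,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    return stored == pe_checksum(data)


def with_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum written into the header (what the patcher did)."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    out = bytearray(data)
    out[offset:offset + len(new)] = new
    return bytes(out)


def build_stub_image() -> bytes:
    """256-byte constructed image: MZ header, e_lfanew = 0x40, PE signature, zeroed headers."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    image = with_checksum(build_stub_image())
    print("valid:", checksum_matches(image), hex(pe_checksum(image)))
    patched = patch_bytes(image, 0x80, b"\x90\x90\x90")    # hypothetical 3-byte code patch
    print("after patch:", checksum_matches(patched))
    print("after fix-up:", checksum_matches(with_checksum(patched)))
```

A matching checksum proves nothing about integrity, since anyone who can patch code can recompute it; what it does give defenders is a cheap first check, and a mismatch between the checksum, the Authenticode hash and the catalog-signed hash of a boot component is the kind of inconsistency worth alerting on.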

[Figure: bcdedit kernel option pointing at the renamed ntoskrnl.exe]

In my test, three symbols for module ntoskrnl.exe were affected:

[Figure: patched symbols in ntoskrnl.exe]

  • nt!SeCompareSigningLevelsForAuditableProcess
  • nt!SeValidateImageData
  • nt!MiValidateSectionCreate (to bypass the return of the nt!SeValidateImageHeader call)

[Figures: the patched nt!SeValidateImageData and nt!MiValidateSectionCreate]

Finally, a test with GMER reporting numerous SSDT hooks shows that PatchGuard has been bypassed: on an unmodified 64-bit kernel, hooking the SSDT would trigger a PatchGuard bug check. (The following screen, from another test, shows the patched ntoskrnl.exe as 17h1kwrl4t.exe.)

[Figure: GMER reporting SSDT hooks on the patched kernel]

Malware developers have found ways to bypass PatchGuard on Windows 7, and this program shows that the job can be automated on Windows 8 as well. Unfortunately, I am sure this process will be used in future malicious threats.


‘DHL’ SMS Spam Distributes Android Malware in Germany


One of the most common methods of distributing PC malware is email spam that poses as a tracking notification from a popular delivery company such as DHL Express, FedEx, or UPS. The lure is popular because it works: most recipients can't resist opening the attachment or clicking the link to learn the status of a supposed package. So many of us order items online these days that it's easy to fall into the trap.

The same approach can be effectively applied to infect mobile devices. We see it currently happening with a spam campaign via short message service (SMS) targeting German users by using a fake DHL tracking notification to distribute Android malware.

Recently McAfee Labs received a mobile malware sample that is currently distributed as DHL.apk on the cloud storage service Dropbox. The complete URL is hidden using Google’s URL shortening service goo.gl and used in an SMS spam campaign with the following text in German:

“Ihr DHL Packung ist ihnen geliefert, verfolgen Sie online über http://goo.gl/<random>”
(“Your DHL package is delivered, track it online via …”)

Once the application is downloaded and installed, the following icon appears in the home launcher pretending to be the Google Service Framework application:

[Figure: launcher icon imitating Google Service Framework]

When the malware is executed for the first time, it asks for device administrator privileges to make its removal difficult. The app also simulates the loading of data:

[Figure: fake loading screen]

What the malware is actually doing, however, is starting a service in the background that will constantly contact a remote control server to request commands to perform any of the following actions:

  • Leak sensitive device information (phone number, device model, IMEI, and IMSI)
  • Send SMS messages using data (phone number and text) provided by the remote server
  • Send a specific text message to all the phone and SIM contacts
  • Steal the contact list

In addition to these actions, every SMS message received by the infected device from a number that is not in the victim's contact list is intercepted and forwarded to a remote server (located in Japan):

[Figure: stolen SMS messages forwarded to the server]

McAfee Mobile Security detects this threat as Android/SmsHnd.A and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.


Android App SandroRAT Targets Polish Banking Users via Phishing Email


Europe is currently under attack by spammers trying to get control of Android devices. In Germany the distribution method is via SMS (text) messages, as you can read in this recent McAfee Labs post, while in Poland there is an ongoing email spam campaign distributing a new variant of an Android remote access tool (RAT).

Recently McAfee Labs received a new mobile malware sample from a customer in Poland with the name Kaspersky_Mobile_Security.apk. It arrives as an attachment with the following phishing message:

[Figure: the phishing email carrying Kaspersky_Mobile_Security.apk]

Source: Zaufana Trzecia Strona

The email tries to scare a user with the following subject:

“Uwaga! Wykryto szkodliwe oprogramowanie w Twoim telefonie!”
(“Caution! Detected malware on your phone!”)

The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals the SMS codes (mTANs) used to authorize electronic transactions. The attached application is in fact a version of the Android RAT SandroRat, which was advertised at the end of last year on the hacking forum HackForums. The RAT and its source code are for sale, so anyone can build a custom version of this threat.

Like other Android RATs (such as AndroRAT), the malware can remotely execute several commands to perform the following actions:

  • Steal sensitive personal information such as contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks and GPS location (latitude and longitude).
  • Intercept incoming calls and record those in a WAV file on the SD card to later leak the file.
  • Update itself (or install additional malware) by downloading and prompting the user to install the file update.apk.
  • Intercept, block, and steal incoming SMS messages.
  • Send MMS messages with parameters (phone number and text) provided by the control server.
  • Insert and delete SMS messages and contacts.
  • Record surrounding sound and store it in an adaptive multi-rate file on the SD card to later send to a remote server.
  • Open the dialer with a number provided by the attacker or execute USSD codes.
  • Display Toast (pop-up) messages on the infected device.

A novel functionality of this threat is its ability to access the encrypted Whatsapp chats (available in the path /WhatsApp/Databases/msgstore.db.crypt5 on the SD card) and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file waddb.sr:

[Figure: WhatsApp crypt5 decryption routine]

This decryption routine will not work with Whatsapp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt). Whatsapp users should update the app to the latest version.

Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even hand complete control of a device to tools like SandroRAT. This attack gains credibility because legitimate banks do offer security software against banking malware, so the lure mimics expected behavior.

McAfee Mobile Security detects this Android threat and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.


Chinese Worm Infects Thousands of Android Phones


Last weekend, it was reported in China that an SMS worm was wildly spreading among Android mobile phones, with more than 500,000 devices infected. The malware spread by sending SMS texts to a phone’s contacts with a message body such as:

XXX看这个,http://cdn.<removed>.com/down/4279139/XXshenqi.com
(“XXX, look at this, http://cdn.<removed>.com/down/4279139/XXshenqi.com”)

[Figure: the SMS message used to spread]

This malware is more than just a worm: it is a worm plus a Trojan. The Trojan component is a second install package embedded inside the original one.

Once the worm is installed, it checks whether the Trojan is installed. If not, it asks the user to install it.

[Figure: prompt to install the Trojan component]

After installing, the malware sends a text message to a control server phone number, which we believe belongs to the author of this malware, to let him know that a new victim is infected.

[Figure: "installed" report sent to the malware author's number]

The installation then asks the user to input his or her ID and name, which will also be posted to the control number.

[Figure: the user's identity card number and name being leaked]

The Trojan monitors incoming SMS messages, forwards all incoming SMS messages to the control number, and executes the following commands:

  • readmessage: Reads all SMS messages and sends them to the malware author's email address
  • sendmessage: Sends messages to the number given in the message body
  • test: Sends a test message to the malware author
  • makemessage: Creates a fake message and inserts it into the inbox
  • sendlink: Sends the user's contact list to the malware author's email address

With the user’s identity card number, real name, and SMS messages, the malware author is one step closer to stealing the user’s bank account information, hijacking an online trade, or even transferring money. In China, some banks allow customers to access their accounts with an identity card number and password.

[Figure: the user's information sent by email]

We have seen two versions of this sample. The payloads are almost the same, except that the first has no spreading component, that is, no worm function. It appears the author added the worm to infect more devices.

McAfee Mobile Security detects both of these threats as Android/XShenqi.A.

According to reports, the author of this malware is a college student who created this malware just to prove he can do something. Seems like a curious way to impress people.

 


Trailing the Trojan njRAT


One Trojan that just won’t go away is the remote access tool njRAT. Microsoft recently took down a leading domain associated with the malware, but that action did not come off as smoothly as the company hoped. We closely track this remote access tool (RAT) and see a rise in its popularity every year.

The malware is very popular in the Middle East with the Syrian Electronic Army and other hacktivists. There are plenty of tutorials and videos online that explain its use, thus making it the de facto choice for cyber espionage.

This RAT is coded using the Microsoft .Net framework and can remotely access a victim’s machine, operate the webcam, log keystrokes, steal credentials stored in browsers, upload and download files, and update itself. The malware has a GUI-based builder and controller tool that allows its users to create malicious binaries and remotely control all infected machines.

Tracking the control servers

A major aspect of this RAT is its heavy use of dynamic domain name system (DNS) services such as no-ip.com. A dynamic DNS service automatically updates a name server, often in real time, with the current address of its configured hostnames.

This allows attackers without a static IP address (for example, on a DSL or consumer broadband connection) to give their controller a stable DNS hostname. The malicious actor can move between IP addresses or Internet connections and still keep the client connections alive.

Based on the activity we observed in our monitoring systems, here is a map of the global coverage of njRAT’s control servers during the last six months:


All the dots signify distinct IP addresses used by njRAT as a control server. The green dots signify active campaigns, which means the attacker was controlling machines when we took this snapshot. Here is a close-up of its popularity in the Middle East:


Morocco, Algeria, and Iraq have the highest usage, with Algeria hosting the largest number of control server IPs (more than 4,000). The dynamic DNS service provider no-ip is owned by Vitalwerks, which offers various domain name options to its customers. During this period, we saw more than 80,000 unique domains used for njRAT that belonged to Vitalwerks. Here is the distribution:

Domain distribution of njRAT control servers.

Clearly, most njRAT users prefer using the domain no-ip.biz, which leads the pack with more than 47,000 distinct entries in our database.
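Because njRAT operators lean so heavily on dynamic DNS hostnames, resolver logs are a cheap place to look for them. The following Go program is an added example, not code from the original post: it flags queries for hostnames under watched dynamic DNS zones, requiring a proper label boundary so that the zone apex, look-alike names, and unrelated domains with the zone embedded in them are not flagged. The log lines are constructed, and the zone list beyond no-ip.com and no-ip.biz is an assumption to be replaced with your own intelligence.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// dynDNSZones are the dynamic DNS zones to watch. The post names no-ip.com and
// no-ip.biz; the other entries are assumed further zones of the same provider.
var dynDNSZones = []string{"no-ip.biz", "no-ip.com", "no-ip.org", "hopto.org", "zapto.org"}

// Hit is one flagged (client, hostname) pair and the zone it fell under.
type Hit struct {
	Client, Host, Zone string
}

// MatchZone returns the watched zone that host is a subdomain of, or "".
// It requires a label boundary, so "no-ip.biz.example.com" and "xno-ip.biz"
// do not match, and it ignores the zone apex itself, which is the provider's
// own site rather than a customer hostname.
func MatchZone(host string) string {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, z := range dynDNSZones {
		if strings.HasSuffix(h, "."+z) {
			return z
		}
	}
	return ""
}

// parseLine reads a constructed resolver log line: "<time> <client> <qname> <qtype>".
func parseLine(line string) (client, qname string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return "", "", false
	}
	return f[1], f[2], true
}

// FlagDynDNS returns one Hit per distinct client/hostname pair that resolves
// under a watched zone, sorted by client and then hostname. Malformed lines
// are skipped rather than aborting the scan.
func FlagDynDNS(lines []string) []Hit {
	seen := map[Hit]bool{}
	var hits []Hit
	for _, line := range lines {
		client, qname, ok := parseLine(line)
		if !ok {
			continue
		}
		zone := MatchZone(qname)
		if zone == "" {
			continue
		}
		h := Hit{Client: client, Host: strings.ToLower(strings.TrimSuffix(qname, ".")), Zone: zone}
		if !seen[h] {
			seen[h] = true
			hits = append(hits, h)
		}
	}
	sort.Slice(hits, func(i, j int) bool {
		if hits[i].Client != hits[j].Client {
			return hits[i].Client < hits[j].Client
		}
		return hits[i].Host < hits[j].Host
	})
	return hits
}

// ClientSummary counts distinct dynamic DNS hostnames per client; a workstation
// that resolves several such names in a short window deserves a closer look.
func ClientSummary(hits []Hit) map[string]int {
	out := map[string]int{}
	for _, h := range hits {
		out[h.Client]++
	}
	return out
}

// sampleLog is constructed for this example; it is not real traffic.
const sampleLog = `2014-07-01T10:00:01Z 10.0.0.5 update.example-vendor.com A
2014-07-01T10:00:02Z 10.0.0.5 host-alpha.no-ip.biz A
2014-07-01T10:00:03Z 10.0.0.7 gamma.no-ip.com A
2014-07-01T10:00:04Z 10.0.0.7 no-ip.biz A
2014-07-01T10:00:05Z 10.0.0.5 beta.zapto.org. A
2014-07-01T10:00:06Z 10.0.0.5 HOST-ALPHA.no-ip.biz A
2014-07-01T10:00:07Z 10.0.0.9 no-ip.biz.example.com A
this line is malformed`

func main() {
	hits := FlagDynDNS(strings.Split(sampleLog, "\n"))
	for _, h := range hits {
		fmt.Printf("%-10s %-25s zone=%s\n", h.Client, h.Host, h.Zone)
	}
	fmt.Println(ClientSummary(hits))
}
```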

Obfuscation and antivirus evasion

One of the reasons njRAT remains so popular is the Trojan’s ability to stay under the radar and evade antivirus detection. Plenty of obfuscation tools for .Net let users easily obfuscate .Net binaries.

Similar to a packer, a .Net obfuscator renames the metadata in the assembly so that no one can statically work out what the functions do, yet the code still executes its intended operations. Obfuscators were designed to protect .Net executables against reverse engineering, but here they are put to nefarious use.

Plenty of tutorials on YouTube explain how to make an njRAT binary undetectable by antivirus solutions, so the infection success rate with njRAT is pretty high. However, the network signature remains the same, and that is what we use to track the threat.

In the past year, we have collected more than 88,000 unique binaries. Using our advanced automation, we monitor this threat closely.

For a RAT, the preceding numbers are pretty high. They demonstrate how easy it is to build and deploy this malware. But what surprises us most is the count of samples received each month that have no antivirus detection:


The samples in the preceding chart were not detected by any antivirus vendor at the time of submission. We refer to these as zero-day samples. From their network communication, however, we can confirm that they all belong to the njRAT family. We have used the malware’s network signature to track this threat for more than a year.

Because of the plethora of tutorials and information, a few obfuscators are popular with njRAT users. However, we also saw some binaries using custom obfuscation algorithms. Based on our analysis, “RedGate SmartAssembly” was one of the most popular obfuscators used with njRAT, followed by “Yano” and others:


Desktop antivirus solutions have limitations, and .Net obfuscation takes advantage of that. Every month we get samples of this malware that continue to evade antivirus software. The njRAT tool is still under development on various forums and its author continues to create new versions.

All McAfee Network Security Product (NSP) customers are already protected from this threat.



Yahoo Ads Serve Mobile Fake Alerts


“Android Armour,” a malicious knockoff of Armor For Android, has been circulating for some time with no end in sight, perhaps due in part to advertisements over Yahoo’s ad network. I happened to be served a couple myself recently. The lure starts off with some alarming pop-up dialog prompts:


These lead to fake scanning web pages:


And ultimately a prompt to download the Scan-For-Viruses-Now.apk application. (You should heed Android’s warning.)


Should the user proceed with installing the off-marketplace app (assuming the device has been configured to allow the installation of apps from unknown sources), a copycat version of Armor For Android runs. The app proceeds to identify a phantom threat, which it is happy to remove for a mere $0.99 per day.


The certificate contained in the APK file is a tip-off, not that most victims would ever see it:
L=Blah
C=ZZ

The majority of Android malware is delivered through side channels rather than approved app stores. This serves as a reminder to stay on the beaten path. Don’t take the bait offered by browser pop-up windows claiming to have discovered an infection on your device; instead, seek out reputable applications to verify your security.

Unique McAfee Mobile Security devices reporting detections of Android Armour malware over the past 30 days.


Adobe Flash Player Installer Scams Reappear on Google Play


Adobe Flash Player has been a boon to Android malware creators for a long time. These developers have taken advantage of Flash’s popularity to create premium SMS Trojans and droppers, as well as other types of malware. McAfee Labs has detected a common scam app, Android/Fladstep.B, on the Google Play store since the end of 2013. The malware tricks users into paying money via PayPal to install Flash Player. The apps are removed from the store every time they appear, but we have found the same scam back on Google Play.


Examples of Flash Player installer scam apps on Google Play store.

Multiple apps claiming to be installers of Flash Player have been published by several app developer accounts since the end of June. The malware is short lived, but the total download count of those apps amounts to more than 50,000, according to Google Play statistics. These apps were quickly removed, but they reappear soon with different names and developer accounts.


A Flash Player installer scam app that has just been published.

When launched, this scam app simply opens a web page that requests users to pay a €5 fee via PayPal to install Flash Player. The web page is hosted on a server located in Turkey in some apps and the United States in other apps. If the user pays the fee with the PayPal account, the web page shows a download link to Flash Player that is the legitimate URL of Adobe’s download site.


The malicious web page requesting users to pay with PayPal for Flash Player installation.

PayPal payment screen.

In short, victims are tricked into paying money for a free download. The scammer might claim that the installer app provides an “added value” to automatically detect the version of the Flash Player appropriate to the user’s Android OS version, but this version identification is easy to do by checking Adobe’s download site.


The download link shown after payment points to the real Adobe download site.

The Flash Player downloaded from Adobe’s site.

Another sin of this scam app is that the app’s description page on Google Play shows some screen images including one that implies the user can get both Flash Player and its “tutorial.” However, no tutorial is supplied, even to users who pay; they get exactly the same package as everyone else.


The screen shot on Google Play that promises a tutorial.

Last, paying with PayPal gives the user’s name and email address to the app developer, who can easily collect and abuse the personal information of these victims. Those who are careless enough to be scammed even once can easily be targeted in future scams.

Flash Player will continue to benefit malware authors due to its popularity. And this type of scam will continue because criminals can easily and directly get money from their victims using popular online payment services. Users should be very careful about the sellers of products when using online payments, for example, by checking that the name and contact information of the company or seller are explicitly displayed and that the product is really what they want to buy.

McAfee Mobile Security detects these Android scam apps as variants of Android/Fladstep, and also blocks browser access to websites hosting this scam.


Trust Is the Most Valuable Asset


The most valuable asset for actors in cyberspace is trust. It is an important ingredient in successful business operations as well as in good governance. Trust and security are closely intertwined. One cannot exist without the other. Thus it is concerning that people at an increasing rate hesitate to trust the digital world. They are not sure whether operating in it is safe, online privacy exists, or digital infrastructure can be protected. Yet these hesitations can be allayed by improving cybersecurity.

The world is ever more digitized and networked, which are two aspects of globalization. Cyberspace is everywhere and brings people from all over the world in contact with one another. Digital infrastructure has become the backbone of contemporary society and enables us to connect to global flows of information, finance, people, and goods. Many basic functions of society pass through cyberspace or form an important part of these functions. The security of digital infrastructure is a crucial element for today’s decision makers in both public and private sectors.

Traditionally, providing security has been primarily a task of the state, but who should be responsible for safeguarding cyberspace? Who will build trust in it? Most of digital infrastructure is owned and operated by the private sector. Moreover, the majority of actors operating in the field of cybersecurity are private. The state has unique capabilities to provide security and maintain trust among people, for example, by mobilizing its unique resources and by passing and enforcing laws. Nonetheless, due to the vast size of digital infrastructure and its distributed ownership, the state cannot safeguard cyberspace on its own.

The relationship between trust and security is multidimensional. When there is certainty, people feel safe and know how to orient themselves. Trust is not needed. The question of trust becomes crucial only when ambivalence prevails and people need to make decisions based on probabilities. Without guarantees about the future, they need to be able to trust that things will happen as expected.

Trust is an important ingredient of security. Doubt leads to insecurity, whereas trust builds security. When there is no certainty, people seek additional security measures. In cyberspace, these measures usually refer to technical solutions to particular problems. In other words, security is produced through technology. However, addressing the question of trust this way is only part of the solution. Regulation—standards, laws, treaties, and good practices—that establishes rules of the game for cyberspace is also important. Yet the biggest challenge remains in people’s unawareness and lack of familiarity with digital technology. Thus the question of trust in technology has to be addressed too.

Enhancing trust in the digital world through improving cybersecurity can be done only in cooperation among different actors owning parts of and operating in cyberspace. Even if the state remains a central security actor in the establishment of online trust, it needs partners and collaborators. It also needs new kinds of security thinking in which it adopts the role of a coordinator, not merely that of a producer. Cooperation is not possible without mutual trust that can also be perceived from afar. Projecting mutual trust and the capability to cooperate have a reassuring impact on society.

It is the shared responsibility of all online actors to reinforce trust in the digital world. Thus it lies on everyone’s shoulders to strengthen cybersecurity. The state does its part by establishing national and international regulation and administrative structures needed for cooperation. It strengthens public-private partnerships and allocates powers both upward and downward to different actors. It strives to normalize people’s relationship to cyberspace and educates them to become smart e-citizens, shares information, provides services online, and counteracts threats in the digital world. It also uses market mechanisms, for example, purchasing power and the creation of incentives for companies, other organizations, and individuals to invest in cybersecurity.

Companies and organizations reinforce trust by participating in cooperative structures and information sharing, taking care of their own equipment, networks, and procedures, as well as influencing those of their partners. They train their personnel and participate in market self-regulation and standardization. By participating in trust-building, an organization can maximize its growth potential and manage risks that are included in attempts to take advantage of digital opportunities. It can build its brand and improve its reputation as a cybersecure actor. Good reputation and trust mean that customers buy products online and are confident that the organization keeps their data safe. Suppliers know that cooperative systems do not fail them. Individuals can increase their trust in cyberspace by getting interested in and informed about cybersecurity.

Finally, trust cannot be maintained by hiding information on security breaches or other information technology–related problems. An unwillingness to acknowledge and address problems does not produce security—only an illusion of it. Real digital security, and enhanced trust, can be gained through honesty, disclosure of problems, and rapidly addressing them.


Beware of Impostor Android Apps Using Fake ID


A recently discovered Android vulnerability called Fake ID allows apps to impersonate other apps by copying their identity. Each app has its own unique identity, defined by its developers when they create their public/private key pair. This identity is a digital certificate used to cryptographically sign the app package (the .apk file on Android), which a tool or the operating system later verifies for authenticity. Yet developers can copy an identity from another app, combine it with the new app’s identity to make a chain of certificates, attach that chain to the new app, and essentially “pose” as the former app. Given the nature of the vulnerability, it is likely that only malicious developers would do this. In addition, depending on which certificate details are copied, the malicious application could gain more privileged access to the system or to other running applications because of the trusted nature of some certificates.

At the heart of its security model, the Android operating system, like many other contemporary platforms, includes a component capable of verifying application packages via their signatures to ensure they match the app they are attached to. The Fake ID vulnerability fundamentally breaks this verification process and leaves the system unable to verify the authenticity of the certificate chain. This means that one application can claim to be issued by another application or identity. In theory the component should validate the certificate chain by checking the issuer signature of a child certificate against the public certificate of the issuer.
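The difference between a name-only chain check and a real signature check is the whole story here. The following Go program is an added illustration written for this post, not Android’s code: it builds a trusted identity, a child certificate that identity genuinely signed, and an impostor child that merely copies the trusted name into its Issuer field, then shows that a verifier comparing names accepts the impostor while one that verifies the issuer’s signature rejects it. All names and keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records what two different verifiers say about one child certificate.
type Verdict struct {
	NameOnly  bool // accepted by comparing the child's Issuer to the parent's Subject
	Signature bool // accepted by verifying the parent's signature on the child
}

// makeCert issues a certificate for pub. issuer is the name written into the
// Issuer field; signer is the key that actually signs. An honest issuer signs
// with its own key; an impostor names someone else's identity as issuer but
// signs with its own key, which is the Fake ID situation.
func makeCert(subject, issuer pkix.Name, serial int64, pub *ecdsa.PublicKey,
	signer *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	// The parent here only supplies the issuer name; the signing key is passed
	// separately, so nothing forces the two to belong together.
	parent := &x509.Certificate{Subject: issuer}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// nameOnlyCheck models the broken verifier: the link is accepted when the
// child's Issuer equals the parent's Subject; the signature is never checked.
func nameOnlyCheck(child, parent *x509.Certificate) bool {
	return child.Issuer.String() == parent.Subject.String()
}

// signatureCheck is the correct verifier: the parent's public key must verify
// the signature over the child, and the parent must be a CA allowed to sign.
func signatureCheck(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

// Scenario builds a trusted identity, a child it genuinely signed, and an
// impostor that merely copies the trusted name into its Issuer field, then
// runs both checkers on each child. All names and keys are constructed.
func Scenario() (legit, impostor Verdict, err error) {
	keys := make([]*ecdsa.PrivateKey, 3) // trusted vendor, legit app, attacker
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	trustedKey, legitKey, attackerKey := keys[0], keys[1], keys[2]
	trustedName := pkix.Name{CommonName: "Trusted Vendor (constructed)"}
	trusted, err := makeCert(trustedName, trustedName, 1, &trustedKey.PublicKey, trustedKey, true)
	if err != nil {
		return
	}
	// Genuinely issued: Issuer = trusted, signed with trustedKey.
	legitCert, err := makeCert(pkix.Name{CommonName: "Legit App"}, trustedName, 2,
		&legitKey.PublicKey, trustedKey, false)
	if err != nil {
		return
	}
	// Impostor: Issuer = trusted (copied name), but signed with attackerKey.
	impostorCert, err := makeCert(pkix.Name{CommonName: "Impostor App"}, trustedName, 3,
		&attackerKey.PublicKey, attackerKey, false)
	if err != nil {
		return
	}
	legit = Verdict{nameOnlyCheck(legitCert, trusted), signatureCheck(legitCert, trusted)}
	impostor = Verdict{nameOnlyCheck(impostorCert, trusted), signatureCheck(impostorCert, trusted)}
	return
}

func main() {
	legit, impostor, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit:    name-only=%v signature=%v\n", legit.NameOnly, legit.Signature)
	fmt.Printf("impostor: name-only=%v signature=%v\n", impostor.NameOnly, impostor.Signature)
}
```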

Depending on the behavior of the application installed–or of the certificate copied–and whether that has any default level of trust on the Android platform, data could be leaked from the device or other malicious activities could take place. Given the lack of warnings in all but the latest version of Android, a user would be none the wiser if an exploit had taken place.

Users of Android Versions 2.1 (Eclair) through 4.3 (Jelly Bean) are vulnerable to this exploit, although whether a malicious application can obtain elevated privileges depends on the hardware manufacturer and the applications on the system.

Google patched this vulnerability in the latest Android, Version 4.4.4, in April and has released the patch to OEMs. All users should make sure they have this version of Android on their devices or should take the measures noted below to make sure they’re not affected.

Depending on the hardware manufacturer and the version of Android, a user may be vulnerable to one or more privileged-attack vectors. Given that this problem relates to chains of certificates, a hacker could choose to include many certificates to cover all options, and more, in their specifically crafted malware.

  1. Install updates: Update your Google Android device to the latest OS–Android 4.4.4. This may be out of your control due to the nature of customization by Google OEMs and telecommunication carriers.
  2. Use security software: Especially if you cannot update your device to the latest version of Android, you could use a new tool provided by McAfee–Fake ID Detector–which enables you to quickly discover if your apps contain the exploit. Click here to download this free app. The McAfee Mobile Security suite will be able to check for the exploit in a future version, but the current version can protect against known malware samples using the vulnerability.
  3. Avoid untrusted app stores: You should know and trust the sources of the applications you are installing. Google has put measures in place to check for this exploit in any app before it becomes available in the market place. Avoid installing applications from third-party market places and especially those attached to or linked to in emails or text messages.


Brazilian PUP Campaign MegaRapido Shows Unwanted Behavior


Some applications go too far in their attempts to get installed on users’ systems. Many of these fall into the potentially unwanted program (PUP) category. One of these is MegaRapido, which primarily targets Brazilians. A recent sample we tested tries to connect to protectmedia.net, which is already marked as suspicious by McAfee SiteAdvisor. Instead of using that URL directly, this PUP goes through the goo.gl redirection service to obscure its aim.


Lately we have observed many other examples of suspicious software using goo.gl redirects to hide their tracks. Using goo.gl, PUPs and other malware try to evade static string-based URL checks by security vendors. On executing, a window appears asking the user to install DealPly add-ons.


The only button provided is “Avançar” (Yes/I agree). Users have no option to decline this offer, abort the installation, or even minimize this window unless they click “Avançar.” This “forceful acceptance grant” is borderline ransomware behavior, which places this software in the PUP category. After accepting the terms, users are asked to give contact details; only numbers from Brazil are deemed valid. However, even after providing a valid Brazilian number, an error message says that sending an SMS to that number has failed.


Not stopping there, the latest variants also contain hardcoded routines that attempt to uninstall certain security products to evade detection.


We found other redirect strings hidden in the binary; one logged us directly into their web-tracking account.

The following stats are taken from the Extreme web-tracking account of the PUP author.


From that account a lot of intelligence can be inferred. For example, we see the number of hits for this URL, more than 700,000 per month.

Next we see the top three culprits that lead users to the adware page. All of these are marked as suspicious by McAfee SiteAdvisor.


We can see that this particular adware concentrates on Brazil, with more than 12 million hits.


And that 99.9% of the users who landed on this adware page were using Internet Explorer.


McAfee detects these variants as MegaRapido and Midia. Based on hit count, these applications are very prevalent in the wild, and although not technically “malware” they can still annoy users. Keep your antimalware solution and website reputation add-on up to date to avoid being trapped by these PUPs.


More than 200 million known malware samples


McAfee Labs has released its June 2014 Threats Report, and for the first time in history the McAfee “zoo” has grown beyond 200 million samples of known malware. Unfortunately it doesn’t stop there. We see a continued rise of malware, with 236 new samples detected every minute, or close to 4 every second – an annual growth of 49% since 2011.

The key findings from our June 2014 reports are as follows:

Flappy Bird, a game released in 2013 by Vietnam-based developer Nguyen Ha Dong, was the most downloaded free game on the iOS App Store at the end of January 2014. In February, Nguyen took down the game due to concerns over its addictive nature. Since then, numerous clones have appeared on various app stores. McAfee sampled 300 of those clones and found that 79% of them contained malware. Some of the malicious behaviors observed include making calls, sending premium SMS messages, installing additional apps, tracking geolocation, and allowing root access to the device. Many hope that Nguyen will release a new version of the app that is less addictive by forcing players to take breaks. Unfortunately, that won’t entirely stop the clones from spreading malware.

The other snake oil salesmen in the threat landscape are bad guys selling their wares to other bad guys. In a very good marketing campaign, the bad guys have convinced other bad guys that they can make a fortune, in the form of Bitcoins, by adding a “currency-mining feature” to their botnets, and they’re selling them bot tools to do exactly that. The only problem is that our research has shown it’s not actually viable due to the shortcomings of the hardware. On the positive side for users, the additional activity generated by botnets using the mining feature actually makes them more detectable!

Rootkits are those nasty little things that load in front of the operating system and infect a system without most antivirus software being aware of their existence. They do this by inserting themselves into drivers and other software that is loaded when the kernel boots. With the move to more secure 64-bit systems and digital certificates, the rootkit tally had declined since 2008. But now we’re seeing a resurgence, as hackers have cracked the more secure 64-bit systems and are frequently using stolen digital certificates to make their malware look legitimate. However, all is not lost, as McAfee offers its Deep Defender product, which, when deployed on Intel Xeon processors with vPro, detects those rootkits at boot time.

As in previous quarters, mobile malware samples increased again, this time by 22%. In most cases, the malware is designed to steal sensitive information or send premium SMS messages. Not only is mobile malware taking advantage of standard platform features to do its sneaky stuff, it’s now becoming localized too. The  A Android malware takes the permission granted by the user to access the device and download additional software via the pay-to-download feature, which opens the floodgates to download significant amounts of other malware. And to make matters worse, the developers have even localized the malware into Japanese – ensuring it targets even more unsuspecting users.

Want to learn more? Download the McAfee Labs 2014 June Threat Report and find out what you need to do to stay a step-ahead.


Detection Effectiveness: the Beat Goes On


In May, we wrote about the breach discovery gap, which is the time it takes IT security practitioners to discover a data breach after their systems have been compromised in a cyberattack. We made this critical point:

Stopping attacks before they breach and narrowing the breach discovery gap require the ability to detect threats at multiple points of attack across the enterprise. High cross-product detection effectiveness stops more attacks before they breach and shortens time to breach discovery and containment. It reduces false positives, which frees up IT security practitioners to focus on real issues, in-progress or imminent.

At the time, we had received a string of third-party test results showing that McAfee products were doing an excellent job detecting threats. But what has happened since that time? Are we continuing to deliver excellent test results?

The answer is most definitely Yes. Here are our most recent third-party test results:

June 2014

In the May-June AV-Test enterprise endpoint test, McAfee VirusScan Enterprise with ePO scored a new all-time high of 17.0 out of 18.0 points, with perfect scores in Protection and Usability. That is a full point higher than the already excellent March-April score of 16.0. McAfee VirusScan Enterprise with ePO has received AV-Test certification in all 18 tests since they began in August 2011.

In the AV-Test consumer endpoint test, McAfee Internet Security received the same high score as in the previous test—17.5 out of 18.0 points—again with perfect scores in Protection and Usability. McAfee Internet Security has now received AV-Test certification in the last 17 AV-Test consumer endpoint tests, dating to October 2011.

July 2014

For the fourth straight time, McAfee scored a perfect 13.0 out of 13.0 points in AV-Test’s July mobile security test. This means that McAfee Mobile Security received a perfect Detection Effectiveness score for Android malware, no false positives, full marks in the category of “important security features”, and perfect scores for performance and usability. McAfee Mobile Security has now achieved certification nine times by AV-Test.

These continuing results underline McAfee’s commitment to superior malware and threat detection, which is foundational to reducing the time to breach discovery and containment. Shortening the time criminals have to operate decreases the theft of intellectual property and customer data. It also reduces remediation costs, business risk, and the potential damage done to reputation, financial prospects, and operations.

Detection effectiveness

For more information about these third-party test results, click here. You can also download an infographic here.



CelebGate: a Long, Dangerous List of Celebrities


During the past few days, the media has been abuzz with the massive celebrity photo leak nicknamed CelebGate 2014. The story started on August 31 when the first nude pictures appeared on a 4chan board. An alarming list of victims has been posted.

Fake or true, today almost 450 pictures and videos are circulating on 4chan, Reddit, or Imgur in connection with this story. A Google search for “CelebGate 2014” returns more than 1.4 million URLs. While some netsurfers work at posting them, website administrators work at deleting them.

The forums are inflamed, and dedicated websites are popping up to expose these photos.

And of course, malicious software is never far from such stories. Searching for these real or fake pictures is a dangerous sport. Most of the URLs you discover via Google or dedicated forums lead somewhere dangerous: you are almost certain to land on a page that tests positive for spam, adware, spyware, viruses, or other malware.

My first two attempts infected my test computer.

After I disabled my antivirus for 10 minutes to easily browse, I was (not) surprised to detect 10 or more new infections (in the following case several Trojans).

In 2013, McAfee published a list of the 10 most dangerous celebrities. Today we appear to have a Top 100!

You should always be extra cautious when searching hot topics, which often lead to unwanted programs offered by unscrupulous companies or to malicious sites created by cybercriminals.


Checking the Pulse of McAfee Labs Threats Reports


In March, we wrote about changes that we were making to the McAfee Labs Threats Reports. Those changes included both format and content improvements. We wanted to make the Threats Reports more engaging, easier to understand, and simpler to navigate.

It’s now August, we’ve published three threats reports in the new format, and we’re interested in your feedback. If you’ve read any of our recent reports and would like to let us know what you think, please take a short, five-minute survey here.

***

The McAfee Labs Threats Report: August 2014 was published today and you can find it here. We now publish an infographic to accompany each report and the latest can be found here.


In the August report, we discuss three Key Topics:

Heartbleed’s aftermath: another cybercrime opportunity

By far the most important security event in the second quarter was the public disclosure of the “Heartbleed” vulnerability, which affected every IT organization. In this report, McAfee Labs explores how attackers are using lists of unpatched websites as target lists and then stealing sensitive information. As of this writing, more than 300,000 websites remain unpatched and vulnerable to this type of criminal activity, according to one source.

Phishing lures the unsuspecting: business users easily hooked

We also examine the exceedingly effective tactic of phishing, which exploits what is often the weakest link in a business’ cyber defense—human behavior. We tested business users’ ability to detect phishing through our McAfee Phishing Quiz and found that 80% of all test takers have fallen for at least one in seven phishing emails.

Operation Tovar: a big hit with a short life

Finally, we report on Operation Tovar, a takedown campaign conducted jointly by international law enforcement agencies and key IT security industry participants, including McAfee. Although the operation was very successful, copycats have already begun to spring up, so the relief is only temporary.

Again, we thank you for your readership. We look forward to your feedback.


ZebrAttack Creates Data Breach via Mobile OS, App Vulnerabilities


At the AVAR conference in November, with the help of coauthor and independent security researcher Song Li, we will present our findings of an emerging mobile threat vector.

We have found that in a group of popular retail apps, such as Costco’s and Walgreens’ apps for Android, when a QR code is scanned using the app’s scanning feature, the app will pull content from the QR code’s URL. (Costco has recently released an updated app in which the QR code-scanning feature has been removed.) These apps are supposed to determine that the URL is from a trusted source. However, unlike browsers that enforce the same-origin policy, the policy validation implemented by these apps can be bypassed with a carefully crafted QR code. Such a QR code can trick the app into pulling malicious code and executing it within the app. We have posted a snippet of this research to demonstrate how sensitive user information, such as phone number, SIM card number, and user geolocation, can leak to attackers when the QR code is scanned.

As reported recently, Android has surpassed iOS as the largest operating system for mobile and tablet devices. And we’re not surprised that mobile threats are growing as well. As of today, McAfee has collected more than 6 million unique APKs (not counting inner components), of which 49% are potentially unwanted programs (PUPs) or malicious.

[Image: android-app-pie-chart]

These APKs are signed by 495,000 unique certificates, indicating a large community of Android developers from both the legit market and the underground economy. We expect to collect more than 4 million accumulated legit Android apps by end of 2014.

[Image: android-app-trending]
Total number of Android apps, with projections for 2014.

As Google continues to raise the security bar, malicious apps may find it harder to sneak into Google Play or other app stores. Attackers have apparently turned to alternative attack surfaces. First, more than 50% of Android devices are still running Android 4.2 or earlier, without fixes for the majority of disclosed Android vulnerabilities. Second, OEM-layer vulnerabilities have been discovered as well. Finally, app-level weaknesses such as the QR-scanning attack we discuss have emerged as the chief security bottleneck. With developers having to support multiple versions of the OS and meet the time-to-market challenge of this fast-moving mobile space, it is hard for all app developers to make security their priority.

We in the security industry try to raise customer and developer awareness and provide solutions. At AVAR we will share our insights, especially on app and device reputation. For more observations on mobile security, refer to the McAfee Labs Threats Reports.

Many thanks to my colleague Brad Stark for providing insightful Android malware statistical data.


BackOff Malware Uses Encryption to Hide Its Intentions


Often we see malware authors using encryption or obfuscation along with other techniques to modify the static contents of malware. They do this to evade static-based clustering and detection even though the behavior is the same. In many cases obfuscation also helps hide the threat’s malicious intentions from security researchers.

BackOff, a point-of-sale malware designed to steal banking login credentials, is one of the latest to use this method. BackOff creates a fake Oracle Java folder under the appdata folder and copies its binary there as javaw.exe, a name that mimics the legitimate Java executable from Oracle. Once the copy in appdata is in place, the original malware file is deleted. A log file (log.txt) is created to store all keystrokes. For example, if the victim types “testing 1 2 3 This is a test,” the log file will store it in the following fashion:

[Image: excerpt of the keystroke log]

The malware not only stores the time and date, but also preserves the case of the victim’s keystrokes. This makes sense because banking and other important credentials are generally case sensitive.

In an earlier variant there was no visible attempt to hide these behaviors. As the following strings related to the creation of the fake javaw.exe show, the keylogging activity is visible in plaintext in the malware.

[Image: plaintext strings from the earlier variant]

Some binaries of this malware were so user friendly that they had proper comments to make sure that even a script kiddie could make proper use of it. For example, the following binary has the comment “edit with your URL” so that the keylogs can be uploaded to the controller’s site.

[Image: binary with the “edit with your URL” comment]

However, such open behavior is not the case in the most recent binaries. The new samples, despite behaving the same way, do not have any obvious static content. The following segment of the variant shows no understandable strings.

[Image: segment of the newer variant with no readable strings]

We found that the malware uses an extensive encryption algorithm to hide the data revealed in the older variant. The following shows a section of the decryption loop.

[Image: section of the decryption loop]

This code, expressed as a simple statement, reads:

a[counter] = ((a[counter+1] - v) and k) or (shiftleft(a[counter] - v, 4) xor key[i])

Here a[counter] is the encrypted array, key[i] is an array holding a hardcoded key that is repeated once it is fully exhausted, and v is a fixed value that alternates on each cycle of the loop: in this case it is 0x6c for odd iterations and 0x41 for even ones. k is a fixed constant.
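The following is an added Python re-implementation of the loop as the text describes it, not code from the BackOff sample or from McAfee. Everything the page does not state is an assumption marked in the code: the constant k is taken to be 0x0F, the loop is assumed to step through the array one byte at a time with iteration 1 counted as odd, and the key bytes and the encrypted blob are constructed so that the decoder can be run on realistic input. A small strings scan is included because the practical goal of such a decoder is to recover readable artifacts such as the control-server address.

```python
"""Decoder for the BackOff-style loop described above (added example)."""


def backoff_decrypt(buf: bytes, key: bytes, k: int = 0x0F,
                    v_odd: int = 0x6C, v_even: int = 0x41) -> bytes:
    """Apply a[c] = ((a[c+1]-v) & k) | (((a[c]-v) << 4) ^ key[c % len(key)]).

    Assumptions not given on the page: k = 0x0F, byte-wise arithmetic,
    counter steps by one, and iteration number (counter + 1) decides v.
    The loop runs in place, so a[c+1] is still encrypted when a[c] is
    computed, exactly as in the statement; the final byte has no successor
    and is not decoded.
    """
    a = bytearray(buf)
    n = len(a)
    for counter in range(n - 1):
        iteration = counter + 1
        v = v_odd if iteration % 2 else v_even        # 0x6c odd, 0x41 even
        cur = (a[counter] - v) & 0xFF                 # a[counter] - v
        nxt = (a[counter + 1] - v) & 0xFF             # a[counter+1] - v
        a[counter] = (nxt & k) | (((cur << 4) & 0xFF) ^ key[counter % len(key)])
    return bytes(a[: n - 1])


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (strings-like)."""
    found, run = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


# Constructed sample data (not from a real sample): a 4-byte key, so the
# "repeat once exhausted" behaviour is exercised, and a 9-byte blob that the
# loop above turns into 8 plaintext bytes.
SAMPLE_KEY = bytes([0xC0, 0x10, 0x00, 0xA0])
SAMPLE_BLOB = bytes([0x94, 0x38, 0xC2, 0x5E, 0x14, 0xB8, 0x72, 0xEE, 0x04])


if __name__ == "__main__":
    plain = backoff_decrypt(SAMPLE_BLOB, SAMPLE_KEY)
    print(plain, printable_strings(plain))
```

Running the block decodes SAMPLE_BLOB to the ASCII text "LabsLabs"; swapping in a real sample's key, k and blob recovered from the disassembly would let the same loop expose the strings the article goes on to show.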

After decryption we can observe that the control server is visible.

[Image: decrypted data showing the control server]

This site is blacklisted by McAfee SiteAdvisor.

[Image: McAfee SiteAdvisor rating for the control server]

McAfee provides generic coverage for both plain and encrypted variants of BackOff, respectively, as “BackOff!” and “EncBackOff!”


Quarian Targeted-Attack Malware Evades Sandbox Detection


Last year, we blogged about the actor known as Quarian, who is involved in targeted attacks. This individual or group has been active since at least 2011 and has targeted government agencies. The attacks use spear phishing campaigns with crafted .pdf and .doc files as bait for unsuspecting users.

Recently, we found a new sample that hardly any security vendor detects. The new sample is a modified version of the common binary, with additional checks that prevent it from running in a sandbox when it is executed without any parameters.

When the sample is run without command-line parameters, it checks for the presence of the following registry key and exits if the key is not present. This AppID check was not present in the version of the malware identified last year.

  • HKCR\AppID\{A941329B-8B10-4060-BCEE-E323018DFFBB}

If the sample is run with a proper command-line parameter, however, it registers itself as a Type Library and Windows service.

Other enhancements include improved boot survival: Quarian now registers itself as a Windows service, whereas the previous version used a Run registry entry.

The new binary sample appears to have been compiled on March 20.

Quarian connects to the control server visitlink.dnsrd.com, which resolves to 172.246.8.66.

Its commands remain the same as in the previous variant:

  • 0x1: Get host information: OS version, host name, IP address, username
  • 0x2: Exit control server functions
  • 0x3: Shut down the client
  • 0x4: Run a file, possible backdoor
  • 0x5: Obsolete, no longer used
  • 0x6: Remote shell, used to interactively run commands
  • 0x7: Extended control functions (FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile)
  • 0x10: Write to “cf” file to define sleep time


Most sandboxes will fail to detect this variant of Quarian because it shows no behavior unless a command-line argument is passed to it or the AppID entry is present.

Even though the latest Quarian has many changes (create service, ATL, TypeLib), McAfee Advanced Threat Defense can detect it using our newly enhanced static code-analysis engine, a.k.a. family classification.

The family classification engine provides a unique advantage over sandboxes that rely only on behavior and static file properties to detect malware. The similarity factor in family classification indicates the extent of code changes against the original. With many targeted attacks using new and previously unknown evasion techniques, the family classification engine within Advanced Threat Defense provides a unique differentiator.

