Search the Community

Static Malware Analysis Starting here, I would like to share the results of my recent research into malware analysis. We will begin with some basics and proceed to advanced levels. In this first installment, we will discuss the techniques involved in static analysis of malware. I will also include some files for illustrative purposes in this document. Before we directly move onto the analysis part, let us set up context with some definitions. What is Malware? Malware is any software that does something that causes detriment to the user, computer, or network—such as viruses, trojan horses, worms, rootkits, scareware, and spyware. Malware Static Analysis Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviors. Enough with definitions — let’s get down to Malware Static Analysis Techniques. Malware Static Analysis Techniques Uploading the results to VirusTotal The very first technique in static analysis is to upload the suspicious executable to VirusTotal, which runs the executable against several AV solutions and gives the result. For example, the below file states that the detection ratio is 17 out of 57. Finding strings Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then you will see the URL accessed stored as a string in the program. Microsoft has a utility called “Strings”. When Strings searches an executable for ASCII and Unicode strings, it ignores context and formatting, so that it can analyse any file type and detect strings across an entire file (though this also means that it may identify bytes of characters as strings when they are not). Strings searches for a three-letter or greater sequence of ASCII and Unicode characters, followed by a string termination character. Below are some examples of strings from which important information can be revealed. Using the Strings utility, files can be searched with following command at the cmd: Strings <filename> Example 1: Below is a string extraction of keywords from a malicious executable. As we can see, it gives us good information that functions like “FindNextFileA” and “FindFirstFileA”, which shows that this executable will search for a file, and then combining that with “CopyFileA” means that it will find a file and replace it with another file. Another important point to note that is about “Kerne132.dll”. This is a misleading text and should not be confused with “Kernel32.dll”. Example 2: Below is another extraction from a string utility. It shows us that usage of “CreateProcessA” will create a process. Commands like “Exec” and “sleep” are used to control a remote file. It can be a bot as well, and then an IP field, which can be the IP of a controlling server. Example 3: Below is another example of an extraction using Strings. Interesting fields are “InternetOpenURLA” which states that it will connect with some external server to download something, and then we have a http:// file also, which even clarifies the server address from which it will connect and download. How to check if a malware code is obfuscated or not? Often malware writers obfuscate their codes so that the files are hard to read. When a packed program runs, a wrapper program also runs around to unpack it. With static analysis, it is really hard to predict which files are packed unless it is clearly evident that they are. For example, tools like PEid sometimes are able to tell that the files are packed. In the below figure, it is clearly evident that files are packed with UPX. Files which are UPX packed can be unpacked by the following command: upx –o <newfilename> -d <packedfilename> PE file sections ETHICAL HACKING TRAINING – RESOURCES (INFOSEC) Information gathering from Portable Executable (PE) file format PE file format is used by Windows executables, DDLs etc. It contains the necessary information for Windows OS loader to run the code. While examining the PE files, we can analyse which functions have been imported, exported and what type of linking is there i.e. runtime, static or dynamic. PE file sections A PE file contains a header and some more important sections. Under these sections there is some useful information. Let’s understand these sections as well. .text: This contains the executable code. .rdata: This sections holds read only globally accessible data. [.data: Stores global data accessed through the program. .rsrc: This sections stores resources needed by the executable. Most often malware writers use dynamic linking in their code. For example, with the use of the tool Dependency Walker, we can see in the below screenshot that under WININET.dll are functions like “InternetOpenUrlA”, which states that this malware will make a connection with some external server. Note: Wininet.dll contains higher level networking functions that implement protocols such as FTP, HTTP and NTP. Under the header, there is a subsection named “IMAGE_FILE_HEADER”, which contains the timestamp field. This timestamp shows the compile time of the executable. This is very important information, since if the time is old, then there may a case that AV solutions might have a signature around it. However, this field is not reliable, since the compile can be changed easily by the malware writer. Suppose from static analysis, an analyst predicts that the executable will create a process and then suppose the following exec and sleep command is found, but there is no information found about the respective DLL, which has a function to connect with another server. In that case, the resource is hidden with the executable. Open the .rsrc section of PE file with a tool like Resource Hacker to gain more information regarding the malware. Below is the analysing of the above resource using PEview. As we have learnt with static analysis, there is very little information that can be gathered, but it is very useful too. In a coming article, I will bring in dynamic analysis though basic to the rescue. Source MALWARE ANALYSIS BASICS - PART 2 Dynamic Analysis Techniques As we have covered the malware analysis basics with static techniques here, this post is all about performing the basic analysis of malware using dynamic technique. As we have seen in the previous post, the ability to fully perform malware analysis is very much restricted using static techniques either due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques. Precautions Before performing dynamic malware analysis, be sure to do it in a safe environment. Consider deploying a Windows virtual machine and using VMware for provisioning virtual machines. You should also take a snapshot of the virtual machine before executing the malicious binaries so that the safe state can be easily restored. Analyzing with Process Monitor Process Monitor is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activities. Process Monitor monitors all system calls it can gather as soon as it is run. Since there are always huge number of calls being made in the Windows OS, it is sometimes impractical to discover important events. Process Monitor helps this issue with a filter tab through which we can filter by the type of calls. For example, see the screenshot below. It shows that I have applied a filter with operation of “WriteFile” and “RegSetValue”. These are usually the call made by a malicious executable to write the file onto the disk and to make registry changes. After applying the filter, we get a list of following events in Process Monitor. The most important are the top two entries which shows the execution of file and creation of registry entry with a new entry named “Video Driver.” Other entries can be ignored as it is usual for pseudorandom numbers to be generated. On clicking the first entry, we can even see that what action that call has made. As is clear from the screenshot below, a total 7168 bytes have been written to the file system by this binary. Analyzing with Process Explorer Process Explorer is a tool used for performing dynamic analysis and can give you a great insight onto the processes currently running onto the system. Below is an example of the process being created after running a binary. Clicking on process can help you reveal whether the process has created any mutant or not. Also it can give you all the information about the DLLs being used by the function. Below, the screenshot shows that the process uses ws2_32.dll, which means that a network connection will be made by this process. Double clicking a particular process will yield more information about the process. Some of the important attributes are: Verify Option. There is a verify option in every process to check whether that binary is signed by the MS or not. Below, the screenshot depicts that this binary is not signed by the MS. Threads will showcase the number of threads associated with this process. Strings tab can help in determining whether there is any process replacement occur or not. If two strings are drastically different then the process replacement might have occur. Below, the screenshot shows that strings in the executable both on disk and in memory. Using INetSim INetSim is a free Linux based suite for simulating common Internet services. It is sometimes difficult to analyze a malware without letting it complete execute the code and that can involve contacting the outer world for services over http, https, FTP etc. INetSIM does exactly this by emulating services like Http, Https, FTP and allows analyst to analyze the behaviour of malware. Since this is Linux based, the best way to use this is to install it on a Linux machine and keep it in the same network as that of windows testing machine. INetSIM can serve any type of request that the malware might request for. For example, suppose a malware requests for an image from the for tis code to execute. INetSIM can fulfil the request of the malware though the image will not be what malware will be looking for but it will keep the malware to keep executing the code. INetSIM can also log all the request from the client regardless of the port. This can be used to record all the data sent from malware. In the next series, we will move to advanced techniques of malware analysis using both static and dynamic analysis. Source

Hey you can crash any version of skype: read here Hope you guys like it Ya i am not distributing malware trust me

Nektra SpyStudio is an all-in-one tool for cyber security analysts, DevOps, QA engineers, and developers. This multi-tool is useful for application virtualization, troubleshooting Windows applications, application performance monitoring, malware analysis, and as a process monitor complement. Get it now Read more at Nothing found for - | SharewareOnSale

Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign. Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of malware called "Grabit". "Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March," Noar says in a notice. "As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe. "Grabit threat actors did not use any sophisticated evasions or manoeuvres in their dynamic activity." Attackers did not commit much effort to conceal their command and control servers, nor hide from the local system. Noar discovered the locations of the servers by simply opening the malicious Grabit phishing document file in an editor. "During our research, dynamic analysis showed that the malicious software’s 'call home' functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry manoeuvres that would hide them from Windows Explorer," he says. The criminals could choose their favourite remote access trojan including DarkComet and the less complex HawkEye keylogger. Grabit should serve as a wake up call to admins in charge of protecting small businesses that coordinated attack campaigns are not confined to large enterprises and high-profile organisations. Source

Hi, hadn't any time to take a closer look at it. Maybe someone is interested in this malware. Description can be found here: Win32/TrojanDownloader.Spyrov.A | ESET Virusradar Attached: Win32/TrojanDownloader.Spyrov.A samples Download Pass: infected Source

Infect files on removable disks and remote network drives. Description Virus:Win32/Ursnif VT: https://www.virustotal.com/en/file/8fa8122cfa52d7ff7fd8d918ccc9089a1762420c23edb6c50e8573456bfcdde3/analysis/1430975102/ https://www.virustotal.com/en/file/9bd91d207911b08489079c3927478b824b7948b741e1b6221339893581e4e9cb/analysis/1430976279/ Download Malware Pass: infected Source

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub. Dubbed Jellyfish, the proof-of-concept malware leverages the LD_PRELOAD technique from the Jynx Linux rootkit and OpenCL, a low-level API developed by Khronos for heterogeneous computing. According to the developers of Jellyfish, who call themselves Team Jellyfish, one of the main advantages of GPU-based malware is that it’s more likely to evade detection due to the lack of malware analysis tools for such threats. Another advantage is that this type of malware can “snoop” on the CPU host memory via direct memory access (DMA). Additionally, the GPU is fast and the malicious code remains in its memory even after the device is shut down, the developers said. The experimental Jellyfish malware is currently designed to run on computers with AMD and NVIDIA graphics cards, but Intel products are also supported through the AMD APP Software Development Kit (SDK). OpenCL drivers must be installed on the system for the rootkit to work. Another PoC malware developed by Team Jellyfish is a keylogger called Demon. The developers say Demon has been built using information from a paper published in 2013 by researchers at Columbia University. The paper describes a stealthy keylogger that runs directly on a graphics processor. “We are not associated with the creators of this paper. We only PoC’d what was described in it, plus a little more,” the developers of Demon noted. While for the Jellyfish rootkit the developers use the LD_PRELOAD variable to hide malicious components, in the case of Demon they say they are using code injection. Team Jellyfish claims that their creations are designed for educational purposes, and that their goal is to “make everyone aware that GPU-based malware is real.” They noted that Jellyfish and Demon are currently only in beta version and they still have a lot of bugs. Malware that uses the GPU is not unheard of. Over the past years, researchers have spotted several threats that leverage an infected device’s GPU to mine Bitcoins. However, Jellyfish and Demon are more interesting because they use the GPU for more than just its processing power. It remains to be seen if the code published by Team Jellyfish will be used by malicious actors in their operations. source: PoC Linux Rootkit Uses GPU to Evade Detection

Introduction to POS malware In September 2014, experts at Trustwave firm published an interesting report on the evolution of the point-of-sale (PoS) malware in recent months. The attention of the media on PoS malware was raised after the numerous data breaches suffered by retail giants Target, Home Depot and Neiman Marcus. Experts at Trustwave investigated a number of incidents involving payment card data, and researchers examined a large amount of malicious code used by criminal crews to target point-of-sale devices. PoS malware is specifically designed to steal sensitive information stored in the magnetic stripe of a payment card, yet techniques implemented by the malware authors are different and are becoming even more sophisticated. Point-of-sale malware are able to steal data by scraping the memory of the machine or accessing its disk. Since 2013, POS malware is rapidly evolving, and numerous actors in the underground have offered customization for malicious codes widely used worldwide. The most interesting evolutions for PoS malware are related to evasion techniques and exfiltration methods. Cyber criminals are exploiting new solutions to avoid detection of defensive software. Malware authors are also looking with great interest to PoS malware botnets that rely on command and control (C&C) servers hidden in the TOR networks. “We also saw evidence of more authors automating the installation and control of their malware in 2013. While Trustwave discovered a number of new POS malware families exhibiting botnet-like tendencies, a number of well-known, older families also made an appearance,” states the post published by Trustwave. Which are the most popular PoS malware? Experts at Trustwave revealed that the Alina (19,1) malware family was the most prevalent malware used by threat actors behind the cases investigated by Trustwave. Other malware detected by the investigators were Baggage (16,5%) and Triforce (11,2%), meanwhile the popular BlackPos malware, Dexter and ChewBacca were used in a limited number of attacks, despite that they are considered very sophisticated. A detailed look to several PoS malware revealed that the Dexter malware is appreciated for the memory dumping ability it implements. Dexter implements process-injection mechanisms and logs keystrokes. Chewbacca is another powerful malware characterized by a sophisticated exfiltration mechanism that relays over the TOR network to host C&C servers. Debuting in late 2012, Alina surprised many, because it was one of a small number of POS malware families that included a C&C structure, encrypted the data it exfiltrated, blacklisted common Windows processes and installed itself to a randomly chosen name.” In many cases, criminal crews also used commercial keyloggers to infect the POS systems. A common characteristic for all the malware detected since 2014 is the lack of encryption for exfiltrated data. The “exclusive OR” (XOR) operation is the encryption technique most used by the malware authors (32%), followed by Blowfish (3.7%). Analyzing the exfiltration methods used by point-of-sale malware, the experts discovered that in the majority of cases (41%) the attackers don’t adopt a botnet infrastructure with a classic C&C infrastructure, instead they prefer to leave the stolen data on disk to be extracted manually later. HTTP is the second exfiltration technique (29%), followed by SMTP (22%). By analyzing the POS malware persistence mechanisms, the experts noticed that they did not change significantly from the past years. The point-of-sale malware use maintained persistence in one of the following ways: Run Registry Modification (53.2%) Installed as a Service (30.9%) AppInitDLLs Registry Modification (0.5%) None (14.9%) The evolution of point-of sale malware – what’s new? The authors of point-of-sale malware are improving their code. Let’s analyze together the most interesting code discovered since the report published by Trustwave in 2014. Name Abilities PoSeidon malware Sophisticated method to find card data. Self-update ability to execute new code. Effective measures to protect its code from analysis. The malware belongs to the “scrapers” family. Implementation of the Luhn formula to verify card validity. Uses a keylogger module. NewPosThings malware Efficient memory scraping process. Custom packer and new anti-debugging mechanisms. Implements ability to harvest user input. To obtain persistence it uses registry entry with the name “Java. Update Manager”. Disables the warning messages used by the OS. Implementation of the Luhn formula to verify card validity. d4re|dev1| malware Infects Mass Transit Systems. Allows remote control of victims. Implements functionalities of RAM scrapping and keylogging features. Allows loading of additional payloads through “File Upload” option for lateral movement inside the local network. The PoSeidon malware Recently, experts at Cisco have discovered a new strain of PoS malware dubbed PoSeidon. The new variant of malware presents many similarities with the popular Zeus trojan and implements sophisticated methods to find card data on the infected machine with respect to other PoS malicious code like BlackPoS, which is the malware that was used to steal data from the US giant retailers Target and Home Depot. “PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” states the blog post from Cisco’s Security Solutions team. “It can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.” The following image shows the architecture of the PoSeidon malware used by criminal crews to steal credit/debit card data from PoS systems. The malicious code belongs to the family of malicious code dubbed “scrapers”, which are malware that “scrape” the memory of point-of-sale systems searching for card numbers of principal card issuers (i.e. Visa, MasterCard, AMEX and Discover). PoSeidon has the ability to verify the validity of card numbers by using the Luhn formula. Once in execution, PoSeidon starts with a loader binary that operates to ensure the persistence on the infected PoS machine, then it receives other components from the C&C servers. Among the binaries downloaded by the loader, there is also a keylogger component used to steal passwords and could have been the initial infection vector, Cisco said. “The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server,” continues Cisco. The loader contacts one of the hardcoded servers in the following list provided by CISCO experts, the majority of them belonging to Russian domains: linturefa.com xablopefgr.com tabidzuwek.com lacdileftre.ru tabidzuwek.com xablopefgr.com lacdileftre.ru weksrubaz.ru linturefa.ru mifastubiv.ru xablopefgr.ru tabidzuwek.ru PoSeidon protects exfiltrated data with encryption. The data stolen from the memory of the machine and collected by the keylogger are sent to the C&C in XOR and base64 encoding. The majority of command and control servers identified by the experts are currently hosted on “.ru” domains. PoSeidon demonstrates the great interest in the criminal underground in PoS systems. Criminal crews are developing sophisticated techniques to compromise these systems. “Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats,” explained Cisco’s Security Solutions team. NewPosThings malware Another insidious point-of-sale malware recently improved is NewPosThings. Researchers at Trend Micro in fact have detected a new strain of the malicious code. The new variant of NewPosThings, also known as NewPosThings 3.0, is a 64-bit version of the known agent discovered in 2014 by the experts at Arbor Networks. The researchers at Trend Micro confirmed that the malware had been in development since October 2013, and since then many variants were detected in the wild, including the last version that was specifically designed to compromise 64-bit architectures. The NewPosThings PoS malware implements an efficient memory scraping process to steal payment card data directly from the memory of the PoS machine. Malware authors implemented a custom packer and new anti-debugging mechanisms and a module to harvest user input. The NewPosThings variant, coded as TSPY_POSNEWT. SM, installs itself on the victim’s machine using different names that appear familiar to the users, including javaj.exe, vchost.exe, dwm.exe, ism.exe and isasss.exe. As explained by malware experts from Trend Micro, the choice of the name is not casual, but it is the result of an algorithm that calculates based on information related to the infected machine like its name and the volume serial number. NewPosThings uses a registry entry with the name “Java Update Manager” to obtain persistence on the PoS machine. Figure 3 -NewPosThings uses a registry entry with the name “Java Update Manager” to obtain persistence on the PoS machine. Once it has infected the target, NewPosThings starts gathering sensitive data, including passwords for virtual network computing (VNC) software such as UltraVNC, RealVNC, WinVNC, and TightVNC. Then the malware disables the warning messages used by the OS for certain file extensions, including .exe,.bat,.reg and .vbs. .exe,.bat,.reg and .vbs. “Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources,” states the blog post published by Trend Micro. NewPosThings checks the presence of financial software on the target machine, and when it recognizes the associated process it searches for patterns that could be associated with credit/debit card numbers, and like other malware, uses the Luhn algorithm to validate the data. The same algorithm was used for card number validation by recently discovered PoSeidon and Soraya malicious codes. NewPosThings transfers data to the command and control (C&C) server every 10 minutes. The collected data is sent to the server via HTTP. Among the C&C servers used by the malware authors there are also IP addresses associated with two US airports. “While analyzing the C&C servers used by the PoS Trojan, experts identified IP addresses associated with two airports in the United States. Trend Micro PoS Trojan, experts identified IP addresses associated with two airports in the United States. Trend Micro warned that travelers will be increasingly targeted and that airports are a target-rich environment.” Security Experts at Voidsec security firm published an interesting analysis of the malware and its command and control infrastructure. The experts used data provided by Arbor Networks to locate the Command & Control servers that are still up and running. The experts exploited some vulnerabilities in the C&C servers to analyze their contents. By analyzing the server, experts from Voidsec discovered the following vulnerabilities: Ability to run bruteforce attacks on administrative credentials. Presence of the phpMyAdmin application implementing web login. Authentication bypass, which gives the attacker the ability to view a protected page on the C2 server without being logged. By accessing data hosted on the compromised Command & Control servers, the researcher profiled the botnet used by the criminal crews: The two servers C&C servers analyzed managed a total of 80 bots. At the moment the experts logged C2 servers, there were 50 bots active, 10 did not have a status, and 20 bots were “dead.” The total number of archived log is 5240, an average of 65.5 log / bot. 79% of the bots were based on 32-bit architecture, the remaining on 64-bit architecture. The majority of compromised bots (57%) were XP machines, followed by Windows 7 (34%). The greatest number of infections was observed in Canada (29%), Australia (21%) and UK (13%). Figure 5 – PoS machine OS (Analysis Voidsec) The “d4re|dev1|” PoS malware The last case I want to discuss is a PoS malware that was detected by security experts at the IntelCrawler cyber threat intelligence firm at the end of 2014. Researchers detected a new point-of-Sale malware called “d4re|dev1|” (read dareldevil), which was used by criminal crews to infect ticket vending machines and electronic kiosks. In this case, the malware was used to infect Mass Transit Systems. The malicious code appeared as a sophisticated backdoor, which allows remote control of victims. d4re|dev1| implements RAM scraping and keylogging features exactly like any other PoS malware. The experts at IntelCrawler explained that d4re|dev1| is able to steal data from several PoS systems, including QuickBooks Point of Sale Multi-Store, OSIPOS Retail Management System, Harmony WinPOS and Figure Gemini POS. IntelCrawler discovered that cyber criminals managing the d4re|dev1| botnet also compromised ticket vending machines used by mass transportation systems and electronic kiosks installed in public areas. One of the infected ticket vending machines was identified in August 2014 in Sardinia, Italy, and attackers obtained the access exploiting credentials for a VNC (Virtual Network Computing). “These kiosks and ticket machines don’t usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme,” states IntelCrawler. igure 7 – d4re|dev1| Control panel In a classic attack scenario, threat actors used to compromise the targeted PoS by discovering the remote administrative credentials, for example through a brute force attack. Researchers at IntelCrawler believe that attackers use this tactic to compromise the POS systems. Anyway, the d4re|dev1| malware also allows operators to remotely upload files to the victim’s machine, and in this way the attacker can provide updates to code or to serve additional payloads for lateral movement inside the local network. “The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection,” said InterCrawler. The “upload feature” is particularly important for cyber criminals. Experts speculate that attackers are interested to compromise systems inside enterprise wide networks to capitalize their efforts with multiple activities inside the targeted infrastructure (i.e. data stealing, botnet recruiting). “Serious cybercriminals are not interested in just one particular Point-of-Sale terminal—they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 [command-and-control] servers,” states the blog post published by IntelCrawler. Conclusions The number of data breaches is growing at a fast pace, and the retail industry is among the most affected sectors. Security experts sustain that measures to prevent cyber attacks against systems in the retail industry are not adequate, and PoS systems are a privileged target of cyber criminals that are developing new malicious code that presents sophisticated techniques. In this post, we have analyzed three of the most effective samples of PoS malware recently detected by security firms. They implement a similar feature that makes these malicious codes perfect hacking weapons that in some cases are used to breach the overall infrastructure of the victims. The experts highlight that the employees of breached companies commonly violated security policies, for example, it is very common that they used the terminals to navigate on the web, check their email, to access social network accounts and play online games. This dangerous behavior must be banned, and it is necessary to instruct personnel on the principal threats and the techniques, tactics, and procedures of the attackers. It is recommended to use a secure connection for administrative activities and limit the software environment for operators “by using proper access control lists and updated security polices”. References http://securityaffairs.co/wordpress/28160/malware/point-of-sale-malware.html https://gsr.trustwave.com/topics/placeholder-topic/point-of-sale-malware/ http://securityaffairs.co/wordpress/35181/cyber-crime/poseidon-pos-malware.html http://www.arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/ http://securityaffairs.co/wordpress/30570/cyber-crime/pos-malware-dareldevil.html http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/ http://voidsec.com/newposthings-hacked-exposed/#server http://securityaffairs.co/wordpress/30570/cyber-crime/pos-malware-dareldevil.html https://www.intelcrawler.com/news-24 http://securityaffairs.co/wordpress/30570/cyber-crime/pos-malware-dareldevil.html Source

Researchers have uncovered new malware that takes extraordinary measures to evade detection and analysis, including deleting all hard drive data and rendering a computer inoperable. Rombertik, as the malware has been dubbed by researchers from Cisco Systems' Talos Group, is a complex piece of software that indiscriminately collects everything a user does on the Web, presumably to obtain login credentials and other sensitive data. It gets installed when people click on attachments included in malicious e-mails. Talos researchers reverse engineered the software and found that behind the scenes Rombertik takes a variety of steps to evade analysis. It contains multiple levels of obfuscation and anti-analysis functions that make it hard for outsiders to peer into its inner workings. And in cases that main yfoye.exe component detects the malware is under the microscope of a security researcher or rival malware writer, Rombertik will self-destruct, taking along with it the contents of a victim's hard drive. In a blog post published Monday, Talos researchers Ben Baker and Alex Chiu wrote: "If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes," the Talos researchers explained. "Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.'>Source

Core checker a defensive wrecker Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes. Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused technique is enough to beat at least eight of the most widely used free and commercial kit, Raff says. "If the machine has only one core it immediately terminates," Raff says in a post. "As many sandboxes are configured with only one processor with one core as a way to save resources, the check performed by Dyre is a good and effective way to avoid being analysed. "On the other hand, most of the PCs in use today have more than one core." Dyre is linked to a variant Dyre Wolf that IBM said last month plundered some $1 million from bank accounts. Raff informed the affected sandbox developers of the evasion technique. Dyre's Upatre downloader also sports new evasion techniques including a different user agent and grammatical fixes previously used to identify the malware. Raff says the technique proves sandboxing should not be used in isolation to stamp out malware. It is the latest development in a long history of cat-and-mouse warfare between malware writers and white hat defenders. Criminals need to contend with infiltrating victim machines while avoid anti-virus and white hats who look for indicators that are hallmarks of a type of malware. Defenders meanwhile face malware that uses increasingly complex evasion techniques that are specifically honed to beat sandboxes, virtual machines and other tools. Source

Dropbox strikes back against Bartalex macro malware phishers Dropbox has struck back against a hacker group using its cloud storage services to store and spread the Bartalex macro malware. Trend Micro fraud analyst Christopher Talampas reported uncovering the campaign while investigating attacks targeting the Automated Clearing House (ACH) network used by many businesses for electronic funds transfers in the US on Tuesday. A Dropbox spokesperson later told V3 that the firm is aware of the campaign and has already taken action against the hackers. "We're aware of the issue and have already revoked the ability for accounts involved to share links since they've violated our Acceptable Use Policy," said the spokesperson. "We act quickly in response to abuse reports submitted to abuse@dropbox.com, and are constantly improving how we detect and prevent Dropbox users from sharing spam, malware or phishing links." The use of Dropbox links containing the Bartalex macro malware reportedly makes the campaign particularly dangerous. "Instead of attachments, the message this time bore a link to ‘view the full details'. By hovering over the URL we can see that it redirects to a Dropbox link with a file name related to the supposed ACH transaction," read Trend Micro in an advisory. "The URL leads to a Dropbox page that contains specific instructions (and an almost convincing) Microsoft Office warning that instructs users to enable the macros. "Upon enabling the macro, the malicious document then triggers the download of the banking malware." Trend Micro reported uncovering at least 1,000 malicious Dropbox links hosting the malware during the campaigns peak. It is unclear how successful the campaign has been, although Trend Micro said that the malware has been used to target big name financial institutions including JP Morgan. Trend Micro cited the use of macro malware as a sign that criminals are rehashing old tricks in a bid to get round more modern system defences. "Macro malware like Bartalex is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today," read the advisory. "And they seem to be adapting: they are now being hosted in legitimate services like Dropbox and, with the recent outbreak, macro malware may continue to threaten more businesses in the future." Macro malware is a threat that afflicted older versions of Windows. Microsoft ended the threat with Office XP in 2001 when it tweaked its systems to request user permission before executing macros script in embedded files. Macros are code scripts containing commands for automating tasks that are used in numerous applications. The discovery follows a reported boom in phishing levels. Research from Verizon earlier in April showed that a staggering one in four phishing scams currently result in success. Source

In this article, I would like to show how an analysis is performed on the Beta Bot trojan to identify its characteristics. The Beta Bot trojan, classified as Troj/Neurevt-A, is a dangerous trojan. This trojan is transferred to the victim machine through a phishing email, and the user downloads the files disguised as a legitimate program. This malicious file, when executed, drops a file in the victim machine, then changes system and browser behaviors and also generates HTTP POST traffic to some malicious domains. Beta Bot has various capabilities, including disabling AV, preventing access to security websites, and changing the settings of the browser. This trojan was initially released as an HTTP bot, and was later enhanced with a wide variety of capabilities, including backdoor functionality. The bot injects itself into almost all user processes to take over the whole system. It also utilizes a mechanism to make use of Windows messages and the registry to coordinate the injected codes. The bot also communicates with its C&C server through HTTP requests. The Beta Bot trojan spreads through USB drives, the messaging platform Skype and phishing emails. Analysis Walkthrough Now let’s see how we can do a detailed analysis on the Beta Bot trojan. First step is to isolate the infected system and analyze the system to find any suspicious files. Upon analysis, we found a suspicious file, crt.exe. The crt.exe file was then uploaded into our automated malware analysis system for deeper analysis and it was able to find malicious traffic to several malicious domains. (DNS request to malicious domains) A list of file manipulations was revealed during automated malware analysis. A malicious file named ‘wfwhhydlr.exe’ that was dropped by Beta Bot was revealed during this analysis. (File creation and modification) Mutexes that were used by the malware were also found during the automated analysis. (Mutex list of Beta Bot Trojan) After that, the analysis was carried out on our dedicated malware analysis machine. This machine consists of all the core tools needed to carry out both the static and dynamic analysis. As the first step of manual analysis, static analysis was carried out to find the time stamp of the malware. We were able to find the compile date of the malware sample. The malware was compiled on March 14th, 2013, and a GUI is also associated with this sample. File properties of the Beta Bot trojan) Later, static malware analysis was carried out, and as a first step the malware was checked to find whether it was packed or not. On analysis we found that the malware was packed with UPX packer. (Packer detection of the malware) A manual unpacking process was carried out to unpack the packer using a user mode debugger. Then we dumped the unpacked malware, and Import Address Table was reconstructed. (Debugger view of the malware before UPX unpacking) After the IAT reconstruction, the malware was analyzed using the debugger and found that there is no data available and the all the strings are functions are obfuscated. Thus it has to be suspected that the malware was multipacked, and we found that it was packed with a sophisticated crypter called VBCrypter. Then we came to a conclusion that this Beta Bot malware was multi-packed with a combination of UPX packer and VBCrypt crypter. VBCrypter is written in Visual Basic and it is more sophisticated that usual packers. During the execution of the packed malware, it creates the unpacked code as a child process itself and executes that code in the memory. Thus this type of packed malware will be very difficult to unpack. Crypter detection of the malware) Then a process of steps was carried out in order to decrypt the malware encrypted with VBCrypt. A user mode debugger was used for this process and by following a series of steps; the malware was decrypted up to an extent and thus the obfuscated code was retrieved for further analysis. Debugger view of the Beta Bot trojan after UPX unpacking) After decrypting the VBCrypt, it showed up with strings and functions that reveal the activity of the malware. The Beta Bot malware tries to find out the Network Interface Card in the infection machine, in order to find out the network adapter device name. The malware also looks for the computer name of the infected machine. (Debugger view of the decrypted Beta Bot trojan) Also using the debugger analysis, it came to an inference that the Beta Bot trojan also has the capability of deactivating the Task Manager of the infected machine. (Debugger view of the malware) The malware was analyzed through a disassembler, and several multi-language strings were retrieved. This reveals the multi-language capability of the Beta Bot trojan. This malware has the ability to configure and behave according to the geo-location of the victim machine. (Disassembler view of the Beta Bot trojan) Dynamic analysis was carried out by executing the malware within our isolated virtual malware lab. On executing the Beta Bot malware was dropped another executable named vuxrwtqas.exe. This file was dropped in the highworker folder under the Program files folder in C drive. (Files dropped by the Beta Bot trojan) Then registry analysis of the Beta Bot trojan was carried out, and on analysis we found that the malware manipulates the Windows registry setting of the infected machine. Registry values are added in order to carry out the debugging of the major security products like MalwareBytes Spybot, Trendmicro Housecall and Hijackthis. This registry setting can used to debug the startup code of the applications and thus the malware can bypass these security applications and thus can execute in the machine. (Registry values added by the Beta Bot trojan) Then packet sniffers were used to study the network behavior of the malware, and we were able to list out several malicious IPs on which the malware were trying to connect. Malicious IPs on which the malware connects) Then the memory analysis of the malware was carried out by executing the malware and taking the dump on the primary memory. On analysis, a large number of trampoline hooks was found. The malware, when executed, hooks almost all the processes in the victim machine and thus takes control of the whole machine. The Beta Bot trojan inserts a trampoline hook on the wuauclt.exe file, and this is a Windows Update AutoUpdate Client which runs as a background process that checks the Microsoft website for updates to the operating system. Thus it can assumed that the malware updates itself or downloads other malicious software by hooking this process. (Trampoline hook by the malware) The Beta Bot trojan, on execution, creates a sub-folder named ‘highworker.{2227A280-3AEA-1069-A2DE- 08002B30309D}’ under %PROGRAM FILES%\ COMMON FILES and creates a file named ‘vuxrwtqas.exe’. The first part of the folder name, ‘highworker’, is obtained from the configuration of the bot. The rest of the strings in the folder name is a special GUID which makes the folder link to the ‘Printers and Faxes’ folder in Windows Explorer, and this folder will act as the initializer when malware restarts. The crt.exe then creates a new file and it exits and this newly created file creates a process of a system application and starts to inject the process. (Folder in which malware is dropped) The dropped file is digitally signed with Texas Instruments Inc., is an American company that designs and makes semiconductors, which it sells to electronics designers and manufacturers globally. Thus we can assume that the file is not genuinely signed. (Metadata of the dropped file) Recommendations Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. Block peer to peer traffic across the organization. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application. Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Ensure that your Anti-Virus solution is up to date with latest virus definitions. Ensure that your systems are up to date with the latest available patches. Isolate the compromised system immediately if the malware is found to be present. Block traffic to the following domains in your perimeter devices such as Firewalls and IDS/IPS solutions: highroller.pixnet.to sbn.pxnet.to cpstw.santros.ws ccc.santros.ws Eradication The following products can be used to remove the Beta Bot trojan from the infected machine: Symantec Power Eraser Kaspersky’s TDSSKILLER Microsoft’s Malicious Software Removal Tool (MSRT) Malwarebytes Anti-Malware Login through the victim machine in Safe Mode and manually remove the process crt.exe and vuxrwtqas.exe related to the Beta Bot trojan. Manually delete the registry entries associated with the Beta Bot trojan. Delete the malicious file dropped by the malware in the highworker.{2227A280-3AEA-1069-A2DE- 08002B30309D}’ under %PROGRAM FILES%\ COMMON FILES\vuxrwtqas.exe. References Endpoint, Cloud, Mobile & Virtual Security Solutions | Symantec Source

Google said Thursday that malware infections on Android devices have been cut in half in the past year following security upgrades for the mobile platform. In a security review for 2014, Google said it made significant strides for the platform long seen as weak on security. Android security engineer Adrian Ludwig said in a blog post that the overall worldwide rate of potentially harmful applications installed dropped by nearly 50 percent between the first quarter and the fourth quarter of the year. Ludwig noted over one billion Android devices in use worldwide have security through Google Play "which conducts 200 million security scans of devices per day" and that fewer than one percent of the devices had potentially harmful apps installed in 2014. For those devices which only use Google Play apps, the rate of potentially malicious apps was less than 0.15 percent, Google said. The report noted that Android got several security upgrades in 2014, including improved encryption and better detection tools for malware. Android has long been seen as vulnerable to malware because it is an open platform and many devices run older versions of the mobile operating system. But Google's report said its review "does not show any evidence of widespread exploitation of Android devices." "We want to ensure that Android is a safe place, and this report has helped us take a look at how we did in the past year, and what we can still improve on," Ludwig said. "In 2015, we have already announced that we are are being even more proactive in reviewing applications for all types of policy violations within Google Play. Outside of Google Play, we have also increased our efforts to enhance protections for specific higher-risk devices and regions." Android is used on around 80 percent of the smartphones globally, but its popularity has also made it a magnet for malware. Sursa: Google Says Android Malware Cut in Half | SecurityWeek.Com

IBM has unearthed evidence of an international cybercrime operation that has plundered more than $1 million from the corporate accounts of U.S. businesses. IBM has dubbed the operation 'The Dyre Wolf' after the Dyre malware at the center of the scheme. In October, US-CERT warned the malware was being used in spear-phishing campaigns to steal money from victims. In the campaign uncovered by IBM, attackers often used phony invoices laced with malware to snare their victims. While the file inside the attached zip file has an embedded PDF icon, it is actually an EXE or SCR file. Once opened, the victim is served the Upatre malware, which in turn downloads Dyre. "Once Dyre is loaded, Upatre removes itself as everything going forward is the result of the extensive functionality of Dyre itself," IBM noted in its report. "The password-stealing function of Dyre is the focus of this campaign, and ultimately what's used to directly transfer the money from the victim’s account. Dyre’s set up, much like Upatre’s, requires a number of steps to remain stealthy which helps it to spread itself to additional victims." Dyre also hooks into the victim's browsers (Internet Explorer, Chrome and Firefox) in order to steal credentials the user enters when they visit any of the targeted bank sites. In some cases, possibly due to the use of two-factor authentication, an extra dose of social engineering is used. "Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site," blogged John Kuhn, senior threat researcher at IBM. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in." According to IBM, when the victims call the number, they are greeted by a person with an American accent who states he works with the affected bank. After a brief conversation, the individual prompts the person to give their username and password and appears to verify it several times. The person may also ask for a token code, and ask to speak with a co-worker with similar access to the account and get information from them as well. "One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as," Kuhn blogged. This all results in successfully duping their victims into providing their company’s banking credentials, he added. After stealing the credentials, the attacker logs into the account and transfers large sums of money to various offshore accounts, IBM notes in its report. There have been reports of amounts ranging from $500,000 to $1 million USD being stolen via multiple, smaller transactions. As if that were not enough, the victim may also be hit with a distributed denial-of-service attack to cover the attacker's tracks. "The DDoS itself appears to be volumetric in nature," according to IBM's report. "Using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream. While they may have the potential to attack any external point in a business's network, the incidents we are tracking appear to focus on the company's website." Back in October, IBM's Trusteer team tracked a spike in the infection rate of Dyre, which is now believed by the firm to be in direct relationship with the development advancements within the Dyre project. In its current form, the malware appears to be owned and operated by a closed cyber-gang based in Eastern Europe, though the malware code itself could be operated by several connected teams attacking different geographies, IBM reported. "The sophistication and the level of deception that Dyre is now using is unprecedented when it comes to banking trojans," Kuhn told SecurityWeek. "The social engineering to defeat two-factor authentication shows the level of dedication and persistence to obtain their goal. Covering their tracks by initiating the denial-of-service attacks demonstrates how far they will go to ensure that the illicit transfer of money is hidden for as long as possible. The Dyre Wolf campaign is well funded, sophisticated and methodical in the theft off large sums of money." *This story was updated with additional information about the attack. Sursa: IBM: Cyber-gang Uses Dyre Malware to Loot Corporate Bank Accounts | SecurityWeek.Com

Security researcher has discovered some new features in the most dangerous Vawtrak, aka Neverquest, malware that allow it to send and receive data through encrypted favicons distributed over the secured Tor network. The researcher, Jakub Kroustek from AVG anti-virus firm, has provided an in-depth analysis (PDF) on the new and complex set of features of the malware which is considered to be one of the most dangerous threats in existence. Vawtrak is a sophisticated piece of malware in terms of supported features. It is capable of stealing financial information and executing transactions from the compromised computer remotely without leaving traces. The features include videos and screenshots capturing and launching man-in-the-middle attacks. HOW VAWTRAK SPREADS ? AVG anti-virus firm is warning users that it has discovered an ongoing campaign delivering Vawtrak to gain access to bank accounts visited by the victim and using the infamous Pony module in order to steal a wide range of victims’ login credentials. The Vawtrak Banking Trojan spreads by using one of the three ways: Drive-by download – spam email attachments or links to compromised sites Malware downloader – like Zemot or Chaintor Exploit kit – like as Angler Exploit Kit Mai multe aici: Dangerous 'Vawtrak Banking Trojan' Harvesting Passwords Worldwide - Hacker News Daca cineva detine sample rog pm.

Cisco on Friday shared details on what the company says is new breed of Point-of-Sale (PoS) malware that is more sophisticated and much better designed than previously seen PoS threats. Dubbed “PoSeidon” by Cisco, the malware has some resemblance to ZeuS and uses better methods to find card data than BlackPoS, the malware family reportedly used in the 2013 attack against Target and against Home Depot in 2014. According to Cisco, the malware scrapes memory to search out number sequences that specifically match up with formats used by Visa, MasterCard, AMEX and Discover, and goes as far as using the Luhn algorithm to verify that credit or debit card numbers are valid. “PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” members of Cisco’s Security Solutions team wrote in a blog post. “PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.” Some components of PoSeidon are illustrated in the following diagram created by Cisco: PoSeidon PoS Malware Features “At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot,” Cisco’s team explained. “The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.” The Keylogger component was potentially used to steal passwords and could have been the initial infection vector, Cisco said. Upon being run, the Loader checks to see if it’s being executed with one of these two file names: WinHost.exe or WinHost32.exe. If it is not, the malware will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next, Loader will start a service named WinHost. According to Cisco, this method allows the threat to remain running in memory even if the current user logs off. If the Loader is not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them. Once installed, the Loader attempts to communicate with one of the hardcoded C&C server and Associated IP Addresses: Domains Name Associated IP Addresses linturefa.com xablopefgr.com tabidzuwek.com lacdileftre.ru tabidzuwek.com xablopefgr.com lacdileftre.ru weksrubaz.ru linturefa.ru mifastubiv.ru xablopefgr.ru tabidzuwek.ru 151.236.11.167 185.13.32.132 185.13.32.48 REDACTED at request of Federal Law Enforcement 31.184.192.196 91.220.131.116 91.220.131.87 Once captured, PoSeidon exfiltrates the payment card numbers and keylogger data to servers, after being XORed and base64 encoded. Most of the command and control servers are currently hosted on .ru domains, Cisco said. Some of the known domains used for data exfiltration servers include: • quartlet.com • horticartf.com • kilaxuntf.ru • dreplicag.ru • fimzusoln.ru • wetguqan.ru Other domains and IPs that could indicate a compromise include: • linturefa.com • xablopefgr.com • tabidzuwek.com • linturefa.ru • xablopefgr.ru • tabidzuwek.ru • weksrubaz.ru • mifastubiv.ru • lacdileftre.ru • quartlet.com • horticartf.com • kilaxuntf.ru • dreplicag.ru • fimzusoln.ru • wetguqan.ru IP Addresses: • 151.236.11.167 • 185.13.32.132 • 185.13.32.48 • 31.184.192.196 • 91.220.131.116 • 91.220.131.87 “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” Cisco’s Security Solutions team noted. “Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.” In its annual Global Threat Intel Report, security firm CrowdStrike noted that criminals have been increasingly turning to ready-to-use PoS malware kits in the cyber-underground. According to Adam Meyers, vice president of intelligence at CrowdStrike, the price of these kits varied depending on their complexity, with some going for tens of dollars and others costing in the hundreds or thousands. In its report, CrowdStrike explained that the explosion of PoS malware may be mitigated by the adoption of EMV standards (Europay, MasterCard and Visa) as well as the growth of payment options such as Google Wallet and Apple Pay. Other point of sale malware used in recent attacks include vSkimmer, Dexter, Backoff, LusyPOS and Dump Memory Grabber, among others. In December 2014, researchers at Trend Micro came across a sample of a new PoS malware called “Poslogr” which appeared to be under development. Source

Pushers of the Dridex banking malware have gone old-school for some time now, moving the malware through phishing messages executed by macros in Microsoft Office documents. While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document. The cat and mouse game between attackers and defenders took another turn recently when researchers at Proofpoint discovered that a recent spate of phishing messages contained macros-based attacks that did not execute until the malicious document was closed. The technique, which involves the inclusion of an AutoClose method, which helps the malware sample evade detection. “The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens,” said a Proofpoint advisory. “Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.” The use of this type of VBscript function, Proofpoint said, is effective against sandbox detection capabilities. Malware that delays execution isn’t necessarily a new evasion tactic, but attackers have been getting innovative about side-stepping security protections in place. For example, sandboxes and intrusion detection software became wise to short delays in execution times. By executing only when the document closes, this current string of Dridex seems to have taken the next step. “As sandboxes have adjusted to also ‘wait,’ the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether,” Proofpoint said. “No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.” Dridex, once it’s implanted on the compromised machine behaves like most banking malware. It waits for the user to visit their online banking account and injects code onto the bank’s site and captures user credentials via an iframe. Dridex and its cousin Cridex are members of the GameOver Zeus family, which is also adept at wire fraud. GoZ uses a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. Previous Dridex campaigns have spread via Excel documents laced with a malicious macro. Earlier this month, researchers at Trustwave found a spike of phishing messages using XML files as a lure. The XML files were passed off as remittance advice and payment notifications, and prey on security’s trust of text documents to get onto machines. These older Dridex campaigns targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others. Source

Hackers are targeting a number of European businesses and organisations with a spear phishing campaign with the colourful codename Operation Woolen Goldfish. Trend Micro researchers reported uncovering the campaign in an Operation Woolen-Goldfish: When Kittens Go Phishing white paper, warning the attacks are likely a follow-up to the "Rocket Kitten" campaign discovered in December 2014. "In February 2015, the Trend Micro Smart Protection Network received an alert from Europe that triggered several targeted attack indicators related to a specific malware family, prompting our threat defence experts to investigate further," read the report. "The alert showed an infected Microsoft Excel file that soon proved to have been launched by Rocket Kitten." Rocket Kitten was an attack campaign that targeted victims with basic spear phishing messages designed to entice them to open malicious Office files loaded with a rare "Ghole" malware. Trend Micro said the follow-up Woolen Goldfish campaign is far more sophisticated. "By the end of 2014 we saw significant changes in the attack behavior of the Rocket Kitten group in terms of spear-phishing campaigns and malware infection schemes," read the paper. The firm highlighted a Woolen Goldfish attack targeting an Israeli engineer as proof of the group's evolution. "The attackers used a OneDrive link in their campaign. OneDrive is a free online cloud storage system from Microsoft that comes with several gigabytes of data storage capacity," explained the report. "The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection. "Once executed, the file drops a non-malicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger." Trend Micro said the CWoolger keylogger malware appears to have been developed by a hacker operating under the "Wool3n.H4t" pseudonym. Wool3n.H4t is believed to have taken part in past Rocket Kitten attacks. "Consistent with the other malware used by the threat actors involved in Operation Woolen Goldfish, the command and control reference is hard-coded as an IP address in the binary," read the paper. "A domain name was not used. Moreover, it lands on the system with a name, which is very similar to some Ghole malware variants [used by Rocket Kitten]." The paper highlighted the malware as proof the Rocket Kitten hackers are developing new attack tools and could become an even bigger threat in the very near future. Rocket Kitten is one of many targeted attack groups currently active. On 12 March, researchers at Kaspersky reported finding evidence the Equation group has been developing and mounting sophisticated attacks since at least 2003. Source

Malware analysts have had a measure of success using static mutex values as a fingerprint for detecting and blocking malicious code. These values are used in programming to enable software to synchronize communication between multiple threads or processes, or to determine whether another instance of a program is running already. There’s better reliability in using a mutex object in this way than checking for the presence of a process name, which could change. Malware writers, however, may have caught on to this fingerprinting technique. Lenny Zeltser, a SANS Institute instructor, said a malware sample he was examining dynamically generates the name of a mutex object by using the product ID associated with the software, lessening its predictability and complicating detection. “Given that malware analysts know to look for mutex names for ‘fingerprinting’ malicious software, it’s natural that authors of such programs will start shifting their techniques,” Zeltser said. “The technique that this malware used to generate the mutex name wasn’t especially elaborate, but it made it harder for the defenders to use this attribute for defending or investigating the system.” Malware evasion techniques are the epitome of the cat-and-mouse game between hackers and researchers. The LogPOS point-of-sale malware is a recent example of the constant evolution on the attackers’ side. The malware makes use of a Windows technology called mailslots to create a webserver; additional code is injected into various processes and acts as a client that moves stolen credit card data to the mailslot which then sends it to the attackers’ command and control infrastructure. Last October, academics at the University of California at Santa Barbara, made a plea for defenders to begin working on technology that spots evasive behavior. Security systems, said Giovanni Vigna, director of the Center for Cybersecurity at UCSB, must eventually elicit malicious behavior from malware before it executes. “The dynamic of action-reaction is common in the world of information security: The defenders find a way of interfering with the attackers, the attackers adjust tactics, the defenders tweak our methods, the attackers react, etc,” Zeltser said. The sample Zeltser studied a malware sample called TreasureHunter and today in a post on the SANS Internet Storm Center website, he describes how the malware transforms a computer’s specific Windows Product ID into a string that serves as the basis for its mutex. Not all malware samples make use of mutex objects, but those that do until now have hardcoded the name. Backoff, probably the most notorious point-of-sale malware in the wake of the mega Target and Home Depot breaches, named their mutexes in ways that were known to incident responders, Zeltser said. This scenario simplified detection for malware analysts, enabling them to use mutex names as indicators of compromise for Backoff infections, he said. For an attacker, the use of a static, hardcoded mutex name, also allows multiple instances of malicious code running on the infected host to refer to the same mutex, Zeltser said. TreasureHunter, he said, is the first time he’s seen malware move away from this static approach. “The author of TreasureHunter decided to use a more sophisticated approach of deriving the name of the mutex based on the system’s Product ID,” Zeltser explained in his post. “This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a static object name as the indicator of compromise.” Source

Point-of-sale (PoS) malware has become one of the chief weapons used by attackers to steal credit and debit card data, and now researchers at Trend Micro say they have found yet another threat to add to the list of tools in criminals' toolboxes. The malware is dubbed PwnPOS, and has managed to stay under the radar despite being active since at least 2013. According to Trend Micro, it has been spotted targeting small-to-midsized businesses (SMBs) in Japan, Australia, India, Canada, Germany, Romania and the United States. Trend Micro Threat Analyst Jay Yaneza called PwnPOS an example of malware that's been "able to fly under the radar all these years due to its simple but thoughtful construction." "Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration," he explained in a blog post. "While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process’ memory and dumps the data to the file and the binary uses SMTP for data exfiltration." The malware targets devices running 32-bit versions of Windows XP and Windows 7. One of the keys to the malware's stealth appears to be its ability to remove and add itself from a list of services on the PoS device. "Most incident response and malware-related tools attempt to enumerate auto-run, auto-start or items that have an entry within the services applet in attempt to detect malicious files," Yaneza blogged. "Thus, having parameters that add and remove itself from the list of services allows the attacker to “remain persistent” on the target POS machine when needed, while allowing the malicious file to appear benign as it waits within the %SYSTEM$ directory for the next time it is invoked." PwnPOS enumerates all running processes and searches for card information. Afterward, the stolen data is dumped into a file and ultimately emailed to "a pre-defined mail account via SMTP with SSL and authentication," the researcher blogged. Cybercriminals have increasingly been turning to ready-to-use point-of-sale malware kits. According to security firm Crowdstrike, such kits can cost from as little as tens of dollars to thousands depending upon their complexity. Sursa: securityweek.com

Researchers at security firms ESET and Cyphort continue to analyze the malware families believed to have been developed by a French intelligence agency. The latest threat uncovered by experts has been dubbed “Casper.” In March 2014, the French publication LeMonde published some slides from Canada's Communications Security Establishment (CSE) describing “Operation Snowglobe,” a campaign discovered by the agency in 2009. Additional slides were made available by the German publication Der Spiegel in January 2015. The presentation revealed details on a piece of malware named Babar, which appeared to be the work of a French intelligence agency. Based on the information from the slides, researchers first uncovered a piece of spyware, dubbed “EvilBunny,” which they believe is linked to Operation Snowglobe. Last month, G DATA and Cyphort published the details of a threat which they believe is Babar, the malware described in the CSE slides. Now, they have come across Casper, which also appears to have been developed by the same authors. Casper and the links to other cartoon malware families The new threat has been dubbed Casper because its dropper implant is a file named Casper_DLL.dll. The name could stem from the animated cartoon series “Casper the Friendly Ghost.” According to ESET and Cyphort, Casper appears to be a reconnaissance tool designed to harvest information on the infected system, including OS version and system architecture, default Web browser, running processes, installed applications, apps that run on startup, and country and organization details. Researchers have determined that Casper uses an interesting technique to evade detection by security solutions. The espionage tool checks to see which antivirus is running on the infected system. A different strategy, which defines how the malware behaves, is available for four different antiviruses. If no antivirus is found, or if there is no specific strategy for the installed security software, a default strategy is applied. Experts discovered several similarities between Casper, Babar, EvilBunny and NBOT, a threat that also seems to be linked to the cartoon malware families. The list of similarities includes enumeration of installed security solutions through Windows Management Instrumentation (WMI), a hashing algorithm used for hiding calls to API functions, unhandled exception filters, payload deployment through remote thread injection, embedded and encrypted configuration in XML format, and proxy bypass code. Casper attacks in Syria Unlike Babar and EvilBunny, Casper appears to be a newer family that has been used in attacks as recently as April 2014. An operation involving the threat was spotted by Kaspersky in mid-April 2014. At the time, researchers noticed that jpic.gov.sy, a complaint website set up in 2011 by the Syrian Ministry of Justice, had been leveraged in a watering hole attack that involved an Adobe Flash Player zero-day exploit (CVE-2014-0515). Kaspersky researchers could not identify the payload that had been served, but ESET, Cyphort, G DATA and the Computer Incident Response Center in Luxembourg (CIRCL) determined recently that it was likely Casper. “According to our telemetry data, all the people targeted during this operation were located in Syria. These targets may have been the visitors of the jpic.gov.sy website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website,” ESET researcher Joan Calvet noted in a blog post. “But we were actually unable to determine if this were indeed the case. In other words, it is just as likely that the targets have been redirected to the exploits from another location, for example from a hacked legitimate website or from a link in an email. What is known for sure is that the exploits, the Casper binaries and the C&C component were all hosted on this website’s server,” Calvet added. Attribution and motivation One possibility is that the attackers used the Syrian server for storage. They might have wanted to be able to access the data from within Syria, or they might have wanted to throw off investigators and make them believe the Syrian government was behind the attack. Cyphort researcher Marion Marschalek noted that while the source code base suggests that the same authors are behind Casper, EvilBunny, Babar and NBOT, it doesn’t necessarily mean that all of the attacks involving these malware families were carried out by the same actor. “Taking into account that the geographical area targeted by Casper is of high political interest for many parties and that the malware’s intention is clearly the preparation of a more targeted attack we expect the nature of the attack to be of political rather than criminal intent,” Marschalek said in a blog post. “The considerably high amount of resources spent on development and distribution of the malware support this theory. Development of targeted malware with a level of sophistication shown by Casper requires a skilled team of developers; also the use of 0-day exploits in the distribution process leaves the conclusion the operators were very well funded,” Marschalek added. In the case of Casper, ESET noted that there is no evidence linking the malware to French intelligence. The theory that a French intelligence agency is behind the cartoon malware families is mainly supported by evidence presented by CSE for Babar. The presumption that the French government is involved is based on the list of targets, the countries where the attack infrastructure was hosted, the fact that “Babar the Elephant” is a fictional character from a French children’s book, a nickname used by one of the malware developers (titi), and some language and regional settings. Other cartoon malware families Kaspersky has also been monitoring this advanced threat actor, which it has dubbed “Animal Farm.” According to the security firm, the group uses a total of six major malware families. In addition to Casper, Bunny, Babar and NBOT, Kaspersky has observed Dino, a full-featured espionage platform, and Tafacalou (also known as TFC and Transporter), a validator-style Trojan. Kaspersky has also identified a link to France. Experts believe the name Tafacalou, which is used internally by the threat actor, could stem from "Ta Fa Calou," which means "so it's getting hot" in Occitan, a language spoken in southern France, Monaco, and some parts of Spain and Italy. *Updated with information from Kaspersky on the Animal Farm APT Sursa: securityweek.com

ScanBox is a framework in the form of a JavaScript file. The function of ScanBox is to collect information about the visitor’s system without infecting the system. And this information includes things like the last page the user was on before visiting the compromised website, the OS of the system and the language settings of the system, the screen width and height, the web browsers used by the victim, the geographical location, security softwares used and programs like Java, Acrobat Reader, MS Office and Adobe Flash versions used. ScanBox also can log the keystrokes the victim is typing inside the website under the control of the attacker, which could include the passwords and other sensitive information of the users. And all this information is then sent to a remote C&C server controlled by the attackers. ScanBox’s goal is to collect information that will later be misused to compromise specific targets. The ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries. Attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server. ScanBox is particularly dangerous, as it doesn’t require malware to be successfully deployed to disk in order to steal information. Instead the key logging functionality would do the same work by simply requiring the JavaScript code to be executed by the web browser. The framework also facilitates surveillance, enabling attackers to exploit vulnerabilities in visitors’ systems by pushing & executing malware. ScanBox is designed to be a modular and reusable JavaScript based exploit kit. It allows a lesser number of sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs and set up a waterhole attack to infect hundreds to thousands of victims who visit that website. Some of the recent attacks which used ScanBox are the following: Table 1: List Of Attacks Month Identified Country Sector/Type Scan Box domain August 2014 JP Industrial sector js.webmailgoogle.com September 2014 CN Uyghur code.googlecaches.com October 2014 US Think tank news.foundationssl.com October 2014 KR Hospitality qoog1e.com By analyzing the script used in these attacks, it has been found that the base codes are pretty much the same and they differ in implementation. This shows that different attackers are using ScanBox as a tool for their attack. The framework was altered according to the victims’ browsers and other factors in every case. Researchers say that the changes may be the result of the upgrades in the framework. The common codebase in all the attacks leads to a conclusion that all the attackers share some resources in using this framework. Working Step 1: The basic step of the ScanBox framework is to configure the C&C server. This server helps to collect and store the information obtained from the compromised website. Figure 1: ScanBox framework for collecting data Step 2: The collected information is first encrypted before sending it to the C&C server to ensure security. Figure 2: Function for data encryption Step 3: After completion of the encryption process the following request is passed: Figure 3: Request produced after encryption Step 4: The encrypted data finally reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key for starting the attack. Figure 4: Decrypted data Figure 5: Working of ScanBox framework Plugins Several plugins are loaded accordingly in between to extract the required information. These are selectively added to avoid any kind of suspicious alerts when the page loads. The following are some plugins used during the process: Pluginid 1: List the software installed in the system and also to check if the system is running any different versions of EMET (Enhanced Mitigation Experience Toolkit). Figure 6: Pluginid 1 code Pluginid 2: Determines Adobe Flash versions Pluginid 5: Determines Microsoft Office versions Pluginid 6: Enumerates Adobe Reader versions Pluginid 8: Lists Java versions Pluginid 21: Plants a keylogger inside the compromised website. It records all the keystrokes the person is typing in the website. The logs may include account password and other details. The recorded logs are sent to the corresponding command and control center. This information is later used to launch an attack against the particular user. The keylogger feature of ScanBox helps the attacker to collect the data without loading a malware from the disc. Therefore any malware removal tool won’t be able to find this. Figure 7: Keylogger plugin code The plugins required to load a page on different browsers are different. An attacker should be well aware of the version and type of browser used by the victim. According to the requirement, the plugins are loaded so that the desired result could be obtained. The following is the list of plugins loaded per browser on code.googlecaches.com. Table 2: Plugins loaded per browser on code.googlecaches.com Plugin ID Description Internet Explorer Chrome Firefox Safari 1 Software reconnaissance Y N N N 2 Browser plugin N Y Y Y 3 Flash recon Y Y Y Y 4 SharePoint recon Y N N N 5 Adobe PDF reader recon Y N N N 6 Chrome security plugins recon N N Y N 7 Java recon Y Y Y Y 8 Internal IP recon N Y N N 9 JavaScript keylogger Y Y Y Y It has been found that Google Chrome is less vulnerable to such attacks than others on the list due to their security update between the interval of 15 days, which makes it a bit difficult to carry out the attack. Also the Aviator Web browser set up by WhiteHat Security provides impressive privacy and security settings by default. Watering Hole Attack This is a type of attack is mainly targeted on businesses and organizations. Waterholing attacks drive the ScanBox framework. The attacker keeps an eye on the websites the victim visits frequently and infects the websites with a malware. These type of attacks are hard to detect. Once the targeted victim enters the infected website, the malware finds a way into the victim’s network or system. The dropped malware may be in the form of a Remote Access Trojan (RAT), which allows the attacker to access delicate and personal information. The main goal of the watering hole attack is not to serve maximum malware to the system, but to exploit the websites frequently visited by the targeted victim. Figure 8: Watering hole working A watering hole attack could be carried out with the help of ScanBox framework. In this method the JavaScript does its job and saves the attacker from using a malware. This type of attack using ScanBox has much more efficiency than using a malware and could not be detected by any malware removal tool. You can see the list of watering hole attacks which used ScanBox in Table 1. Precautions Regular Software Updating: Timely upgrade on the software reduces the vulnerability of such attacks. Vulnerability Shielding: It helps to scan suspicious traffic and any deviation from the normal protocols used. Network Traffic Detection: Even though hackers find different ways to access the information, the traffic generated by the final malware in communicating with the C&C server remains consistent. Identifying these paths helps to take control of the effect of such attacks. Threat Intelligence: A subscription of prominent threat intelligence providers will help you to track down all the command and control servers that it connects to. These C&C servers can be fed to proxy or perimeter devices to see any successful communication has been established or not. Least privilege: The concept of least privilege has to be implemented on all users who log on to the machine. Admin privilege has to be limited to certain users only. Next generation firewall: Use of a next generation firewall can detect such type of attacks easier, as they have an inbuilt sandbox. SIEM: By using a SIEM solution, security administrators will be able to monitor all the traffic by capturing the logs. It will give a holistic view of what is happening on your network with a few clicks on a single dashboard. Conclusion By the detailed analysis of ScanBox framework, we can say that it could be very dangerous if the user is not cautious. Thorough monitoring and analysis of computer and network should keep such attacks bolted to an extent. References Cyber security updates: October 2014 ScanBox Framework — Krebs on Security https://www.alienvault.com/open-threat-exchange/blog/ScanBox-a-reconnaissance-framework-used-on-watering-hole-attacks AlienVault discovered Watering Hole attacks using Scanbox for reconnaissanceSecurity Affairs Source

Product Description IObit Malware Fighter 3 is an advanced malware & spyware removal utility that detects and removes the deepest infections and users’ most concerned online threats, and protects your PC from malicious behavior in real time. With IObit unique “Dual-Core” anti-malware engine, it’s able to detect the most complex and deepest malware, like spyware, adware, trojans, keyloggers, bots, worms, and hijackers, in a fast and efficient way! With the enhanced browser protection module, IObit Malware Fighter 3 will ensure you a full online surfing & pri Features: Full Anti-Malware Ability with Unique “Dual-Core” Engine Basic Real-time Protection against Malicious Behavior Comprehensive Real-time Protection for Top PC Security Prevent Virus Infection Carried by USB Disk Detect Malicious Process Running in RAM Detect Threats by Analyzing Malicious Action Intelligently Works in Background without Interrupting Automatic Update to the Latest Version Free 24/7 Technical Support on Demand -> Download <-Deal Expires in: EXPIRED!

Summary: 1. Thanks for the sample file(s) 2. First view 3. Second view 4. More Read more: http://dl.packetstormsecurity.net/papers/virus/fakeav-downloader-analysis.pdf

Table of contents 1. What is the Equation group?..........................................................................3 2. Why do you call them the “Equation” group?................................................3 3. What attack tools and malware does the*Equation group use? ..................4 4. What is DOUBLEFANTASY?.............................................................................6 5. What is EQUATIONDRUG? ..............................................................................8 6. What is GRAYFISH?.........................................................................................9 7. What is Fanny?............................................................................................. 12 8. What exploits does the Equation group*use?............................................. 14 9. How do victims get infected by EQUATION group malware?...................... 15 10. What is the most sophisticated thing about the EQUATION group? ......... 16 11. Have you observed any artifacts indicating who is behind the*EQUATION*group?.................................................................................. 19 12. How many victims are there?...................................................................... 20 13. Have you seen any non-Windows malware from the Equation group?..... 22 14. What C&C infrastructure do the Equation group implants use? ............... 23 15. How do victims get selected for infection by the EQUATION group?......... 23 16. What kind of encryption algorithms are*used by the EQUATION group?... 27 17. How does the EQUATION group’s attack platforms compare with Regin?................................................................................... 30 18. How did you discover this malware? .......................................................... 31 Indicators of compromise (“one of each”) ......................................................... 32 Read more here: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf