Brazilian Trojans Poised to Spread around the World

When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.

In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.

Brzail_number_of_attacksCybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.

Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.

An example for the use of the CPL malware in a phishing email

An example for the use of the CPL malware in a phishing email

The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.

The Swine Flu Wants to Infect Your PC

Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry.

During routine monitoring of these forums, we came across a new type of malware loader called H1N1. Loaders are used as an initial intrusion vector, enabling an attacker to install malware on a workstation at a later time of his own choosing. They provide the attacker with both an initial foothold in the victim’s system and a future channel for delivering malicious programs at any time.

The new loader, which is named after the swine flu virus, was offered for sale in late April for $500 by a member of a Russian password-protected forum.

According to the sales thread, H1N1 is a non-resident loader. This means that it is executed in the system, installs the programs from its task list, and deletes itself after the computer is rebooted. (A resident loader, on the other hand, writes itself into the operating system and is not deleted after reboot. Since it receives commands from the C&C server, it can keep installing malicious software on the infected computer.)

H1N1 characteristics

  • Bypasses User Account Control (UAC) through a UAC whitelist, which allows it to run files with elevated privileges. This bypass does not require use of additional .dll libraries or Windows Sysprep. If the loader is unable to receive elevated privileges, it will run programs with user privileges.
  • Traffic in both directions is encrypted.
  • Installs .exe files on the infected computer using Windows Instrumentation Management (WMI). The .dll files are installed from memory.
  • Has an embedded security mechanism that recognizes when it is being executed in a virtual machine.
  • Can be injected into the address space of legitimate system processes (of the default browsers).
  • Bypasses AV and HIPS programs. With AV programs, it does this by identifying their running processes and paths, creating copies of the processes, injecting into the copied processes, and finally, disabling all threads of the AV software’s legitimate processes.
  • Elevates privileges from a low integrity level by using WMI and exploiting the CVE-2014-4113 vulnerability.
  • Identifies and neutralizes certain AV programs.
H1N1 administration panel

H1N1 administration panel

A number of forum members who claimed to have used the tool gave generally positive feedback but stated that it does not bypass all AV programs. According to the technical analysis (below), Kaspersky Internet Security identified the presence of the loader, while ESET NOD32 and Outpost Security Suite did not. Avira only identified the activity as malicious in some cases (depending on the crypt of the loader).

In a VirusTotal analysis of the loader’s files, the detection ratio was 41/57 for the dropper file (as of May 21, 2015) and 22/57 for the memory file (as of May 14, 2015).

Technical Analysis

It is common practice on closed Russian forums for veteran, trusted members to analyze and validate malware sold by newbies to prevent them from cheating and selling a low-quality product. It is harder to find buyers for non-validated malware, especially if the seller is new to the forum (for a review of different types of sellers, see our previous post on this subject). Since a major part of the underground ecosystem is based on reputation and the hierarchy on different underground forums, an impartial entity whose role is to validate new goods is extremely important.

Ares, the administrator of a well-known Russian forum, conducted a validation analysis to check whether H1N1 really possesses the capabilities claimed by the seller, including the ability to bypass security measures. He published an extensive review on his forum.

According to Ares, the code is written in Assembly language and was obfuscated (for security purposes). Once all the initial procedures are loaded (the code utilizes kernel32 and advapi32 during loading), the loader launches the Explorer process from syswow64 on x64 systems and system32 on x86 systems. The process is mapped with a rewritten shellcode entrypoint.

The shellcode receives all of the necessary APIs and reads a packed binary file (which it extracts).

The binary is a .dll file that scans for various important API elements and then checks the hash signature of the filename through which the process was started. If the file name is Explorer, it tries to elevate its privileges.

Initially the malicious .dll file copies itself and patches with the shellcode. Later it moves the copied file into the system32/setup folder. After that, H1N1 runs several checks (such as OS version) and tries to elevate its privileges from medium to high.

The loader uses various methods to inject malicious content into legitimate processes. For example, if injection into a default browser fails, it tries to inject the malicious content through svchost.

Lastly, the execution module kicks in where the loader will be executed. The malware conducts fake network tests (for example, pinging various websites), collects information about the infected machine, and then requests content from the C&C server. The HTTP requests are encrypted with RC4 and the data length is transferred in the HTTP header.

HTTP requests from the C&C server

HTTP requests from the C&C server

Following publication of the analysis by Ares and in response to critical feedback from forum members, the seller has been updating and improving H1N1. For example, he responded to criticism of the UAC bypass by announcing that he had changed the bypass method and that it was now similar to the method used by the Carberp Trojan.

In later tests performed by several authoritative forum members, privilege escalation and the UAC bypass had a relatively low success rate. However, since then, the author claims to have fixed the problems with the loader.

An Important Recommendation

H1N1 uses bthudtask.exe for its purposes. This executable is part of Microsoft Windows and is usually located under C:\Windows\system32. The file description is “Bluetooth Uninstall Device Task.” If you do not require Bluetooth devices, we would strongly recommend removing the file from your end-points.

Conclusion

H1N1 is a new type of malware loader and is not yet very sophisticated. However, it has attracted the attention of many high-ranking Russian underground forum members, who have analyzed it and written about its weak points. This seems to be encouraging the seller to improve and upgrade his product and fix the bugs.

Shell Profiles on the Russian Underground

Russian underground cyber-markets are known venues for purchasing high-quality hacking tools and services. Many such tools, popular worldwide, make their first appearances on closed Russian forums. There are two main types of sellers on these platforms: well-known members with seniority and strong reputations, who have already sold tools and received positive buyer feedback, and an emerging “shell profile” type of user. According to our recent analysis, such users typically register to a forum a few days before posting an advertisement for the tool. These new users often enlist the aid of forum administrators and more senior members, by providing them with a copy of the tool for their review, and thus gain the trust of potential buyers.

CTB-Locker

For example, CTB-Locker, a malware program, was first advertised on a Russian underground forum on June 10, 2014 by a user called Tapkin. This ransomware scans the computer for data files, encrypts them with a unique algorithm, and demands a ransom to release them. Tapkin registered on this forum on June 2, 2014, several days before posting the advertisement, and posted a total of five messages to the forum, all on the subject of CTB-Locker. Around this time, a user by the same name posted identical information on other forums.

Tapkin registered to another Russian underground forum on June 13, 2014, and three days later, he advertised the tool on the forum. This was the first and only thread that Tapkin started on this platform, and all of his posts were about this topic.

Tapkin stopped selling CTB-Locker on June 27, but on November 19, 2014, he posted another advertisement, this time for “serious” clients only. Tapkin last advertised the ransomware on a carding forum on December 8, 2014, after registering to this forum the same day.

Thus, in three cases, Tapkin registered to a forum a few days before posting an advertisement for the tool and did not participate in any other forum discussions. As a newly created profile, Tapkin lacked seniority and therefore had low credibility. However, our impression is that this user demonstrates knowledge regarding the tool, its capabilities and can answer questions regarding the technical component of the tool fluently. An analysis of Tapkin’s posts indicates that behind the shell profile is not one person, but rather a group of people who developed the tool together.

Forum comments indicating the presence of a team behind the username Tapkin

Forum comments indicating the presence of a team behind the username Tapkin

This username appears to have been created for the sole purpose of selling the ransomware, which was only advertised on Russian-speaking platforms. On May 19, 2015, a well-known forum user posted a message stating that his computer had been infected by CTB-Locker and asking for Tapkin. However, Tapkin had by then already disappeared.

Forum member post searching for Tapkin in correlation with CTB-Locker

Forum member post searching for Tapkin in correlation with CTB-Locker

Loki Bot

Another example of malware advertised by a new forum member is the Loki Bot password and coin wallet stealer. Loki Bot, written in C++, can steal passwords from browsers, FTP/SSH applications, email accounts, and poker clients. It has an option to configure C&C IP addresses or domains.

Bot-selling advertisement

Bot-selling advertisement

This bot, which works on Windows versions XP, Vista, 7, 8, and 8.1, is relatively new and is still under development. It was first advertised on a well-known Russian underground forum in early May 2015 by a new user with no reputation. A week later, a user by the same name registered on two other well-known underground forums attempted to boost his credibility by sending the forum administrator a test version of the malware. Similar to the previous example, we assume that a group of people is behind this user as well.

Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)

Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)

We can see that new users are registering on Russian underground forums for one purpose only, to sell a particular malware program, and their entire online presence is focused on this. They register to a forum a few days before posting an advertisement for the tool and do not participate in other forum discussions. Newly created profiles lack seniority and therefore have low credibility ratings. Sometimes such users attempt to improve their credibility by sending the forum administrator a test version of the malware. In some cases we can see that behind the shell profile there is a team, and not an individual. They appear suddenly and disappear just as suddenly after their business is completed.

Why Are Information Security Tools and Cyber Intelligence Like a Hammer and Nails?

By Dori Fisher, VP Intelligence Solutions

Information security (“cyber security”) has rapidly evolved in recent years, and as a result, we need to reinvent and redefine concepts that were once considered clear and concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.

Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.

Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.

What is Intelligence?

Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”

The common thread in definitions of intelligence is that it is information analyzed to create value.

Stages of Cyber Intelligence

Cyber intelligence, like classic intelligence, consists of a number of major processes:

Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)

Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)

Filtering and aggregation: Filtering and combining bits of information.

Analysis: Understanding the information and its value.

Conclusions and deliverables: Insights about the information analyzed and packaging of the information.

Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.

Intelligence vs. Information

Many of the deliveries called intelligence (or CTI) are in fact, information.

Examples are information collection by means of honey pots, attack servers, network forensics, social networks, Internet networks not accessible through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).

Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”

For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place is important intelligence.

Cyber Intelligence as a Nail and Information Security Tools as a Hammer

Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.

The technological information is the delivery but not the essence.

High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.

 

LogJam, Little Sister of FREAK

On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.

The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a MitM attack, in which a malicious attacker can downgrade SSL-based connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.

According to the official publication in weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Moreover, the flaw exploits a vulnerability in the Diffie-Hellman TLS key-exchange protocol, rather than the RSA key exchange exploited by the FREAK vulnerability.

When a client requests a DHE_EXPORT cipher-suite instead of DHE, the server (if it supports DHE_EXPORT) will pick a small, breakable 512-bit parameter for the secret exchange.

According to a CloudFlare publication, this is the protocol flaw at the heart of LogJam “downgrade attack”:

  • A MitM attacker intercepts a client connection and replaces all the accepted cipher-suites with only the DHE_EXPORT ones.
  • The server picks weak 512-bits parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher-suites, nor the chosen cipher-suite are signed by the server.
  • The client is led to believe that the server picked a DHE Key Exchange and just willingly opted for small parameters. From its point of view, it has have no way to know that the server was tricked by the MitM into doing so.
  • The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.

LogJam_1

Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

Further to the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivist. A general interest was noted, with some questions on the vulnerability.

LogJam_2

So how should you approach this vulnerability?

The researchers provided some simple answers to this question:

If you run a server:

If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.

If you use a browser:

Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).

If you are a system administrator or developer:

Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.

You can check if your browser is vulnerable here.

You can download the complete research document from here.

AnonGhost VS Uncle Sam (#OpUSA – May 7, 2015)

Hacking group AnonGhost has published an official video on #OpUSA, its upcoming cyber campaign against the United States. The video, addressed to the U.S. government, does not mention the date of the campaign or the list of targets, but based on the group’s 2013 #OpUSA campaign, it appears that it is set to take place on May 7. The official video’s YouTube page mentions prominent AnonGhost members Mauritania Attacker, An0nx0xtn, DarkCoder, Donnazmi, and Hussein Haxor, all of whom promote the group’s agenda in social networks.

AnonGhost post about #OpUSA

AnonGhost post about #OpUSA

On May 7, 2013, AnonGhost, along with other groups such as the Tunisian Hackers, threatened to hack American government and financial websites. While they were highly motivated, they failed to achieve much other than to deface several websites and leak emails and personal information. A possible reason for their limited success is that several days before the campaign, hackers speculated on social media that #OpUSA was actually a trap set by the federal government in order to expose and arrest the participants.

Partial list of #OpUSA targets in 2013

Partial list of #OpUSA targets in 2013

One of the groups that participated in 2013, N4m3le55 Cr3w, published a long list of recommended DDoS tools at that time, most of which are common hacking tools that are likely to be used in the current campaign as well.

  • HOIC
  • LOIC
  • Slowloris
  • ByteDos
  • TorsHammer, a Python-based DDoS tool created by the group called An0nSec.
  • SYN Flood DOS, a DDoS tool that operates with NMAP and conducts a SYN Flood attack.

MitM Attacks Pick Up Speed – A Russian Coder Launches a New Web Injection Coding Service

In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.

In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.

Web injections are sold on a Russian underground forum

Web injections are sold on a Russian underground forum

On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.

According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.

The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.

Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.

The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and Ebay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. There was a section in the site indicating that European institutions will be targeted in the future.

Example of injection for a bank, published on the dedicated website