Sharp Rise in Mining-Related Malware on the Russian-speaking Underground

Verint’s powerful portfolio of interception and monitoring solutions provides full monitoring and operational value. Dedicated systems address separate real-time and retroactive investigation needs, for lawful monitoring, field operations and background research. In the case below, we have used our Cyber and Webint suite to constantly monitor, collect and analyze malware-related items, to gain actionable intelligence and perform the investigation.

We constantly monitor groups, markets and IM channels manually and automatically, in this case, our monitoring has revealed in recent months a sharp rise in mining malware traded on numerous Dark Web forums, where hackers of various underground communities reside. This is hardly surprising, considering the rise in the value of cryptocurrency since late 2017. As a ramification of this trade, in recent months, a sharp rise in mining malware attacks has also been observed.

The rise in the trade in mining malware originates with cybercriminals engaged in attacks against banks and their clients, who are currently opting to focus on attacks designed to bring various kinds of cryptocurrency into their hands. For instance, SenseCy analysts spotted known sellers of banking malware, starting to offer for sale malware related to crypto-currency mining. These attacks can be divided into two types:

  • Infection with mining malware – we have spotted a rise in the trade of mining malware in hacking communities, as well as an increase in the number of discussions related to these types of attacks. This indicates an elevated interest in this field and a shift by hackers previously engaged in other criminal activities to acquiring knowledge and attack tools in the illegal mining field. These attacks are targeting a wide scope of end users and servers, and are designed to take advantage of their systems’ resources to mine cryptocurrency. Along with the slowdown of the infected system, mining malware can sometimes cause significant damage to the hardware, as in the case of the Loapi Android Trojan that worked a phone so hard its battery overheated and burst open the device’s back cover.
  • Attacks against cryptocurrency holders, be they private wallet owners or cryptocurrency exchange platforms. While the former are usually targeted by phishing or Man-in-the-Middle (MitM) attacks designed to steal credentials, the latter is a large-scale attack designed to steal cryptocurrency from the exchange platform. We see a large volume of evidence related to the first type in closed sources, but the second type is usually coordinated outside of hacking forums.

The picture received from our automatic monitoring systems surfaced according to pre-defined queries supports these findings, which were manually identified by our analysts. More than 4,000 mentions of “miner” on password-protected forums were identified in the period between September 1, 2017, and February 24, 2018, compared to just 1,000 for the same period one year earlier. In addition, a sharp rise in the number of discussions can be clearly observed starting from mid-October 2017, following the rise in the price of Bitcoin and other cryptocurrencies. In fact, the number of discussions on hacking-dedicated platforms correlates with the fluctuations in Bitcoin value (with a slight delay of several days).

The number of discussions from password-protected hacking sources in which the word “miner” was mentioned. Source: Verint DarkAlert
The value of Bitcoin in USD during the same period. Source: CoinDesk
The value of Bitcoin in USD during the same period. Source: CoinDesk

For instance, we identified two prominent threat actors from the Russian underground, who usually offer mobile “injections” – fake overlay pages designed to be used along with mobile Trojans to steal user credentials (usually for banking and e-commerce apps.) These threat actors started offering injections targeting users of popular Bitcoin wallets during the same period that the Bitcoin price increased.

Another example is the trade of a new mining malware dubbed CryptoNight, which started two months ago (February 10, 2018). For US$ 50, the author offers a miner for a variety of cryptocurrencies (those that use the CryptoNight or CryptoNight-lite algorithm), with a relatively low detection rate (according to tests run by other forum members). The malware also possesses clipboard stealer capabilities designed to steal credentials of the most popular cryptocurrency wallets (Bitcoin, Ethereum, Dogecoin and others).

New Variant of Notorious Svpeng Currently for Sale on the Russian Underground

In recent days, there have been numerous reports about the new Svpeng variant, with extended capabilities. These capabilities include keystroke logging and taking control of many device functions, using the accessibility services feature. Continue reading “New Variant of Notorious Svpeng Currently for Sale on the Russian Underground”

The IoT Threat – Infographic

2016 made IoT one of the hottest topics across the cyber security industry as Internet-connected devices became a major tool for DDoS attacks. Researchers expect that the role of IoT will only grow in the coming years. Although very recent, the first signs for this new threat vector were visible over the past two years, with malicious actors engaging in IoT exploitability and attacks utilizing these devices. In fact, IoT botnets are not new. In 2015, Continue reading “The IoT Threat – Infographic”

SenseCy’s Predictions for the Cyber Global Arena in 2017 – Infographic

2016 witnessed an unprecedented volume of cyber events of varying impact and future significance. Following a detailed analysis of those events deemed to have the most strategic future ramifications, we have identified a number of major trends and concerning developments expected to gain momentum in 2017. Check out our new Continue reading “SenseCy’s Predictions for the Cyber Global Arena in 2017 – Infographic”

Exploit Kits Out, Loaders and Macros Back in

During 2016, we witnessed the collapse of three major exploit kits that were previously used for massive malware delivery: Nuclear (first), Angler and then Neutrino (later). Along with other more private EKs (such as Magnitude), they caused major damage in previous years and served as infection vectors for many malicious malware-distributing campaigns. Continue reading “Exploit Kits Out, Loaders and Macros Back in”

The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which uses a no_more_ransom extension for encrypted files. This ransomware is far from famous, lacking the glorious Continue reading “The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants”

Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the Continue reading “Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers”

Cerber Ransomware JavaScript Loader Goes Undetected

We have been closely monitoring Cerber ransomware since it first emerged on a Russian password-protected forum, offered as-a-service for members only.

At present, Cerber ransomware constitutes a sophisticated malware threat to organizations. (it was responsible for more than 25% of the total number of ransomware infections recorded worldwide in June 2016, according to Microsoft). Files encrypted by Cerber are currently non-decryptable.

On August 23, 2016, a member of the same closed forum where Cerber ransomware is traded posted a detailed analysis of the loader that the malware uses to install itself. According to his post, he did this after hearing that the loader is very useful and capable of installing any malware without detection. His conclusion was that the loader does not employ any extraordinary methods to install the ransomware, but its tremendous advantage of being fully undetectable by AV programs is due to the usage of several rare code functions that are difficult to emulate.

First, he posted the full obfuscated code of the loader, explaining parts of it:

  • Replacement of the Eval function, i.e. it receives a parameter that contains JavaScript code and executes it. Usually, AV programs emulate this function. Replacing the Eval function blocks this emulation.
  • Another part of the code creates a Desktop shortcut, probably also as an anti-emulator measure (the post writer comments that in his opinion AV would quickly detect it).
  • The next part of the code is obfuscated – a HEX code which is divided and deobfuscated using XOR.After deobfuscation, we can see that the code contains anti-emulation.
  • Then a random string is created and a path from %TEMP% environment obtained for it.
  • The next stage involves downloading the malicious file from an URL address and saving it in the system.
  • A parameter is added to the header to block AV bots and researchers: setRequestHeader(‘cerber’,’true’)
  • If the malicious payload was downloaded properly, it is executed.
  • Finally, the Eval alternative is launched.

Summarizing the analysis, the post author concludes that the advantages of the loader are a good implementation of the payload download and execution and errors control. The disadvantages he mentions are weak implementation of obfuscation and anti-emulation, and low level of usability functionality. He also attached an AV scanner report from August 23, showing a detection rate of 15/40.

Several days later, on August 27, 2016, the same forum member posted that he had analyzed the latest version of the loader and was surprised by the fact it is totally undetectable by AV programs. Moreover, this version is capable of installing payloads from several alternative URL addresses and it uses improved debugging. This version does not use anti-emulation at all, but employs a unique method that totally blocks the AV syntax emulation. 

Below is a description of the main techniques used by the loader to remain undetected:

  • Replacement of the Eval function (even though it is a simple technique, it is used extensively by JS packers and therefore cannot be detected by AV as malicious).
  • The part of the code that avoids emulation is an array that contains random data, with the first element being the important one. The functions Math.floor and Math.random always output only the first element in the array and AV cannot properly emulate them. Full undetectability is achieved by using these two functions.

The emulator will always output one single value and will never reach the part of the array when the right value is located. As a result, the emulator cannot perform the calculations, a critical error occurs and the AV programs are unable to identify the loader as a malicious file.

1
The message that analyzes what code feature allows the malware to avoid AV detection

The post author attached an AV scanner report showing a 0/35 detection rate (as of August 27, 2016).

2
The scan showing that the loader is not detected by AV engines

Cyber Intelligence From the Deep Web – An Interview with SenseCy CEO Gadi Aviran

Below is a shortened version of an interview with SenseCy CEO, Gadi Aviran. The full interview is available in vpnMentor Blog.

Gadi Aviran is a man of many talents. Formerly the head of the technical intelligence analysis desk at the IDF (Israeli Defense force), Aviran has been involved in technical terror intelligence analysis for over a decade, serving as one of Israel’s leading authorities in the field of Explosive Ordnance Disposal (EOD) and in Disposal of Improvised Explosive Devices (IEDs). Since his retirement from the military, Aviran has founded a number of companies that all deal with different aspects of OSINT/WEBINT intelligence, including SenseCy, where he currently serves as CEO. In this rare interview he talks about cyber intelligent from the detective’s perspective, and explains why successful cyber intelligence can never be done by machines only.

vpnMentor: Please tell us about your personal background and the companies you’re involved in.

Lets not start in the middle ages, we’ll start when I got out of the military and founded a company which ended up being Terrogence in 2004. Terrogence took it upon itself to look for intelligence in the open web, but use a different methodology than what most of the companies out there are doing. Normally, a company would set up crawlers to collect all the data they can, and then look through the data to find those pieces of information that are important for them, but like a needle in the hay, it’s a long and insufficient process.

At Terrogence, we decided to answer questions instead, meaning, we ask our clients what kind of information are they interested in, and use assumed identities or ‘virtual humant’ in order to penetrate and infiltrate closed areas within the web to find the answers.

As time went by, we developed our own technology, which supports us very much in doing what we do. We incorporated a new technological company called “Webintpro”, which provides software solutions for intelligence gathering, while Terrogence remained a service provider.

About 5 years ago we started receiving requests from customers, asking about threats in the cyber domain, and that’s when we started dealing with cyber security. We changed our name to SenseCy about 2 years ago due to market responses to the word ‘Terrogence’, bearing in mind that the market is mainly civilian.

vpnMentor: So what can you tell about the work of SenseCy?

SenseCy is an interesting creature. It’s very focused on the customers, providing them insights from dark and distant parts of the web. In order to do that we look into their DNA and see who’s talking about them, who’s selling their information, who’s interested in their domain, their software and their personal activities, and that gives us a very unique perspective.  There are only about 5-10 companies in the world that actually do what we do, so it’s a very interesting and very challenging business to be in.

We have been operating in the cyber domain for the past 5 years, offering very unique capabilities which attract the attention of potential customers and partners. We represent a very narrow and interesting niche in the cyber protection arena. As you know the industry had gone through a whole set of changes, but at the end of the day the answers are not sufficient; what people are interested in is not how dangerous the web is as a whole, but what are the dangers FOR THEM?

For example, if someone is interested in buying emails of your c-level personnel, or shows specific interest in your company in order to obtain information or funds from and about the company, it’s a dangerous situation for everyone involved. This is what we call a personalized threat, and if you were a target, you’d definitely want to know about it.

vpnMentor: What type of clients do you work with and what types of threats are they facing?

Our customers come from different walks of life. We have of course clients from the finance, health and insurance industries which are constantly threatened by cyber activities, but it’s a changing landscape. Finance used to be the hottest thing and get the most threats, but now we can see that the health industry is becoming a much greater target, because they have information that’s worth a lot of money.

Hackers who do it for money will find whoever’s willing to pay, and exploit them in every way they can. In some cases they may sell the information to many people, or ask their victim to pay a ransom for receiving their data back. As you probably know, ransomware is a huge business these days.

vpnMentor: Surely, money isn’t the only motive for attackers of such scale.

That’s right. Bear in mind though that the world of cyber is segmented into 3 general types of threats. I’ve already mentioned the money-driven hackers. There are also of course state sponsored threats, where we have very little visibility over what is going on. There are exceptions, for instance, in places like Iran, where state and private activities are often mixed up, but generally speaking, we do not investigate or report about state abilities because states normally don’t operate on the web, they do it in a much more private way.

The third type of threat is hacktivism, where each player has his own sources and in some cases his own malware or tools. In their eyes, they do it for “justice”.

Take Anonymous for instance, who attacked Japanese companies and government institutions, including those of Prime Minister Shinzo Abe, the Ministry of Finance, the Financial Services Agency and Nissan Motors, because they endanger dolphins and whales. It used to be that the hacktivists were relatively low key. Their technology wasn’t very advanced and relied mainly on DDOS capability, but that is completely changed now. The tools that are now being used for hacktivism campaigns are the most advanced tools that we are finding, but they are not tools that are made to make money, they are tools made to destruct.

vpnMentor: What is the difference between your work and the work of a professional hacker?

The 2 companies that came out of Terrogence only deal with open source intelligence (OSINT). A source can be a news article in the New York Times, or an Arabic newspaper, which is published online but is only available to people who understand Arabic.

The information can hide behind various doors of privacy but at the end of the day it’s all in the public domain. We don’t hack into sources of information, we don’t use backdoors into them, and we are very overt about what we do.

In addition to our business clients, we’ve also been working for many governments, meaning that what we do is legal. We are very careful not to cross the legality lines, so whenever we’re asked to do something, we look into it, and if a task’s legality is uncertain, we will not follow it through. To sum things up, we are not hackers and we’re not hacker-wanabees: We’re a business. We’ve been doing it for quite a long time and we do it well.

vpnMentor: I suppose as an intelligence provider you’d prefer to remain under the radar.

Yes our work is very tailored, we work for customers that have a name and that name is something we hold very closely. We share some of it in our blog and give lectures here and there, but generally we go into the light very little. We don’t participate in trade conferences and things like that, and it’s not where we find our customers- the customers normally come to us. The fact that I’m talking to you is not something that we normally do.

At the end of the day, it’s an industry of essence. You are not judged by how much PR you have, but by the intelligence that you provide to the customer.

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

1
Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

2
An excerpt of the sale thread posted on a Darknet forum

 

3
Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

4
One of the sales posts on a Darknet marketplace
5
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.