Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018.

Our monitoring revealed that since its discovery, various threat actors in the Russian underground hacking scene have shown a keen interest in this particular vulnerability, indicating their strong intent to exploit it in attacks. Since then, we have observed exploits for this vulnerability incorporated into several prominent attack tools used by Russian threat actors, including the RIG Exploit Kit and the Threadkit package of Office exploits indicating that cybercriminals see it as a profitable attack vector. Concurrently, security reports state the exploitation of this vulnerability has been witnessed in additional attack campaigns.

The CVE-2018-8174 Exploit

The vulnerability exists in the VBScript – incorporated both in the Internet Explorer browser and in Microsoft Office software. Being a use-after-free (UAF) memory vulnerability, it is particularly dangerous because of the enabling of the execution of arbitrary code, or, in some cases, full remote code execution, due to access to read and write primitives.

The APT attack spotted in China, later attributed to North Korean threat actors, used the URL Moniker technique to load the VisualBasic exploit leveraging CVE-2017-8174 into the Office process. Unlike previously-known Office exploits that used the same technique, the URL link in the current exploit calls the mshtml.dll, which is a library that contains the Visual Basic engine in Internet Explorer. Thus, albeit delivered via a Word document as the initial attack vector, the exploit takes advantage of a vulnerability in VBScript, and not in Microsoft Word.

This attack vector allows the attackers to incorporate Internet Explorer Browser exploits directly into Office documents, enabling them to use it via spear-phishing and drive-by campaigns. Immediately upon its discovery, it was estimated that the vulnerability would be exploited in multiple attack campaigns in the near future.

The in-the wild exploit consisted of three stages:

  • Delivery of a malicious Word document
  • Once opened, an HTML page containing a VBScript code is downloaded to the victim’s machine
  • A UAF vulnerability is triggered, and shellcode is executed

Microsoft Office alert pops-up when opening the crafted document
Microsoft Office alert pops-up when opening the crafted document

In less than two weeks, the exploit for CVE-2018-8174 was incorporated into the Metasploit framework. At the same time, we have spotted vigorous chatter regarding this vulnerability emerging on underground sources, in particular Russian-languages ones. Threat actors sought to purchase the exploit, and others shared PoC samples for the explicit purpose of their analysis and further modification.

CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert
CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert

Moreover, and in accordance with predictions made by security researchers, exploitation of this vulnerability was included in some of the most popular attack tools on the Russian underground. Of note, operators of malware targeting both Microsoft Office and IE browser announced the addition of the exploit to their attack tools, indicating that the malicious payload is to be delivered by one of these two vulnerable software types. As explained above, the attack vector can be a malicious Microsoft Office file that will trigger the launch of IE browser, even if not configured as the default browser, or a crafted URL link directly provided to the target.

We detected an exploit for CVE-2018-8174 added to the following attack tools traded on the Russian underground:

  • The RIG exploit kit[1] – in the wild attacks using this exploit to deliver the Monero Miner were already spotted.

    The RIG campaign’s infection chain. Source: Trend Micro
    The RIG campaign’s infection chain. Source: Trend Micro
  • The Threadkit Office exploits package – the modified version that includes the CVE-2018-8174 exploit is yet to be discovered in the wild. However, the malware’s author already announced its incorporation several days ago. The update for the kit will cost US$ 400.
  • Another Office exploits package – the new version includes exploits for the following vulnerabilities: CVE-2018-8174, CVE-2018-0802, CVE-2017-11882 and CVE-2017-8570.

    Exploit for CVE-2018-8174 is added to another office exploitation package. Source: Verint Dark Alert
    Exploit for CVE-2018-8174 is added to another office exploitation package. Source: Verint Dark Alert

TOO SOON TO PATCH? – TIMESPAN FROM EXPOSURE TO ATTACK

This is an excerpt from the SenseCy 2017 Annual Report. To receive the full version of the report, please contact us at CyberThreat.Insider@verint.com

In the past year, the number of disclosed vulnerabilities (14,712) reached an all-time peak in all of cyber-history – twice as high as the two previous years: 6,480 vulnerabilities were Continue reading “TOO SOON TO PATCH? – TIMESPAN FROM EXPOSURE TO ATTACK”

Exploit Kits Out, Loaders and Macros Back in

During 2016, we witnessed the collapse of three major exploit kits that were previously used for massive malware delivery: Nuclear (first), Angler and then Neutrino (later). Along with other more private EKs (such as Magnitude), they caused major damage in previous years and served as infection vectors for many malicious malware-distributing campaigns. Continue reading “Exploit Kits Out, Loaders and Macros Back in”

Russian Cyber Criminal Underground – 2015: The Prosperity of Ransomware and Office Exploits

The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.

Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact

Russian_underground_final

SenseCy Investigates The English-Language Underground

In 2015 we saw an active underground trading of exploits, botnets and spam tools. The number of Ransomware sales were much lower than it was expected by cyber security experts. Investigate the key trends in hacking tools commerce observed on the English-language underground in 2015 from our short Infographic.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report. https://www.sensecy.com/contact

English-language underground_2015

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

Brazilian Trojans Poised to Spread around the World

When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.

In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.

Brzail_number_of_attacksCybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil
A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.

Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.

An example for the use of the CPL malware in a phishing email
An example for the use of the CPL malware in a phishing email

The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.

School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network
POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum
PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understand by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.
A forum member selling his knowledge
A forum member selling his knowledge
  • Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.