Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018. Continue reading “Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools”

Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the Continue reading “Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

An excerpt of the sale thread posted on a Darknet forum


Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

One of the sales posts on a Darknet marketplace
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.


When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

all of them

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

Brazilian Trojans Poised to Spread around the World

When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.

In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.

Brzail_number_of_attacksCybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil
A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.

Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.

An example for the use of the CPL malware in a phishing email
An example for the use of the CPL malware in a phishing email

The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.

The Swine Flu Wants to Infect Your PC

Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry.

During routine monitoring of these forums, we came across a new type of malware loader called H1N1. Loaders are used as an initial intrusion vector, enabling an attacker to install malware on a workstation at a later time of his own choosing. They provide the attacker with both an initial foothold in the victim’s system and a future channel for delivering malicious programs at any time.

The new loader, which is named after the swine flu virus, was offered for sale in late April for $500 by a member of a Russian password-protected forum.

According to the sales thread, H1N1 is a non-resident loader. This means that it is executed in the system, installs the programs from its task list, and deletes itself after the computer is rebooted. (A resident loader, on the other hand, writes itself into the operating system and is not deleted after reboot. Since it receives commands from the C&C server, it can keep installing malicious software on the infected computer.)

H1N1 characteristics

  • Bypasses User Account Control (UAC) through a UAC whitelist, which allows it to run files with elevated privileges. This bypass does not require use of additional .dll libraries or Windows Sysprep. If the loader is unable to receive elevated privileges, it will run programs with user privileges.
  • Traffic in both directions is encrypted.
  • Installs .exe files on the infected computer using Windows Instrumentation Management (WMI). The .dll files are installed from memory.
  • Has an embedded security mechanism that recognizes when it is being executed in a virtual machine.
  • Can be injected into the address space of legitimate system processes (of the default browsers).
  • Bypasses AV and HIPS programs. With AV programs, it does this by identifying their running processes and paths, creating copies of the processes, injecting into the copied processes, and finally, disabling all threads of the AV software’s legitimate processes.
  • Elevates privileges from a low integrity level by using WMI and exploiting the CVE-2014-4113 vulnerability.
  • Identifies and neutralizes certain AV programs.
H1N1 administration panel
H1N1 administration panel

A number of forum members who claimed to have used the tool gave generally positive feedback but stated that it does not bypass all AV programs. According to the technical analysis (below), Kaspersky Internet Security identified the presence of the loader, while ESET NOD32 and Outpost Security Suite did not. Avira only identified the activity as malicious in some cases (depending on the crypt of the loader).

In a VirusTotal analysis of the loader’s files, the detection ratio was 41/57 for the dropper file (as of May 21, 2015) and 22/57 for the memory file (as of May 14, 2015).

Technical Analysis

It is common practice on closed Russian forums for veteran, trusted members to analyze and validate malware sold by newbies to prevent them from cheating and selling a low-quality product. It is harder to find buyers for non-validated malware, especially if the seller is new to the forum (for a review of different types of sellers, see our previous post on this subject). Since a major part of the underground ecosystem is based on reputation and the hierarchy on different underground forums, an impartial entity whose role is to validate new goods is extremely important.

Ares, the administrator of a well-known Russian forum, conducted a validation analysis to check whether H1N1 really possesses the capabilities claimed by the seller, including the ability to bypass security measures. He published an extensive review on his forum.

According to Ares, the code is written in Assembly language and was obfuscated (for security purposes). Once all the initial procedures are loaded (the code utilizes kernel32 and advapi32 during loading), the loader launches the Explorer process from syswow64 on x64 systems and system32 on x86 systems. The process is mapped with a rewritten shellcode entrypoint.

The shellcode receives all of the necessary APIs and reads a packed binary file (which it extracts).

The binary is a .dll file that scans for various important API elements and then checks the hash signature of the filename through which the process was started. If the file name is Explorer, it tries to elevate its privileges.

Initially the malicious .dll file copies itself and patches with the shellcode. Later it moves the copied file into the system32/setup folder. After that, H1N1 runs several checks (such as OS version) and tries to elevate its privileges from medium to high.

The loader uses various methods to inject malicious content into legitimate processes. For example, if injection into a default browser fails, it tries to inject the malicious content through svchost.

Lastly, the execution module kicks in where the loader will be executed. The malware conducts fake network tests (for example, pinging various websites), collects information about the infected machine, and then requests content from the C&C server. The HTTP requests are encrypted with RC4 and the data length is transferred in the HTTP header.

HTTP requests from the C&C server
HTTP requests from the C&C server

Following publication of the analysis by Ares and in response to critical feedback from forum members, the seller has been updating and improving H1N1. For example, he responded to criticism of the UAC bypass by announcing that he had changed the bypass method and that it was now similar to the method used by the Carberp Trojan.

In later tests performed by several authoritative forum members, privilege escalation and the UAC bypass had a relatively low success rate. However, since then, the author claims to have fixed the problems with the loader.

An Important Recommendation

H1N1 uses bthudtask.exe for its purposes. This executable is part of Microsoft Windows and is usually located under C:\Windows\system32. The file description is “Bluetooth Uninstall Device Task.” If you do not require Bluetooth devices, we would strongly recommend removing the file from your end-points.


H1N1 is a new type of malware loader and is not yet very sophisticated. However, it has attracted the attention of many high-ranking Russian underground forum members, who have analyzed it and written about its weak points. This seems to be encouraging the seller to improve and upgrade his product and fix the bugs.

MitM Attacks Pick Up Speed – A Russian Coder Launches a New Web Injection Coding Service

In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.

In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.

Web injections are sold on a Russian underground forum
Web injections are sold on a Russian underground forum

On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.

According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.

The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.

Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.

The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and Ebay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. There was a section in the site indicating that European institutions will be targeted in the future.

Example of injection for a bank, published on the dedicated website


A Creative Way to Celebrate the New Year’s Eve by the Russian Hacking Community

The second half of December is a joyful and festive time in the snowy, post-Soviet arena, culminating in the magical New Year’s Eve. Most people take vacation, and an atmosphere of playfulness and celebration can be felt in the air. The Russian-speaking hacker and malware development community is no exception, and each year the forums that serve as their main platforms are colorfully decorated for the holiday, while members post Season’s Greetings to each other.

This year, we witnessed a creative new idea by this community to celebrate the most important holiday in former Communist countries – a self-sponsored, cross-platform contest. Specifically, a quiz on hacking operations, scheduled to take place simultaneously on the last day of the year on several different forums.

The idea is the brainchild of one of the administrators of a leading underground forum, who started to raise money that will serve as prizes for the winners of the contest. A dedicated Bitcoin wallet has been opened for donations. Furthermore, service providers have offered free use of their products for the lucky winners.

The concept was met with enthusiasm by forum members, who proposed question topics and formats. A survey was launched on one forum, asking members to vote for the topic they would like to see in the quiz. The suggested topics involve the following areas of cybercrime: coding, spam, crypt, traffic, brute forcing, reverse engineering and administration.

A Survey launched on one forum about the topics in the quiz
A survey launched on one forum about the topics in the quiz

Several members have donated money, saying that such activity helps to develop the community and serves as motivation for achieving knowledge. Moreover, the administrators of numerous underground forums have expressed their support for the contest, indicating the expected high level of the quiz.

We look forward to discovering the names of the winners of the contest on December 31 and seeing what kind of questions are going to be asked. Meanwhile, we wish you all Happy Holidays and Happy Novy God!