After Intimidating Humankind Around the World, the Ebola Virus is now Threatening the Cyber Arena

It is a well-known fact that hackers can be very creative, not only when writing malicious code, but also when bestowing a name on their creation or connecting it to some sensational subject.

This time, inspired by the outbreak of the Ebola epidemic in Africa, the authors of the ransomware discussed below coded it to change filenames on the infected computer into a string containing the word “Ebola”. Let us take a deeper look at this new malware.

We first encountered the malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that infected his computer.

According to his description, he received the malware via an email message that contained a link. Clicking the link started the download of a .RAR archive that does not trigger an AV alert. After the archive was unpacked, all the files on the PC (extensions: PDF, DOC, DOCX, XLS, XLSX, JPG, DWG) were encrypted and their names were changed to *id-*help@antivirusebola.com. The shared folders were also encrypted and access to them denied. To recover the contents of the PC, the victim had to send an email to the address help[at]antivirusebola.com, and was subsequently instructed to pay 1 Bitcoin (approximately US$380) to a given address.

Further investigation on the Russian-speaking web revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent via an email message, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security firm forums (such as Kaspersky, Symantec and Dr.Web), but no way of decrypting the files was found.

According to the Russian security company Dr.Web, the malware, now called “the Ebola Virus,” first appeared on August 20. The same ransomware has been distributed since August 7, albeit in a slightly different format – the file names were changed to id-*_decrypt@india.com or id-*_com@darkweider.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741 and coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi, packed with the Armadillo packer and uses AES-128 for encryption.

A closer look at the sample revealed the IP address of the C&C server – 31.220.2.150 – which belongs to a company called KODDOS, registered in Hong Kong (offering offshore hosting and DDoS protection). The C&C traffic goes over HTTP – the infected machine sends out a unique string, probably the UID of the infected machine.

The post in VKontakte

It is important to note that to date, the malware is largely unrecognized by AV vendors. (The detection rate varies for different samples on VirusTotal – the highest is 15/55.)
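As an added defender-side example (not code from the original post), the following Python helper flags files renamed in the three patterns reported above, extracts the victim ID and variant, and picks out proxy log lines bound for the C&C address named in the post. The exact placement of the id tag inside a renamed file and the proxy log layout are assumptions, and the sample listing is constructed.

```python
import os
import re
from collections import Counter

# Contact addresses the post attributes to the three waves of the same family;
# the key is just a label used in the summary.
VARIANT_CONTACTS = {
    "ebola": "help@antivirusebola.com",
    "india": "_decrypt@india.com",
    "darkweider": "_com@darkweider.com",
}

# Extensions the victim reported as encrypted.
ENCRYPTED_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".dwg"}

C2_ADDRESS = "31.220.2.150"  # C&C server IP named in the post

# Assumption: the original name is kept in front of an "id-<victim id>" tag
# that is followed directly by the contact address, e.g.
# "report.docx.id-1234help@antivirusebola.com". The post only gives the
# wildcard form "*id-*help@antivirusebola.com", so the separator is optional.
RENAMED = re.compile(
    r"^(?P<original>.*?)[._-]?id-(?P<victim>[A-Za-z0-9]+?)(?P<contact>"
    + "|".join(re.escape(c) for c in VARIANT_CONTACTS.values())
    + r")$",
    re.IGNORECASE,
)


def classify(path):
    """Return details if the file name matches one of the rename patterns, else None."""
    m = RENAMED.match(os.path.basename(path))
    if not m:
        return None
    contact = m.group("contact").lower()
    variant = next(k for k, v in VARIANT_CONTACTS.items() if v == contact)
    original = m.group("original")
    ext = os.path.splitext(original)[1].lower()
    return {
        "original": original,
        "victim": m.group("victim"),
        "contact": contact,
        "variant": variant,
        "known_target_ext": ext in ENCRYPTED_EXTS,
    }


def summarize(paths):
    """Count hits per variant, collect victim IDs, list hits with an unexpected extension."""
    hits = [h for h in map(classify, paths) if h]
    return {
        "total": len(hits),
        "by_variant": dict(Counter(h["variant"] for h in hits)),
        "victim_ids": sorted({h["victim"] for h in hits}),
        "unexpected_ext": [h["original"] for h in hits if not h["known_target_ext"]],
    }


def c2_contacts(proxy_log_lines):
    """Return proxy log lines (assumed layout: time client dest:port method) going to the C&C."""
    hits = []
    for line in proxy_log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2].split(":")[0] == C2_ADDRESS:
            hits.append(line)
    return hits


# Constructed sample data (not from a real infection).
SAMPLE_LISTING = [
    "C:/Users/user/Documents/report.docx.id-1234help@antivirusebola.com",
    "C:/Users/user/Documents/budget.xlsx.id-1234help@antivirusebola.com",
    "C:/Users/user/Pictures/holiday.jpg.id-1234help@antivirusebola.com",
    "C:/share/plan.dwg.id-98AB_decrypt@india.com",
    "C:/share/notes.txt.id-98AB_com@darkweider.com",
    "C:/Users/user/Documents/readme.txt",
]
SAMPLE_PROXY_LOG = [
    "12:01:03 10.0.0.7 31.220.2.150:80 POST",
    "12:01:04 10.0.0.7 198.51.100.10:443 CONNECT",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
    print(c2_contacts(SAMPLE_PROXY_LOG))
```

A hit on a file whose original extension is outside the reported set (the `unexpected_ext` list) is worth a second look, since it suggests a variant with a wider target list than the one described.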

After the Russian Yandex and Mail.ru, Gmail Accounts are Leaked. Who will be Tomorrow’s Target?

This morning cyber security sources informed us for the third time this week about email addresses and passwords being leaked from a large mail provider. After the Russian services Yandex.ru (one million leaked emails) and Mail.ru (4.5 million leaked emails), came Gmail’s turn – around five million emails were posted on a Russian platform.

According to publications about the Gmail leak, the data was published on a Russian forum that focuses on bitcoin issues – Bitcoin Security. The forum member who uploaded the database is nicknamed tvskit, and he was the first one to publish the data online in all three of the cases.

A short search on the above nickname on social networks revealed a 34-year-old man by the name of Ivan Bragin, from the Perm administrative center in Russia. His VK and Twitter pages contain plenty of information regarding crypto-currencies, in addition to a tweet about the Gmail leak linking to the BTC forum. From his posts, it seems that he did not directly connect himself to the leaks, nor did he take credit for stealing the data. Moreover, the story he tells is about running into these email lists on the web, then deleting the passwords and publishing them ‘for the greater good’. It is a strange coincidence that all three lists were found by the same person.

The fact that tvskit‘s real identity was so easy to find (no attempts to hide it on his side), combined with the fact that the account list was initially published without the passwords (“just in order for people to check if their address was on the list”), makes us doubt that he stole the data.

According to several cyber security sources that analyzed the database, some of the compromised mail accounts were either automatically registered or were not active in the past. Nevertheless, some users of the above providers did confirm the authenticity of the logins and passwords.

Yandex and Mail.ru denied any kind of breach of their databases, so the leading hypothesis regarding the accounts’ origin is that all three lists were collected over a long period of time, from different sources, maybe along with other, less “attractive” data, and were later sorted by email provider and published online. In addition, we should also consider that at least some of the addresses are fictitious or not valid. At this moment, it is difficult to specify the exact number of addresses with a valid password.

Relying on the information above, we believe that all three lists were obtained by the same person (not necessarily tvskit), who managed to get hold of some valid logins and passwords and then mixed them with non-valid or automatically created addresses to intensify the scale of the leak.

A forum thread from the Bitcoin Security forum, which contains the leaked Gmail database
Ivan Bragin’s tweet linked to the forum post about the Gmail leak

Ukraine Accuses Russia of Invasion – Ukrainian Hackers Set to Retaliate

Earlier today (August 28, 2014) Ukrainian President Petro Poroshenko said that Russia has sent troops to eastern Ukraine. Ukrainian hacker groups are quickly aiming to retaliate – Anonymous Ukraine plans to attack a number of Russian bank websites and the official websites of the Russian President. The first target was sberbank.ru, and the attack was planned to take place on August 28 at 16:00.

Anonymous Ukraine is threatening to carry out DDoS attacks

Other websites on the list include:

Threats to wage cyber attacks on sberbank.ru

Two New Banking Trojans Offered for Sale on the Russian Underground

It is the time of summer vacations in Eastern Europe now, and we definitely see a certain recession in the underground cybercrime business. Just like “regular” people in Russia, cybercriminals also spend a week or two by the sea or in their dachas (chalets), after working round the clock during the year. We are witnessing this recession not only in the decrease of trade activity, but also in the lack of support for some services offered on the forums, the long absence of several high-ranking members from the boards, etc.

Considering this situation, it was quite exceptional to see the almost simultaneous appearance of two new banking Trojans on one of the Russian underground forums. Although offered by different sellers, the names of both are derived from Greek mythology – Kronos and Kratos. Kronos is the father of Zeus, the most important Greek god, while Kratos was a far less important figure. The prices match the significance of the gods – Kronos costs $7,000 (a special release price until July 18th is $5,000, and a one-week trial is offered for $1,000, on your own domain), while Kratos is available for only $2,000.

Let us look deeper at the features of the above mentioned Trojans, as they are described by the sellers.

Kronos

Kronos, first published on June 10th, is claimed not to be based on Zeus source code, or other known banking Trojans, thus suggesting a new generation of financial malware. The extremely high price supports this suggestion.

It has a ring 3 rootkit which is compatible with both x86 and x64 systems and includes a formgrabber for the latest versions of the popular browsers (IE, FF and Chrome). Kronos’ web injections are configured in Zeus’ format, so adjusting old injections for the new Trojan is supposed to be pretty simple. As for security features, the Trojan is capable of bypassing proactive AV protection, as well as bypassing user-mode sandboxes and rootkits.

Among the disadvantages of this Trojan, the seller mentions the lack of a VNC module and incompatibility with the Opera browser. Nevertheless, a vigorous discussion about Kronos developed on the forum and gained mostly positive feedback.

On July 8th, the seller posted the results of an AV scan he performed on his product – it was detected by 10 out of 35 vendors, as generic malware.

Kronos in action – a snapshot from a video published by the seller

Kratos

Kratos’ sales started on July 7th. It is based on Carberp’s bootkit, without relying on Zeus source code, and uses Citadel’s PHP administration panel.

The seller describes the main concept of his product as blocking AV detection (which depends on successful installation of the ring0 bootkit). It works on both x86 and x64 OS, and is based on a modular system – one of the modules is an injection module for all versions of the FF, IE and Chrome browsers. As to security functions, the Trojan bypasses UAC protection and has a unique, 16kb, RSA signature key.

Kratos’ seller emphasizes the fact that a change in one of the protocols (compared to Zeus) allowed the traffic to be compressed, thus opening the possibility of connecting through the TOR browser.

The thread about Kratos on one of the Russian underground forums

In both cases, the discussions still continue. We have not yet seen feedback from satisfied purchasers, but in general both Trojans were received with positive responses.

Protect your Mobile, or else – You Will Have to Pay Ransom for the Right to Use it Again!

Over the last couple of months, two major trends in the constantly evolving cybercrime world have become more and more prominent. Cybercriminals are seeking new sources of profit, as the old ones become harder to exploit over time. Lately, we have noticed a new developing trend, an offspring that combines the two described below.

The first trend on the rise is the targeting of Android systems. Although the subject is not new on underground platforms, and dedicated rooms for discussing vulnerabilities on Android were already opened a couple of years ago, we can definitely say that a big step forward has been made in recent months in this area.

Malware for Android is frequently seen on underground forums and uploaded to file-sharing platforms. Since the beginning of 2014 alone, we have monitored approximately ten malware tools for infecting Android devices, for example Dendroid, AndroRAT, iDroid (targeting both iOS and Android systems), Stoned Cat, etc. The modus operandi can differ, but the final target is always the same: monetary theft, whether by stealing credentials for mobile banking applications, sending premium SMS messages, or some other method. The infection technique also varies. It usually happens when the victim installs a new application that is actually the virus itself, obviously well-disguised as something harmless. Another infection vector is binding malicious code to a legitimate application. Finally, there are the good old emails and SMS messages containing a link that initiates the download of the malware.

Dendroid’s Admin Panel
iDroid’s Admin Panel

The second trend is the growing number of ransomware viruses that lock the user’s computer and/or encrypt his files, then demand remuneration for restoring the computer to its initial state. The most infamous malware of this kind is Cryptolocker, but there are some more that we wrote about in the past.

If these two methods are profitable, why not combine them and increase the odds of earning more easy money? We recently noticed the sale of two “ransomware for mobile” products on the Russian underground. The first is called Block Android Mobile – offered alongside additional products by the same seller, such as Syslocker and BrowBlock. The seller and his services appeared on one of the closed Russian forums in February 2014, but the mobile ransomware was offered as a new function in April 2014. According to the seller, there are two APIs for this malware – the first redirects traffic to a landing page, where an automatic download of a malicious file occurs. The victim then has to run the APK file later. The second API lets the cybercriminal inject the APK file directly, wherever he desires. A deeper analysis of this malware was provided on the Malware don’t need coffee blog, whose author came across its files in action.

Another ransomware for mobile is Tor Android Cryptolocker. This was offered for sale for US$5,000 about two weeks ago. Once installed on the mobile device, the malware blocks the screen, thus preventing its removal. At the same time, it encrypts all the files of a defined format that are found on the SD card and in the phone’s memory (including music, photos, videos, etc.). The victim is asked to pay a certain amount of WebMoney, and then his phone is unblocked. The author was offering only three copies for sale. According to our last check, two were already sold. This probably means that we will soon see this malware in action.

The blocking message sent by Tor Android Cryptolocker

Taking into account the important role that mobile phones play in our lives, this can be a very profitable means of extortion. Buying a new phone may not always be cheaper than paying hundreds of dollars to get the old one back. And there are also all those pics and videos (of extremely high emotional value) that we do not always back up, although it is widely known that we should. Cyber criminals can be good psychologists sometimes, and they can hurt us in the most painful places.

Cybercriminals Target iOS Devices

We recently discovered a post about a new mobile Trojan on one of the Russian underground forums. The uniqueness of this malware (if the publications prove true, of course) is that it is capable of attacking both iOS and Android systems. The magic malware’s name is iDroid bot 0.7.

The malware first appeared on the Web about a month ago, on two different underground forums. It was also mentioned in a thread on a Russian crowd-funding site that tried to raise RUB 16,000 (about $450) for further development of the malware.

Sales are conducted via a dedicated website, on which no contact details are published and the only way to contact the seller is to leave your contact details on the site. When you receive a response, you pay the sum of $800 (or 1.5 bitcoins if you prefer to count your money in virtual currency), and become the lucky owner of a malicious program that is supposed to help you become a rich person without too much effort.

So, what are iDroid’s capabilities? Obviously, the most important one is infecting both iOS (versions 7.1 and below) and Android (versions 2.2 and up). Members of the underground forums have expressed doubt about this feature, as infecting iOS systems is a very sophisticated task, especially when combined with Android infection in the same tool. In addition, the admin panel uses the TOR browser and a proxy for its connection.

The grabbing features of the tool include a keylogger, a CC grabber and an email grabber. The main profit for the operator comes from grabbing data from mobile wallets (QIWI, Yandex.Money, and WebMoney Keeper Mobile), by substituting the operation on the mobile device. Finally, we have all the “regular features” of a mobile Trojan, such as SMS sending and interception, recording conversations, receiving screenshots, etc.

Screenshots of the bot, uploaded to YouTube

Another fact worth mentioning is that the author is already working on the next version of his brainchild, iDroid bot 0.8. This version will contain additional functions, such as a utility for writing Zeus-like injections into banking and payment system applications, auto injections into the applications of 56 banks and auto delivery of the Trojan via Bluetooth (only for Android).

iDroid bot is the second bot that purports to infect iOS devices (the first was Zorenium, whose sales started in January 2014). Apple is definitely the next big target for cybercriminals, and even if the above-mentioned tools prove fictional, they are working on this pretty hard. So as we see it, the odds for success in the short-term are high.

We have recently seen the development and publishing of hack applications for smartphones on underground forums. Check the updates in our new post: HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

Exploiting the World of WebMoney

The appearance of virtual money has played in favor of cyber criminals. The level of anonymity provided by crypto currencies is significantly higher than in real money transactions, and leaves much more space for performing illegal activities.

The first and most obvious way to exploit WebMoney and earn an easy profit is to mine virtual currencies via botnets specifically created for the purpose. The underground is awash with different mining bots, miners and mining Trojans for sale (downloads are also available), all of which are designed to infect the PCs of naive users and exploit their CPU/GPU resources to mine the precious coins. The price range varies widely, starting at $50-$100 for a build of a simple Bitcoin/Litecoin miner, to $400-$500 for more sophisticated malware capable of mining a wider variety of virtual currencies (such as Namecoins, Dogecoins, QuarkCoins, etc.) and reaching $1,000-$1,500 for complete mining kits that can mine coins on processors or video cards, contain a UAC bypass and a web panel for statistical management of the bots, are signed with a digital certificate, and more.

Litecoin mining Bot
“Diamond Axe” – another mining bot

The abundance of different mining platforms identified over the past year has created some difficulties for those making a living in this area. Prices dropped due to the increase in supply, while in parallel, the miners became more detectable by AV vendors, as a large number of them operate by the same mechanism. We identified forum threads from members looking for alternative methods of money-making, stressing their preference for malware capable of virtual money theft.

This can perhaps shed some light on the shift in the activities of cybercriminals in this area – from creating mining botnets to stealing coins from web wallets. Indeed, in the last month alone, we identified three different stealers of Bitcoin wallets: *coin Grabber, Stealer coins and Wallet Stealer. While the tools are not very sophisticated, they can cause a great deal of damage. *coin Grabber is designed to steal data (files and passwords) from Bitcoin-QT, MultiBit, Armory and Electrum wallets during the transaction process, and costs $500. Stealer Coins is supposed to search for and steal Bitcoin wallet files and send them to an FTP server, and is sold for $250. The Wallet Stealer is capable of stealing different kinds of WebMoney (not only Bitcoins) from Armory and MultiBit wallets and of bypassing UAC, and it costs $600.

The Administration Panel of *coin Grabber

In conclusion, we should mention again the three injection codes for Bitcoin exchanges that were found on one of the Russian underground forums (we wrote about this in detail about a week ago). This code replaces the values of the send-to-address, send-value and send button elements, thus exploiting a vulnerability on the exchange website.

As time goes by, we are witnessing the evolution of more and more cybercrime tools aimed at the relatively young but very profitable area of web currencies. The simple, easy methods are being abandoned for more complicated ones and new trends are popping up, as in other spheres of the dynamic cyber crime world.

Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.


As a follow-up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that as we are still in the process of fully analyzing this bot’s capabilities, the post is mostly based on the information published by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If it indeed operates as the author says it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence is initiated by the user), including proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.

Another interesting aspect would be the implementation of the steganography module. The steganography module is not a “regular” one, and it makes this bot more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core DLLs onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this ice cream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot, has been for sale on the underground since January 2014. This bot will be getting new features in its March 18th update, including the ability to infect iOS devices (versions 5-7), alongside its existing capabilities to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools).


Capture of the recent release notifications

Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies. It has several key abilities, including DDoS, formgrabbing, bot-killing, a banking Trojan and Bitcoin mining. The cost of a basic Zorenium bot is 350 GBP and with advanced features (including P2P C&C, i2p C&C and more) it can go up to over 5,000 GBP.


Zorenium Payment Plans

According to the developers, it is still in beta mode and more features will be available in time.


Zorenium Source Screen Capture

Ukraine versus Russia in a Cyber-Duel

The eyes of the world are trained on events unfolding between Russia and the Ukraine these days – partly curious, partly concerned, with others directly supportive of one of the sides, either through actions or by disseminating the agenda they believe in. Everyone understands that this conflict (or should we already use the term “war”?), may have a huge impact on the balance of power in Eastern Europe, and further afield. For the time being, we can only assume what Russia’s true goals are in this conflict and to what extent it can deteriorate. But one thing is already clear – this is a confrontation not only in the battlefield, with tanks and guns, but also in cyberspace, where the weapons are site defacements, data leaks and damage to the networks of financial and critical infrastructures. And it is not so obvious which of them is the more merciless and destructive…

This is not the first time that Russia has resorted to cyber-attacks against her enemies. April 2007 is still burned into the collective memory of Estonia, when thousands of sites belonging to Estonian organizations came under cyber-attack over a three-week period, which withheld many essential services from the general public.

Another conflict that served as a background to numerous cyber-attacks was the Russia–Georgia war in 2008. South Ossetian, Russian, Georgian, and Azerbaijani informational and governmental websites were hacked, resulting in defacements with political messages and denial of service to numerous websites. It was not clear whether the attack was an organized, government supported warfare or a riot of individuals and groups touting pro-Russian views.

The current confrontation in the Crimean Peninsula has only been underway for a few days, but it is already widely backed by supporters from both sides in cyberspace. Many websites with Russian and Ukrainian URLs have already been hacked and #OpUkraine and #OpRussia campaigns launched on social networks, mainly VK, Odnoklassniki and Facebook.

The Ukrainians, imbued with patriotic feelings, are trying to hack Russian sites and leak data. The Ukrainian site Bimba, which calls itself the “cyber weapon of the Maidan revolution,” announced its recruitment of cyber volunteers wishing to work for the benefit of the Ukraine.

Defacement of Russian Sites by Anonymous Ukraine
Recruitment of cyber volunteers on anti-Russian site

The VK group #опПокращення // #OpUkraine, identified with Anonymous, uploaded a paste to the pastebin.com site, containing an anti-Russian message and a link to download internal SQL data from Crownservice.ru (which publishes tenders for governmental jobs), in a file called Putin Smack Down Saturday.

Other hacker groups in the Ukraine hacked regime websites, in expression of their support for the revolution. In general, a large number of internal cyberattacks among the different Ukrainian groups have been executed since the clashes began at the end of 2013. One of the more prominent was the hacking of the email of Ukraine opposition leader, Vitali Klitschko.

Russia tried to get even, although in a less obvious manner. Starting February 28, reports about cyberattacks in the Crimean Peninsula were published by some sources. Local telecommunications companies, as well as landline and Internet services, experienced problems in their operation that may have been caused by cyberattacks. Moreover, Russia’s Internet monitoring agency (Roskomnadzor) has blocked Internet pages linked to the Ukraine protest movement.

Aside from Russians and Ukrainians, this conflict has attracted hackers from other countries, and we have already seen Turkish, Tunisian, Albanian and Palestinian hacker groups attacking Russian sites in support of the Ukrainian revolution.

Turkish hacker teams join in hacking Russian and Ukrainian sites
Anonymous Gaza hack Russian websites

At the time of writing, news sites have reported two more attacks on Russian sites by Ukrainian activists. This is a surprising, dynamic duel, and cyberspace is likely the stage upon which it will be played out.