The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

The Swine Flu Wants to Infect Your PC

Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry.

During routine monitoring of these forums, we came across a new type of malware loader called H1N1. Loaders are used as an initial intrusion vector, enabling an attacker to install malware on a workstation at a later time of his own choosing. They provide the attacker with both an initial foothold in the victim’s system and a future channel for delivering malicious programs at any time.

The new loader, which is named after the swine flu virus, was offered for sale in late April for $500 by a member of a Russian password-protected forum.

According to the sales thread, H1N1 is a non-resident loader. This means that it is executed in the system, installs the programs from its task list, and deletes itself after the computer is rebooted. (A resident loader, on the other hand, writes itself into the operating system and is not deleted after reboot. Since it receives commands from the C&C server, it can keep installing malicious software on the infected computer.)

H1N1 characteristics

  • Bypasses User Account Control (UAC) through a UAC whitelist, which allows it to run files with elevated privileges. This bypass does not require use of additional .dll libraries or Windows Sysprep. If the loader is unable to receive elevated privileges, it will run programs with user privileges.
  • Traffic in both directions is encrypted.
  • Installs .exe files on the infected computer using Windows Instrumentation Management (WMI). The .dll files are installed from memory.
  • Has an embedded security mechanism that recognizes when it is being executed in a virtual machine.
  • Can be injected into the address space of legitimate system processes (of the default browsers).
  • Bypasses AV and HIPS programs. With AV programs, it does this by identifying their running processes and paths, creating copies of the processes, injecting into the copied processes, and finally, disabling all threads of the AV software’s legitimate processes.
  • Elevates privileges from a low integrity level by using WMI and exploiting the CVE-2014-4113 vulnerability.
  • Identifies and neutralizes certain AV programs.
H1N1 administration panel
H1N1 administration panel

A number of forum members who claimed to have used the tool gave generally positive feedback but stated that it does not bypass all AV programs. According to the technical analysis (below), Kaspersky Internet Security identified the presence of the loader, while ESET NOD32 and Outpost Security Suite did not. Avira only identified the activity as malicious in some cases (depending on the crypt of the loader).

In a VirusTotal analysis of the loader’s files, the detection ratio was 41/57 for the dropper file (as of May 21, 2015) and 22/57 for the memory file (as of May 14, 2015).

Technical Analysis

It is common practice on closed Russian forums for veteran, trusted members to analyze and validate malware sold by newbies to prevent them from cheating and selling a low-quality product. It is harder to find buyers for non-validated malware, especially if the seller is new to the forum (for a review of different types of sellers, see our previous post on this subject). Since a major part of the underground ecosystem is based on reputation and the hierarchy on different underground forums, an impartial entity whose role is to validate new goods is extremely important.

Ares, the administrator of a well-known Russian forum, conducted a validation analysis to check whether H1N1 really possesses the capabilities claimed by the seller, including the ability to bypass security measures. He published an extensive review on his forum.

According to Ares, the code is written in Assembly language and was obfuscated (for security purposes). Once all the initial procedures are loaded (the code utilizes kernel32 and advapi32 during loading), the loader launches the Explorer process from syswow64 on x64 systems and system32 on x86 systems. The process is mapped with a rewritten shellcode entrypoint.

The shellcode receives all of the necessary APIs and reads a packed binary file (which it extracts).

The binary is a .dll file that scans for various important API elements and then checks the hash signature of the filename through which the process was started. If the file name is Explorer, it tries to elevate its privileges.

Initially the malicious .dll file copies itself and patches with the shellcode. Later it moves the copied file into the system32/setup folder. After that, H1N1 runs several checks (such as OS version) and tries to elevate its privileges from medium to high.

The loader uses various methods to inject malicious content into legitimate processes. For example, if injection into a default browser fails, it tries to inject the malicious content through svchost.

Lastly, the execution module kicks in where the loader will be executed. The malware conducts fake network tests (for example, pinging various websites), collects information about the infected machine, and then requests content from the C&C server. The HTTP requests are encrypted with RC4 and the data length is transferred in the HTTP header.

HTTP requests from the C&C server
HTTP requests from the C&C server

Following publication of the analysis by Ares and in response to critical feedback from forum members, the seller has been updating and improving H1N1. For example, he responded to criticism of the UAC bypass by announcing that he had changed the bypass method and that it was now similar to the method used by the Carberp Trojan.

In later tests performed by several authoritative forum members, privilege escalation and the UAC bypass had a relatively low success rate. However, since then, the author claims to have fixed the problems with the loader.

An Important Recommendation

H1N1 uses bthudtask.exe for its purposes. This executable is part of Microsoft Windows and is usually located under C:\Windows\system32. The file description is “Bluetooth Uninstall Device Task.” If you do not require Bluetooth devices, we would strongly recommend removing the file from your end-points.

Conclusion

H1N1 is a new type of malware loader and is not yet very sophisticated. However, it has attracted the attention of many high-ranking Russian underground forum members, who have analyzed it and written about its weak points. This seems to be encouraging the seller to improve and upgrade his product and fix the bugs.

Australian Banks Targeted by Russian Malware for Android Devices

Introduction

Several months ago, while monitoring Russian underground forums, we came across a new malware designed to attack Android smartphones via a social engineering vector, luring victims into providing their banking data, as well as credit card details to the attackers.

The malware is dubbed GM BOT, and it has been offered for rent since October 2014 on a Russian underground forum dealing with malware development and sales. The price was $4,000 for one month, and this later dropped to $2,000. In January 2015, the renter of the GM BOT posted about deploying the malware on Australian botnet, including screenshots of banking details from Australian banks.

Later, in February 2015, the renter posted examples of Man-in-the-Middle (MitM) attacks that can be carried out by his malware, two of them presenting fake login pages to Australian banks.

GM BOT Capabilities

The first version of the malware was released on October 29, 2014 and according to the thread, it is designed to collect banking and credit card details. The data collection from the infected devices is performed via a social engineering vector, when fake pages are presented to victims. The tool works in different ways:

  • Collection of VBV data by using a fake Google Play application (Luhn algorithm is used for validation).
  • Scanning the mobile phone for installed banking services, and presenting dialog boxes for filling in confidential data.
  • Checking for email and social media accounts linked to the phone (Gmail, Facebook, Twitter, etc.) and presenting dialog boxes for filling in confidential data.

In addition, the malware is capable of incoming SMS message interception and blocking (to avoid alerts from the bank from reaching the victim), as well as incoming call redirection, GPS data monitoring and more. The malware received highly positive feedback from other forum members, as suitable for cybercrime activity.

Initially, the thread’s author specified that the bot would be rented to five clients – Russian speakers only. On November 3, 2014, the renter announced that all the five clients had been found, and that the ad was no longer relevant. However, one month later, on December 2, he posted about updates of GM BOT capabilities, saying that he is looking for more clients. The new version of the bot enables its operator to create JS or HTML dialog boxes that are presented to the victim, thus expanding the number of accounts whose credentials can be achieved.

The Australian Link

On January 13, 2015, the author posted again. This time the post included screenshots showing the results of GM BOT activity. According to the post, 165 users in Australia were infected on January 10. 68 of these were communicating back with the C&C infrastructure at the moment of the post. Screenshots of the collected data were attached.

Credit card data and banking credentials of Australian bank clients, collected by GM BOT
Credit card data and banking credentials of Australian bank clients, collected by GM BOT

On February 12, 2015, another post regarding GM BOT was uploaded by the author, focusing on its MitM attacks capabilities. According to this post, the bot can inject JS or HTML code into running application, thus showing the user fake pages for drawing out data.

It should be mentioned that the malware distribution method is not included in the rented product. This means that the attacker who purchases the malware delivers it to the victims by a method of his choosing, spam emails for instance.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground

Written by Tanya Koyfman

Instead of spending days and nights coding, crypting and modifying the malware to avoid AV detection, the underground market offers to sign it by a digital certificate issued for a legitimate entity.

While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.

The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.

The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale in exchange for almost $1000. According to the seller, the certificate can be used to sign exe files. Forum members who are interested in purchasing are requested to connect via Jabber (an instant messaging service based on XMPP protocol, highly popular among Russian cybercriminals).

The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was a demand he could get his hands on also driver signing certificates.

The thread also included feedback messages from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a specific malware infection. In a case of a mass distribution of malware programs, the certificate would be cancelled within days.

During the forum discussion, the seller mentioned that signing an exe file by certificate helped avoid detection by all AV pro-active detection mechanisms, except for one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).

To date, after almost two months of sales, at least 7-10 certificates have been sold (providing a profit of $10,000 for the seller).

The first message regarding the sale of the certificates
The first message regarding the sale of the certificates

Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CA) in the world, the above case is probably only the tip of a slippery slope. We may soon witness an increase in malware distribution attacks based on using genuine code signing certificates. The $1,000 paid for the certificates is an incredibly low price for the hacker to pay, compared to the large sums of money he can earn using these certificates in his attacks. While we do not know the precise origin of the certificates (a breach in an organization that purchases certificates, a breach in a reseller supplying the CA certificates or simply an “illegal” reselling or legally purchased certificates), the volume of certificates that the seller is supplying is reminiscent of the DigiNotar case.

The Case of DigiNotar (July-August 2011)

DigiNotar was a Dutch Certificate Authority company owned by VASCO Data Security International. DigiNotar went bankrupt following a security breach that resulted in the fraudulent issuing of CA certificates on September 3, 2011. DigiNotar hosted a number of CA’s and issued certificates including default SSL certificates, Qualified Certificates and ‘PKIoverheid’ – government accredited certificates.

In August 2011, a rogue certificate for *.google.com signed by DigiNotar was revoked by several Internet user browsers in Iran. Fox-IT conducted an investigation of the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 requests to google.com with IPs originating from Iran that used the rogue certificate before it was revoked. The attack lasted nearly six weeks.

The compromised IP users might have had their emails intercepted, and their login cookie could have been intercepted making the attacker able to enter their Gmail accounts and all other services offered by Google. Having access to the e-mail account, the attacker is also able to reset passwords of other services with the lost password button. Fox-IT further examined the hacking tools and found some of them to be amateurish and some very advanced, some were published hacking tools and some specifically developed.