Friday, November 27, 2015

Black Friday Deals on Malware & Scams

The holiday season means different things to a lot of people. For some, it's a time for family and extravagant meals. For others, it's a time for charity and giving more than your best to your partner. Yet for others, it's time to shop. Black Friday is once again upon us: that magical time of the year when we take to the high street or the internet, hoping to find a good deal on that new device we've been window shopping for the last month. Users beware! Clicking on what appears to be a good deal can do more harm than good. During this time of the year, the internet runs amok with phishing and scam websites looking to exploit your consumer instincts.

The Zscaler ThreatLabZ team has been monitoring a subset of opt-in data to look for a correlation between shopping activity and scams. Alongside the increase in shopping behavior, we've observed a steady number of scams clicked on by users. Scammers take notice of trending topics too, and use consumers' impaired judgement to cast a wide net of phishing, fraud, and scam attacks meant to capitalize on the shopping season. Whether you are using a mobile device or your home PC, the uptick in shopping trends remains relevant.

As shown in the graphs, phishing activity tends to rise with the amount of online shopping traffic, which brings the added risk of scammers taking advantage of a consumer's better judgement.

Vawtrak Botnet Scam

Our first case study illustrates the danger of these fraudulent deals. The Vawtrak botnet (also known as NeverQuest and Snifula) is a powerful information-stealing backdoor Trojan that has been gaining momentum over the past few months. It primarily targets users' bank accounts via online banking websites. We've come across numerous reports where users begin the infection cycle through spam e-mails promising a sales deal. This case appears to be no different, as we see the Pony Trojan Downloader being leveraged to download the Vawtrak payload:
  • salesdeal.magentochile[.]cl/f1.exe
VirusTotal has this threat marked as a fairly well-known sample, with a score of 32/55 at the time of research. Vawtrak is a treacherous botnet that is known to target the user's saved banking credentials, or even to keylog for other passwords. Vawtrak achieves this by manipulating key Windows processes and lowering security settings to ensure that its Command and Control traffic can get through.

Savvy users who suspect they are afflicted with this threat should look for suspicious files similar to these:
  • C:\Users\[COMPUTERNAME]\AppData\Local\Temp\~DFECDDE19F2005BD31.TMP
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Kapag
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.exe
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Qucuz
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Sofolq
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Uoqet
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\YidaLboz
The folder name in the 'Local' directory is generated randomly. The fastest way to make sure you are looking at the right directory is to take a quick look at which programs are set to auto-start in the registry. In this instance, the following location was observed:
  • HKU\[USER-ID]\Software\Microsoft\Windows\CurrentVersion\Run\WopuVdax: "regsvr32.exe "C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll""

Once the infection is successful, the Internet Settings are lowered to accommodate suspicious beaconing activity. The following was observed in our execution of the malicious sample:
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000000
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003
Upon successful manipulation of the Internet Settings, command and control attempts are made.
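The two registry observations above (a regsvr32 Run entry loading a DLL from a random AppData\Local folder, and the Internet zone's value 2500, which controls Internet Explorer Protected Mode, flipped from 0 to 3) are easy to check for on an exported registry listing. The following Python script is an added example, not code from the post or from Zscaler; it parses lines in the "HKU\...\Name: value" format the post uses, and the sample lines are the post's own observations plus one constructed benign OneDrive entry so the checker has something to ignore.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed input in the "key: value" style of the post. The first three lines
# reproduce the post's observations; the fourth is a benign auto-start entry.
SAMPLE_REG_LINES = [
    r'HKU\[USER-ID]\Software\Microsoft\Windows\CurrentVersion\Run\WopuVdax: "regsvr32.exe "C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll""',
    r'HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003',
    r'HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000000',
    r'HKU\[USER-ID]\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive: "C:\Users\[COMPUTERNAME]\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
ZONE_PM_RE = re.compile(r"\\Internet Settings\\Zones\\(\d)\\2500$", re.IGNORECASE)
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}


def parse_line(line: str) -> Tuple[str, str]:
    """Split 'HKU\\...\\Name: value' at the first ': '; the key part never contains one."""
    key, sep, value = line.partition(": ")
    if not sep:
        raise ValueError(f"not a 'key: value' line: {line!r}")
    return key.strip(), value.strip()


def check_run_entry(key: str, value: str) -> Optional[str]:
    """Flag a Run value that uses regsvr32 to load a DLL from the user's AppData\\Local."""
    v = value.lower()
    if RUN_KEY_RE.search(key) and "regsvr32" in v and "\\appdata\\local\\" in v:
        return "regsvr32 autostart loading a DLL from AppData\\Local (Vawtrak-style persistence)"
    return None


def check_protected_mode(key: str, value: str) -> Optional[str]:
    """Flag zone value 2500 (Protected Mode: 0 = on, 3 = off) when it is not 0."""
    m = ZONE_PM_RE.search(key)
    if not m:
        return None
    try:
        setting = int(value, 16) if value.lower().startswith("0x") else int(value)
    except ValueError:
        return None
    if setting != 0:
        zone = ZONE_NAMES.get(m.group(1), f"zone {m.group(1)}")
        return f"{zone} zone Protected Mode value 2500 set to {setting} (0 = on, 3 = off)"
    return None


CHECKS: List[Callable[[str, str], Optional[str]]] = [check_run_entry, check_protected_mode]


def scan_registry_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (key, reason) for every line that trips one of the checks."""
    findings = []
    for line in lines:
        key, value = parse_line(line)
        for check in CHECKS:
            reason = check(key, value)
            if reason:
                findings.append((key, reason))
    return findings


if __name__ == "__main__":
    for key, reason in scan_registry_lines(SAMPLE_REG_LINES):
        print(f"[!] {reason}\n    {key}")
```

The 0x00000000 line is deliberately not flagged: it is the default, and only the change to 3 (Protected Mode off) is worth an alert.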


The threat responds with a list of locations from which to fetch configuration files as well as other malicious payloads. In the instance we observed, we received the keylogging botnet NetWired.

NetWired leaves two files actively running which beacon to suspicious destinations. These processes collect and exfiltrate stolen data to the threat actors.

The NetWired botnet communicates with the following server IPs from our research:
  • 109[.]163[.]226[.]153
  • 213[.]152[.]162[.]99
  • 31[.]184[.]194[.]138
  • 46[.]161[.]1[.]172
  • 46[.]165[.]208[.]108
  • 46[.]20[.]33[.]82
  • 62[.]102[.]148[.]181
  • 95[.]211[.]229[.]148

Free iPhone6 scams

Lots of scam sites are offering a free iPhone 6 to lure victims into click-fraud attacks. Scam sites also ask for personal information like phone number, address, or e-mail address. Victims end up losing personal information that can be further leveraged in future scams. The screenshot below shows scammers doing their best to make a site look like an official Apple site.

Some scams also ask for shipping fees to collect additional funds as well as sensitive information.

Scammers leverage brand names to provide an air of legitimacy to their scam websites. Some examples we have seen:
  • http[:]//apple[.]com[-]freegiveaway[.]com
  • http[:]//applestore[.]officialfreegiveway[.]com/
  • http[:]//facebook[.]officialfreegiveway[.]com/
  • http[:]//8sd5ug[.]getafreeiphone6splustoday[.]com/
  • http[:]//giveaways[.]xyz/iphone[-]giveaway/
  • http[:]//iphone6[.]howtogetafree[.]eu/

We recently covered a fake app offering early access to Black Friday and Cyber Monday offers and deals. With the rise in mobile device usage for browsing and shopping activities, we expect to see more and more instances of such fake applications with exciting offers targeting mobile users.

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues through Christmas. The Zscaler ThreatLabZ team is working around the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:
  • Inspect the source of emails with enticing shopping deals. Be wary of any suspicious attachments
  • Steer clear of unofficial mobile application stores
  • Ensure HTTPS/secure connections to online retailers and banking sites
  • Check the authenticity of the URL or website address before clicking on a link
  • Stay away from e-mailed invoices - this is often a social engineering technique used by cyber criminals
  • Do not use insecure public WiFi for shopping
  • Use two-factor authentication whenever possible especially on sensitive accounts such as those used for banking
  • Always ensure that your operating system and web browser have the latest security patches installed
  • Use browser add-ons like Adblock Plus to block popups and potential malvertisements
  • Backup your documents and media files
  • Review the Identity Theft Guide and FAQ from the Federal Trade Commission.
Wishing you all a very Happy Thanksgiving!

Tuesday, November 24, 2015

This Thanksgiving, deals on your private data too

In a matter of years, we've seen Black Friday and Cyber Monday become two of the most anticipated days of the calendar year. While consumers eagerly await the chance to buy this season's hottest gifts, what they don't realize is that hackers are also anticipating a holiday treat: their personal data. This weekend, Zscaler uncovered a campaign in which malware authors turned the holiday shopping season into an opportunity to scam a large number of people by creating fake apps offering early access to Black Friday and Cyber Monday offers and deals.

The Zscaler research team recently came across one such fake Amazon app, which was disguised as a Black Friday deals app but was actually intended to collect the victim's personal data. The URL from which this fake app is downloaded is shown below:
  • URL :  http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk
From the URL it can be observed that the malware authors are using cybersquatting to fool the victim, portraying the site as a legitimate Amazon site.

Once the application is installed it disguises itself as a legitimate Amazon app.
When the user starts this installed fake Amazon app, it loads another app named "" as seen below.

Loading application dynamically
This newly loaded child application asks for administrative privileges and other risky permissions like sending SMS and dialing phone numbers.
The newly loaded app first registers itself as a service. Even if we remove the fake Amazon app, the "" app will stay persistent and keep doing its activity in the background. Once this malicious app is installed on the victim's phone, the fake Amazon application starts giving the error message "Device not supported with App". This pushes the victim to delete the fake Amazon app, thinking there were errors while installing it. As the malicious child app does not have an icon, it is quite difficult for ordinary users to remove.

The presence of this app can be seen in the Settings > Apps > Running Applications section of the device, as shown below.
Silently working in background

Administrative access
This loaded malicious application has code for harvesting the user's personal data.
The following code routine present in the app is used to collect the victim's browser history and bookmarks.
Browser data
It is also able to harvest the call logs and received inbox messages and segregate them into sender's numbers, SMS body, received incoming call number, contact name, etc. as shown below.
Call logs
Inbox messages
The malicious app also gathers the victim's contact details.
This particular piece of malware was also found to be communicating with an IP address in Canada, "198[.]50[.]169[.]251", on port 4467, probably sending the harvested data through a network socket.

Hard coded IP
The following packet capture shows the malware's communication with its C&C (Command and Control) server.

Packet Capture

Data being sent
Especially during this holiday season, consumers need to be aware of the applications they're downloading and stay away from such fake apps. Always install applications from legitimate app stores and websites. Be aware of the permissions requested by the application during installation: shopping apps should not be asking for access to your contacts or SMS. Keeping an eye on the permissions used by an app can save you from installing such fake apps.
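The permission advice above can be turned into a simple triage step for anyone reviewing an APK before installing it. The following Python script is an added example, not code from the post or from Zscaler; it reads an AndroidManifest.xml (the constructed manifest below is not the fake app's real manifest, it only mirrors the behaviour the post describes: device admin, SMS, phone, contacts and call log access), lists permissions a shopping app should never need, and reports whether a receiver is registered as a device administrator.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed manifest modelled on the behaviour the post describes; the package
# name and class names are placeholders, not values taken from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeshop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="Amazon Deals">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Permissions a shopping app has no business holding, with the plain-language
# reason a reviewer would give the user.
RISKY_FOR_SHOPPING: Dict[str, str] = {
    "android.permission.SEND_SMS": "can send premium-rate or spam SMS",
    "android.permission.READ_SMS": "can read inbox messages, including OTP codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.CALL_PHONE": "can dial numbers without the dialer UI",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.READ_CALL_LOG": "can harvest call history",
}


def requested_permissions(root: ET.Element) -> List[str]:
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def device_admin_receivers(root: ET.Element) -> List[str]:
    """Receivers guarded by BIND_DEVICE_ADMIN are the app's device-admin components."""
    return [el.get(NAME_ATTR, "") for el in root.iter("receiver")
            if el.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"]


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Score a manifest against what a shopping app should need and give a verdict."""
    root = ET.fromstring(manifest_xml)
    risky = {p: RISKY_FOR_SHOPPING[p] for p in requested_permissions(root)
             if p in RISKY_FOR_SHOPPING}
    admins = device_admin_receivers(root)
    score = len(risky) + (2 if admins else 0)   # device admin weighs more than one permission
    verdict = "reject" if score >= 3 else ("review" if score else "ok")
    return {"package": root.get("package"), "risky_permissions": risky,
            "device_admin_receivers": admins, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "->", result["verdict"], f"(score {result['score']})")
    for perm, why in result["risky_permissions"].items():
        print("  ", perm, ":", why)
    for rcv in result["device_admin_receivers"]:
        print("   device admin receiver:", rcv)
```

The manifest of a real APK is binary-encoded; decode it first (for example with apktool) before feeding it to this parser.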

Happy Thanksgiving to all !!

Monday, November 23, 2015

Pornography - A Favorite Costume For Android Malware

30% of Internet traffic is in some way related to pornography, and this is the primary reason why malware authors are using porn apps to infect large numbers of users. During recent data mining, we noticed an increasing volume of mobile malware using pornography (disguised as porn apps) to lure victims into different scams, stealing personal data, or locking phones and demanding ransom payments. We recently wrote about Android ransomware and an SMS Trojan leveraging pornography to scam victims. In this blog we share the analysis of two adult-themed malicious apps, an SMS Trojan and an Infostealer Trojan, that we recently spotted.

Case 1: SMS Trojan

Here we look at a Chinese SMS Trojan disguised as a porn app. Upon installation, the malware fools the victim by displaying random adult sites, steals sensitive information, and sends SMS messages to predetermined Chinese numbers in the background.
  • Name : 浴室自拍
  • URL:  http://yg-file.91wapbang[.]com/apk/appad/14461771841467103.apk?uid=ef2592f22af8c568f2b2993467a1e21a
  • Package Name : com.uryioen.lkhgonsd
  • Flagged by 6/53 AVs on VirusTotal at the time of analysis.
The malware installs the app with a lewd icon as shown below.
Once a user clicks on the icon, the user is directed to a random URL from an array defined in the main code module. Interestingly, all the URLs are encoded in base64 format.

Base64 URLs
List of URLs:
  • http://www.4493[.]com/star/sifang/ (aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=)
  • http://m.mnsfz[.]com/h/meihuo/ (aHR0cDovL20ubW5zZnouY29tL2gvbWVpaHVvLw==)
  • http://m.4493[.]com/gaoqingmeinv/ (aHR0cDovL20uNDQ5My5jb20vZ2FvcWluZ21laW52Lw==)
  • http://www.mm131[.]com/xinggan/ (aHR0cDovL3d3dy5tbTEzMS5jb20veGluZ2dhbi8=)
  • http://www.5542[.]cc/xingganmeinv/ (aHR0cDovL3d3dy41NTQyLmNjL3hpbmdnYW5tZWludi8=)
  • http://www.100mz[.]com/a/xingganmeinv/ (aHR0cDovL3d3dy4xMDBtei5jb20vYS94aW5nZ2FubWVpbnYv)
  • http://m.xgmtu[.]com/ (aHR0cDovL20ueGdtdHUuY29tLw==)
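Base64 is a common way for Android malware to keep its URL array out of plain string dumps, and the tokens above decode with nothing more than the standard library. The following Python script is an added example, not code from the post or from Zscaler; it decodes the seven tokens copied from the list above, tolerates the stray whitespace and stripped padding that copy-pasted tokens often carry, cross-checks each result against the defanged URL the post lists beside it, and re-defangs the output so it can be pasted into a report.

```python
import base64
from typing import List, Tuple

# The base64 tokens and the defanged URLs are copied from the post's list above;
# the last token keeps the stray leading space exactly as it was printed.
ENCODED_URLS = [
    "aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=",
    "aHR0cDovL20ubW5zZnouY29tL2gvbWVpaHVvLw==",
    "aHR0cDovL20uNDQ5My5jb20vZ2FvcWluZ21laW52Lw==",
    "aHR0cDovL3d3dy5tbTEzMS5jb20veGluZ2dhbi8=",
    "aHR0cDovL3d3dy41NTQyLmNjL3hpbmdnYW5tZWludi8=",
    "aHR0cDovL3d3dy4xMDBtei5jb20vYS94aW5nZ2FubWVpbnYv",
    " aHR0cDovL20ueGdtdHUuY29tLw==",
]
LISTED_DEFANGED = [
    "http://www.4493[.]com/star/sifang/",
    "http://m.mnsfz[.]com/h/meihuo/",
    "http://m.4493[.]com/gaoqingmeinv/",
    "http://www.mm131[.]com/xinggan/",
    "http://www.5542[.]cc/xingganmeinv/",
    "http://www.100mz[.]com/a/xingganmeinv/",
    "http://m.xgmtu[.]com/",
]


def decode_b64_url(token: str) -> str:
    """Decode one base64 token, dropping stray whitespace and restoring lost padding."""
    token = "".join(token.split())
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token, validate=True).decode("utf-8")


def refang(ioc: str) -> str:
    """Turn a report-style indicator back into a real URL for comparison."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    """Defang every dot in the host part so the URL is not clickable in a report."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}{sep}{host.replace('.', '[.]')}{slash}{path}"


def decode_all(tokens: List[str]) -> List[str]:
    return [decode_b64_url(t) for t in tokens]


def cross_check(tokens: List[str], listed: List[str]) -> List[Tuple[str, str, bool]]:
    """Pair each decoded token with the listed URL and say whether they agree."""
    return [(decoded, listed_url, decoded == refang(listed_url))
            for decoded, listed_url in zip(decode_all(tokens), listed)]


if __name__ == "__main__":
    for decoded, listed_url, ok in cross_check(ENCODED_URLS, LISTED_DEFANGED):
        print("OK      " if ok else "MISMATCH", defang(decoded))
```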
The malware collects all the device information in the background and sends it to a remote Command & Control (C&C) server as seen below.
Post Request
The C&C server responds back to the bot with further instructions as seen below.
The C&C response in the screenshot shows the malware receiving a phone number together with content that needs to be sent to that number via SMS. The following code shows how the malware parses this response and starts sending SMS messages.

Send SMS code
After sending the message, the malware sends another POST request notifying the C&C server about the sent SMS.

Post Request
  • C&C server - http[:]//www[.]mscdea[.]com:7981

This activity occurs once a day at a random time, when the malware sends a POST request to the C&C server and receives phone numbers with SMS content to be sent out.

The continuous SMS activity can lead to a significant financial loss for the victim. 

Case 2: Fake Ransomware stealing personal data

The malware in this case tries to scare the user with a warning screen accusing them of watching child porn. The malware steals the victim's personal data in the background and sends it to a C&C server.
  • URL: http://maturefuckporn[.]info/download/kyvcuwc/diper/video.apk (down at the time of writing)
  • App Name :  video
  • Package Name :
  • Flagged by 12/53 AV vendors on VirusTotal.

Upon installing the app on the device, the user sees a video player icon on the screen.
Once the user clicks on the icon, the malware displays a fake warning page as seen below. The warning page pretends to be from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is different from the classic FBI/Police ransomware pages.
Warning page
The malicious app does not ask for administrative privileges to lock the device and is fairly easy to remove; we did not find any code for locking the device. The malware harvests inbox messages, contacts & e-mail addresses, which are then relayed to a remote C&C server in the background.

Collecting data
The malware logs the harvested SMS messages & sender's phone number in a specific format to a temporary file as seen in the code snippet above.

C&C construction.
The screenshot above shows the C&C URI construction code. The file containing the stolen data is then sent to the remote C&C server as seen in the network capture below.

Post capture.
The stolen SMS messages being sent to the C&C server in a file.
Inbox messages
The stolen contacts & e-mail addresses being sent to the C&C in a file.
  • C&C server - http[:]//maturefucklist[.]com


We are seeing an increasing number of adult-themed Android malware apps using pornography to lure victims. To avoid becoming a victim of such malware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.

Friday, November 6, 2015

International Council of Women site leading to Nuclear & Kelihos


We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. During our EK hunting, we came across a popular multinational organization, the International Council of Women (ICW), that had been compromised and was leading users to a Nuclear EK landing site. The end user gets infected with the information-stealing Kelihos bot if the exploit cycle is successful.

Compromised site - ICW

The following screenshot shows the malicious iframe injected on the compromised website.

Compromised ICW web page

The malicious iframe leads users to a Nuclear EK landing site as seen below.

Nuclear EK redirection

The Nuclear EK landing page is heavily obfuscated to evade security software detection as shown below.

Nuclear EK landing page

Upon successful execution of the obfuscated JavaScript, a malicious Flash file is downloaded on the victim's machine as seen below.

Flash Exploit Download

Kelihos Payload Analysis

Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:


Final Payload Download

Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.

The malware executable is a Microsoft Visual C++ 6.0 compiled binary with custom-packed content stored in the executable's overlay section. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library, at the following locations:
  • %system32%\winpcap.dll
  • %system32%\Packet.dll
  • %system32%\drivers\npf.sys
Note: %system32% is c:\windows\system32

It uses hard-coded User-Agents from the following list when communicating with the remote host:

Crafted User-Agent
Kelihos tries to steal the login credentials of FTP and POP3 applications by monitoring the network traffic of the victim's machine using the installed WinPcap libraries. The bot checks for the presence of the following applications on the victim machine and attempts to steal login credentials, digital currency, and other information:
  • 3D-FTP
  • Bitcoin
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • Classic FTP
  • Core FTP
  • CuteFTP
  • Cyberduck
  • Directory Opus
  • FileZilla
  • Frigate3
  • FTPGetter
  • LeapFTP
  • FTPRush
  • xterm
  • PuTTY
  • SecureFX
  • SmartFTP
  • Bitcoin
  • BitKinex
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
  • Google\Chrome
  • Chromium
  • ChromePlus
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • CoolNovo
  • MapleStudio\ChromePlus
  • Yandex
Kelihos communicates with its Command & Control (C&C) servers over HTTP, with messages encrypted using the Blowfish symmetric-key algorithm.

Post Infection Communication


Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques, and new malware payloads. The final malware payload we saw in this campaign was the information-stealing Kelihos bot, which has extremely low AV detection.

ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.

Research by Dhanalakshmi PK and Rubin Azad

Tuesday, November 3, 2015

Chinese Government Website Compromised, Leads to Angler


Despite a recent takedown targeting the Angler Exploit Kit (EK), it's back to business as usual for kit operators. On 30-October-2015, ThreatLabZ noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of Cryptowall 3.0. This compromise does not appear targeted and the compromised site was cleaned up within 24 hours. We have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits. A set of indicators for this compromise is at the end of this post.

Compromised Site

The "Chuxiong Archives" website, www.cxda[.], was compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive, yet surprisingly the site was remediated in less than 24 hours. The full infection cycle from compromised site to encrypted payload is shown in the Fiddler session below.

Fig 1. Infection cycle
The injected code was before the opening HTML tag and was heavily obfuscated. The code, shown below, is very similar to other recent compromises we've observed and was present on every page of the site, suggesting a complete site compromise.

Fig 2. Injected script
Consistent with other recent examples, the injected code appears to target Internet Explorer (IE), since Firefox and Chrome consistently throw errors when attempting to execute the code and no redirection occurs. IE has no issues executing the code, which unsurprisingly decodes to an iframe leading to an Angler EK landing page:

Fig 3. Decoded injected code
While we did not have access to the server-side code, it likely retrieves landing page URLs from a remote server since we observed iframes leading to multiple different Angler domains within a brief period of time.
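Both compromises described in these posts (the malicious iframe injected into the ICW site and the obfuscated script placed before the opening HTML tag on the Chuxiong Archives site) can be caught by a site owner with a simple integrity check on the served HTML. The following Python script is an added example, not code from the post or from Zscaler; it flags script or iframe content that appears before the `<!DOCTYPE>`/`<html>` tag, and iframes that are hidden or sized to one pixel. The sample page is constructed for the example and is not either compromised site's real markup.

```python
import re
from typing import Dict, List, Optional

# Constructed page showing both patterns the posts describe: an obfuscated script
# before the opening <html> tag, and a 1x1 hidden iframe to a landing page.
SAMPLE_PAGE = """<script>var _0x=['\\x69\\x66\\x72']; eval(unescape('%64%6f'));</script>
<!DOCTYPE html>
<html>
<head><title>Archives</title></head>
<body>
<iframe src="http://ek-landing.example/" width="1" height="1" style="visibility:hidden"></iframe>
<p>Welcome</p>
</body></html>
"""

DOC_START_RE = re.compile(r"<!doctype\b|<html\b", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def attrs(tag_body: str) -> Dict[str, str]:
    """Parse the attributes of one tag into a lower-cased name -> value dict."""
    return {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in ATTR_RE.findall(tag_body)}


def _dim(value: Optional[str]) -> Optional[int]:
    """Turn '1', '1px' or '600' into an int; None when absent or non-numeric."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def find_preamble_injection(html: str) -> Optional[str]:
    """Anything executable before the document starts is not the CMS's own output."""
    m = DOC_START_RE.search(html)
    preamble = html[:m.start()] if m else ""
    if re.search(r"<script\b|<iframe\b", preamble, re.IGNORECASE):
        return preamble.strip()[:80]
    return None


def find_hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Report iframes that are 1px or smaller, or hidden via inline style."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = attrs(m.group(1))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any((_dim(a.get(k)) or 0) <= 1 for k in ("width", "height")
                   if _dim(a.get(k)) is not None)
        hidden = "visibility:hidden" in style or "display:none" in style
        if tiny or hidden:
            hits.append({"src": a.get("src", ""), "reason": "tiny" if tiny else "hidden"})
    return hits


def scan_page(html: str) -> Dict[str, object]:
    return {"preamble_injection": find_preamble_injection(html),
            "hidden_iframes": find_hidden_iframes(html)}


if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    if report["preamble_injection"]:
        print("[!] content before <html>:", report["preamble_injection"])
    for hit in report["hidden_iframes"]:
        print("[!] hidden iframe:", hit["reason"], hit["src"])
```

Run it against a periodic fetch of each page and diff the result against a known-good baseline; the post notes the injected script was present on every page, so a single clean page is not proof the site is clean.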

Landing Page

The landing page for Angler is immediately recognizable, but with some notable recent changes. For example, instead of using a long block of roughly seven-character strings inside div tags, the newer landing pages use 'li' tags and most of the strings are only about two characters long. Additionally, there's a conspicuous 'triggerApi' function toward the top of the main script block:

Fig 4: Short strings and triggerApi function
Outside of these changes, the functionality of the landing page appears unchanged, and the goal is naturally to serve up a malicious SWF:

Fig 5. Decoded landing page SWF objects

Malicious SWF - CVE-2015-7645

Kafeine already broke the news that Angler is exploiting Flash, and we can corroborate that with the samples we've observed.
Fig 6. Flash being exploited
In fact, we compared the sample from his recent post with one obtained from this infection, and the structure is identical, with very few changes in the ActionScript. The biggest change we saw was in the embedded binary data.

Fig 7. SWF structure, 30-Oct sample on the left, Kafeine's sample on the right

Fig 8. Comparison of binary data, 30-Oct sample on the left, Kafeine's sample on the right
Upon a successful exploit cycle, a new CryptoWall 3.0 variant from the crypt13 campaign is downloaded and installed on the target machine. The image below shows a decrypted Command & Control (C&C) message from the CryptoWall variant, which also contains the total number of files encrypted on the target system:

Fig 9. CryptoWall 3.0 C&C message reporting encrypted file count

Final Thoughts

As stated, this seems to be business as usual for Angler EK operators. While these attacks were not targeted in nature, this is the first instance where we saw EK operators leveraging a government site to target end users. One interesting observation is that we no longer see any Diffie-Hellman POST exchange to prevent replaying captured sessions for offline analysis. Additionally, there was a much larger number of C&C servers than we've previously observed, and some of the domain names seem to suggest multi-use hosts (e.g. spam, bitcoin mining, etc.). Note that none of the C&C servers are pseudo-randomly generated domains. ThreatLabZ will continue to track new developments with the Angler Exploit Kit.

Indicators of Compromise

Domain | IP Address | Description
[.]cn | 118.123.7.122 | Chinese government site
erteilend-taendelt.sewnydine[.]com | 104.129.192.32 | Angler Domain
repersuasionboldoblique.classactoutlet[.]com | 104.129.192.32 | Angler Domain
ayh2m57ruxjtwyd5.stopmigrationss[.]com | 95.128.181.195 | Payment Server
ayh2m57ruxjtwyd5.starswarsspecs[.]com | failed | Payment Server
ayh2m57ruxjtwyd5.malerstoniska[.]com | 109.70.26.37, | Server
ayh2m57ruxjtwyd5.blindpayallfor[.]com | 95.128.181.195 | Payment Server
flat.splo1t[.]ru | 188.127.239.164 | C&C connections
sanliurfapastanesi[.]com | 95.173.190.210 | C&C connections
wesalerx[.]xyz | 46.148.18.100 | C&C connections
urfakaplanticaret[.]com | 95.173.190.210 | C&C connections
taigastyle[.]ru | 37.140.192.180 | C&C connections
flickstudio[.]com | 103.21.59.22 | C&C connections
mydaycarewebsite[.]com | 104.24.102.98, | connections
sampiyonvitamin[.]com | 95.173.190.210 | C&C connections
xmest.web-zolotareva[.]ru | 82.146.36.185 | C&C connections
aandwrentalspm[.]com | 142.4.6.13 | C&C connections
orucogluelektronik[.]com | 95.173.190.210 | C&C connections
gaja24[.]pl | 91.234.146.241 | C&C connections
developmysuccess[.]com | 50.30.46.201 | C&C connections
20dollarhomebusiness[.]com | 50.30.46.201 | C&C connections
rizvanogluhafriyat[.]com | 95.173.190.210 | C&C connections
sanliurfapastanesi[.]com | 95.173.190.210 | C&C connections
newatena[.]com | 95.173.190.210 | C&C connections
stalkerbanget[.]com | 68.65.120.182 | C&C connections
primevisionstudio[.]com | 192.185.206.97 | C&C connections
i-tem[.]ru | 62.173.143.242 | C&C connections
localuzzweb[.]com | 143.95.32.179 | C&C connections
getpostivemind[.]com | 158.85.170.253 | C&C connections
zemli72.chaukakau[.]ru | 62.173.143.242 | C&C connections
grandmedianetwork[.]com | 111.118.215.77 | C&C connections
karakoprudugunsalonu[.]com | 95.173.190.210 | C&C connections
sanliurfaparke[.]com | 95.173.190.210 | C&C connections
nsdstudio[.]net | 192.185.206.97 | C&C connections
meble-simone[.]eu | 91.234.146.241 | C&C connections
vsedveri33[.]ru | 81.177.165.33 | C&C connections
osk-wojcikiewicz[.]pl | 91.234.146.241 | C&C connections
love-deep[.]com | 111.118.215.77 | C&C connections
turizmkirov[.]ru | 82.146.36.185 | C&C connections
new.turizmkirov[.]ru | 82.146.36.185 | C&C connections
avtoreliv[.]com.ua | 91.234.34.80 | C&C connections
localwebsitepro[.]com | 192.185.41.191 | C&C connections
makrol[.]net | 91.234.146.241 | C&C connections
altopics[.]com | 111.118.215.77 | C&C connections
burnfatquicky[.]com | 184.168.221.57 | C&C connections
mediaopt33[.]ru | 81.177.165.33 | C&C connections
otmanad[.]com | 91.234.146.241 | C&C connections
markossolomon[.]com | 104.27.181.171, | connections
kominki-gorlice[.]pl | 91.234.146.241 | C&C connections
chaukakau[.]ru | 62.173.143.242 | C&C connections
crm.ruhtech[.]com | 202.160.165.21 | C&C connections
takas3aya.xsrv[.]jp | 183.90.232.25 | C&C connections
famouswhiskybrands[.]com | 103.21.59.21 | C&C connections
edwardbrownjr[.]com | 50.30.46.201 | C&C connections
avatar77[.]ru | 62.173.143.242 | C&C connections
bollywoodupdate[.]net | 95.173.190.210 | C&C connections
asiaroyaldeveloper[.]com | 103.21.59.22 | C&C connections
asattyres[.]com | 192.185.206.97 | C&C connections
records.karika[.]in.ua | 91.234.34.80 | C&C connections
ppcprofitz[.]com | 143.95.32.180 | C&C connections
ecodeva[.]ru | 62.173.143.242 | C&C connections
btcdoubler[.]biz | failed | C&C connections
18dollars1time[.]info | 50.30.46.201 | C&C connections
urfaeleganceoptik[.]com | 95.173.190.210 | C&C connections
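An indicator table like the one above is only useful once it is normalized: indicators are defanged, a few lookups are recorded as "failed", one domain appears twice, and the post's own observation that many C&C domains share hosts is easier to see when rows are grouped by IP. The following Python script is an added example, not code from the post or from Zscaler; it works on a subset of rows copied from the table (including the duplicate and two "failed" entries), refangs the domains, drops rows that are not valid addresses, groups domains by IP to surface shared hosts, and emits a flat blocklist.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple


class Indicator(NamedTuple):
    domain: str
    ip: Optional[str]   # None when the post recorded the lookup as "failed"
    role: str


# Rows copied from the table above (a subset). The duplicate sanliurfapastanesi
# row and the two "failed" lookups are kept on purpose to exercise the cleanup.
SAMPLE_ROWS: Sequence[Tuple[str, str, str]] = [
    ("erteilend-taendelt.sewnydine[.]com", "104.129.192.32", "Angler Domain"),
    ("repersuasionboldoblique.classactoutlet[.]com", "104.129.192.32", "Angler Domain"),
    ("ayh2m57ruxjtwyd5.stopmigrationss[.]com", "95.128.181.195", "Payment Server"),
    ("ayh2m57ruxjtwyd5.starswarsspecs[.]com", "failed", "Payment Server"),
    ("flat.splo1t[.]ru", "188.127.239.164", "C&C connections"),
    ("sanliurfapastanesi[.]com", "95.173.190.210", "C&C connections"),
    ("urfakaplanticaret[.]com", "95.173.190.210", "C&C connections"),
    ("sanliurfapastanesi[.]com", "95.173.190.210", "C&C connections"),
    ("newatena[.]com", "95.173.190.210", "C&C connections"),
    ("btcdoubler[.]biz", "failed", "C&C connections"),
]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def parse_rows(rows: Sequence[Tuple[str, str, str]]) -> List[Indicator]:
    """Normalize rows: refang, validate the IP column, drop exact duplicates."""
    seen = set()
    indicators: List[Indicator] = []
    for domain, ip_text, role in rows:
        domain = refang(domain).strip().lower()
        try:
            ip: Optional[str] = str(ipaddress.ip_address(ip_text.strip(" ,")))
        except ValueError:          # "failed" or any other non-address text
            ip = None
        key = (domain, ip)
        if key in seen:
            continue
        seen.add(key)
        indicators.append(Indicator(domain, ip, role))
    return indicators


def group_by_ip(indicators: List[Indicator]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = defaultdict(list)
    for ind in indicators:
        if ind.ip:
            groups[ind.ip].append(ind.domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


def shared_hosts(indicators: List[Indicator], min_domains: int = 2) -> List[str]:
    """IPs hosting at least min_domains indicator domains, busiest first."""
    ranked = sorted(group_by_ip(indicators).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [ip for ip, domains in ranked if len(domains) >= min_domains]


def to_blocklist(indicators: List[Indicator]) -> List[str]:
    """Flat 'domain:' / 'ip:' lines, deduplicated and sorted, for a proxy or firewall."""
    domains = sorted({ind.domain for ind in indicators})
    ips = sorted({ind.ip for ind in indicators if ind.ip}, key=ipaddress.ip_address)
    return [f"domain:{d}" for d in domains] + [f"ip:{ip}" for ip in ips]


if __name__ == "__main__":
    inds = parse_rows(SAMPLE_ROWS)
    for ip in shared_hosts(inds):
        print(ip, "->", ", ".join(group_by_ip(inds)[ip]))
    print("\n".join(to_blocklist(inds)))
```

Domains whose lookup failed still go on the domain blocklist; only the IP side is skipped for them, since there is no address to block.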