Wednesday, November 26, 2014

Defaced websites leading to Dokta Chef Exploit Kit and CVE-2014-6332

Defacing websites has been the mainstay of hacktivist groups seeking to spread their message. During recent research, we found multiple compromised websites containing a malicious link to a "lulz.htm" page, which in turn leads the user to a site hosting the Dokta Chef Exploit Kit (EK). This appears to be a new tactic whereby a hacktivist group has escalated its activities by attacking the users who visit the defaced sites. This is out of character for such groups, which generally seem more interested in disrupting private-sector compliance with government entities than in targeting end users.

The contact information provided on the defacement page shows that the culprits of this attack are claiming to be part of the "AnonGhostTeam" group, based on the associated Twitter account.  This group has targeted numerous Government and Mass Media websites in the past including:
The defaced pages have been lifted in most cases, leaving only a Zone-H mirror

Written in Beautiful Comic Sans
The defaced websites were found to be hosting a page called "lulz.htm", which contains highly obfuscated JavaScript code leading users into a Dokta Chef EK infection cycle.

Obfuscated JavaScript on the compromised sites

CVE-2014-6332 exploit

The Dokta Chef EK was serving a malicious payload for a recently disclosed Microsoft vulnerability, CVE-2014-6332, which allows remote code execution when the user visits a specially crafted web page using Internet Explorer (IE). The vulnerability is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory. The vulnerable code has been present in the OleAut32 library since IE version 3.0 and was recently fixed in MS14-064.

The attacker is targeting only 32-bit Windows operating systems and also ensures that the user's browser is IE, as seen in the exploit code snippet above. The exploit cycle terminates if any of the following conditions is true:
  • The user is browsing from a 64-bit Windows operating system
  • The user is browsing from a non-Windows operating system
  • The user's browser is not IE

If the IE version used by the victim is lower than 4, the runshellcode() routine is invoked, skipping the CVE-2014-6332 exploit cycle. If the version used is higher than 3, the setnotsafemode() routine is invoked to exploit the CVE-2014-6332 vulnerability.

The CVE-2014-6332 vulnerability is triggered by using an abnormally large array in conjunction with the ReDim Preserve statement, as shown in the VBScript exploit code snippet above.
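As an added example (not code from the original post or from the exploit kit), the following Python models the two decisions described above from the defender's side: which client profiles the landing page would even attempt, based on the User-Agent gating the post lists, and whether a captured page carries the VBScript markers the CVE-2014-6332 trigger relies on. The branch names reuse the routine names quoted in the post; the User-Agent strings and the sample page are constructed, and treating a Trident/rv: token as IE 11 is an assumption of mine rather than something the post states.

```python
import re

# Added example, not from the original post. Models the EK's gating logic
# and a content heuristic for the VBScript ReDim Preserve trigger.

def ek_branch(user_agent):
    """Return the path the landing page takes for a client, per the post:
    non-Windows, 64-bit Windows and non-IE clients terminate the chain;
    IE < 4 goes to runshellcode(); IE >= 4 goes to setnotsafemode()."""
    ua = user_agent
    if "Windows" not in ua:
        return "terminate"            # non-Windows operating system
    if "WOW64" in ua or "Win64" in ua or "x64" in ua:
        return "terminate"            # 64-bit Windows is skipped
    m = re.search(r"MSIE (\d+)", ua)
    if not m:
        # Assumption: IE 11 identifies itself with Trident/... rv:11.0
        m = re.search(r"Trident/.*\brv:(\d+)", ua)
    if not m:
        return "terminate"            # browser is not IE
    return "runshellcode" if int(m.group(1)) < 4 else "setnotsafemode"

# Markers a page carrying this trigger tends to combine: a VBScript block,
# a ReDim Preserve statement, and client checks for Win32 / MSIE.
VBSCRIPT_TAG = re.compile(
    r'<script[^>]*(?:language\s*=\s*["\']?vbscript|type\s*=\s*["\']?text/vbscript)', re.I)
REDIM_PRESERVE = re.compile(r"\bredim\s+preserve\b", re.I)
WIN32_CHECK = re.compile(r"\bWin32\b")
MSIE_CHECK = re.compile(r"\bMSIE\b")

def page_indicators(html):
    return {
        "vbscript": bool(VBSCRIPT_TAG.search(html)),
        "redim_preserve": bool(REDIM_PRESERVE.search(html)),
        "checks_win32": bool(WIN32_CHECK.search(html)),
        "checks_msie": bool(MSIE_CHECK.search(html)),
    }

def is_suspicious(html):
    """Flag pages that combine VBScript + ReDim Preserve + client gating."""
    ind = page_indicators(html)
    return ind["vbscript"] and ind["redim_preserve"] and (ind["checks_win32"] or ind["checks_msie"])

# Constructed sample page: carries the markers only, no exploit logic.
SAMPLE_PAGE = """<html><body>
<script>
if (navigator.platform != "Win32" || navigator.userAgent.indexOf("MSIE") < 0) { /* leave */ }
</script>
<script language="VBScript">
Dim arr()
ReDim Preserve arr(16)
</script>
</body></html>"""

if __name__ == "__main__":
    for ua in ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
               "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)",
               "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"):
        print(ek_branch(ua), "<-", ua)
    print("suspicious:", is_suspicious(SAMPLE_PAGE))
```

In a sandbox, `ek_branch` tells you which User-Agent to present to observe the full chain; in a proxy, `is_suspicious` is a cheap first-pass filter for pages worth a closer look, not a signature on its own.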

At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity.

The Zscaler ThreatLabZ team has deployed multiple protections against this threat and is actively monitoring the malicious activity surrounding this mass compromise.

Tuesday, November 25, 2014

Beware of Phishing Attacks and Other Scams during the Thanksgiving Shopping Season

Thanksgiving Day is one of the major holidays celebrated in the United States, on the fourth Thursday in November. The following Friday, referred to as Black Friday, marks the start of the Christmas holiday shopping season. Almost every retailer, large and small, offers huge discounts on Black Friday, often extending through the weekend and the following Monday, now known as Cyber Monday.

As we near Thanksgiving and the start of the holiday shopping frenzy, we’re observing a sharp increase in cyber scams and phishing activities targeting online shoppers. As shoppers look for the best deals available, cybercriminals are quick to take advantage of unsuspecting users.

Increase in online shopping transactions

Every year during this timeframe, we observe a noticeable spike in the total number of web transactions within the Shopping category. We have shared this trend in our previous blogs as well ([1],[2]).

Last year, we saw around 2.71% of all the web transactions categorized as Shopping and this year is no different. We currently see that 2.63% of total web transactions belong to the Shopping category and we expect this number to rise as we approach the end of the month. The following chart shows that the number of Shopping transactions has increased steadily throughout November.

Cyber Scams and Phishing attacks

The increase in Shopping activity comes with an unwelcome increase in phishing attempts. Phishing is a well-known attack method, often used by attackers to steal sensitive information like authentication credentials, credit card numbers and personal information. We have already seen a large spike in phishing and spam activity specifically targeting the Thanksgiving, Black Friday and Cyber Monday events. The following graph shows the phishing transactions for this month that have been blocked by Zscaler:

We caution consumers to be extra vigilant this holiday season when shopping online. Here are some examples of phishing attempts that we have blocked:

Walmart phishing attempt:


Amazon phishing attempt:

Ebay phishing attempt:


The motive behind these attempts is to steal sensitive user information which includes personal credentials and financial data. Cybercriminals often use this stolen information for illicit activities resulting in monetary gain.

More phishing sites targeting online retailers:
  • Ebay - hxxp://124[.]150[.]140[.]133/~ritenfad/viewitem/dll/88322933932/
  • Walmart - hxxp://ofertaswalmart[.]
  • Walmart - hxxp://walmartfriday[.]net/
  • Amazon - hxxp://zekocase[.]com/._ama_c0nf1rm/info_bill/login.php
  • Amazon - 213[.]13[.]119[.]152/am/

Fake Black Friday/Cyber Monday/Thanksgiving related sites:
  • hxxp://sfspr[.]org/?hid=hollister-cyber-monday-cyber-monday-sale
  • hxxp://cyber-shop[.]net
  • hxxp://www[.]ocdiagnostics[.]net/?id=louboutin-loafers-cyber-monday-deals
  • hxxp://koeriersdienstdemolen[.]nl/wp-content/languages/?page=toms-soap-cyber-monday-2014
  • hxxp://devillevacaville[.]com/?tid=cyber-monday-toms-canada
  • hxxp://[.]uk/?mid=mulberry-bags-cyber-monday-deals
  • hxxp://[.]br/?hid=hollister-girls-cyber-monday-2014
  • hxxp://dl5.iq11download[.]com/lm/lmdisc2/thanksgivingss.exe
  • hxxp://www[.]americanasblackfriday[.]esy[.]es
  • hxxp://www[.]systempackaging[.]com/images/ugg/black-friday-uggs-p-35.html
  • hxxp://busycatholicmoms[.]com/2013/11/26/new-articles-and-happy-thanksgiving/
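The lists above use the usual defanging convention (hxxp:// and [.]) so the indicators cannot be clicked by accident. As an added example that is not part of the original post, the Python below refangs such entries into a hostname blocklist, skips entries that are truncated in the post (such as the bare [.]uk and [.]br items), and checks constructed proxy-log URLs against it. The log URLs are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the original post: refang defanged IOCs into a
# hostname blocklist and match request URLs against it.

# A subset of the indicators quoted in the post, kept defanged as written.
DEFANGED_IOCS = [
    "hxxp://124[.]150[.]140[.]133/~ritenfad/viewitem/dll/88322933932/",
    "hxxp://ofertaswalmart[.]",                                  # truncated in the post
    "hxxp://walmartfriday[.]net/",
    "hxxp://zekocase[.]com/._ama_c0nf1rm/info_bill/login.php",
    "213[.]13[.]119[.]152/am/",                                   # no scheme in the post
    "hxxp://cyber-shop[.]net",
    "hxxp://www[.]ocdiagnostics[.]net/?id=louboutin-loafers-cyber-monday-deals",
    "hxxp://[.]uk/?mid=mulberry-bags-cyber-monday-deals",        # truncated in the post
]

# Hostname shape check: dotted labels, each starting and ending alphanumeric.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]{2,}$")

def refang(ioc):
    """Undo hxxp:// and [.] defanging; assume http:// when no scheme is given."""
    s = ioc.strip().replace("[.]", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    if "://" not in s:
        s = "http://" + s
    return s

def build_blocklist(iocs):
    """Extract usable hostnames; drop truncated or malformed entries."""
    hosts = set()
    for ioc in iocs:
        host = urlsplit(refang(ioc)).hostname or ""
        if HOST_RE.match(host):
            hosts.add(host)
    return hosts

def matching_requests(urls, blocklist):
    """Return the request URLs whose host is on the blocklist."""
    return [u for u in urls if (urlsplit(u).hostname or "") in blocklist]

# Constructed proxy-log URLs for the demo.
SAMPLE_REQUESTS = [
    "http://walmartfriday.net/deals/index.html",
    "https://www.example.com/checkout",
    "http://213.13.119.152/am/login.php",
]

if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    print(sorted(bl))
    print(matching_requests(SAMPLE_REQUESTS, bl))
```

The shape check is what keeps a truncated indicator from turning into an empty or ".uk" entry that would never match, or worse, would match far too much if the matching were later loosened to suffix matching.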

Sample of subjects used in spam e-mail messages targeting online shoppers:

  • Get Stylish-furniture At Discount
  • Checkout tire sales for Black Friday
  • Make the Most of Black Friday, with A New smart-phone
  • Brand name laptops on sale for BlackFriday
  • [Black Friday Starts EARLY]Saveup to 90% +FREE BonusItems!
  • Walmart One Day Specials BlackFriday
  • Shop Black Friday sales to upgrade furniture
  • Thanksgiving Specials and BlackFriday Discounts!
  • New Early BlackFriday Door busters are Added EveryDay
  • Shop Black Friday to find discounts on electronics
  • Search major Savings on laptops...On black-friday
  • Limited Time Black Friday Deal
  • 10% off Site-Wide. Get Your Black Friday Shopping Started Today!

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues until Christmas. The Zscaler ThreatLabZ team is working round the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:
  • Inspect the source of e-mails with shopping deals
  • Ensure HTTPS/secure connections to online retailers and banking sites
  • Check the authenticity of the URL or website address before clicking on a link
  • Stay away from e-mailed invoices; this is often a social engineering technique used by cybercriminals
  • Do not use insecure public Wi-Fi for shopping
  • Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
  • Always ensure that your operating system and web browser have the latest security patches installed
  • Use browser add-ons like Adblock Plus to block pop-ups and potential malvertisements
  • Back up your documents and media files

Wishing you all a very Happy Thanksgiving and don’t spend too much!

Credit for analysis: Rubin Azad, Uday Pratap Singh

Wednesday, November 12, 2014

Evolution of Upatre Trojan Downloader


Upatre is a Trojan downloader family that, once installed, is responsible for stealing information and downloading additional malware onto the victim machine. It typically arrives via spammed e-mail messages from the Cutwail botnet, either as an attachment or via a URL pointing to a remote hosting site. We are also seeing exploit kits being used as a vector for Upatre infections in the wild.

Upatre Downloader cybercrime network

Upon successful infection, Upatre has been responsible for downloading malicious payloads from known malware families such as:
  • Zeus (Zbot) banking Trojan
  • Rovnix Volume Boot Record (VBR) bootkit
  • Dyreza (DYRE) banking Trojan
The Upatre malware family was first discovered in August 2013 and exponentially increased its infection rates by October 2013. With the demise of the popular Blackhole Exploit Kit in October 2013, many malware authors resorted to traditional spam with the Upatre Trojan downloader as the delivery medium for the ultimate payload, which also contributed to the increase in infections.

The Upatre malware authors have deployed multiple new techniques over the past year, which is why it is one of the most prevalent malware families today. Some of the features that we have tracked include:
  • Password protected attachments - This makes the e-mail look more legitimate and confidential
  • Spammed as an attachment inside an attachment - The spammed e-mail messages contained another e-mail message (*.msg, *.eml) as an attachment which contains the actual Upatre archive attachment
  • Email messages containing a URL pointing to the actual payload
  • Randomized header bytes and encrypted malware downloads to evade detection
  • Usage of SSL encryption for Command & Control (C2) communication and subsequent malware downloads

Recent Attacks

We have seen an increase in the number of Upatre Downloader infections occurring through spammed messages containing fake invoices or voice-mail messages in the past month. The final payload being downloaded from these recent Upatre infections tends to be the Dyreza Banking Trojan. Below is a sample e-mail message from this campaign:

Cutwail spam e-mail leading to Upatre

If the user clicks on the link in the e-mail, they will be redirected to the same site with additional information identifying the operating system in the URI before serving the payload as seen here:
GET /documents/invoice_101114_pdf.php?h=[3 digit integer]&w=[4 digit integer]&ua=[User-Agent String]&e=1 HTTP/1.1
The user will then be prompted to download a zipped archive file, which contains a new variant of the Upatre Trojan downloader as seen below:

Upatre download in an archive

The user is redirected to a legitimate site (i.e. "") if the operating system is not supported, or at the end of the download cycle.
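The request shape quoted above (invoice_<date>_pdf.php with h, w, ua and e parameters) is specific enough to be a useful network indicator. The following Python is an added example, not code from the original post: it encodes that shape as a check and runs it over a few constructed proxy-log lines. Only the URI pattern comes from the post; the hostnames, client addresses and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not from the original post: detect the Upatre landing
# request pattern  /documents/invoice_<6 digits>_pdf.php?h=<3 digits>&w=<4 digits>&ua=...&e=1

UPATRE_PATH = re.compile(r"^/documents/invoice_\d{6}_pdf\.php$")

def is_upatre_landing(url):
    """True when the URL matches the parameterised request the post describes."""
    parts = urlsplit(url)
    if not UPATRE_PATH.match(parts.path):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    h = q.get("h", [""])[0]
    w = q.get("w", [""])[0]
    return (re.fullmatch(r"\d{3}", h) is not None
            and re.fullmatch(r"\d{4}", w) is not None
            and "ua" in q
            and q.get("e", [""])[0] == "1")

# Constructed proxy log: timestamp, client IP, method, URL, status.
# Line 2 is the un-parameterised first hop (the link as sent in the e-mail).
SAMPLE_LOG = """\
2014-11-12T10:01:02Z 10.0.0.15 GET http://invoice-host.test/documents/invoice_101114_pdf.php?h=800&w=1280&ua=Mozilla%2F5.0&e=1 200
2014-11-12T10:01:05Z 10.0.0.15 GET http://invoice-host.test/documents/invoice_101114_pdf.php 302
2014-11-12T10:02:11Z 10.0.0.22 GET http://www.example.com/documents/report.pdf 200
2014-11-12T10:03:40Z 10.0.0.31 GET http://other-host.test/documents/invoice_111114_pdf.php?h=768&w=1024&ua=Mozilla%2F4.0&e=1 200
"""

def find_upatre_hits(log_text):
    """Return (timestamp, client, host) for each matching GET in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, _status = fields[:5]
        if method == "GET" and is_upatre_landing(url):
            hits.append((ts, client, urlsplit(url).hostname))
    return hits

if __name__ == "__main__":
    for hit in find_upatre_hits(SAMPLE_LOG):
        print("possible Upatre landing request:", hit)
```

The un-parameterised first request is deliberately not flagged: it is just a link click, and the redirect that appends the client profile is what distinguishes this campaign from an ordinary PHP download page.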

The Upatre executable masquerades as a PDF document as seen here:

Upatre executable with PDF icon

The infection cycle begins once the user opens the enclosed executable file. It makes a copy of itself as "%Temp%\pvavq.exe" and runs it. The newly launched process "pvavq.exe" then deletes the original executable "invoice10-11-14_pdf.exe". It connects to a remote C2 server over TCP port 40007 to report the infection and supply information such as the month and year of the spammed binary, the victim computer name and operating system information.

Upatre network communication

It further downloads the Dyreza banking Trojan in an encrypted form as "%Temp%\utt214.tmp" on the victim machine to evade network detection. It then decrypts the downloaded payload as "%Temp%\EXE1.exe" and executes it. This will initiate the Dyreza banking Trojan infection cycle.

Dyreza banking Trojan encrypted and decrypted payload

This variant uses an incremental 4-byte XOR key in the decryption routine as opposed to the hardcoded key we have seen before.
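To show what that change means for an analyst recovering the downloaded Dyreza payload, here is an added Python example (not Upatre's own routine) that implements a fixed-key XOR beside an incrementing-key XOR and recovers the key from a captured blob using the known PE header. It assumes the key is applied per 32-bit little-endian word and incremented by one after each word; the post does not give the exact increment or byte order, so that is an assumption of mine, and the payload and keys below are constructed.

```python
import struct

# Added example, not Upatre's code. ASSUMPTION: 4-byte key applied per
# little-endian dword, incremented by `step` after each dword. XOR is its
# own inverse, so the same routine encrypts and decrypts.

def _xor_words(data, key, step):
    out = bytearray()
    k = key & 0xFFFFFFFF
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        padded = chunk + b"\0" * (4 - len(chunk))   # last word may be short
        (word,) = struct.unpack("<I", padded)
        out += struct.pack("<I", word ^ k)[:len(chunk)]
        k = (k + step) & 0xFFFFFFFF
    return bytes(out)

def xor_fixed(data, key):
    """Hard-coded key: every dword XORed with the same value."""
    return _xor_words(data, key, step=0)

def xor_incremental(data, key, step=1):
    """Incremental key: dword i XORed with key + i*step (mod 2**32)."""
    return _xor_words(data, key, step)

DOS_STUB = b"This program cannot be run in DOS mode"

def looks_like_pe(data):
    return data[:2] == b"MZ" and len(data) >= 0x40

def recover_key(encrypted, known_prefix=b"MZ\x90\x00"):
    """Known-plaintext recovery of the first key word from the MZ header."""
    (c,) = struct.unpack("<I", encrypted[:4])
    (p,) = struct.unpack("<I", known_prefix[:4])
    return c ^ p

def try_decrypt(encrypted):
    """Recover the key, then test the fixed and incremental schemes.
    Only a scheme that also reproduces the DOS stub is accepted, since the
    header alone is satisfied by both."""
    key = recover_key(encrypted)
    for name, step in (("fixed", 0), ("incremental", 1)):
        plain = xor_incremental(encrypted, key, step)
        if looks_like_pe(plain) and DOS_STUB in plain:
            return name, key, plain
    return None, key, None

# Constructed stand-in for a PE: MZ header, zero padding, DOS stub text.
SAMPLE_PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                  + b"\x00" * 0x30
                  + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                  + DOS_STUB + b".\r\r\n$\x00")

if __name__ == "__main__":
    blob = xor_incremental(SAMPLE_PAYLOAD, 0x1337BEEF)   # constructed key
    scheme, key, plain = try_decrypt(blob)
    print(scheme, hex(key), plain == SAMPLE_PAYLOAD)
```

The practical point is that a static XOR signature on the downloaded blob stops working once the key rolls per word, while known-plaintext recovery against the PE header still does; the DOS-stub check is what tells the two schemes apart after the first word.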

Part of Upatre decryption routine for downloaded payload

The following screenshot shows the custom User-Agent string and hard-coded remote server locations we found during our Upatre binary analysis:

unpacked Upatre binary

Indicators of Compromise

Here is a sample list of HTTP requests that will provide a good indication of an Upatre and Dyreza compromise on your network:

Upatre indicators of compromise

Additionally, we have seen the following three hard-coded User-Agent strings being used for the HTTP requests in the Upatre variants that we have analyzed:

The Upatre Trojan downloader family continues to evolve and is one of the most prevalent malware families at present. It continues to add new malware to its cyber crime pay-per-install nexus, serving as a vector for downloading and installing additional malware family payloads.

Zscaler ThreatLabZ is actively monitoring this threat and ensuring full security coverage for our customers.

Monday, October 27, 2014

Crypto-Ransomware Running Rampant

There's no doubt that ransomware is one of the most popular malware threats of 2014. Zscaler is not alone in this opinion, as other security firms have observed up to a 700% increase in infections involving ransom-like malicious activity on victim PCs. It's no wonder the attacks are so effective when, for example, the delivery mechanism is designed to impersonate a legitimate service such as a harmless eFax.

This link is seen from a phishing e-mail.
Ransomware attacks can be monetized quickly and efficiently without the need to create a large scale botnet or expose the attacker's affiliate ID via click-fraud schemes. We've seen multiple attack vectors leveraged to target end users. Some vectors we have monitored include phishing email links or a malvertising campaign which leverages exploit kit distribution. Attackers will often pose as legitimate services, such as a law enforcement agency or a mass media outlet, in order to lure the unsuspecting victim into their scheme.

We recently encountered a ransomware campaign leveraging phishing e-mails purporting to be from the Australian Postal Service.
The spam campaign themes used by the attackers involve tracking services or mobile invoices containing a link to the malicious content. Upon completion of a CAPTCHA, the user is provided a zip file which contains a malicious executable posing as a PDF document.

At the time of research, this particular file showed a detection rate of 16/53 antivirus engines on VirusTotal. Before the victim even has a chance to realize their mistake, they are greeted by a message informing them of just how impacted they are.

It's rare for a piece of malware to name itself to the victim...

The goal of Cryptolocker or any other crypto-ransomware attack is to encrypt personal files and hold them hostage. The attacker encrypts the files using a specific key which is either obtained during the phone-home request to a Command & Control (C2) server or hard-coded within the malicious executable. In this case, the malicious executable presents itself as a valid executable for AQQ IM.

AQQ is a popular IM application
Cryptolocker's encryption has been an evolving piece of this threat, often relying on asymmetric encryption to lock the victim's files.  In this particular version, the Cryptolocker variant targeted the following folders for encryption:
  • C:\MSOCache\All Users\
  • C:\Users\[Public/Username]\
The resulting ".encrypted" files can only be released with the key controlled by the attacker.

The threat will also drop a file in the Windows directory and an associated registry key to launch the file upon boot.  This will ensure that the threat will remain persistent if the victim attempts to reboot their system.

The autostart value is randomly generated.
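The persistence pattern described above (a randomly named executable dropped directly into the Windows directory, launched from a Run key whose value name is also random) is something an administrator can sweep for. The Python below is an added example, not code from the original post: it parses a registry export of the Run keys and flags entries that match that pattern. The export text is constructed; the flagged path mirrors the C:\Windows\uhjrajyj.exe example given in the post, and the "random-looking name" rule is a heuristic of mine.

```python
import re
import ntpath

# Added example, not from the original post: triage Run-key autostarts
# from a .reg export and flag random-looking executables sitting directly
# in the Windows directory.

# Constructed registry export in .reg syntax (backslashes and quotes escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ydkhwqmp"="C:\\Windows\\uhjrajyj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
WINDOWS_DIR = r"c:\windows"

def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for every value under a ...\\Run key."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            # undo .reg escaping: \\ -> \ and \" -> "
            command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group(1), command

def executable_path(command):
    """Strip surrounding quotes and arguments, leaving the program path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]

def random_looking(name):
    """Heuristic: a run of 6-12 lowercase letters with no digits or separators."""
    return re.fullmatch(r"[a-z]{6,12}", name) is not None

def suspicious_autostarts(reg_text):
    """Return (key, value_name, exe) for autostarts directly in C:\\Windows
    whose base name looks random."""
    flagged = []
    for key, name, command in parse_run_entries(reg_text):
        exe = executable_path(command)
        directory = ntpath.dirname(exe).lower().rstrip("\\")
        base = ntpath.splitext(ntpath.basename(exe))[0]
        if directory == WINDOWS_DIR and random_looking(base):
            flagged.append((key, name, exe))
    return flagged

if __name__ == "__main__":
    for entry in suspicious_autostarts(SAMPLE_REG):
        print("suspicious autostart:", entry)
```

Legitimate software almost never installs its main binary straight into C:\Windows, so the directory test carries most of the weight; the name heuristic just cuts the noise from the few vendors that do. Export the keys with reg export on the host and feed the file to `suspicious_autostarts`.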

Cryptolocker will phone home to a hard-coded malicious domain via SSL. The SSL certificate is signed using the printable string 'debian'. This transaction is the secure communication which will provide the specific key needed to encrypt the victim's files.

Viewing C:\Windows\uhjrajyj.exe in this case reveals the hard-coded domain used to phone home.
The phone home address is hard-coded within the malicious payload.
Decrypted SSL traffic reveals the initial call back attempt that contains a POST request with victim's machine name and unique ID as seen below:

Decrypted call back attempt
This variant was found to be using a Domain Generation Algorithm for the C2 server communication, similar to the phone home method of Zeus.GameOver.

DGA activity

These domains are largely returning 504 errors now, as they have either not yet been registered or have already been shut down. A few were still live at the time of the research. Zscaler inspected the associated IP addresses and found them to be hosted in the Russian Federation. The two server IP addresses of note at the time of the blog are and . Active ransomware URLs leading to these servers include:
  • usygoseqowapadoh[.]com:443
  • usygoseqowapadoh[.]com/topic.php
  • octoberpics[.]ru:443
  • octoberpics[.]ru/topic.php

Administrators should be on the lookout for the above connections, as they likely indicate a compromised system. Given how prevalent this threat is, the U.S. Government recently released an associated alert on the US-CERT site.

Taking regular backups of your personal files remains a user's best chance of mitigating the threat if they have been hit by this attack. It is also important for system administrators to enforce strict file-type access control policies surrounding the download of archive and executable files from unknown sources.

Friday, October 24, 2014

Android Ransomware 'Koler' Learns to Propagate via SMS

Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Cryptolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating systems which limit the ability of apps to access the full file system. Despite this fact, the mobile market is clearly one that ransomware operators would like to tap into, and Koler is a step in that direction.

In the case of this new Koler variant, the malicious Android application arrives via a shortened URL to a Dropbox location and pretends to be an image file. If the unsuspecting user downloads and installs the package, it will lock the user's screen, displaying a fake FBI warning page (see below) accusing the user of viewing child pornography. Additionally, we also found a new self-propagation module that allows it to spread by sending SMS messages containing the shortened URL to all contacts on the compromised device.


Name: IMG_7821.apk, requesting the following permissions:
  • android.permission.INTERNET
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
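That permission set is, by itself, a strong tell: SYSTEM_ALERT_WINDOW gives the screen lock, RECEIVE_BOOT_COMPLETED the persistence, and SEND_SMS plus READ_CONTACTS the self-propagation described later in this post. As an added example (not code from the original post), the Python below reads a manifest and maps its permissions onto those capabilities; the two manifests are constructed, the first mirroring the list above, and the capability groupings and verdict rule are my heuristic rather than anything the post defines.

```python
import xml.etree.ElementTree as ET

# Added example, not from the original post: map a manifest's declared
# permissions onto the capabilities the Koler sample exhibits.

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest mirroring the permission list quoted in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="IMG_7821"/>
</manifest>
"""

# Constructed benign gallery-style manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Gallery"/>
</manifest>
"""

# Heuristic groupings (mine): which permission sets enable which behaviour.
CAPABILITIES = {
    "screen_lock":      {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence":      {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms_propagation":  {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "device_profiling": {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
}

def declared_permissions(manifest_xml):
    """Collect android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}

def triage(manifest_xml):
    """Return permissions, enabled capabilities and a coarse verdict."""
    perms = declared_permissions(manifest_xml)
    caps = {name for name, needed in CAPABILITIES.items() if needed <= perms}
    verdict = "ransomware-like" if {"screen_lock", "sms_propagation"} <= caps else "review"
    return {"permissions": sorted(perms), "capabilities": sorted(caps), "verdict": verdict}

if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

An image file has no business sending SMS or drawing over other apps, so the combination of screen_lock and sms_propagation in something that presents itself as IMG_7821 is what tips the verdict; on real APKs the manifest is obtained by decoding the package first.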

The user's device screen gets locked with the following fake warning upon infection:

The ransom amount to unlock the device is US$300, as seen below:

Below, we can see the self-propagation code, where Koler sends out text messages containing a link to download the Koler APK, to all the contacts on the infected mobile device.

Full text message that gets sent out:
"someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you?"

The shortened URL points to a Dropbox location hosting the same ransomware package. The Dropbox file has now been taken down.

Upon successful infection, the ransomware also connects to a predetermined command and control server and sends out sensitive device information like build version and device id.

Command and Control callback

The ransomware variant also incorporates an anti-VM technique to avoid being debugged inside an emulator. This is achieved by checking the value of the device ID: if the value is all zeros (indicating that it is running in an emulator), the application hides and terminates itself, as seen below:


We did not see any file encryption routine to encrypt the user's files, but it is able to lock the screen and stay persistent even after reboot.

It is highly recommended that users install applications from authorized stores only. It is important to check the developer information, ratings for the application, permissions requested upon installation and also ensure that the application has been signed by the developer.