In December, we registered ‘Nigerian’ mailings exploiting the theme of Nelson Mandela’s death to trick users. The same topic is still inspiring spam mailings in January – but this time there are some differences in the content – the intro and the author’s signature. At first glance there seemed to be nothing in common between the emails.
Messages from bank workers or millionaires looking for someone to help them cash in huge sums of money are no longer capable of surprising us. Most of these emails are written in English, which has long been the language of international correspondence - it was unusual to ever see these kinds of messages written in other languages. However, that has changed, and now we are increasingly seeing letters like this written in Portuguese, French, Spanish and Russian as well as in Hebrew, Belorussian and Arabic.
Here is a letter about a win in an “Australian Lottery” held across several continents. It is written in Arabic and uses a standard scam: the recipient is told that he/she was randomly selected from among millions of people and has won a large sum of money. In order to claim the money, the user has to contact the scammers.
In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and ship-building groups.
Icefog, also known as "Dagger Panda" in CrowdStrike's naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.
Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, referred to hereafter as "Javafog".
The Icefog operation has been active since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:
In addition to these, we also identified "Macfog", a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.
Malware using the .CPL extension is nothing new for us, but it's still interesting that almost all the banking malware currently originating in Brazil is distributed in this format. It doesn't matter whether it's a drive-by download or a simple attack based on social engineering: users find themselves at the epicenter of a real CPL storm every day. We decided to look into this trend and find out why Brazilian cybercriminals now favor this approach.
CPL files are applets used in Windows Control Panel. Once a CPL file is executed, rundll32.exe is used to launch a wide variety of actions defined in DLLs; among the many things it can do is invoke Control Panel applets. When Windows first loads a Control Panel item, it retrieves the address of the CPlApplet() function and subsequently uses that address to call the function and pass messages to it.
Each cybercriminal has a preferred modus operandi to distribute this kind of malware. Most of them like to put the CPL file inside a ZIP, but we have also found it inserted inside RTF files. This kind of malware belongs to the Trojan-Banker.Win32.ChePro family, first detected in Russia in October 2012.
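Because a .CPL file is a PE DLL that rundll32.exe will load just like an .EXE, a mail gateway or sandbox should treat it as executable content rather than as a harmless "applet". The following is an added example (not code from the original post or from Kaspersky Lab) of an attachment check that flags archive entries by executable extension and also by the PE "MZ" magic, so a renamed CPL hidden behind a document-looking name is still caught. The archive contents and file names are constructed for the demonstration; the extension list is a starting point, not an exhaustive policy.

```python
import io
import zipfile

# Extensions Windows executes directly. A .cpl is a PE DLL that rundll32.exe
# loads and drives through its exported CPlApplet() function, so it belongs here.
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".com", ".pif"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that looks executable.

    Two signals are combined: the file extension, and the PE magic ("MZ") at the
    start of the content, which catches an executable renamed to look like a document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header (MZ) behind a non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: a double-extension CPL, a PE renamed to .jpg, and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("boleto.pdf.cpl", b"MZ" + b"\x00" * 62)  # constructed stand-in for a CPL dropper
        zf.writestr("foto.jpg", b"MZ" + b"\x00" * 62)        # constructed: PE renamed to an image
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The same two signals apply to CPL files embedded in RTF documents, but there the object has to be pulled out of the RTF's `\objdata` stream first; this example covers only ZIP attachments.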
Every single day, Kaspersky Lab processes more than 300,000 new malware samples. The vast majority of these malicious files are what we call crimeware -- computer programs designed for financial profit and used by cyber-criminals to make money. Of the remainder, a small number are designed exclusively for cyber-espionage and used by a variety of advanced threat actors.
What is left is an even smaller percentage of the total and includes rare, unusual things. Wipers, which are highly destructive programs, are among the rarest kinds of malware; however, their usage has spiked over the last few years.
Back in the old days, most malware was written by computer enthusiasts, cyber-hooligans and pranksters. Hence, destructive viruses, or Trojans, were much more common. Some examples include BadSectors, a computer virus that would mark disk sectors as bad, even if they weren’t, resulting in subtle corruption of data. Another example was OneHalf, a computer virus that would encrypt the hard drive cylinder-by-cylinder, transparently decrypting it on the fly while active. If one were to remove the virus, that would leave the data on the disk in encrypted form, without an easy way to decrypt it.
Perhaps the best known example is CIH, also known as Chernobyl. CIH, named after the initials of its author, Chen Ing-hau, was a computer virus that had the ability to wipe the BIOS flash memory. Computers affected by CIH couldn’t boot up anymore. This wasn’t a major problem for PCs, which had the BIOS memory in the form of a removable chip that could be reprogrammed on another system; however, for laptop owners, the CIH virus was quite destructive.
Over the last few years, we’ve seen a number of major incidents involving destructive malware. We’ve decided to put together a brief summary of the most important Wiper incidents:
In late 2011 and early 2012, reports emerged about computer systems that were compromised and rendered unbootable. The extent of the damage to these systems was so great that almost no data was recoverable. Some artefacts from the wiped systems indicated a possible link with Stuxnet and Duqu; however, this was never proven. The malware responsible for these attacks was named the "Wiper"; we wrote about it here.
We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it's still a rare feature.
Lately Tor has become more attractive as a service to ensure users' anonymity. Criminals also use it for their activities, but they are only slowly adopting it to host their malicious infrastructure. This capability was added to Zeus recently, as reported by my colleague Dmitry Tarakanov here. In addition, the crimeware kit Atrax and the Mevade-based botnet became known because of this.
In our search for various types of malicious code for Mac we recently came across a rather interesting peculiarity in Safari. It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
So that the browser knows what was open at the end of the previous session, the relevant information needs to be stored somewhere. Obviously, that needs to be somewhere that isn’t easily accessible to just anybody, and the information definitely needs to be encrypted.
Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials:
It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).
The complete authorized session on the site is saved in the plist file in full view despite the use of https. The file itself is located in a hidden folder, but is available for anyone to read.
The system can easily open a plist file. It stores information about the saved session – including HTTP requests, which are merely Base64-encoded rather than encrypted – in a structured format.
There is a function in Safari – ‘Reopen All Windows from Last Session’ – that allows sites to be opened exactly as they were at the end of the previous session. This is the function that uses LastSession.plist.
The function is available in the following versions of Mac OS X and Safari:
You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.
As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.
We have informed Apple about the problem.
At the current time we can’t confirm whether or not there is malicious code out there that targets this file, but we’re ready to bet that it won’t be long before it appears.
This vulnerability has been fixed in Safari 6.1.
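To make the exposure concrete for anyone auditing a machine that still runs an affected Safari, here is an added example (not code from the original post or from Apple) that parses a session plist, Base64-decodes each saved request and reports which tabs have a credential field sitting in clear in a form body. The plist layout used here (a list of windows, each holding tab entries with a URL and a Base64 request) is an assumption for the demonstration, since the real LastSession.plist schema is not described on the page; the session content is constructed and the password value is a placeholder. A helper at the end checks whether the file is readable by other accounts, which is the other half of the problem the post describes.

```python
import base64
import os
import plistlib
import stat
from urllib.parse import parse_qs

# Form field names whose presence in a saved request body means a secret is stored in clear.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd", "token", "session"}


def build_constructed_session_plist() -> bytes:
    """Constructed stand-in for LastSession.plist (assumed layout, not Safari's documented schema)."""
    login_request = (
        b"POST /login HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"username=alice&password=PLACEHOLDER_SECRET"
    )
    plain_request = b"GET / HTTP/1.1\r\nHost: news.invalid\r\n\r\n"
    data = {
        "SessionWindows": [
            {
                "TabStates": [
                    {"TabURL": "https://example.invalid/login",
                     "SessionState": base64.b64encode(login_request).decode()},
                    {"TabURL": "https://news.invalid/",
                     "SessionState": base64.b64encode(plain_request).decode()},
                ]
            }
        ]
    }
    return plistlib.dumps(data)


def find_exposed_credentials(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (tab_url, field_name) for every sensitive form field found in a saved request body."""
    session = plistlib.loads(plist_bytes)
    exposed = []
    for window in session.get("SessionWindows", []):
        for tab in window.get("TabStates", []):
            # Base64 is reversible by anyone who can read the file; this is the whole issue.
            raw = base64.b64decode(tab["SessionState"])
            _headers, _sep, body = raw.partition(b"\r\n\r\n")
            if not body:
                continue
            for field in parse_qs(body.decode("utf-8", "replace")):
                if field.lower() in SENSITIVE_FIELDS:
                    exposed.append((tab["TabURL"], field))
    return exposed


def readable_by_others(path: str) -> bool:
    """True if group or world read bits are set, i.e. any local account can read the session file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for url, field in find_exposed_credentials(build_constructed_session_plist()):
        print(f"{url}: field '{field}' stored in clear")
```

Running the parser over a real session file would replace `build_constructed_session_plist()` with `open(path, "rb").read()`; the key lookups would need adjusting to Safari's actual keys, which is why they are flagged as assumptions above.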
In early November Typhoon Haiyan devastated the Philippines, with a catastrophic number of victims – several thousand were reported killed, while hundreds of thousands were evacuated. A few days after the typhoon struck we detected the first “Nigerian letters” in which scammers were exploiting the tragedy for their own selfish ends. The author of the letter below pretended to be a driver at a local security company. The tale of how he became a multi-millionaire sounds plausible enough.
The typhoon supposedly left the driver alone with a cargo of $11.5 million. Realizing he had lost his security escort and that the money was probably presumed lost, he decided to make the most of his predicament and conveyed the money to an associate at another security company. In the letter he is asking the recipient to help transfer the valuable cargo out of the Philippines in return for a generous reward. To add a touch of authenticity, the scammer added real links to news about the typhoon – mostly to the BBC. The news articles are the only reliable information provided in the letter. This amazing story of a newly-made millionaire, along with his name and surname, is merely an attempt to deceive an unsuspecting recipient.
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
At Kaspersky Lab we have also detected that yet another APT group has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This APT actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual, the Winnti perpetrators are trying to use this technique to deliver their first-stage malware, PlugX.
We became aware of an attack against one gaming company which is constantly attacked by the Winnti group. The MS Word document containing the exploit contains the same TIFF picture (7dd89c99ed7cec0ebc4afa8cd010f1f1) that triggers the vulnerability as in the Hangover attacks. If the exploitation is successful, the PlugX backdoor is downloaded from a remote URL:
On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.
Several malware samples that exploit CVE-2013-3906 became available to us, and we analyzed them in detail. All of them make use of heap spraying, writing their code to the address 0x08080808 and executing it from that location. The exception and the memory overwrite occur in the vulnerable ogl.dll.
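A heap spray that lands its code at a fixed address such as 0x08080808 has to fill large amounts of memory with the same filler, which is what makes it visible in a memory dump of the attacked process. The following is an added triage example (not code from the original post or from Kaspersky Lab) that scans a buffer for long runs of one repeated 32-bit value and reports the offset, the value and the run length, so an analyst working a dump of a WINWORD.EXE crash can see whether the spray reached the address the post names. The minimum run length, the ignored filler values (zero pages and 0xFFFFFFFF are common in clean memory) and the sample buffer are constructed for the demonstration; 0x08080808 is the only value taken from the analysis above.

```python
# Triage heuristic: find long runs of a repeated 32-bit value, the footprint a heap spray leaves.

SPRAY_ADDRESS = 0x08080808          # address the analysed CVE-2013-3906 samples execute from
MIN_REPEATS = 64                    # constructed threshold: 256 bytes of identical DWORDs
IGNORED_VALUES = {0x00000000, 0xFFFFFFFF}   # filler that is normal in clean memory


def find_repeated_dword_runs(data: bytes, min_repeats: int = MIN_REPEATS) -> list[tuple[int, int, int]]:
    """Return (offset, value, repeat_count) for each run of one DWORD repeated at least min_repeats times.

    The scan is byte-granular, so an unaligned spray block is still found; after a run is
    reported the scan resumes at its end so one block is reported once, at its first byte.
    """
    runs = []
    i, n = 0, len(data)
    while i + 4 <= n:
        dword = data[i:i + 4]
        j = i + 4
        while j + 4 <= n and data[j:j + 4] == dword:
            j += 4
        count = (j - i) // 4
        value = int.from_bytes(dword, "little")
        if count >= min_repeats and value not in IGNORED_VALUES:
            runs.append((i, value, count))
            i = j
        else:
            i += 1
    return runs


def spray_reaches(runs: list[tuple[int, int, int]], address: int = SPRAY_ADDRESS) -> bool:
    """True if any reported run is made of the DWORD equal to the target address."""
    return any(value == address for _offset, value, _count in runs)


def build_constructed_dump() -> bytes:
    """Constructed memory image: a short header, a zero-filled gap, a sprayed block, and a tail."""
    header = b"%PDF-1.5\n"                         # 9 bytes of unrelated content
    zero_gap = b"\x00" * 100                       # ignored as normal filler
    sprayed = SPRAY_ADDRESS.to_bytes(4, "little") * 200
    tail = b"\x90" * 10                            # too short to count as a run
    return header + zero_gap + sprayed + tail


if __name__ == "__main__":
    found = find_repeated_dword_runs(build_constructed_dump())
    for offset, value, count in found:
        print(f"offset {offset:#x}: {value:#010x} repeated {count} times")
    print("spray reaches target address:", spray_reaches(found))
```

The threshold is deliberately low so that the example is easy to follow on a small buffer; on a real dump it should be raised to the megabyte range, since a spray that places code at a fixed address has to cover the whole address range below it.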
Fragment of WinDbg shellcode execution
The exploits that we had access to can be divided into two groups according to the shellcodes used in them.