While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.

Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.

The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".

MD5sums of some of the collected samples:
5EA646FFDC1E9BC7759FDFC926DE7660
959E2DCAD471C86B4FDCF824A6A502DC

Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.

A new-ish Flash exploit has been on the loose for attacks around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading backdoors signed with Winnti stolen certificates delivered with Flash exploits - the compromised web site is the NGO "Tibetan Homes Foundation". Previously, FireEye identified similar "Lady Boyle" related malicious swf exploiting CVE-2013-0634. A notification has been sent to the contacts of the web site, but apparently the malicious footer.swf file is still hosted at the Foundation's web site, so please do not visit it just yet. Also, be sure to update your Flash player to the latest version.

This site certainly appears to be a classic example of a "watering hole" attack. F-Secure pointed out another Lady Boyle watering hole set up against a related Uyghur group, which has been targeted in tandem following the early March World Uyghur Congress. The delivered backdoors are shown to be signed with Winnti-stolen digital certificates in the F-Secure post, including the stolen MGAME certificate.

Here is an example of those same stolen certs reused for the backdoors in the Tibetan Homes Foundation incident. We see both the MGAME cert and the ShenZehn certs signing the backdoors, here are screenshots of the latter:

Our products detect the Flash exploit+payload as Exploit.SWF.CVE-2013-0634.a. Here is a heatmap of our worldwide detections. Note that not all of these detections are Lady Boyle related, I estimate that at least a third of them are:

Other sites hosting the Lady Boyle swf exploit over the past couple of months have included "tibetangeeks.com", who recently cleaned up their site and posted a cooperative plea to their attackers, and "vot.org" or the "Voice of Tibet" which is also cleaned up. Currently cleaned up but previously serving "Exploit.SWF.CVE-2013-0634.a" were Uyghur related sites "istiqlaltv.com" and "maarip.org", with the same "LadyBoyle" swf path as the Tibetan Homes Foundation, i.e.:
hxxp://maarip.org/uyghur/footer(.)swf

So, what we have is an active watering hole campaign implementing a fairly new Flash exploit and abusing digital certificates that were stolen as a part of the ongoing Winnti targeted attack campaigns on game developers and publishers.

Related md5:
BD9FD3E199C3DAB16CF8C9134E06FE12
215CEC7261D70A5913E79CD11EBC9ECC
12181311E049EB9F1B909EABFDB55427

In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.

Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.

The attack

On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:

In regards to the message text above, multiple activist groups have recently organized a human rights conference event in Geneva. We've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack hitting Windows users:

Going back to the Android Package (APK) file was attached to the e-mail, this is pushing an Android application named "WUC's Conference.apk".

This malicious APK is 334326 bytes file, MD5: 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as "Backdoor.AndroidOS.Chuli.a".

After the installation, an application named "Conference" appears on the desktop:

If the victim launches this app, he will see text which "enlightens" the information about the upcoming event:

Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.

Considering the implications of such an attack, Kaspersky Lab’s Global Research & Analysis Team performed a technical analysis of the campaign and related malware samples.

You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.

In mid-February 2013 a Kaspersky user from Malaysia asked us to check a Google Play application called My HRMIS & JPA Demo developed by Nur Nazri.

The user was suspicious about the large number of permissions required by the app, though its only stated function was to open four websites.

On March 4^th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.

The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy".

Previously, we posted about another campaign hitting Governments and other institutions, named Miniduke, which was also using the same "Divine Comedy" PDF exploits.

In the meantime, we've come by other attacks which piggyback on the same high level exploit code, only this time the targets are different: Uyghur activists.

Together with our partner at AlienVault Labs, we analyzed these new exploits. For their blog, which includes Yara rules and industry standard IOC's, please read [here]. For our analysis, please read below.

The new attacks

A few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:

7005e9ee9f673edad5130b3341bf5e5f        2013-Yilliq Noruz Bayram Merik isige Teklip.pdf
d00e4ac94f1e4ff67e0e0dfcf900c1a8        ÁLÃûÐÅ.pdf (joint_letter.pdf)
ad668992e15806812dd9a1514cfc065b        arp.pdf

The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.

(or, how many cool words can you fit into one title)

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy".

Since the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0640) which drop other malware. Between these, we've observed a couple of incidents which are so unusual in many ways that we-ve decided to analyse them in depth.

Together with our partner CrySyS Lab, we've performed a detailed analysis of these unusual incidents which suggest a new, previously unknown threat actor. For the CrySyS Lab analysis, please read [here]. For our analysis, please read below.

Key findings include:

• The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013. To compromise the victims, the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets. The PDFs were highly relevant and well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine-s foreign policy and NATO membership plans.

These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10 and 11, bypassing its sandbox.

• Once the system is exploited, a very small downloader is dropped onto the victim-s disc that-s only 20KB in size. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer-s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.

• If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke-s Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.

These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.

• Based on the analysis, it appears that the MiniDuke-s creators provide a dynamic backup system that also can fly under the radar - if Twitter isn-t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.

• Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim-s machine.

Once they are downloaded to the machine, they can fetch a larger backdoor which carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and of course, download and execute new malware and lateral movement tools.

• The final stage backdoor connects to two servers, one in Panama and one in Turkey to receive the instructions from the attackers.

• The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines:

• By analysing the logs from the command servers, we have observed 59 unique victims in 23 countries:

Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.

For the detailed analysis and information on how to protect against the attack, please read:

[The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor.PDF]

In partnership with researchers at AlienVault Labs, we’ve analysed a series of targeted attacks against Uyghur Mac OS X users which took place during the past months. You can read their analysis here. For our research, please read below.

We previously wrote about targeted attacks against Tibetan activists which used Mac OS X malware. In addition to these, last June we reported about attacks using Mac OS X malware against Uyghur supporters. These later attacks took advantage of social engineering to infect unsuspecting users with “Backdoor.OSX.MaControl.b”.

During the past months, we’ve monitored a series of targeted attacks against Uyghur supporters, most notably against the World Uyghur Congress (WUC).

Since our announcement about "Red October", we've received a lot of questions on how to quickly identify compromised systems.

That's why together with our partner Alienvault we've decided to put together a small whitepaper for CERTs and system administrators which can help identify and mitigate the attack.