13 Feb Absolute Computrace: Frequently Asked Questions VitalyK
10 Feb The Careto/Mask APT: Frequently Asked Questions GReAT
05 Feb Big box LatAm hack (3rd part – infection by Office files) Dmitry Bestuzhev
03 Feb Big box LatAm hack (2nd part – Email brute-force and spam) Dmitry Bestuzhev
23 Jan From Latin America with love, Jumcar strikes again Santiago Pontiroli
21 Jan WhatsApp for PC - a guaranteed Trojan banker Dmitry Bestuzhev
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
In response to numerous requests for comments and clarifications after our presentation at the Kaspersky Security Analyst Summit 2014, we have created this FAQ with some answers to the most commonly asked questions.
Kaspersky Lab decided to undertake full research on this topic after discovering several privately owned laptops of Kaspersky Lab security researchers had the Computrace agent running without prior authorization. Such unauthorized activations quickly became alarming when our reverse engineering revealed serious vulnerabilities in the Computrace agent protocol design.
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.
What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).
The Mask also uses a customized attack against older Kaspersky Lab products in order to hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time. This and several other factors make us believe this could be a state-sponsored operation.
It is a malicious file that when opened shows its victims the following content:
A new sample was submitted to the Virus Total system on January 18th which was quickly spotted by my colleague Dmitry Bestuzhev. Interestingly enough, it seems that a new variant of the Jumcar malware family has appeared and a lot of changes have been made to the original source code. As this is Latin American custom made malware there are lots of strings written in Spanish, some of them which we won’t mention since they are meant to insult security researchers while they inspect the code.
They first thing that caught our attention was the presence of some debug information still available in the executable file. After a very basic analysis we confirmed that we were dealing with a Microsoft .NET application and the string we found was the original path where the malicious work was being debugged in the developer’s system. Apparently “Victor” was testing his new creation against several antivirus engines since the sample was submitted by himself to Virus Total.
Disguised as an innocent “Facebook” application, Jumcar lures the user into double-clicking the file to infect the system and deliver the malicious payload.
Seems pretty innocent, right?
After the executable has been launched, it will appear as a “Facebook” utility in the process monitor while it starts to perform some network connectivity tests to determine if it’s able to download the second stage of the malicious code. In this case it checks using Google (using both the domain name and IP address) to see if an Internet connection is available and downloads another file needed for the infection.
If everything goes as expected, Jumcar will try to get a text file from a server located in Chile which contains the name of the banks it will try to steal information from. This list is also conveniently renamed as a “robots.txt” standard exclusion file so that IT administrators won’t notice anything out of the ordinary while checking their log entries.
With this list downloaded, the following step is to use it to overwrite the Windows hosts information located in %systemroot%\system32\drivers\etc\. So now, every time the user tries to access any of the domains included in the malicious hosts list, he will be redirected to another IP and presented with a fake version of the desired website instead. Currently this IP is offline, but since the file is retrieved dynamically by the malware this can be easily changed by replacing the “robots.txt” file.
In previous versions of Jumcar, the targets were banking institutions, mainly from Peru. In this variant, the code has been customized to attack Bolivian banks, but there's nothing to stop the malware creators from expanding this list. This makes sense since the Assembly name for the .NET executable was “newbol”, which might indicate a new Bolivian variant.
A lot of cryptographic functions are being used within the code (nothing new here, since previous versions relied heavily on crypto) to add a layer of obfuscation and thwart analysis efforts. Fortunately by inspecting the network traffic and disassembling the .NET source code we are able to gain a sneak peek of how the internal development of this threat was done. This latest version includes a number of embedded strings which get decrypted using a method called GenerateRSAreverse(), taking each string and generating a clear text version that will be used for different tasks of the malware.
For example, from the following section of RSA encrypted text, Jumcar will obtain the file name to use for persistence (using “winlogon.exe” in the CurrentVersion\Run registry key), the IP address of the server where it needs to obtain the “robots.txt” file and more.
The main logic of this threat remains quite simple and relies on quickly infecting the system and replacing the hosts file to allow data theft. Even though it's not very sophisticated, it does seem to be highly effective and allows attackers to make code modifications quickly, generating new variants on demand.
It’s not very common to find malware developed
in Latin America, or using .NET technology. However in recent
months we have seen that the benefits of rapid code development
and framework usage are tempting enough to convince cybercriminals
to adopt software development best practices. With Ploutus,
an ATM malware also created from scratch in the region in .NET it
seems that the Spanish speaking malware world is just about to get
interesting. For the moment, this appears to be just an attempt of
the malware creator to test detection rates, but we’ll need to
keep an eye open since the real threat can emerge at any moment. From
with love, Jumcar is here again.
Kaspersky Anti-Virus detects all mentioned
samples heuristically as Trojan.Win32.Fsysna variants.
In short, this message says that WhatsApp for PC is finally available and that the recipient already has 11 pending invitations from friends in his account. This is what the email looks like:
Today we got a spam message with a fake e-card in Portuguese leading to an interesting piece of malware:
Header translation: You got a Christmas e-card. Somebody very special has sent this Christmas e-card for you. In case you are not able to visualize it, click here. Much better than any present is a happy family.
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.
There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how some websites just get abandoned and become a hive of malware.
However one of the things that drew my attention was the detection of many PHP Backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!