14 Jan The Icefog APT Hits US Targets With Java Backdoor Costin Raiu
19 Dec Malware in metadata Vicente Diaz
14 Mar Reminder: be careful opening invoices on the 21st March Ben Godwood
08 Mar CIA "DELETED" Venezuela's Hugo Chavez? Dmitry Bestuzhev
11 Oct BoteAR: a “social botnet”? What are we talking about? Jorge Mieres
01 Aug “RunForestRun”, “gootkit” and random domain name generation Marta Janus
In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and ship-building groups.
Icefog, also known as "Dagger Panda" in Crowdstrike's naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.
Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, referred to from here on as "Javafog".
The Icefog operation has been operational since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:
In addition to these, we also identified "Macfog", a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.
There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even after being notified. That speaks of the lack of security awareness at some companies, and of how some websites just get abandoned and become a hive of malware.
However, one of the things that drew my attention was the detection of many PHP backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!
On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.
The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:
The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.
In information security, talking about botnets means talking about malicious actions carried out through criminal activity. In essence, we assume there is always a hostile intent on the part of those who administer them. Please correct me, colleagues, and refute this if I'm wrong, but I think you agree with me conceptually.
BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.
So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.
Recently, we came across web malware that – instead of injecting an iframe pointing to a fixed existing address – generates a pseudo-random domain name, depending on the current date. This approach is not new and is widely used by botnets in C&C domain name generation, yet it's not very common for the web malware we’ve seen so far.
After deobfuscation, we can see that the iframe redirecting to the malicious URL with the generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters in the .ru domain and execute a PHP script on the server side with sid=botnet2 as the argument:
Today we came across a new, very sophisticated type of phishing. The user receives a message that, at first glance, appears to be from McDonald's. It states that the recipient has won the chance to participate in a survey and immediately receive remuneration of $80 for doing so.
Infection strategies based on JavaScript are on the agenda, because its "hybrid" status lets criminals expand their attack coverage, recruiting infected computers regardless of the browser or operating system the user runs.
In terms of criminal activity, drive-by-download techniques that inject malicious JavaScript into different websites are combined with social engineering, which requires users to sharpen their "detection" senses more and more.
Over this weekend, we encountered a fake website imitating VirusTotal, the popular suspicious-file analysis service by the Hispasec company, set up to infect users through the methods mentioned above.
It's one of those days where I just had one of those "Oh no..." moments when I logged into my Twitter account and suddenly a message box with my cookie popped up.
Update 3 (14:24 CEST): Worm code for this vulnerability has been posted on IRC, making the rounds.
Update 4 (14:36 CEST): Worm is live already...
Update 5 (14:59 CEST): It appears Twitter now properly escapes links, that specific vulnerability seems closed.
Update on Infection Rates (posted by Costin): During the peak of the infection, we noticed roughly 100 posts per second which seemed to be related to the exploit. Thanks to Paul Roberts who pointed out a simple way of looking at the outbreak using Twitscoop:
The graph suggests 93 posts per second, which is not far from the peak we observed.
Although accurate numbers are hard to extrapolate from the existing data, the total number of malicious posts could have easily exceeded half a million.
A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.
But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100,000.
All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used in distributing this malicious payload:
"Pe Lanza da banda Restart sofre acidente tragico" - it's a short tweet in Portuguese about the Brazilian pop band Restart suffering a "tragic accident". I'd say there's not much doubt about the origins of this attack.
We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter, along with other significant industry peers, has of course been notified.
UPDATE: Twitter has confirmed the vulnerability is fixed now.