English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0.1
 

The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.

Geographic distribution

This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:

0.5
 

Malicious macro-enabled Microsoft Office document
The last interesting item found on the same malicious cybercriminal server is a .docm file (a macro-enabled document according to Microsoft Office standards).

It is a malicious file that when opened shows its victims the following content:

0.3
 

We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it-s still a rare feature.

Lately Tor has become more attractive as a service to ensure users- anonymity. Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure. This capability was added to Zeus recently, as reported by my colleague Dmitry Tarakanov here. In addition, the CrimewareKit Atrax and the botnet-based on Mevade became known because of this.



0.2
 

Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which basically use symmetric algorithms in the first and second generation, and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, progressively increasing the complexity of the variants.

In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say over a six month period.

In this first stage, 75% of the phishing campaigns targeted Peruvian consumers that use home-banking services. The 25% remaining targeted users in Chile.

The following diagram shows multiple instances used by the second generation of Jumcar:

Some .NET instances used by a variant of the first generation of Jumcar


0.5
 

Together with our partner CrySyS Lab, we've discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC.

While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

The page hxxp://[c2_hostname]/groups/business-principles.html is used as an starting point for the attack. It consists of two frames, one for loading the decoy web page from a legitimate website (copied from http://www.albannagroup.com/business-principles.html), and another for performing malicious activities (hxxp://[c2_hostname]/groups/sidebar.html)


Source code of business-principles.html


Decoy webpage loaded

The second webpage, "sidebar.html" contains 88 lines, mostly JavaScript code, and works as a primitive exploit pack. Its code identifies the victim's browser and then serves one of two exploits. It also sends collected browser data to another script by sending a POST request to "hxxp://[c2_hostname]/groups/count/write.php".

0.9
 

Earlier this week, we published our report on Red October, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.

In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attackers operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.

Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.

When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that its important to analyze not just the infection, but to answer three very important questions:

  • What happens to the victim after theyre infected?
  • What information is being stolen?
  • Why is Red October such a big deal compared to other campaigns like Aurora or Night Dragon?
  • According to our knowledge, never before in the history of ITSec has an cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victims data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.

    To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.

    0.4
     

    Right after the Venezuelan presidential elections cybercriminals launched a new credential stealing malware joined by a social engineering campaign saying that supposedly the last election was a fraud. The name of the malicious file is listas-fraude-electoral.pdf.exe which is translates to Fraud elections lists and it spread via a fake Globovision Venezuelan news TV station.

    The mentioned malware is quite simple and it sets out to disable the UAC system, which allows the criminals to run administrative commands under restricted users accounts.

    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

    0.5
     

    Many things have been told already about the latest Skype malware spread via instant messages. However I just wanted to add something not mentioned yet. The first thing is about when the attack was launched first. According to Google Short URL service it first surfaced on Oct 6th :

    0.5
     

    While looking over some potentially malicious links from Brazil, I came across an interesting group of files. They were of varying sizes but had similar structures.

    0.5
     

    Identifying a botnet is not an easy task sometimes, especially when one gets lost in different components like droppers, infectors and other bad stuff. Some two weeks ago, Jose Nazario from Arbor Networks pointed me to a new varmint that appears to be another peer-to-peer bot. When executed, the program installs tons of stuff that holds a number of goodies, for example

    • an executable hidden in an Alternate Data Stream,
    • three Bitcoin miners: the Ufasoft miner, the RCP miner and the Phoenix miner,
    • a file with geo-location information for IP address ranges.

    However, we leave these aside for now and focus on the botnet's architecture instead, which is really just a channel for pushing software to infected machines. Scrabbling about in the installed programs finally brought up the actual bot, which we detect as Trojan.Win32.Miner.h. The binary has some layers of obfuscation to make analysis harder but eventually writes a UPX packed executable into a memory section from where to original binary can be restored.

    One of the first things that come to attention is a list of 1953 hard-coded IP address strings that are contained in the binary. These addresses are contacted by the bot during its bootstrapping phase in order to join the peer-to-peer network.

    IP address list in the deobfuscated binary

    IP address list in the deobfuscated binary