<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<atom:link href="http://www.securelist.com/en/rss/weblog" rel="self" type="application/rss+xml" />
<title>Securelist / Blog</title>
<link>http://www.securelist.com/en/</link>
<description></description>
<lastBuildDate>22 May 2013 22:12:52 +0400</lastBuildDate>
<image>
<title>Securelist / Blog</title>
<url>http://www.securelist.com/en/rss/klogo.gif</url>
<link>http://www.securelist.com/en/</link>	
</image>
	<item>
		<author>webmaster@securelist.com (Jorge Mieres )</author>
		<description>&lt;p&gt;&lt;b&gt;Jumcar&lt;/b&gt; is the name we have given to a family of malicious code developed in Latin America, particularly in Peru, which according to our research has been carrying out attacks since March 2012.&lt;/p&gt; &lt;p&gt;After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially, the main purpose of the malware is stealing financial information from Latin American users of the home-banking services of major banks. 90% of the attacks target Peru, using phishing strategies based on cloning the websites of six banks.&lt;/p&gt; &lt;p&gt;Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.&lt;/p&gt;&lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195042.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;center&gt;&lt;i&gt;&lt;font size=&quot;2&quot;&gt;Percentage of phishing attacks by country&lt;/font&gt;&lt;/i&gt;&lt;/center&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part</guid>
		<link>http://www.securelist.com/en/blog/208195041/Jumcar_From_Peru_with_a_focus_on_Latin_America_First_part</link>
		<pubDate>20 May 2013 08:06:07 +0400</pubDate>
		<title>Jumcar. From Peru with a focus on Latin America [First part]</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Stefano Ortolani)</author>
		<description>&lt;p&gt; Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place in the premises of the &lt;strong&gt;Espace Oscar Niemeyer&lt;/strong&gt;; admittedly a nice move, putting a security conference inside an art exhibition center (congrats to the organizers :)). &lt;/p&gt;&lt;p class=c&gt; &lt;div style=&quot;width:350px; font-size:80%; text-align:center; margin: 0px auto;&quot;&gt; &lt;img src=&quot;images/pictures/klblog/208195040.jpg&quot; width=&quot;350&quot; border=&quot;1&quot;&gt; Espace Oscar Niemeyer  &lt;/div&gt; &lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195029/NoSuchCon_2013</guid>
		<link>http://www.securelist.com/en/blog/208195029/NoSuchCon_2013</link>
		<pubDate>18 May 2013 16:00:51 +0400</pubDate>
		<title>NoSuchCon 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Now cybercriminals from Brazil are also interested in the Bitcoin currency. In order to join the horde of phishers on the lookout for the virtual currency they have applied their best malicious techniques: malicious PAC files delivered through web attacks, and phishing domains.&lt;/p&gt;&lt;p&gt;The malicious usage of PAC (Proxy Auto-Config) files among Brazilian black hats is not something new; we've known about it since 2007. Generally, these kinds of malicious scripts are used to redirect the victim's connection to a phishing page for banks, credit cards and so on. We described these attacks in detail &lt;a href=&quot;http://www.securelist.com/en/blog/2106/Benign_Feature_Malicious_Use&quot;&gt;here&lt;/a&gt;. In 2012 a Russian banking Trojan called &lt;a href=&quot;http://www.securelist.com/ru/blog/207764045/Tochechnyy_banker&quot;&gt;Capper&lt;/a&gt; also started using the same technique. When it's used in drive-by download attacks, it becomes very effective.&lt;/p&gt;&lt;p&gt;After registering the domain &lt;b&gt;java7update.com&lt;/b&gt;, Brazilian criminals started attacking several websites, inserting a malicious iframe into some compromised pages:&lt;/p&gt;&lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208195034.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins</guid>
		<link>http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins</link>
		<pubDate>17 May 2013 17:58:17 +0400</pubDate>
		<title>Malicious PACs and Bitcoins</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt; Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel vulnerabilities. In all, ten critical &quot;use-after-free&quot; vulnerabilities are patched in IE along with one important information disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative. &lt;/P&gt; &lt;P&gt; The recent Internet Explorer 8 0day, implemented with ROP to work across ASLR-protected Windows 7 and hosted on the compromised Department of Labor website among others, was used as part of a targeted watering hole campaign suggested to be run by the known threat actor &quot;DeepPanda&quot;. This IE 0day was reported by the folks at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always, it is very important for all Internet Explorer users to update asap and avoid becoming a victim of the more common financially motivated mass-exploitation schemes. &lt;/P&gt; &lt;P&gt; A bit less sexy but very important for organizations to update are the three &quot;Important&quot; kernel elevation of privilege vulnerabilities. While these are not yet known to have been publicly exploited, EoP exploits are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a &quot;thanks&quot;. &lt;/P&gt; &lt;P&gt; Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows Server 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult. Accordingly, Microsoft rates it &quot;Important&quot;. &lt;/P&gt;
&lt;P&gt; Other client side apps are being patched with &quot;Important&quot; rated updates as well, including Word, Publisher, and more. More information on all of these updates can be found over at Microsoft's &lt;a href=http://technet.microsoft.com/en-us/security/bulletin/ms13-may target=_blank&gt;summary&lt;/a&gt;. &lt;/P&gt; &lt;P&gt; Also today, Adobe's PSIRT pushed &lt;a href=http://blogs.adobe.com/psirt/2013/05/adobe-security-bulletins-posted-7.html target=_blank&gt;several important updates&lt;/a&gt; for ColdFusion (in the crosshairs of persistent attackers on organizations) and for both of their big client side apps, Flash and Reader/Acrobat. &lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208195028/Microsoft_Updates_May_2013_Slew_of_Internet_Explorer_Critical_Vulnerabilities_Kernel_EoP_and_Others</guid>
		<link>http://www.securelist.com/en/blog/208195028/Microsoft_Updates_May_2013_Slew_of_Internet_Explorer_Critical_Vulnerabilities_Kernel_EoP_and_Others</link>
		<pubDate>14 May 2013 22:06:28 +0400</pubDate>
		<title>Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dong Yan)</author>
		<description>&lt;p&gt;In China telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing the loss of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.&lt;/p&gt; &lt;p&gt;Last week the police from the Dongcheng sub-branch of Beijing&amp;#8217;s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters&amp;#8217; tactics were laid bare.&lt;/p&gt;&lt;p&gt;&lt;h2&gt;So how does the scam work? How was the victim deceived? &lt;/h2&gt;&lt;p&gt;&lt;p&gt;First you get a call from a &amp;#8216;public prosecutor&amp;#8217; saying that you are implicated in a financial crime and you must help with the investigation. Of course, you deny everything, but the &amp;#8216;public prosecutor&amp;#8217; advises you to check if you are listed in an official database as a suspected criminal. To do this, they tell you to visit the &amp;#8220;Supreme Procuratorate&amp;#8217;s&amp;#8221; website, which is, of course, a phishing site:&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/images/pictures/klblog/878.png&quot; target=_blank&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/878.png&quot; border=0 width=600 alt=''&gt;&lt;/a&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/877/Telecom_fraud_phishing_and_Trojans_combined</guid>
		<link>http://www.securelist.com/en/blog/877/Telecom_fraud_phishing_and_Trojans_combined</link>
		<pubDate>13 May 2013 11:15:00 +0400</pubDate>
		<title>Telecom fraud - phishing and Trojans combined</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Michael)</author>
		<description>&lt;p&gt;The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.     The annual event, organized by the Anti-Phishing Working Group (APWG) is this time held in Buenos Aires, Argentina.&lt;/p&gt;  &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194250.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; </description>
		<guid>http://www.securelist.com/en/blog/208194246/CeCOS_VII</guid>
		<link>http://www.securelist.com/en/blog/208194246/CeCOS_VII</link>
		<pubDate>27 Apr 2013 00:49:47 +0400</pubDate>
		<title>CeCOS VII</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kirill Kruglov)</author>
		<description>&lt;p&gt;The experience of many information security officers shows that only a small portion of security incidents take place as a result of meticulously planned and sophisticated targeted attacks, while most incidents are due to a lack of effective security and control measures. This post begins a series of publications about IT security threats associated with the use of legitimate software.&lt;/p&gt; &lt;h1&gt;TeamViewer&lt;/h1&gt; &lt;p&gt;Hugely popular, easy-to-use and practical, remote access tools have been appreciated by system administrators and developers alike, as well as by anyone who has ever needed to log on to a work computer from a remote location, whether traveling on business, working from home, or caught out by an emergency while on vacation. However, unregulated use of this software poses a threat to corporate security and may lead to security incidents.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/876/Security_policies_remote_access_programs</guid>
		<link>http://www.securelist.com/en/blog/876/Security_policies_remote_access_programs</link>
		<pubDate>25 Apr 2013 19:44:00 +0400</pubDate>
		<title>Security policies: remote access programs</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Sergey Golovanov)</author>
		<description>&lt;p&gt;It has been three years since we published &lt;a href=&quot;http://www.securelist.com/en/blog/139/Lock_stock_and_two_smoking_Trojans_bank_robbery_in_the_21st_century&quot;&gt;Lock, stock and two smoking Trojans&lt;/a&gt; in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Trojan-Spy.Win32.Lurk   &lt;li&gt;Trojan-Banker.Win32.iBank &lt;li&gt;Trojan-Banker.Win32.Oris &lt;li&gt;Trojan-Spy.Win32.Carberp &lt;li&gt;Trojan-Banker.Win32.BifiBank &lt;li&gt;Trojan-Banker.Win32.BifitAgent &lt;/ul&gt; &lt;p&gt;In spite of its functionality no longer being unique, the last program on the list caught our attention.&lt;/p&gt;  &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/862.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;br/&gt;&lt;em&gt;Words and strings used by Trojan-Banker.Win32.BifitAgent&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;p&gt;This particular piece of malware has a number of features that set it apart from other similar programs.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/861/Lock_stock_and_two_smoking_Trojans_2</guid>
		<link>http://www.securelist.com/en/blog/861/Lock_stock_and_two_smoking_Trojans_2</link>
		<pubDate>22 Apr 2013 20:24:00 +0400</pubDate>
		<title>Lock, stock and two smoking Trojans-2</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Vicente Diaz)</author>
		<description>&lt;p&gt; What a week to be in Boston! I was heading to Source Conference the very same day the blast happened. It's hard to describe all the intense emotions when I arrived. As President Obama said today to the city of Boston: You will run again. All my best to you guys, stay strong. &lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194238.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot; height=400 width=400&gt;&lt;/p&gt; &lt;p&gt; In my presentation at Source I talked about fraud on Twitter. These days we find a lot of spam bots on this social network, either blindly sending unsolicited direct messages to other users or first doing some semantic analysis of your tweets to craft a more targeted message. &lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194237/Is_digital_marketing_the_new_spam</guid>
		<link>http://www.securelist.com/en/blog/208194237/Is_digital_marketing_the_new_spam</link>
		<pubDate>22 Apr 2013 09:54:12 +0400</pubDate>
		<title>Is digital marketing the new spam?</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Tarakanov)</author>
		<description>&lt;p&gt;While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE-2013-0422 vulnerability. The malicious Java applet itself was detected heuristically under a generic verdict for that vulnerability, and it would have been nearly impossible to pick out that particular site from the multitude of other places where various malicious Java applications were detected with that generic verdict. But it was a very specific search conducted back then, and this site appeared in the statistics among not so many results. Well, to be honest, it was a false positive in terms of the search criteria, but in this case it was a lucky mistake.&lt;/p&gt;&lt;p&gt;The infected website was &lt;i&gt;minjok.com&lt;/i&gt;, which turned out to be a news site in Korean and English covering mostly political events around the Korean peninsula. We notified an editor of this site about the compromise and although he has not responded, the site was taken down after a while.&lt;/p&gt;&lt;p&gt;This is how &lt;i&gt;minjok.com&lt;/i&gt; is described at &lt;a href=&quot;http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/&quot;&gt;http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/&lt;/a&gt;:&lt;/p&gt;&lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194232.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;  &lt;i&gt;&lt;b&gt;Description of minjok.com&lt;/b&gt;&lt;/i&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194231/An_ambush_for_peculiar_Koreans</guid>
		<link>http://www.securelist.com/en/blog/208194231/An_ambush_for_peculiar_Koreans</link>
		<pubDate>19 Apr 2013 14:24:37 +0400</pubDate>
		<title>An ambush for peculiar Koreans</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Michael)</author>
		<description>&lt;p&gt;While many are still in shock after the Boston Marathon bombings on 15 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.&lt;/p&gt;  &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194229.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;   &lt;p&gt;Today we already started receiving emails containing links to malicious locations with names like &quot;news.html&quot;. These pages contain URLs of non-malicious YouTube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.&lt;/p&gt;  &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194230.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;  &lt;p&gt;The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan. Kaspersky Lab detects this threat as &quot;Trojan-PSW.Win32.Tepfer.*&quot;.&lt;/p&gt; &lt;p&gt;MD5 sums of some of the collected samples:&lt;br/&gt;5EA646FFDC1E9BC7759FDFC926DE7660&lt;br/&gt;959E2DCAD471C86B4FDCF824A6A502DC&lt;/p&gt; &lt;p&gt;Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194228/Boston_Aftermath</guid>
		<link>http://www.securelist.com/en/blog/208194228/Boston_Aftermath</link>
		<pubDate>17 Apr 2013 08:02:51 +0400</pubDate>
		<title>Boston Aftermath</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Tarakanov)</author>
		<description>&lt;p&gt;Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used.&lt;/p&gt;&lt;p&gt;After discovering that the company's servers were infected, we began to clean them up in conjunction with the company's system administrator, removing malicious files from the corporate network. This took a while because it was not clear at first exactly how the cybercriminals had penetrated the corporate network; we couldn't find a way to completely stop attacks penetrating the network, and malicious files kept appearing. An analysis performed by the gaming company itself led us to the conclusion that the infection started after establishing working contacts with a South Korean gaming company. This was also confirmed by our research: &lt;a href=/en/analysis/204792287/Winnti_More_than_just_a_game&gt;as we wrote before&lt;/a&gt;, the Winnti group is most active in East Asia and we identified 14 infected gaming companies in South Korea.&lt;/p&gt;&lt;p&gt;In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware. As soon as information about the malicious files was added to our antivirus databases, our products were used to remove Winnti malware from the gaming company's corporate network. However, the attackers reacted very rapidly: new malware samples mysteriously appeared on computers from which the infection had been completely removed the previous day. Eventually, though, our efforts proved successful and the attackers were denied further access to the gaming company's computers.&lt;/p&gt;&lt;p&gt;However, just as we expected, it was too early to celebrate. Exactly one month after the gaming company's network had been cleaned, the Winnti group returned.
The system administrator sent us suspicious files, which had been attached to messages sent to company employees. This was run-of-the-mill spearphishing: the attackers introduced themselves as computer game developers and pretended to be looking for opportunities related to working with large publishers.&lt;/p&gt;&lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207767110.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX</guid>
		<link>http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX</link>
		<pubDate>15 Apr 2013 16:30:00 +0400</pubDate>
		<title>Winnti returns with PlugX</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Roel)</author>
		<description>&lt;p&gt;Today is the second and last day of Infiltrate 2013 which is taking place in Miami Beach. It's my first time at Infiltrate and so far I've been really impressed with the quality of the conference.&lt;/p&gt;&lt;p&gt;&lt;p&gt;The opening keynote by Chris Eagle definitely set the tone for the rest of the con, with a very clear focus on offense. Chris shared his own view on various issues concerning how the US Armed Forces - and the Navy in particular - deal with educating people on cyber.&lt;p&gt;&lt;p&gt;One of the bits I found particularly interesting was the &lt;a href=&quot;http://en.wikipedia.org/wiki/Title_10_of_the_United_States_Code&quot;&gt;Title 10&lt;/a&gt; issue. Many of the experts creating cyber-tools, which would make them best equipped to handle them, are civilians. However under Title 10, only military personnel can actually 'pull the trigger'. You can see how this can be problematic.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194226/Hello_from_Infiltrate_2013</guid>
		<link>http://www.securelist.com/en/blog/208194226/Hello_from_Infiltrate_2013</link>
		<pubDate>12 Apr 2013 21:51:22 +0400</pubDate>
		<title>Hello from Infiltrate 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt; A new-ish Flash exploit has been on the loose for attacks around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading backdoors signed with Winnti stolen certificates delivered with Flash exploits - the compromised web site is the NGO &quot;Tibetan Homes Foundation&quot;. Previously, FireEye identified similar &lt;a href=http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html target=_blank&gt;&quot;Lady Boyle&quot; related malicious swf&lt;/a&gt; exploiting CVE-2013-0634. A notification has been sent to the contacts of the web site, but apparently the malicious footer.swf file is still hosted at the Foundation's web site, so please do not visit it just yet. Also, be sure to update your Flash player to the latest version. &lt;/P&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194220.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;P&gt; This site certainly appears to be a classic example of a &quot;watering hole&quot; attack. F-Secure pointed out another &lt;a href=http://www.f-secure.com/weblog/archives/00002524.html target=_blank&gt;Lady Boyle watering hole&lt;/a&gt; set up against a related Uyghur group, which has been targeted in tandem following the early March World Uyghur Congress. The delivered backdoors are shown to be signed with Winnti-stolen digital certificates in the F-Secure post, including the stolen MGAME certificate. &lt;/p&gt; &lt;P&gt; Here is an example of those same stolen certs reused for the backdoors in the Tibetan Homes Foundation incident. 
We see both the MGAME cert and the ShenZhen certs signing the backdoors; here are screenshots of the latter: &lt;/P&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194221.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;P&gt; Our products detect the Flash exploit+payload as &lt;a href=https://www.virustotal.com/en/file/6f313c9dd05a654fc9e197ab55fdcab0ac397f765e8a66cc1c1f5475697d795d/analysis/ target=_blank&gt;Exploit.SWF.CVE-2013-0634.a&lt;/a&gt;. Here is a heatmap of our worldwide detections. Note that not all of these detections are Lady Boyle related; I estimate that at least a third of them are: &lt;/P&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194222.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;P&gt; Other sites hosting the Lady Boyle swf exploit over the past couple of months have included &quot;tibetangeeks.com&quot;, who recently cleaned up their site and posted a cooperative plea to their attackers, and &quot;vot.org&quot;, the &quot;Voice of Tibet&quot;, which is also cleaned up. Currently cleaned up but previously serving &quot;Exploit.SWF.CVE-2013-0634.a&quot; were the Uyghur-related sites &quot;istiqlaltv.com&quot; and &quot;maarip.org&quot;, with the same &quot;LadyBoyle&quot; swf path as the Tibetan Homes Foundation, i.e.: &lt;BR&gt; hxxp://maarip.org/uyghur/footer(.)swf &lt;BR&gt; &lt;/P&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194223.PNG&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;P&gt; So, what we have is an active watering hole campaign implementing a fairly new Flash exploit and abusing digital certificates that were stolen as a part of the ongoing &lt;a href=http://www.securelist.com/en/blog/855/Winnti_FAQ_More_than_just_a_game target=_blank&gt;Winnti targeted attack campaigns&lt;/a&gt; on game developers and publishers. 
&lt;/P&gt; &lt;P&gt; Related md5:  &lt;BR&gt; BD9FD3E199C3DAB16CF8C9134E06FE12 &lt;BR&gt; 215CEC7261D70A5913E79CD11EBC9ECC &lt;BR&gt; 12181311E049EB9F1B909EABFDB55427 &lt;BR&gt; &lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Re_Used_in_Current_Watering_Hole_Attacks_on_Tibetan_and_Uyghur_Groups</guid>
		<link>http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Re_Used_in_Current_Watering_Hole_Attacks_on_Tibetan_and_Uyghur_Groups</link>
		<pubDate>12 Apr 2013 04:31:18 +0400</pubDate>
		<title>Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Tarakanov)</author>
		<description>&lt;p&gt;During our &lt;a href=&quot;http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game&quot;&gt;research on the Winnti group&lt;/a&gt; we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this &lt;a href=&quot;http://www.securelist.com/en/analysis/204792286/Winnti_1_0_technical_analysis&quot;&gt;sophisticated malicious program&lt;/a&gt; cybercriminals gained remote access to infected workstations and then carried out further activity manually.&lt;/p&gt; &lt;p&gt;Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers' activity on an infected computer.&lt;/p&gt; &lt;h2&gt;1&lt;sup&gt;st&lt;/sup&gt; attempt: virtual machine #1&lt;/h2&gt; &lt;p&gt;At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But the attackers quickly realized it wasn't a computer they wanted to net. Once that was the case, the attackers' servers stopped responding to requests from bots running on virtual machines.&lt;/p&gt; &lt;p&gt;This is what we managed to learn at this stage of our monitoring.&lt;/p&gt; &lt;p&gt;First of all, the perpetrators looked at what was happening on the victim's desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, search for the file winmm.dll, and check the operating system version. The ListFileManager plugin then came into play. It works with the file system and the attackers used it to browse the folders C:\Windows and C:\Work.
Then they tried to restart the computer, but made a mistake in the parameters of the shutdown command, typing &quot;shutdown /t /r 1&quot; (the /t switch expects a timeout in seconds, so &quot;shutdown /r /t 1&quot; would have restarted the computer after one second). After a while they shut the computer down completely with the correctly formed command &quot;shutdown /s /t 1&quot;.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/851/The_Winnti_honeypot_luring_intruders</guid>
		<link>http://www.securelist.com/en/blog/851/The_Winnti_honeypot_luring_intruders</link>
		<pubDate>11 Apr 2013 17:23:00 +0400</pubDate>
		<title>The Winnti honeypot - luring intruders</title>
	</item>
	<item>
		<author>webmaster@securelist.com (GReAT)</author>
		<description>&lt;p&gt; Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti. &lt;/p&gt;&lt;p&gt;According to the report, the Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. &lt;/p&gt; &lt;p&gt;The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. &lt;/p&gt; &lt;p&gt;The attackers' favorite tool is the malicious program we called &quot;Winnti&quot;. It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both generations of this tool.&lt;/p&gt;&lt;p&gt;In our report we publish &lt;a href=analysis/204792286/Winnti_1_0_technical_analysis&gt;&lt;b&gt;an analysis of the first generation&lt;/b&gt;&lt;/a&gt; of Winnti.&lt;/p&gt;&lt;p&gt;The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as the results of our investigation, are &lt;a href=downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf&gt;&lt;b&gt;described in the full report&lt;/b&gt;&lt;/a&gt; (PDF) on the Winnti group. &lt;/p&gt;&lt;p&gt;The Executive Summary is available &lt;a href=analysis/204792287/Winnti_More_than_just_a_game&gt;&lt;b&gt;here&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Is this research about a gaming Trojan from 2011?
Why do you think it is significant?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;This research is about a set of industrial cyberespionage campaigns and a criminal organization which has massively penetrated many software companies and plays a very important role in the success of cyberespionage campaigns run by other malicious actors.&lt;/p&gt; &lt;p&gt;It is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia. Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users. So far, we don't have data that the attackers stole from ordinary users, but we do have at least two incidents where the Winnti malware was planted on online game update servers and these malicious executables were spread among a large number of online gamers. The samples we observed seemed not to be malware targeting end-user gamers, but a malware module which accidentally ended up in the wrong place. However, the potential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global risk.&lt;/p&gt; &lt;p&gt;It's important to understand that many gaming companies do business not only in gaming, but very often they are also developers or publishers of other types of software. We have tracked an incident where a compromised company served an update of their software which included a Trojan from the Winnti hacking team.
That became an infection vector to penetrate another company, which in turn led to a personal data leak affecting a large number of its customers.&lt;/p&gt; &lt;p&gt;So far, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a serious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at the moment.&lt;/p&gt;&lt;p&gt;&lt;b&gt;What are the malicious purposes of this Trojan?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;The Trojan, or to be precise, a penetration kit called Winnti, includes various modules to provide general-purpose remote access to compromised machines. This includes general system information collection, file and process management, creating chains of network port redirection for convenient data exfiltration, and remote desktop access.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Is this attack still active?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Yes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and an active investigation, the attackers remain active, with at least several victim companies around the world being actively compromised.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/855/Winnti_FAQ_More_than_just_a_game</guid>
		<link>http://www.securelist.com/en/blog/855/Winnti_FAQ_More_than_just_a_game</link>
		<pubDate>11 Apr 2013 17:21:16 +0400</pubDate>
		<title>Winnti FAQ. More than just a game</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Kurt Baumgartner)</author>
		<description>&lt;P&gt; Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated &quot;Important&quot;. It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer. &lt;/P&gt; &lt;P&gt; For Windows workstation environments, all versions of Internet Explorer need to be patched as soon as possible, including the v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available at the &quot;Windows Update&quot; site. &lt;/P&gt; &lt;P&gt; In addition to the privately reported vulnerabilities in the Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista, and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits available within 30 days targeting CVE-2013-1296. &lt;/P&gt; &lt;P&gt; Among the &quot;Important&quot; vulnerabilities, it is interesting to note a privately reported Elevation of Privilege issue, CVE-2013-0078, which is a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or a determined adversary to gain further access, and it is not a type of vulnerability usually hit by mass exploitation kits. Within organizations, this is something to address quickly, but individuals generally do not need to urgently address this type of issue. &lt;/P&gt; &lt;P&gt; See Microsoft's &lt;a href=http://technet.microsoft.com/en-us/security/bulletin/ms13-apr target=_blank&gt;Security Bulletin Summary for April 2013&lt;/a&gt; for the full list of this month's Bulletin releases. &lt;/P&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194217/Microsoft_Updates_April_2013_3_Critical_Vulnerabilities</guid>
		<link>http://www.securelist.com/en/blog/208194217/Microsoft_Updates_April_2013_3_Critical_Vulnerabilities</link>
		<pubDate>09 Apr 2013 22:23:20 +0400</pubDate>
		<title>Microsoft Updates April 2013 - 3 Critical Vulnerabilities</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Tatiana Kulikova)</author>
		<description>&lt;p&gt;A large number of scam emails disguised as newsletters sent by the CNN television channel have been detected again. Sensational headlines are used in the messages to grab the attention of recipients (e.g., falling stock indexes, the election of a new Pope etc.). Users are asked to click on the links provided in the messages to get access to the complete versions of the articles. To make them look authentic, the emails also include links to real CNN pages, but of course the link with the main piece of news is fake. It leads to a compromised website which uses JavaScript to redirect the user to a site hosting malware - in this case, the Blackhole exploit kit.&lt;/p&gt;  &lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/853.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;At the same time as the CNN newsletter scam, there has also been an epidemic of scam emails imitating Facebook notifications. In these emails, spammers suggested that users check out new comments on their photos. The mechanism used in the malicious link was the same as in the case described above. The most curious part, though, was that the scammers did not even bother to change the links. While in the former case the link included &amp;#8220;cnnbrnews.html&amp;#8221; after the domain name, the same ending in the link provided in fake Facebook messages looks out of place.&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/pictures/klblog/854.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Unfortunately, this is the only part of the scam where the cybercriminals were careless. Emails containing the malicious links are still being distributed, so be cautious when handling suspicious messages.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/852/Absent_minded_spammers</guid>
		<link>http://www.securelist.com/en/blog/852/Absent_minded_spammers</link>
		<pubDate>09 Apr 2013 17:42:00 +0400</pubDate>
		<title>Absent-minded spammers</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description> Is it a Skype day? Or maybe a Bitcoin one? Or maybe just both? I say this because right after I published my &lt;a href=&quot;http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype&quot;&gt;previous post&lt;/a&gt; about the ongoing malware campaign on Skype, a mate from Venezuela sent me a screenshot of her Skype client with a similar campaign in terms of propagation but different in terms of origins and purposes. Here is the original screenshot: &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194211.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; (Translation from Spanish: &quot;&lt;i&gt;&lt;b&gt;this is my favorite picture of you&lt;/b&gt;&lt;/i&gt;&quot;) </description>
		<guid>http://www.securelist.com/en/blog/208194210/Skypemageddon_by_bitcoining</guid>
		<link>http://www.securelist.com/en/blog/208194210/Skypemageddon_by_bitcoining</link>
		<pubDate>04 Apr 2013 23:28:00 +0400</pubDate>
		<title>Skypemageddon by bitcoining</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Dmitry Bestuzhev)</author>
		<description> There is a new malicious campaign ongoing on Skype. It's still active and kicking. The infection vector is social engineering: infected Skype accounts are abused to send mass messages to their contacts, like these ones: &lt;b&gt;i don't think i will ever sleep again after seeing this photo&lt;/b&gt; &lt;i&gt;http://www.goo.gl/XXXXX?image=IMG0540250-JPG&lt;/i&gt; &lt;b&gt;tell me what you think of this picture i edited&lt;/b&gt; &lt;i&gt;http://www.goo.gl/XXXXX?image=IMG0540250-JPG &lt;/i&gt; The Goo.gl short URL service shows that at the moment there are more than 170k clicks on the malicious URL, and only 1 hour ago there were around 160k clicks. It means the &lt;b&gt;campaign is quite active, with around 10k clicks per hour or 2.7 clicks per second!&lt;/b&gt; Most of the victims come from Russia and Ukraine: &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194207.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype</guid>
		<link>http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype</link>
		<pubDate>04 Apr 2013 18:40:19 +0400</pubDate>
		<title>An avalanche in Skype</title>
	</item>
	<item>
		<author>webmaster@securelist.com (David)</author>
		<description>&lt;p&gt;Some of you may remember the virus wallpaper calendars that we published in previous years, listing a selection of significant events in the history of the IT security industry.&lt;/p&gt;&lt;p&gt;&lt;p&gt;Well, we're posting new versions for 2013.&lt;/p&gt;&lt;p&gt;&lt;p&gt;April's wallpaper is here.&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;a href=&quot;http://www.securelist.com/en/calendar&quot;&gt;&lt;img src=&quot;images/pictures/klblog/208194205.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/a&gt;&lt;br/&gt;&lt;span class=small&gt;clickable!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;But be sure to check our &lt;a href=&quot;http://www.securelist.com/en/calendar&quot; target=_blank&gt;calendar page&lt;/a&gt; each month as we'll be adding new wallpapers as we go through the year.&lt;/p&gt;&lt;p&gt;&lt;p&gt;We hope they'll be an interesting background for your desktop, as well as highlighting key security events from the past.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194204/Virus_calendar_wallpapers_for_2013</guid>
		<link>http://www.securelist.com/en/blog/208194204/Virus_calendar_wallpapers_for_2013</link>
		<pubDate>04 Apr 2013 12:06:20 +0400</pubDate>
		<title>Virus calendar wallpapers for 2013</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Roel)</author>
		<description>&lt;p&gt;&quot;If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.&quot; Well, &quot;a bit more sluggish&quot; for limited sets of communications in parts of Europe for a few days is not a broken internet, and is certainly not close to a critical infrastructure disaster.&lt;/p&gt;&lt;p&gt;&lt;p&gt;There's been a lot of attention for the recent reports regarding a DDoS attack against Spamhaus which reached a peak of 300 Gbps. Yes, such an enormous amount of throughput definitely makes this one of the biggest DDoS attacks ever seen. DDoS attacks have seen an increase in popularity in recent times and there's no sign they'll go away anytime soon. Cyber-criminals, competitors, hacktivists and nation-state sponsored actors all have their motives to use DDoS attacks. In this case, a suspected entity behind these attacks is a Dutch hosting company called CyberBunker, whose owner denies being responsible, but claims to be a spokesman for the attackers. The conflict between Spamhaus and CyberBunker goes back to 2011 and has now escalated after Spamhaus blacklisted CyberBunker earlier this month. The timing and the conflict are uncanny. And Spamhaus is certainly under attack from some determined group capable of generating massive amounts of traffic, forcing them to move to the hosting and service provider CloudFlare, known for effectively dissipating large DDoS attacks.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194203/The_Biggest_DDoS_Ever_that_Almost_Broke_the_Internet</guid>
		<link>http://www.securelist.com/en/blog/208194203/The_Biggest_DDoS_Ever_that_Almost_Broke_the_Internet</link>
		<pubDate>30 Mar 2013 08:25:45 +0400</pubDate>
		<title>The Biggest DDoS Ever that &quot;Almost Broke the Internet&quot;?</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ben Godwood)</author>
		<description>&lt;style&gt; pre {color:black} .mail {color:blue;text-decoration:underline;} &lt;/style&gt;&lt;p&gt;&lt;p&gt;Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).&lt;/p&gt;&lt;p&gt;&lt;p&gt;The attacks seem to be from the same group and most appear to be sent from Australia or the Republic of Korea. The sender IP addresses vary but many are sent via &lt;em&gt;mail.mailftast.com&lt;/em&gt;. This domain is registered in China:&lt;/p&gt;&lt;p&gt;&lt;pre&gt;REGISTRANT CONTACT INFO liu runxin No.1,Nanjing Road Shanghai Shanghai 200001 CN Phone:         +86.2164415698 Email Address: &lt;span class=&quot;mail&quot;&gt;lishd2011@163.com&lt;/span&gt;&lt;/pre&gt;&lt;p&gt;&lt;p&gt;The documents fall into three categories:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;The first group of documents are related to articles on the Men's Health website.
These are some example filenames:&lt;p&gt;&lt;pre&gt;EAT FOR BETTER SEX.doc How to last longer in bed.doc 6 Awkward Sex Moments, Defused.doc 9 ways to have better,hotter,and more memorable sex.doc 10 Ways to Get More Sex.doc&lt;/pre&gt;&lt;p&gt;&lt;li&gt;The second group are military related: &lt;pre&gt;Stealth Frigate.doc The BrahMos Missile.doc How DRDO failed India's military.doc&lt;/pre&gt;&lt;p&gt;&lt;li&gt;The third set have Cyrillic filenames: &lt;pre&gt;&amp;#1087;&amp;#1088;&amp;#1080;&amp;#1086;&amp;#1088;&amp;#1080;&amp;#1090;&amp;#1077;&amp;#1090;&amp;#1099; &amp;#1089;&amp;#1086;&amp;#1090;&amp;#1088;&amp;#1091;&amp;#1076;&amp;#1085;&amp;#1080;&amp;#1095;&amp;#1077;&amp;#1089;&amp;#1090;&amp;#1074;&amp;#1072;.doc &amp;#1057;&amp;#1087;&amp;#1080;&amp;#1089;&amp;#1086;&amp;#1082; &amp;#1091;&amp;#1095;&amp;#1072;&amp;#1089;&amp;#1090;&amp;#1085;&amp;#1080;&amp;#1082;&amp;#1086;&amp;#1074; &amp;#1088;&amp;#1072;&amp;#1073;&amp;#1086;&amp;#1095;&amp;#1077;&amp;#1081; &amp;#1075;&amp;#1088;&amp;#1091;&amp;#1087;&amp;#1087;&amp;#1099;(0603-2013).doc &amp;#1057;&amp;#1087;&amp;#1080;&amp;#1089;&amp;#1086;&amp;#1082; &amp;#1082;&amp;#1072;&amp;#1076;&amp;#1088;&amp;#1086;&amp;#1074;.doc &amp;#1055;&amp;#1088;&amp;#1080;&amp;#1075;&amp;#1083;&amp;#1072;&amp;#1096;&amp;#1077;&amp;#1085;&amp;#1080;&amp;#1077; &amp;#1052;&amp;#1048;&amp;#1054;&amp;#1052; &amp;#1058;&amp;#1045;&amp;#1049;&amp;#1050;&amp;#1054;&amp;#1042;&amp;#1054; 2013.doc&lt;/pre&gt;&lt;p&gt;&lt;/ol&gt;</description>
		<guid>http://www.securelist.com/en/blog/846/Military_Hardware_and_Mens_Health</guid>
		<link>http://www.securelist.com/en/blog/846/Military_Hardware_and_Mens_Health</link>
		<pubDate>29 Mar 2013 16:40:47 +0400</pubDate>
		<title>Military Hardware and Mens Health</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Costin Raiu)</author>
		<description>&lt;p&gt;In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (&lt;a href=&quot;https://www.securelist.com/en/blog/208193631/A_Gift_for_Dalai_Lamas_Birthday&quot;&gt;A Gift for Dalai Lamas Birthday&lt;/a&gt; and &lt;a href=&quot;https://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify&quot;&gt;Cyber Attacks Against Uyghur Mac OS X Users Intensify&lt;/a&gt;) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.&lt;/p&gt; &lt;p&gt;Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.&lt;/p&gt; &lt;p&gt;&lt;b&gt;The attack&lt;/b&gt;&lt;/p&gt; &lt;p&gt;On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like: &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194187.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;In regards to the message text above, multiple activist groups have recently organized a human rights conference event in Geneva. We've noticed an increase in the number of attacks using this event as a lure. 
Here's another example of such an attack hitting Windows users:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194196.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;Going back to the Android Package (APK) file that was attached to the e-mail: it installs an Android application named &quot;WUC's Conference.apk&quot;.&lt;/p&gt; &lt;p&gt;This malicious APK is a 334326-byte file, MD5: 0b8806b38b52bebfe39ff585639e2ea2, and is detected by Kaspersky Lab products as &quot;Backdoor.AndroidOS.Chuli.a&quot;.&lt;/p&gt; &lt;p&gt;After the installation, an application named &quot;Conference&quot; appears on the desktop:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194194.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;p&gt;If the victim launches this app, they will see text which &quot;enlightens&quot; them about the upcoming event:&lt;/p&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194195.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack</guid>
		<link>http://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack</link>
		<pubDate>26 Mar 2013 16:14:19 +0400</pubDate>
		<title>Android Trojan Found in Targeted Attack</title>
	</item>
	<item>
		<author>webmaster@securelist.com (GReAT)</author>
		<description>&lt;p&gt;Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a &lt;a href=&quot;http://blog.crysys.hu/2013/03/teamspy/&quot;&gt;high profile targeted attack against Hungary&lt;/a&gt;. The details about the exact targets are not known and the incident remains classified.&lt;p&gt;&lt;p&gt;Considering the implications of such an attack, Kaspersky Lab's Global Research &amp; Analysis Team performed a technical analysis of the campaign and related malware samples.&lt;p&gt;&lt;p&gt;You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.</description>
		<guid>http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage</guid>
		<link>http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage</link>
		<pubDate>20 Mar 2013 21:23:19 +0400</pubDate>
		<title>The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage</title>
	</item>
	<item>
		<author>webmaster@securelist.com (GReAT)</author>
		<description>&lt;p&gt;Earlier today, reports of a number of &lt;a href=&quot;http://www.nknews.org/2013/03/south-korean-banks-broadcasters-paralyzed-by-cyber-attack/&quot;&gt;cyberattacks against various South Korean targets&lt;/a&gt; hit the news. &lt;p&gt;&lt;p&gt;The attackers, going by the handle Whois Team, left a number of messages during the defacements: &lt;center&gt; &lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194184.jpg&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt; &lt;/center&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks</guid>
		<link>http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks</link>
		<pubDate>20 Mar 2013 16:09:52 +0400</pubDate>
		<title>South Korean 'Whois Team' attacks</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Fabio Assolini)</author>
		<description>&lt;p&gt;Microsoft recently &lt;a href=&quot;http://blogs.skype.com/2012/11/06/skypewlm/#fbid=wzZJQssfFV3&quot;&gt;announced&lt;/a&gt; the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end represents the beginning of malicious attacks posing as the installer of the software. Cybercriminals have already started to use this fact in their attacks, registering malicious domains, buying sponsored links on search engines, and tricking users into downloading and installing malware masquerading as the MSN installer.&lt;/p&gt;&lt;p&gt;&lt;p&gt;MSN Messenger is still very popular in several countries; Microsoft &lt;a href=&quot;http://techcrunch.com/2012/11/06/end-of-an-era-windows-live-messenger-to-be-retired-users-transitioned-to-skype/&quot;&gt;informed&lt;/a&gt; that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As an escalated migration of all users is planned, it's getting harder to find the installer of the program, and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.&lt;/p&gt;&lt;p&gt;&lt;p&gt;In a simple search on Google for &quot;MSN messenger&quot;, the first result displayed is a sponsored link to a malicious domain aiming to distribute the fake installer, which is actually a Trojan banker:&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;img src=&quot;images/pictures/klblog/208194179.png&quot; border=&quot;1&quot; alt=&quot;&quot; title=&quot;&quot;&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194178/The_end_of_MSN_Messenger_the_beginning_of_attacks</guid>
		<link>http://www.securelist.com/en/blog/208194178/The_end_of_MSN_Messenger_the_beginning_of_attacks</link>
		<pubDate>19 Mar 2013 15:27:02 +0400</pubDate>
		<title>The end of MSN Messenger, the beginning of attacks</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Roman Unuchek)</author>
		<description>&lt;p&gt;In mid-February 2013 a Kaspersky user from Malaysia asked us to check a Google Play application called My HRMIS &amp; JPA Demo developed by Nur Nazri.&lt;/p&gt;   &lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207764503.jpg&quot; alt=''&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;The user was suspicious about the large number of permissions required by the app, though its only stated function was to open four websites.&lt;/p&gt;&lt;p&gt;&lt;p class=c&gt;&lt;img src=&quot;http://www.securelist.com/en/images/vlweblog/207764504.jpg&quot; alt=''&gt;&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/845/Hello_from_Malaysia</guid>
		<link>http://www.securelist.com/en/blog/845/Hello_from_Malaysia</link>
		<pubDate>15 Mar 2013 18:48:00 +0400</pubDate>
		<title>Hello from Malaysia</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Stefano Ortolani)</author>
		<description>&lt;p&gt; Every year as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends on Amsterdam. This year's conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right on Dam Square, the heart of Amsterdam. As spring doesn't necessarily equal warm days here in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here's a summary of the best talks at BlackHat Europe 2013. &lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/208194175/Highlights_from_BlackHat_Europe_2013_in_Amsterdam</guid>
		<link>http://www.securelist.com/en/blog/208194175/Highlights_from_BlackHat_Europe_2013_in_Amsterdam</link>
		<pubDate>15 Mar 2013 18:41:50 +0400</pubDate>
		<title>Highlights from BlackHat Europe 2013 in Amsterdam</title>
	</item>
	<item>
		<author>webmaster@securelist.com (Ben Godwood)</author>
		<description>&lt;p&gt;On March 4&lt;sup&gt;th&lt;/sup&gt; we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: &lt;em&gt;97b720519aefa00da58026f03d818251&lt;/em&gt;) but were being sent from many different source addresses.&lt;/p&gt; &lt;p&gt;The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:&lt;/p&gt; &lt;p class=&quot;c&quot;&gt;&lt;img src=&quot;images/pictures/klblog/838.jpg&quot; border=0 width=494 height=419 alt=''&gt;&lt;/p&gt; &lt;p&gt;The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.&lt;/p&gt;</description>
		<guid>http://www.securelist.com/en/blog/837/Reminder_be_careful_opening_invoices_on_the_21st_March</guid>
		<link>http://www.securelist.com/en/blog/837/Reminder_be_careful_opening_invoices_on_the_21st_March</link>
		<pubDate>14 Mar 2013 19:23:00 +0400</pubDate>
		<title>Reminder: be careful opening invoices on the 21st March</title>
	</item>

</channel>
</rss>