Incidents | The Icefog APT Hits US Targets With Java Backdoor

Costin Raiu, VitalyK, Igor Soumenkov
Kaspersky Lab Experts
Posted January 14, 09:30 GMT
Tags: JavaScript, Targeted Attacks

In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and ship-building groups.

Icefog, also known as the "Dagger Panda" by Crowdstrike's naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.

Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, referred to below as "Javafog".


Meet "Lingdona"

The Icefog operation has been active since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:

  • The "old" 2011 Icefog – sends stolen data by e-mail; this version was used against the Japanese House of Representatives and the House of Councillors in 2011.
  • Type "1" "normal" Icefog – interacts with command-and-control servers via a set of ".aspx" scripts.
  • Type "2" Icefog – interacts with a script-based proxy server that redirects commands from the attackers to another machine.
  • Type "3" Icefog – a variant that uses a certain type of C&C server with scripts named "view.asp" and "update.asp".
  • Type "4" Icefog – a variant that uses a certain type of C&C server with a script named "upfile.asp".
  • Icefog-NG – communicates by direct TCP connection to port 5600.

In addition to these, we also identified "Macfog", a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.

Every single day, Kaspersky Lab processes more than 300,000 new malware samples. The vast majority of these malicious files are what we call crimeware: computer programs designed for financial profit and used by cyber-criminals to make money. Of the remainder, a small number are designed exclusively for cyber-espionage and used by a variety of advanced threat actors.

What is left is an even smaller percentage of the total and includes rare, unusual things. Wipers, which are highly destructive programs, are among the rarest kinds of malware; however, their use has spiked over the last few years.

Back in the old days, most malware was written by computer enthusiasts, cyber-hooligans and pranksters. Hence, destructive viruses and Trojans were much more common. One example is BadSectors, a computer virus that would mark disk sectors as bad, even if they weren’t, resulting in subtle corruption of data. Another example was OneHalf, a computer virus that would encrypt the hard drive cylinder-by-cylinder, transparently decrypting it on the fly while active. Removing the virus would leave the data on the disk in encrypted form, without an easy way to decrypt it.

Perhaps the best known example is CIH, also known as Chernobyl. CIH, named after the initials of its author, Chen Ing-hau, was a computer virus that had the ability to wipe the BIOS flash memory. Computers affected by CIH couldn’t boot up anymore. This wasn’t a major problem for desktop PCs, whose BIOS memory was a removable chip that could be reprogrammed on another system; for laptop owners, however, the CIH virus was quite destructive.

Over the last few years, we’ve seen a number of major incidents involving destructive malware. We’ve decided to put together a brief summary of the most important Wiper incidents:

1. The “Wiper”

In late 2011 and early 2012, reports emerged about computer systems that were compromised and rendered unbootable. The damage to these systems was so extensive that almost no data was recoverable. Some artefacts from the wiped systems indicated a possible link with Stuxnet and Duqu; however, this was never proven. The malware responsible for these attacks was named the "Wiper"; we wrote about it here.

You may have read about the Cryptolocker malware, a new ransomware Trojan that encrypts your files and demands money to return them.

In the past, we have witnessed similar malware, such as the famous GPCode, which used RSA keys for encryption. Back in 2008, we cracked the 660-bit RSA key used by GPCode and provided the victims with a method to decrypt and recover their data. Later, the GPCode authors upgraded the RSA key to 1024 bits, putting it perhaps only within the realm of the NSA’s cracking power.

NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high-profile victims in more than 40 countries. Known targets of NetTraveler (also known as "Travnet" or "Netfile") include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

During the last week, several spear-phishing e-mails were sent to multiple Uyghur activists. Here’s an example:

In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (A Gift for Dalai Lama's Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.

Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment, a malicious program for Android.

The attack

On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:

Regarding the message text above, multiple activist groups have recently organized a human rights conference in Geneva. We've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack hitting Windows users:

Returning to the Android Package (APK) file attached to the e-mail: it installs an Android application named "WUC's Conference.apk".

This malicious APK is a 334326-byte file (MD5: 0b8806b38b52bebfe39ff585639e2ea2) and is detected by Kaspersky Lab products as "Backdoor.AndroidOS.Chuli.a".

After the installation, an application named "Conference" appears on the desktop:

If the victim launches this app, they will see text that "enlightens" them about the upcoming event:

Incidents | New Uyghur and Tibetan Themed Attacks Using PDF Exploits

Costin Raiu, Igor Soumenkov
Kaspersky Lab Experts
Posted March 14, 10:55 GMT
Tags: Adobe PDF, Targeted Attacks, Adobe

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy".

Previously, we posted about another campaign hitting governments and other institutions, named Miniduke, which also used the same "Divine Comedy" PDF exploits.

In the meantime, we've come across other attacks which piggyback on the same high-level exploit code, only this time the targets are different: Uyghur activists.

Together with our partners at AlienVault Labs, we analyzed these new exploits. For their blog post, which includes Yara rules and industry-standard IOCs, please read [here]. For our analysis, please read below.

The new attacks

A few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:

7005e9ee9f673edad5130b3341bf5e5f        2013-Yilliq Noruz Bayram Merik isige Teklip.pdf
d00e4ac94f1e4ff67e0e0dfcf900c1a8        ÁLÃûÐÅ.pdf (joint_letter.pdf)
ad668992e15806812dd9a1514cfc065b        arp.pdf

The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.

Incidents | Cyber Attacks Against Uyghur Mac OS X Users Intensify

Costin Raiu, Kurt Baumgartner
Kaspersky Lab Experts
Posted February 13, 16:53 GMT
Tags: Targeted Attacks

In partnership with researchers at AlienVault Labs, we’ve analysed a series of targeted attacks against Uyghur Mac OS X users which took place during the past months. You can read their analysis here. For our research, please read below.

We previously wrote about targeted attacks against Tibetan activists which used Mac OS X malware. In addition to these, last June we reported on attacks using Mac OS X malware against Uyghur supporters. These later attacks took advantage of social engineering to infect unsuspecting users with "Backdoor.OSX.MaControl.b".

During the past months, we’ve monitored a series of targeted attacks against Uyghur supporters, most notably against the World Uyghur Congress (WUC).

Incidents | New Skype vulnerability allows hijacking of your account

Costin Raiu
Kaspersky Lab Expert
Posted November 14, 10:33 GMT
Tags: Microsoft, Skype

Last night, reports appeared on several Russian forums regarding a Skype account hijacking exploit. The information has been made available on several Russian blogs and is now being actively exploited in the wild.

Incidents | Hotmail: Your password was too long, so we fixed it for you

Costin Raiu
Kaspersky Lab Expert
Posted September 21, 16:04 GMT
Tags: Microsoft

Earlier this year, about 6.5 million LinkedIn account password hashes were published on a hackers’ forum. The hashes were simple SHA1 digests computed from the users’ passwords, as stored in the LinkedIn backend infrastructure.

It didn’t take long for hackers to start cracking them, with over half of them cracked in almost no time.

There are two main reasons why such fast cracking was possible:

* the usage of the SHA1 function itself
* fast GPUs

Let’s take a look at both.

Recently, we wrote about the Dalai Lama being a frequent Mac user. While this is true for His Holiness, not all his supporters use Macs yet.

You may wonder why this is relevant. Well, on the 6th of July, His Holiness will be 77 years old, a kind of round number. It is no surprise that “Dalai Lama Birthday” attacks are already ongoing.

On July 3rd, we noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”: