The Olympic Games are a huge event, and scammers are obviously going to try to exploit the interest they generate. We’ve already written about “Olympic” spam mailings. Now, SMS spammers have also appeared on the scene.
On February 10 we registered a spam mailing, which supposedly led to the live stream of an Olympic event:
«Olympic live stream in Sochi hxxp://mms****.ru/olympic.apk»
If unsuspecting users click on the link, a Trojan will be downloaded to their device. We detect the Trojan in question as HEUR:Trojan-SMS.AndroidOS.FakeInst.fb.
If this Trojan successfully downloads and launches, it contacts the C&C server and transfers the data gathered on the user’s phone, including the list of contacts.
The XXII Winter Olympic Games officially get under way on 7 February. Of course, this major sporting event has not gone unnoticed by the spammers. The “Nigerian” scammers couldn’t resist either: at the end of January we received an interesting mailing from someone looking for a trustworthy person in Russia who they could transfer 850,000 euros to. To explain such an unusual request, the author didn’t use the standard “Nigerian” tales, but instead cited a trip to the Olympic Games - the money was needed for a group of six people who supposedly intended to stay in Sochi. For further information, the recipient of this generous offer had to contact the sender.
A seemingly harmless request for help in organizing a trip turns out to be a trap, with the usual large sum of money as the bait. A reference to a real event is used to persuade the recipient that the request is genuine. But the result is always the same – the spammer asks the recipient to transfer a certain amount of money, for instance, to cover the costs of the transfer, and after that the fraudster vanishes without a trace.
Letters about lottery wins are a standard trick used by “Nigerian” scammers. Very often, the author of such a letter explains that he is the happy winner of a multi-million lottery, that he doesn’t know how to spend the unexpected windfall, and that he has decided to turn to philanthropy.
A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.
This post provides a technical analysis of the exploits and payload that we discovered.
All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:
All of the exploits target the same vulnerability and all are unpacked SWF files. All have identical ActionScript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7 x64, 2008 R2, 2008, 8, 8 x64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64.
Operating system version check algorithm
Several media outlets reported on January 7th, 2014, that a PC associated with “Monju” (the Fast Breeder Reactor of the Japan Atomic Energy Agency) was infected by malware and that information leaks were suspected. Some pointed out that the infection had possibly been caused by abuse of the legitimate update mechanism of "GOM Player", which made it big news. GOM Player is a free media player with popular video/audio codecs built in, favored by many Japanese users. It differs from similar free media players in some notable ways: it supports major file formats such as AVI, DAT, DivX, MPEG and WMV, to name just some, and it officially ships a Japanese version. It is said to have more than 6 million users in Japan.
We received the sample file named “GoMPLAYER_JPSETUP.EXE”:
The storm of phishing and malware attacks using the theme of the World Cup continues – some months ago we registered several malicious campaigns with this theme. To diversify the attacks and attract more victims, Brazilian cybercriminals decided to invest their efforts in spreading fake giveaways and fraudulent websites selling tickets for the games at very low prices, tickets that in fact do not exist.
The attacks start when a user does a simple search on Google, looking for websites selling World Cup tickets. Bad guys registered the fraudulent domain fifabr.com that is displayed among the first results as a sponsored link:
Mikhail Khodorkovsky, the former head of the Russian oil company YUKOS, was recently released from jail. There is a lot of speculation in Russia as to the reasons for his amnesty, while tabloids around the world are watching the ex-businessman’s every step. For ‘Nigerian’ scammers, the news served as the basis for a tale of tragedy whose sole aim is to squeeze money out of gullible users.
According to the ‘Nigerian’ story, an entire group of Russian oil tycoons (an exaggeration that is intended to justify the huge sum of money referred to in the story) faced trial on fraud charges. Luckily for the recipient, they had time to transfer their fortunes to a trust account with a UK bank. And now a mysterious middleman, Mr. Maharais Abash, is asking people to provide a personal bank account that the $50 million oil fortune could be transferred to. Naturally, the affair is strictly confidential – UK and Russian officials should know nothing about it.
Khodorkovsky’s release from jail triggered a surge in creative scams by these writers of ‘Nigerian letters’ – there can be no other explanation for the claim that an entire group of oil tycoons (rather than just one individual) was supposedly given a 15-year sentence. Fortunately, this makes it easier to spot the scam. A simple online search will quickly reveal that there have been no mass arrests of Russian oligarchs, and that the $50 million is merely a figment of Mr. Maharais Abash’s imagination – if indeed he even exists.
China is traditionally the leading source of spam in the world, and letters from numerous Chinese manufacturers, producing a huge variety of goods, are constantly present in spam traffic. In our October report we mentioned that these mailings are usually linked in some way to the most popular international holidays. Since January doesn’t really have any major holidays to speak of, the spammers have turned to another major event – the forthcoming Winter Olympics in Sochi. For instance, some warehouse companies have been promoting their services by telling recipients that those services are being used by Russia in preparation for the Sochi 2014 Games.
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.
String initialization and decryption is implemented in the static initializer code (<clinit>).
In our practice, we often encounter cases where messages with a malicious attachment are mass-mailed to many addresses at the same time. Recently, though, we saw a series of messages persistently sent to the same email address. Apparently, the attacker’s main goal was to infect that particular computer – all the emails, no matter what their headers were, contained Email-Worm.Win32.NetSky.q. This worm’s characteristic feature is that it spreads via email attachments. After infecting a computer, the worm harvests all the email addresses stored on it and mails copies of itself to them, using specific short phrases as message text and avoiding any email addresses that may be directly associated with IT security providers, such as antivirus companies.
The first message we detected purportedly came from the PayPal payment system. The text in the body of the letter said that there was a bill for the user in the attachment.