03 Feb A Glimpse Behind "The Mask" GReAT
11 Apr The Winnti honeypot - luring intruders Dmitry Tarakanov
11 Apr Winnti FAQ. More than just a game GReAT
29 Mar Military Hardware and Mens Health Ben Godwood
26 Mar Android Trojan Found in Targeted Attack Costin Raiu
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.
Our analysis of all these different APT operations indicated an unique use of languages, that offer clues regarding some of the people behind these operations. If the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean speaking authors, which we linked to North Korea.
During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation "The Mask" for reasons to be explained later.
Internet Explorer receives the bulk of attention, with sixteen RCE bugs and one "information disclosure" bug all fixed up in one tidy bulletin, MS13-055. All of these but one are memory corruption issues, and all versions of IE across all operating systems are effected by one or another of these RCE issues.
Serious issues in multiple graphics components are being addressed this month.
Serious memory corruption flaw CVE-2013-3174 is being fixed in DirectShow that enables RCE across all supported Windows OS. DirectShow handles multimedia streaming, and the software mishandles .gif files, an ancient file format designed back in the day of 8-bit video, Windows 3.1 and x486. The major issue here is that this RCE exists across all versions of Windows.
A WMV decoding flaw is implemented in several dlls (wmvdecod.dll, wmvdmod.dll, and wmv9vcm.dll) that enables RCE. The dlls support Windows Media Player and the Windows Media Fomat Runtime across all versions of Windows except the server code installs. But, some administrators may have enabled the optional "Desktop Experience" and installed these dlls. These dlls are not all installed on each OS by default, so not all systems require MS13-056 DirectShow update.
TrueType font parsing, the software functionality attacked in targeted attacks including the Duqu campaign and currently a part of the Blackhole exploit kit, again enables exploitation of another vulnerability in kernel mode graphics handling component GDI+. This bug also exists across all versions of Windows.
The metasploit code attacking CVE-2013-3172 and patched with MS13-053 is currently limited to escalation of privilege, but with all the interest, this one may soon publicly become full RCE. Considering that the bug was publicly circulated in May, it is great to see Microsoft finally roll out a full patch for this one, because in addition to this month's TrueType handling fix, this win32k.sys vulnerability enables RCE across all versions of the Windows OS, including Windows 2012 core server installations.
.NET and Silverlight are being patched with one bulletin, and a couple of the bugs are publicly known.
During our research on the Winnti group we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this sophisticated malicious program cybercriminals gained remote access to infected workstations and then carried out further activity manually.
Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers- activity on an infected computer.
At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But they quickly realized it wasn-t a computer they wanted to net. Once that was the case, the attackers- servers stopped responding to requests from bots working on virtual machines.
This is what we managed to learn at this stage of our monitoring.
First of all, the perpetrators looked at what was happening on the victim-s desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, searched for the file winmm.dll, and checked the operating system version. The ListFileManager plugin then came into play. It works with the file system and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the ?shutdown command, having typed ?shutdown /t /r 1 (the computer should have been restarted in 1 second), but after a while they shut the computer down completely with the use of the correct command ?shutdown /s /t 1.
Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.
According to report, the Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active.
The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects.The attackers' favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.
In our report we publish an analysis of the first generation of Winnti.
The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as results of our investigation, are described in the full report (PDF) on the Winnti group.
The Executive Summary is available here.
Is this research about a gaming Trojan from 2011? Why do you think it is significant?
This research is about a set of industrial cyberespionage campaigns and a criminal organization which massively penetrates many software companies and plays a very important role in the success of cyberespionage campaigns of other malicious actors.
It is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia. Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users. So far, we don't have data that the attackers stole from common users but we do have at least 2 incidents where the Winnti malware was planted on an online game update servers and these malicious executables were spread among a large number of the online gamers. The samples we observed seemed not to be malware targeting end user gamers, but a malware module which accidentally got into wrong place. Hoever, the potential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global risk.
It's important to understand that many gaming companies do business not only in gaming, but very often they are also developers or publishers of different other types of software. We have tracked an incident where a compromised company served an update of their software which included a Trojan from the Winnti hacking team. That became an infection vector to penetrate another company, which in turn led to a personal data leak of large number of its customers.
So far, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a serious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at the moment.
What are the malicious purposes of this Trojan?
The Trojan, or to be precise, a penetration kit called Winnti includes various modules to provide general purpose remote access to compromised machines. This includes general system information collection, file and process management, creating chains of network port redirection for convenient data exfiltration and remote desktop access.
Is this attack still active?
Yes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and an active investigation, the attackers remain active, with at least several victim companies around the world being actively compromised.
Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).
The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China:
REGISTRANT CONTACT INFO liu runxin No.1,Nanjing Road Shanghai Shanghai 200001 CN Phone: +86.2164415698 Email Address: email@example.com
The documents are in three categories:
EAT FOR BETTER SEX.doc How to last longer in bed.doc 6 Awkward Sex Moments, Defused.doc 9 ways to have better,hotter,and more memorable sex.doc 10 Ways to Get More Sex.doc
Stealth Frigate.doc The BrahMos Missile.doc How DRDO failed India's military.doc
приоритеты сотрудничества.doc Список участников рабочей группы(0603-2013).doc Список кадров.doc Приглашение МИОМ ТЕЙКОВО 2013.doc
In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.
Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.
On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:
In regards to the message text above, multiple activist groups have recently organized a human rights conference event in Geneva. We've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack hitting Windows users:
Going back to the Android Package (APK) file was attached to the e-mail, this is pushing an Android application named "WUC's Conference.apk".
This malicious APK is 334326 bytes file, MD5: 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as "Backdoor.AndroidOS.Chuli.a".
After the installation, an application named "Conference" appears on the desktop:
If the victim launches this app, he will see text which "enlightens" the information about the upcoming event:
Today's February Microsoft Security Bulletin release patches a long list of vulnerabilities. However, only a subset of these vulnerabilities are critical. Four of them effect client side software and one effect server side - Internet Explorer, DirectShow media processing components (using web browsers or Office software as a vector of delivery), OLE automation components (APT related spearphish), and one effecting the specially licensed "Oracle Outside In" components hosted by Microsoft Exchange that could be used to attack OWA users. These critical vulnerabilities all potentially enable remote code execution, as does the Sharepoint server related Bulletin rated "important" this month. The other vulnerabilities enable Elevation of Privilege and Denial of Service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited. A large number of the CVE being patched are in the kernel code, so this month most everyone should expect to manage a reboot.
The long list of CVE patched by MS-13-016 all address race conditions that were privately reported in win32k.sys, which all enable non-trivial EoP attacks. This lessens the severity of the issue, as evidenced by the recent RDP vulnerability that attracted so much attention at the end of this past year.
So, we should focus immediate efforts on the handful of critical RCE this month.
Earlier this week, we published our report on Red October, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.
In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attackers operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.
Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.
When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that its important to analyze not just the infection, but to answer three very important questions:
According to our knowledge, never before in the history of ITSec has an cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victims data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.
To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.
Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks.
In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544).We know the early February 2012 timeframe that they would have used this technique, and this exploit use is consistent with their approach in that it's not 0-day. Most likely, a link to the site was emailed to potential victims, and the victim systems were running an outdated version of Java. However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible for serving the '.jar' malcode archive, the line of code delivering the java exploit was commented out. Also, the related links, java, and the executable payload are proving difficult to track down to this point. The domain involved in the attack is presented only once in a public sandbox at malwr.com (http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that they registered the domain hotinfonews.com:
Domain Name: HOTINFONEWS.COM
Denis Gozolov (firstname.lastname@example.org)
Narva mnt 27
Creation Date: 14-Feb-2012
Expiration Date: 14-Feb-2013
Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike the many other Red October components.We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn't need the effort any longer. Which may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims' environment, had a need to shift to Java from their usual spearphishing techniques in early February 2012. And then they went back to their spear phishing. Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connecting with a governmental economic research institute in the Middle East.
Here's a link to the full paper (part 1) about our Red October research. During the next days, we'll be publishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.
During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.
Kaspersky Lab's researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.
The campaign, identified as "Rocra", short for "Red October", is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.