Friday, 19 December 2014

Commonalities between the different wiper viruses

In this blog post I will describe details about several attacks that, as of today, are not directly linked to each other, but that in my opinion share very important commonalities that should not go unnoticed.

The main hacking attacks I will talk about are the Dark Seoul cyberattacks, the Shamoon wiper virus and the Destover malware used to attack Sony. All have their own Wikipedia page, which shows their extent.

Below I describe some remarkable events in which wiping/erasing malware functionality plays a key role. The events are in chronological order (some political events are mentioned as well).

July 8, 2009 Malware is used to launch a large-scale DDoS attack and eventually corrupts the systems by placing the text "Memory of the Independence Day" in the Master Boot Record (MBR) to prevent the compromised computer from restarting. The malware used hardcoded command and control IP addresses.

March 4th, 2011 Malware is used to launch DDoS attacks, encrypt files and corrupt the MBR. Bytes are written to the MBR to prevent the system from booting normally, thus breaking the system. The malware is also able to encrypt documents. Hardcoded command and control IP addresses are embedded in the malware.

April, 2012 The Iranian oil ministry is hit by a cyber-attack. The malware effectively wipes whole computers, leaving no traces. Security researchers from Kaspersky, who are called in to investigate the attack, find only a few traces of the malware, loosely linking it to Duqu and Stuxnet.

July 2012
Oil embargo sanctions against Iran, set to squeeze the country, effectively start in July 2012, costing it $133 million in losses a day.

News broke that Saudi Aramco had been hit by a cyber attack. It suffered from a virus that effectively destroyed the MBR, crippling the computer network. In the MBR a small portion of a JPG image was displayed, which later turned out to be a burning American flag. The attackers claimed to belong to the group "The Cutting Sword of Justice" and promised another present on August 25th.

August 25, 2012 Hackers from "The Cutting Sword of Justice" kept their promise and crippled the network of the Qatar-based firm RasGas.

Sept 1, 2012
Iran and North Korea sign a scientific and technological cooperation agreement, bringing the two nations, both deeply at odds with the US, closer together.

March 20, 2013 Hard-drive-wiping malware hit South Korea. Banks and television stations were reportedly crippled. Computers failed to boot up properly and displayed an image of three skulls alongside a message claiming that the systems had been "hacked by Whois Team".

February 11th, 2014 The Sands Casino was hit by a cyber attack. Its public website and internal network infrastructure were defaced and effectively wiped. The hacker group "Anti WMD Team" claimed responsibility.
http://www.sandsinfo.com/index.html
http://i1-news.softpedia-static.com/images/news2/No-Credit-Card-Data-Compromised-in-Las-Vegas-Sands-Casino-Company-Hack-AP-426875-2.jpg

November 24, 2014 Sony Pictures falls victim to a devastating cyber attack. All internal data is leaked and computers are destroyed. The attackers are known only by their collective name, the "Guardians of Peace". Once again the malware deletes the MBR.

Commonalities

If we quickly point at a perpetrator in each of the above cases, it looks like this (same order as the events above):
July 2009: North Korea
March 2011: North Korea
April 2012 (Iranian oil ministry): US/Israel
2012 (Saudi Aramco): Iran
August 2012 (RasGas): Iran
March 2013 (South Korea): North Korea
February 2014 (Sands Casino): Iran
November 2014 (Sony): North Korea

The first attack clearly used highly technical malware and could possibly be attributed to America and/or Israel, as there is reason to believe it is connected to Duqu and Stuxnet. It is the first appearance of "wiping" malware.

Quickly after this first attack another devastating "wiping" malware struck Saudi Aramco. This time the malware was not very technical, but it proved its capability to destroy computers and was highly effective in its job. The malware moved laterally throughout the network, had preconfigured Command and Control addresses, used compromised account credentials and sent a notification message to an internal proxy server, which in turn forwarded that information to the internet. The attackers apparently wanted to know how much damage their attack had caused. Through pastebin posts the world was updated about the success of the malware. A group no one had ever heard of claimed responsibility: "The Cutting Sword of Justice".

In order to improve the impact, the malware used a signed driver from the company ElDos. The malware contained several typing errors that made some parts of it malfunction. Although claiming to be of Saudi origin, the hackers communicated in English. In the MBR the hackers left a small portion of an image, which turned out to be a burning American flag. The hackers actively approached the press, said they would bring another gift and promised to be back. The malware was compiled 5 days in advance of the attack.

Shortly after the attack on Saudi Aramco the hackers delivered what could be assumed to be the present mentioned in some of the statements of "The Cutting Sword of Justice". This time the Qatar-based firm RasGas fell victim to a wiper virus. The malware spread laterally throughout the network, had preconfigured user account credentials, contained a lot of coding errors and also used the ElDos driver.

Then in 2013 South Korea fell victim to a large-scale attack on its national infrastructure. Computers of banks and television stations were wiped. This time a group, again one no one had ever heard of, called "Whois Team" claimed responsibility. The malware had a Linux component, and credentials were retrieved from a very specific path (see http://www.symantec.com/security_response/writeup.jsp?docid=2013-032014-2531-99&tabid=2), indicating the malware was specifically designed for this attack.
The malware was compiled 2 days before the attack.

In February 2014 the Sands Casino fell victim to another wiping malware. As I have no sample of this malware I cannot draw any conclusions so far, but the attackers claimed to be from the unknown group "Anti WMD Team" and communicated in English. Via messages directed at the casino and through video posts the attackers made clear they had stolen 828 Gb of data and had it in their possession. They actively approached the press, promised a gift and said they would be back soon.

In November Sony fell victim to the devastating wiping malware. The malware used the ElDos driver again, moved throughout the internal network via lateral movement, had hardcoded Command and Control IP addresses in it, had hardcoded credentials in the code, contained typing errors and showed a picture with the attackers' demands. The hackers were once again from an unknown team called "Guardians of Peace", communicated in English and, well yes, they promised a Christmas gift and said they would be back soon.
In the meantime they slowly release all the data they stole to the public, and they actively approached the press.
The malware was compiled just a few days before the actual attack.

Some of the commonalities shared between these attacks are the following:
Political messages
ElDos driver
Actively approached the press
Promised a gift / said to be back
Communication in English
English group name
Formerly unknown group
Use of images in the MBR
Specific timing
Compilation a few days before the attack

There definitely is no smoking gun here, but the circumstantial evidence is of such similarity that it, in my opinion, cannot be ignored.

Political Messages
Political messages were to be found in all cases. Burning flags, detonation on specific dates and statements made by the groups always had a political tone.

ElDos driver
The returning usage of the ElDos driver is one commonality shared by the malware. Malware whose main purpose is to completely destroy hard drives is rare in itself; that the same driver is used across several of them is even more unusual. And it is especially remarkable that in some of the attacks the driver wasn't even necessary for the purpose it was supposed to serve. Apparently the driver was just there and available to the attackers, and because of this they decided to include it in their malware. Maybe because they were just used to doing it?

Actively approaching the press
In some attacks the attackers specifically targeted the press. They didn't just choose one newspaper or one favourite journalist, as often happens with lone wolves or small groups. No, they were highly informed about which press is influential and distributed their message en masse to all these organizations. The chance of getting unmasked by accidentally exposing more information to the journalists they approached apparently didn't pose a threat to the hackers.

Promising Gifts and Said to be back
In some of these cases the hackers said they had a present waiting. The presents promised were thus far always delivered. Promising something and keeping that promise causes extra fear on the victim's side.

Communication in English
While this clearly doesn't seem important, it is remarkable that attackers of supposedly Saudi origin, attacking a Saudi company, communicate in English whilst the first language of both is Arabic. The attackers stuck to English as their way to communicate with their victims, and clearly wanted the world to be able to read and understand it as well. This is a small indication that the attacks were not aimed at the company, but at the public.

English group names
In all cases English group names were used. In the attacks of which Iran is the main suspect, one group called itself "The Cutting Sword of Justice" and in the attack on the Sands Casino the attackers said: "Don't let your tongue cut your throat." On the other hand, in the attacks of which North Korea is the main suspect, the group names were "The WHOIS team" and "Guardians of Peace". By causing havoc these attackers apparently want to establish world peace.

Unknown groups
Often hackers and hacktivists join groups, known groups: groups that claim responsibility because the hackers are proud of what they have achieved. They want people to know it was them again. They want to prove to the public they are capable of doing it again. In these cases the attacking groups had never been seen before, and have thus far not been seen since the events.

The use of images
In the first attack on Saudi Aramco, a small portion of a JPG image was left in the MBR. This image eventually turned out to be a burning American flag. Although according to the initial message the attack had to do with the country of Saudi Arabia, apparently something American had stung the creators of the malware. The images used in the DarkSeoul attack and the Sony attack have remarkable commonalities in their layout and structure.
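Every case above ends with an overwritten MBR, so a first triage question for a responder is simply "does this boot sector still look like one?". The following is an added example, not code from the original post or from any of the malware samples it lists: it checks the 0x55AA boot signature, the sanity of the four partition entries and the printable strings in the bootstrap area of a 512-byte sector. Both sample sectors are constructed here for illustration; the slogan in the wiped one is the text the post quotes from the 2009 case.

```python
# Added example (not code from the original post): a triage check for a single
# 512-byte master boot record, the structure that every wiper above overwrote.
# The two sample sectors are constructed for illustration, not real disk images.
import string
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446       # 4 entries of 16 bytes, then the 2-byte signature
BOOT_SIGNATURE = b"\x55\xaa"
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def ascii_runs(data: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes (the analyst's 'strings')."""
    runs, current = [], bytearray()
    for b in data + b"\x00":           # trailing NUL flushes the last run
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs


def check_mbr(sector: bytes) -> dict:
    """Return findings for one sector: signature, partition table sanity, strings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        boot_flag, part_type = entry[0], entry[4]
        first_lba, sector_count = struct.unpack("<II", entry[8:16])
        if part_type == 0:
            continue                   # empty slot
        partitions.append({
            "type": part_type,
            "start_lba": first_lba,
            "sectors": sector_count,
            # boot indicator must be 0x00 or 0x80 and the extent must be non-empty
            "sane": boot_flag in (0x00, 0x80) and first_lba > 0 and sector_count > 0,
        })
    findings = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        # Strings in the bootstrap area are a lead, not a verdict: genuine boot
        # code carries a few error messages, a wiper may leave its slogan here.
        "strings": ascii_runs(sector[:PARTITION_TABLE_OFFSET]),
    }
    findings["suspicious"] = (
        not findings["signature_ok"]
        or not partitions
        or any(not p["sane"] for p in partitions)
    )
    return findings


def make_sample_mbr(healthy: bool) -> bytes:
    """Constructed sample sector: a minimal sane MBR, or one trampled by a wiper."""
    sector = bytearray(SECTOR_SIZE)
    if healthy:
        sector[0:3] = b"\x33\xc0\x8e"      # xor ax,ax / mov ds,ax: typical boot-code start
        sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = (
            b"\x80" + b"\x00" * 3          # bootable, CHS start (unused here)
            + b"\x07" + b"\x00" * 3        # NTFS type, CHS end (unused here)
            + struct.pack("<II", 2048, 1048576)
        )
        sector[510:512] = BOOT_SIGNATURE
    else:
        # Boot code replaced by a slogan, partition table and signature zeroed,
        # as the 2009 case above left "Memory of the Independence Day" in the MBR.
        slogan = b"Memory of the Independence Day"
        sector[0:len(slogan)] = slogan
    return bytes(sector)


if __name__ == "__main__":
    for label, healthy in (("healthy", True), ("wiped", False)):
        print(label, check_mbr(make_sample_mbr(healthy)))
```

On a real image, read the first 512 bytes of the disk (or of a forensic copy) and pass them to check_mbr; a standard boot sector will report a few strings such as its own error messages, which is why the verdict is driven by the signature and partition table rather than by the strings alone.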

Specific timing
During the attacks and in the statements made by the different groups, very specific timing was used. The malware at Saudi Aramco was set to detonate at a specific time, and the promised present was again set for a very specific time. This was also the case in the DarkSeoul attack, as it was in the Sony attack. The usage of very specific timing is not uncommon for programmers. It is less common though in ongoing attacks, because once an attack is launched the attackers usually lose control over the situation. In these cases the attackers apparently were very confident of their success.

Compilation times
Specifically in the Shamoon, DarkSeoul and Destover malware the compilation time was right before the attack. The attackers apparently waited till the last moment to compile their weapon and deploy it in the open.
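The compile time referred to here is the TimeDateStamp field of the PE file's COFF header. The following is an added example, not code from the original post: it reads that field directly from the bytes of an executable and expresses the gap to a given attack date in days. make_stub_pe() builds a constructed minimal header (just a DOS header pointing at a COFF header) so the example runs without a real sample; the worked instance uses the DarkSeoul date from the post and a stamp constructed to sit 2 days before it, matching the observation in the text.

```python
# Added example (not code from the original post): read the linker timestamp
# (IMAGE_FILE_HEADER.TimeDateStamp) out of a PE file and compare it with the
# attack date. make_stub_pe() builds a constructed minimal header, not a real sample.
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Linker timestamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ)")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, pe_offset + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def days_before(compiled: datetime, attack: datetime) -> float:
    """Days from compile time to the attack; negative means the stamp is later than the attack."""
    return (attack - compiled).total_seconds() / 86400


def make_stub_pe(stamp: int) -> bytes:
    """Constructed minimal header: a DOS header pointing at a COFF header that carries `stamp`."""
    dos = bytearray(0x40)                       # DOS header is 64 bytes
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE header directly after
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\x00\x00",
        0x014C,      # Machine: i386
        1,           # NumberOfSections
        stamp,       # TimeDateStamp (seconds since 1970-01-01 UTC)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader (none in this stub)
        0x0102,      # Characteristics: executable image, 32-bit
    )
    return bytes(dos) + coff


def darkseoul_style_check() -> float:
    """Worked instance: the post notes the DarkSeoul binaries were compiled 2 days
    before the 20 March 2013 attack; the stamp here is constructed to match that."""
    attack = datetime(2013, 3, 20, tzinfo=timezone.utc)
    stamp = int(datetime(2013, 3, 18, tzinfo=timezone.utc).timestamp())
    return days_before(pe_timestamp(make_stub_pe(stamp)), attack)


if __name__ == "__main__":
    print("compiled", darkseoul_style_check(), "days before the attack")
```

For a real file, pass open(path, "rb").read() to pe_timestamp. The stamp is written by the linker and is trivially forgeable (some toolchains also zero it), so treat a "compiled days before the attack" finding as one indicator to corroborate, not as proof on its own.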

As a side note, it is probably remarkable that Keith Alexander on numerous occasions specifically named the adversaries described in the above attacks. Some of the videos are below:

See: 15:58

As the usage of destructive malware is uncommon, so is the modus operandi of the described attacks. Based on these facts I can imagine the presence of an APT group that is funded and supported by the Iranian and North Korean governments and specifically tasked with targeting common enemies.

Destover, md5: 6467c6df4ba4526c7f7a7bc950bd47eb
Shamoon, md5: b14299fd4d1cbfb4cc7486d978398214 & d214c717a357fe3a455610b197c390aa
DarkSeoul, md5: 5fcd6e1dace6b0599429d913850f0364 & 0a8032cd6b4a710b1771a080fa09fb87 & 50e03200c3a0becbf33b3788dac8cd46 & db4bbdc36a78a8807ad9b15a562515c4 & e4f66c3cd27b97649976f6f0daad9032 & f0e045210e3258dad91d7b6b4d64e7f3

Wednesday, 15 October 2014

The Netherlands targeted by a CryptoLocker campaign

A few days ago a CryptoLocker malware campaign appeared on RedSocks' radar. Several forums report a spam campaign that appears to come from PostNL. This spam contains various links to different domains, all of which eventually end up at the domains postnl-track.com, postnl-track.info, postnl-track.org, postnl-track.net or postnl-tracktrace.com. Via these domains an attempt is made to infect the visitor with the CryptoLocker malware.

Unsuspecting users receive an email from PostNL.

In this email people are often addressed by first and last name, even when first and last name cannot be derived directly from the email address. This suggests that the attackers have access to a database containing at least surname, first name and the corresponding email address.
Although the email is not written in entirely correct Dutch, there are only a few small errors that can easily be overlooked.

The CryptoLocker malware encrypts all documents and files present on the system and demands a sum of money to be able to decrypt these files again. By now at least 18 people have paid, a total worth €3484, and this is rising fast!

Below is a description of how the infection takes place:

The unsuspecting victim has some documents on the computer:

The spam email is received and the link in the email is clicked; the following page appears:

A code must be entered, after which the information about your parcel can be downloaded. When the code is entered, the download of a .zip file starts.

This zip file contains an executable named track_[number].exe. Every executable is unique and has its own md5 hash value.

The file claims to be Google Chrome, from the company Google Inc.
When this file is opened, the following page appears:

When the files on the file system are then examined, the following can be seen:

All files have been given the extension .encrypted and can no longer be opened.
To undo the encryption, payment must be made as described on the page below.

As mentioned earlier, at least 18 people have paid money to get rid of this CryptoLocker. The gang behind it has at this moment collected €3484 in bitcoins from these victims.

Wednesday, 18 June 2014

Guerrilla marketing on twitpic targeting Android devices

In this blog post we will describe a new method, observed by us, that tries to trick Android users into buying subscriptions. The guerrilla marketing tactics caught our attention as this week several people complained about twitpic serving malware. We decided to investigate this issue a little further and eventually were able to reproduce the supposed 'malware' and capture its behaviour.

First things first: although several people reported the download of malware in the form of an apk file, we were not able to reproduce that situation. We were able, though, to reproduce a very nifty full-page forward from the website twitpic.com to a landing page where several tactics were used to trick the user into clicking on specific links and eventually acknowledging the purchase of a subscription worth €5 a week.

The story starts by visiting the website twitpic.com. Twitpic is a well-known and frequently used platform to share pictures on Twitter. Once a twitpic link is opened, the screen below appears after 3 seconds, making the average Android user think the application WhatsApp is interfering and an update for the program is available.

What is actually happening?
While visiting twitpic.com the website loads a lot of ads. One of these ads is from AppNexus. This ad makes a connection (in our case) to ams1.ib.adnxs.com, which in this case loads a page from track2.buyfaq.com/300x250.html. This supposed banner contains the following HTML code:

The banner loads an iFrame. This iFrame in turn is loaded from http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6
This specific mcenter.php?aid=98&ext=6 checks the User-Agent of the visiting client and the screen width used. If the User-Agent does not match that of an Android device, or the screen width does not match that of an Android device, it skips the JavaScript part displayed below and only loads the HTML content. In our case, where we use an Android device, it loads the HTML+JavaScript code displayed below:

The webpage http://mt.moneyandroid.com/topic/mobi/download.php?i=[string] serves a HTTP/1.1 302 Moved Temporarily and contains the following value:
In the JavaScript code several functions are initiated. A setTimeout function is called that waits 3000 milliseconds before executing a function that creates a click event on the HTML a-element, which makes the browser load the provided href URL. In this case a HTTP/1.1 302 Moved Temporarily page was returned containing a new URL. The browser of your Android device will forward to that page, taking over the previous Twitpic page. Once forwarded, the image below will appear.

As shown in the pop-up above, WhatsApp needs an update. The domain used seems to be app-update.whatsapp.com..., very trustworthy. The "OK" button can be pressed, and a countdown will start, as shown below:
If you look closely at the domain you will see that the domain used is not "app-update.whatsapp.com" but instead "app-update.whatsapp.com.earic.com". Earic.com is an educational website; it is not clear whether this domain is hijacked, hacked or willingly cooperating. Obviously the original domain whatsapp.com is not involved in any way; the crooks are just trying to make us think this domain is involved and thus make it look trustworthy.
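Two things in the chain above are worth automating when triaging an ad complaint like this one: following the 302 hops from download.php to wherever the user actually lands, and spotting a hostname that smuggles a trusted name into a subdomain the way app-update.whatsapp.com.earic.com does. The following is an added example, not code from the original post or from the parties it names: it resolves a redirect chain offline against constructed responses (the real intermediate URLs and the i= value are not on the page, so the i=EXAMPLE URL and the /update.html landing path are placeholders), then reports which brand domain appears inside the final hostname without owning it.

```python
# Added example (not code from the original post): follow a chain of 302 redirects
# offline and flag hostnames that smuggle a trusted name into a subdomain, such as
# app-update.whatsapp.com.earic.com. The responses below are constructed; the real
# intermediate URLs of the campaign are not on the page.
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample responses keyed by URL: (status, Location header or None).
SAMPLE_RESPONSES = {
    "http://mt.moneyandroid.com/topic/mobi/download.php?i=EXAMPLE":
        (302, "http://app-update.whatsapp.com.earic.com/update.html"),
    "http://app-update.whatsapp.com.earic.com/update.html": (200, None),
}


def sample_fetch(url: str):
    """Stand-in for an HTTP client that does NOT follow redirects itself."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def follow_redirects(start_url: str, fetch, max_hops: int = 10) -> list:
    """Return the list of (url, status) hops, stopping at the first non-redirect."""
    hops, url = [], start_url
    for _ in range(max_hops + 1):
        status, location = fetch(url)
        hops.append((url, status))
        if not (300 <= status <= 399) or location is None:
            return hops
        url = urljoin(url, location)   # resolve a relative Location like a browser would
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def registrable_domain(hostname: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so 'example.co.uk'
    would be mis-handled; good enough for the .com hosts discussed here."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(hostname: str, brands) -> Optional[str]:
    """Return the brand domain that appears inside hostname without owning it."""
    labels = hostname.lower().rstrip(".").split(".")
    owner = registrable_domain(hostname)
    for brand in brands:
        if owner == brand:
            continue                   # genuinely under the brand's own domain
        blabels = brand.split(".")
        for i in range(len(labels) - len(blabels) + 1):
            if labels[i:i + len(blabels)] == blabels:
                return brand
    return None


def audit_chain(start_url: str, fetch, brands) -> dict:
    """Follow the chain and classify the hostname the user finally lands on."""
    hops = follow_redirects(start_url, fetch)
    final_url = hops[-1][0]
    return {
        "hops": hops,
        "final_url": final_url,
        "lookalike": lookalike_brand(urlsplit(final_url).hostname or "", brands),
    }


if __name__ == "__main__":
    report = audit_chain(
        "http://mt.moneyandroid.com/topic/mobi/download.php?i=EXAMPLE",
        sample_fetch, ["whatsapp.com"],
    )
    for url, status in report["hops"]:
        print(status, url)
    print("lookalike of:", report["lookalike"])
```

To run this against live traffic, replace sample_fetch with a client that returns the status and Location header without following redirects (for example urllib with a handler that does not auto-redirect, or requests with allow_redirects=False); the brand list is whatever names your users are likely to trust.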

Once you click the "Download now" button the webpage below is shown.

Here, in small letters, your subscription is described; at the top the subscription cost of 5 euro is displayed. Below it says you are automatically a member. Users that don't read carefully will just press the download button to, as they believe, install the WhatsApp update.
Once you press the "Download" button, the following page is displayed:

Your mobile number is filled in automatically and you just have to press the "Continue" button. Once the "Continue" button is pressed, an SMS text message containing a verification link is sent to the mobile phone. Once that link is clicked the subscription is acknowledged and you will be charged 5 euros per week.

Friday, 16 May 2014

International -ongoing- BlackShades customers raid -Summary

Rumours within the cybercrime underground started to appear early May about people getting arrested and their equipment getting seized. Nothing uncommon so far, apart from the fact that this time more and more people started to come forward, all with the same stories, from everywhere in Europe. At one point people even started posting 'proof'. Convincing proof.
If all turns out to be true, we are witnessing one of the biggest international raids -ever- related to cybercrime.

Below is a summary of what the uproar is about. It contains user posts on different, unrelated forums, 'proof' users posted, some news articles that could be related, and, probably most convincing, a domain seized by the FBI.

The domain bshades.eu went offline on Wednesday. According to its whois information the domain has been seized by the FBI:

Most uproar is on hackforums.net, where a dozen topics have been started, some with more than 70 pages of comments, and more and more people showing up saying they have been a victim of the raid.
The image below shows a Dutch hackforums user saying he was a victim of the raid.

On this Belgian forum a user tells his story in Dutch.

He even posts some proof; the most important sentence is: "Uw betrokkenheid inzake de aankooop, het bezit, de verspreiding en het gebruik van hackerools (Software om computers van derden te misbruiken)"
Translated: "Your involvement in buying, possessing, spreading and the use of hackertools (software to abuse third parties' computers)."

The officer who signed the document is indeed, according to his LinkedIn profile, an ICT investigator.

This user from Finland posts another piece of 'proof'.
According to Mikko Hypponen this translates to: "It's a warrant for search and seizure, related to 'importing Blackshades XXXX' into Finland."

Below is a picture of someone claiming the police are in front of his house because of a search warrant regarding BlackShades; as proof he posts this picture.

Here's a German user posting evidence of his arrest:

Another German person posting his comments:

And the last one: here's a Dutch user talking about his arrest on a Dutch forum.

Then the newspapers. Most remarkable is that only the French newspaper RTL seems to have inside information. They reported about a raid going on in France, with in France alone 70 search warrants(!!) related to the use of BlackShades malware.

Dutch police declines to comment.

But most fascinating is this article from Reuters: "REUTERS SUMMIT-FBI plans cyber crime crackdown, arrests coming in weeks".
It says: "expects to announce searches, indictments and multiple arrests over the next several weeks, the agency's official in charge of combating cyber crime said on Wednesday."

What connects all these arrests is the BlackShades RAT. Most users complain they once bought the BlackShades RAT and that this is why they are being arrested right now.

If all the above is true we are just seeing the tip of the iceberg, and are probably witnessing one of the biggest international raids ever related to cybercrime.


The Dutch person provided me with some evidence.
According to the paper, the investigation in the Netherlands has the name "Rouwmantel".