AlienVault Labs - Archive

New Internet Explorer zeroday was used in the DoL Watering Hole campaign

A few days ago we reported a new Watering Hole campaign affecting a U.S Department of Labor website.

In our first analysis we reported that the exploited vulnerability was CVE-2012-4792 . Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new zeroday vulnerability affecting Internet Explorer 8 (CVE-2013-1347). It was confirmed by Microsoft that released a Security Advisory on Friday and also FireEye and Invincea.

In addition we have found that the U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes as well as a big european company that plays on the aerospace, defence and security markets.

Finally we detected several redirections to another malicious server located at www[.]sellagreement[.]com (198.96.92.107) that was serving parts of the malicious payloads found on dol[.]ns01[.]us.

We recommend you to search your logs for connections to those domains and IP addresses.

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:

CVE-2013-1347

U.S. Department of Labor website hacked and redirecting to malicious code

May 1st, 2013 | Posted by jaime.blasco in APT | Attacks | Exploits - (0 Comments)

During the last few hours we have identified that one the U.S. Department of Labor website has been hacked and it is serving malicious code.

Clarification:

The website affected is the The Department of Labor (DOL) Site Exposure Matrices (SEM) Website

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:

Once you visit the website the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:

The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115

The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:

flashver(): This function will collect information about the Flash software running on the system, including versions and OS details

bitdefender2012check() and disabledbitdefender_2012(): The function will try to determine if BitDefender is running on the system checking for the injected code (netdefender/hui/ndhui.js) on the HTML of the webpage and it will try to deactivate the AV.

avastcheck(): It checks if Avast Antivirus is running on the system detecting the presence of the Chrome extension:

aviracheck(): It checks if Avira Antivirus is running on the system detecting the presence of the Chrome extension:

java(): It collects information about Java versions running on the system

officever(): It collects information about Microsoft Office versions installed on the system

plugin_pdf_ie(): It detects if Adobe Reader is installed in the system calling Acrobat Reader’s ActiveX object:

jstocreate(): It detects if the system is running one of the following Antivirus:

avira
bitdefender_2013
mcafee_enterprise
avg2012
eset_nod32
Dr.Web
Mse
sophos
f-secure2011
Kaspersky_2012
Kaspersky_2013

Once all the information has been collected it sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php

An example of the information collected is as follow:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})

Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website:

Thailand NGO site hacked and serving malware

After sending the information about the system the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

If we decode the eval string we find:

After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year. We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited the system will download the payload from dol[.]ns01[.]us:8081/update/bookmark.png:

After fixing the PE header we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It has a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware will create a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe

- It will create a registry key pointing to conime.exe on HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run conime to maintain persistence

- It will connect to a C&C on microsoftUpdate.ns1.name currently pointing to a Google DNS server 8.8.8.8.

An available on malwr.com shows that that the DNS name was previously pointing to:

173.254.229.176

https://malwr.com/analysis/YzUyMDk4M2M5YmM4NDgzNDllMDE5MWE1MDY4Y2I1MGM/

An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]

The C&C protocol matches with a backdoor used by a known chinese actor called DeepPanda and described by CrowdStrike in the following analysis:

http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf

We are still investigating this attack and we will update the blog post if we obtain more information about it.

Happy hunting!

jaime.blasco

More Posts - Website

Follow Me:

CVE-2012-4792, deep panda

UrlQuery Chrome Extension

April 29th, 2013 | Posted by Eduardo De la Arada in General | Malware | News | Tutorial - (0 Comments)

UrlQuery is a service for detecting and analyzing web-based malware, claims its website, this service is very useful and provides a detailed report of the submitted webpage. We use these services a lot in the lab, so we’ve decided to make our lives easier by developing a simple context menu extension which automatically sends urls to the service.

The extension adds a new option to the contextual menu. This option sends the link under the cursor to urlQuery.

It opens a new tab with the url added to the url’s queue. You have to wait a few seconds, while the url is being scanned, and then the full report is shown.

As urlQuery webpage, this extension has an options page where you can configure the User Agent, Refer, Acrobat Reader and Java versions. Unfortunately, a few options are provided by the original page, but we expect some more parameters in the future.

You can get it from Chome Web Store or from our github repository:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/urlquery-chrome

Eduardo De la Arada

chrome extension, exploit kit, malware, urlQuery

How cybercriminals are exploiting Bitcoin and other virtual currencies

- What is Bitcoin?

Bitcoin is an online descentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution.

If you haven’t heard about Bitcoin I recommend you watch the following video:

Both the Bitcoin creation and transfer is performed by computers called “miners” that confirm the bitcoin’s creation by adding the information to a descentralized database. Bitcoins get harder to generate all the time. There are more that 10 million bitcoins in circulation today. The Bitcoin design only lets the creation of 21 millions and that limit will be reached during the year 2140.

The Bitcoin wallet is what gives you ownership of one or more Bitcoin addresses. You can use those addresses to send and receive coins from other users.

Due to the complexity of mining bitcoins if you mine on your own it may be a long time until you can make some return. Bitcoin pools are places where multiple users can work together to make bitcoins and share benefits in a fair way.

Finally, you can buy and sell bitcoins using several real world currencies (EUR, USD ..) using several exchanges such as:

- MtGox

- BTC-E

- Virtex

Threat Landscape

Due to the growing popularity of the Bitcoin it has become an attractive and profitable target for cybercriminals. During the last few years we have seen an increase in the number of attacks and threats involving the virtual currency. The bad guys have adapted their tools to steal bitcoins from victims, use compromised systems to mine bitcoins and obtain benefit from it. On the other hand virtual exchanges are also victims and we have seen how the attackers have phished the users of those exchanges and how they have performed Denial of Service attacks to destabilize the exchange rate and profit.

Wallet stealing

During the last few years the capability of stealing the wallet.dat file has been added to several malware families. In addition, new malware families have appeared with the objective of stealing the wallet file from the infected machines.

For example, a version of the Khelios malware that has been used to send Spam and steal data from infected systems added the capability to steal the wallet.dat file some time ago:

As a result if a Bitcoin’s user gets infected, the file containing the keys to use your bitcoin addresses will be stolen. The wallet file can be protected by a password but most of the malwares we have found have keylogging capabilities that could steal the wallet password as well.

Another example are several IRC botnets that are running based on the “AthenaIRCBot” source code that has the capability of stealing the wallet file as well:

Example: 08a9b6a933c8eac7919355d47a811aa2752df74473b8789bcfd567fb779708cd

- Bitcoin mining

Apart from stealing the Bitcoin wallet the number of malware families that can use the victim’s computer power to mine Bitcoins is getting bigger and bigger.

We have found samples that install the Bitcoin daemon in the victim but the most frequently used technique is adding a piece of code that connects to a mining pool (public or private) to mine bitcoins.

You can find variants of very well known malware families such as Zeus/Zbot that added this capability. As an example, we found a Zeus variant more than a year ago that had intalled the Bitcoin daemon to mine bitcoins using the infected systems.

That specific variant was distributed using Fake e-mail messages containing a link to the malicious file.

Once the system got infected the Bitcoin client bitcoind was installed in the system. The Zeus variant was using the configuration file from:

http://www[.]anshaa[.]com/z/config.bin

In the last few months several Dorkbot variants including one that was using Skype to spread added the capability of mining bitcoins.

Once the system gets compromised, a version of the Ufasoft Bitcoin miner is started. In this case the attacker is running his own pooling server.

The Ufasoft software contacts the mining pool server via HTTP:

We have seen samples contacting the following servers that are owned by the same guys behind the botnet:

suppp[.]cantvenlinea[.]biz:1942

ahora[.]revisiondelpc[.]ru:2142

xhuehs[.]cantvenlinea[.]ru:1942

keep[.]hustling4life[.]biz:2142

That infrastructure has been running for at least 5 months.

Another gang has been running several Bitcoin mining servers for more than a year now. They have used Dorkbot as well as other malicious software to infect systems and use their computer power to mine bitcoins. Following is the list of malicious servers they have been using:

m1[.]m94vo3[.]com
xxa[.]m94vo3[.]com
pool[.]dload[.]asia
abcpool[.]dload[.]asia
thehood[.]k4912m[.]com
abc[.]dload[.]asia
paljacinke[.]aquarium-stakany[.]org
entropy[.]k4912m[.]com
xxx[.]z0k3[.]org
xdx[.]8xx5[.]org
xd[.]x1x9[.]asia
xD[.]x3x9[.]asia
www[.]ewgtr[.]us
www[.]btcminers[.]biz
sfx[.]dload[.]asia
thehood[.]k4912m[.]com

We have found instances where the malicious actors are also mining Litecoins that is another virtual currency similar to Bitcoin.

During the analysis of one of the malicious servers that was used to compromise users we found a GUI application that the attackers are using to build “Silent Miners” that are basically processes that run on the background, connect to the server pool that you configure and mine Litecoins/Bitcoins for you:

The program will generate an executable file prepared to run in the background. It makes it very easy for the attackers to include or distribute the executable in the botnets they are already running.

Apart from the infrastructure we have unveiled, we have found many different malwares with Bitcoin mining capabilities in the last few weeks. Some of them are distributed as fake software in P2P networks, using malicious web redirects (Blackhole Exploit Kit), Fake AV’s, etc.

A lot of them also use public mining pools that are also used by regular users to mine bitcoins. Following is a list of malicious binaries we have found as well as the pool server and username they use:

Hash	Server	Username
b21183ebee87ea86acd11e25a3a3b0d1	notroll.in:6332	tromm.5
7fdf03f888932a384b0089d391f01b2e	mining.eligius.st:8337	1663o1jPydX5fgTNsAW33owbsyC1gpwbvn
544b1a3b310ebb9dc9a9d3858c8c7fe4	pool.50btc.com:8332	169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
9b7a5ab5e06c46b88e3182457b1e9a0f	pool.50btc.com:8332	17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST
6ba659c9f3de5b5d45a77b12c5ca1e7b	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
e26686c56297f259e936454e4ea3f7ae	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
ae1350e85fb01777d6b5f93384f23bdc	mining.eligius.st: 8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d770554455a70f3a3ad8e3326ddca765	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d911d82dc184bbfc952b77cb4cb1b743	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
2f0312e6c46cd6e045f3be88e16ecb74	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
e64d98da86cf03ff6088b48612870f83	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
20d5c788a075113145261ee5dfab0fa0	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
500d53fbf363ce31d75447a7ac335516	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
e61b38b75d1cfefe9f631231666a9211	mining.eligius.st:8337	1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW
1a155713d6ff01a3e949730d6fe868d9	mining.eligius.st:8337	1HH1Geovwhxq2UnNt6tiscF2kMsxYEVCRM
d726542997e8aaca1c8c2809cc859f04	pool.50btc.com:8332	1Hy8HbYrLPrXhGko2SmkUtMjBvBpVDEeMh
974b155cef5cb549dcd81b62d26a7d7e	mining.eligius.st:8337	1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH
9384cb2d2b69d4023dbe2260b789c509	mining.eligius.st:8337	1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM
9f878f2f555e690d447060bff7856dac	mining.eligius.st:8337	1NqV1Dy7jH4SLXgbihQDRYA9qKgqnSfaVJ
bfe45e910c94c49e63e969cc2dd8c806	mining.eligius.st:8337	1PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL:x
bb0449dcb53723f6cb58d7024c16f887	mining.eligius.st:8337	1Q3TM64corp7BCYY98pa88w9RoZSfxrH8
9a48fe740b8feff35b1dbc07ab99d949	pool.50btc.com:8332	1qGYbXUe48RjdAoHuRhs4vvm118XMY6e3
35c3c3506064dbad08ba3a8a1ccd742b	eiswoj.uktop40chart.co.uk:80	2thread
e32caa62ef6e67e82c2b95c3b2b66db4	litecoinpool.org:3333	8r9di23217.97123y92
13052239a6a852a4eee3febe10268e25	notroll.in:6332	appap.6
6111ebdfcf7c58c953271dcbd594a417	litecoinpool.org:9332	aspen.4
1c5458ed87729b711310b6f0baf270bf	pool.50btc.com:8332	blackweader@hotmail.com_dodi
5271a38bd18c8ad51d5e3b158db11b38	eu.triplemining.com:8344	Bool_Bool
49d8ce6f361cc87f85fe12f4df73bda5	us2.eclipsemc.com:8337	cartoon1996_hm9gjp
815ccc9f6a48cab368e41647c8f81722	us2.eclipsemc.com:8337	cartoon1996_server
2a79e90f44bd136b3a977fe9fc93c1e0	pool.50btc.com:8332	cbargas3443@outlook.com
0eece32d0d55449366eae4462a4781c7	eu.triplemining.com:8344	comp_pony
cc3dc3b176bbc34444117057659e9e14	de.btcguild.com:8332	cviper_1
75bd6e532370c06c567718d68e551647	pool.50btc.com:8332	edwardpafford220@outlook.com
20c05310dc8bb6dd2cf0e4c642e475a1	uscentral.btcguild.com:8332	epix6_datacenter1
4decdf42f9eaf230768220edb361a0e0	uscentral.btcguild.com:8332	epix6_datacenter1
8c5fd67f62fbccf02f8e0e306341713d	uscentral.btcguild.com:8332	epix6_datacenter1
38831b2e4e6ead08c23f7387919999af	pool.50btc.com:8332	franklinandrus99@outlook.com
44ab7103e31a41b53401cedcabf9de6f	us2.eclipsemc.com:8337	happyworld_3
b08ef6df987e03e86cc9af30942e8fd2	us2.eclipsemc.com:8337	happyworld_3
2d150ca060ed2d89ff031c0060275c99	notroll.in:6332	happyworld3000.1
d1cc70aa60e76879da80303f0f79a894	dns.domain-crawlers.com:8332	haqidodges@gmail.com
135cbc204145e63f7af441fff85f4ec7	pool.50btc.com:8332	i0nn@mail.ru_4
854387049a16de49fc6a02655c38c4eb	eu.triplemining.com:8344	IamX_Worker1
a401a4a5051feb11fe594aad9b4bdf95	pool.50btc.com:8332	Jasoncharles848@outlook.com
4b8ad799881c4a79a32ea2a6576a8037	mine3.btcguild.com:8332	JennyEsta_666fuckerhead
ff925fbce01271e6a033febc27703762	gief3.25u.com:8332	jowsie_cheap2
3e4ef7f6727217b01c38ffcab91ef3c9	pool.50btc.com:8332	jrodriguez442@outlook.com
add443fe32e35fb4a46e35ed2052b6f6	miningpool.com:9350	koji35.3
4d4fa3c12eb5f77529e08bb9873e54e1	eu.triplemining.com:8344	lezoum2010_pocket
3f5589b0c8fc9b049e5fde81a642db6c	eu.triplemining.com:8344	loadrs2009_1
1fc06c8cdcbcff1fd5ecf07ded4bed93	us2.eclipsemc.com:8337	m1nd_jorgee
ae08c3c4ab1e43ce8201b572b0b45115	eu.triplemining.com:8344	madhav007_pudge007
47d21779b4e1d7195ae3eceafa1b163d	ltcmine.ru:3333	MinerG_0
ae03b006bb3eb6dcb2a64e3533862367	ltcmine.ru:3333	MinerG_17
c3f67b7b4d3d5152757fd71bca6fbbfe	ltcmine.ru:3333	MinerG_18
202dfdf0ced47d213e833d8a92012d90	ltcmine.ru:3333	MinerG_26
0ed23a28270a27e5a4332ae521ee70b8	ltcmine.ru:3333	MinerG_34
3e348e07f5d98929baa0cb88f00cd8cf	ltcmine.ru:3333	MinerG_7
eb375ba9447d20401ee17192c2f9010d	ltcmine.ru:3333	MinerG_8
c1d4410b41ed7f534457f077370067a6	us2.eclipsemc.com:8337	moi_worker
20c258e021449365a42f9b2fc7d0d4c8	us2.eclipsemc.com:8337	Mystical_pike
2164bd712071628549a25f5eb97a5f35	us2.eclipsemc.com:8337	N785O1c_3cxQO9S
2bab5ce7b48baea90b11244278bd6d57	mine2.btcguild.com:8332	o2521666_1
92b4c95a10d12132138ef15f44c9b9fc	pool.50btc.com:8332	pinkywesen@secure-mail.biz
86ac869662e4b8f0422fb9cbca77d72e	pool.50btc.com:8332	popa_zade@yahoo.com
c6cf7161100ff107b59b7b07db6	pool.50btc.com:8332	popa_zade@yahoo.com
b7752d762c5a9ac883caaefd1cc19c1b	eu.triplemining.com:8344	pr3m1era_Bossnigger
67e591f09ae0cea47f920878f100baa8	pool.50btc.com:8332	rainbow101@outlook.com
3b6c8728ac3ee82a06bca7096265d666	pool.50btc.com:8332	rthrockmorton212@outlook.com
3eb76d2427c283d2c4b9b396bef275a2	pool.50btc.com:8332	ryancaswell772@outlook.com
8f4ad4c95adef240f8edb5f3da09f164	us2.eclipsemc.com:8337	shrooms_mining
da99275413845905166e8470980a155f	eu.triplemining.com:8344	Sisocviper_siso
7f1ef23a0076cedaeec0b7bb55b9702d	eu.triplemining.com:8344	smackos_aliens
1f85e27b2bd33c4d0ca377ad696fa563	us2.eclipsemc.com:8337	SSnack_worker
bbfe230a8471e2b5d807df3368836bce	eu.triplemining.com:8344	Strick3n_stricken
0b04c1538e5f3a37a81ec2086810b8e1	pool.50btc.com:8332	svintaz@mail.ru_7
b51128a0d8626a9b36f25679854d137e	uswest.btcguild.com:8332	tester20122_3
ccf5f50c9f919dbd9c0cc9a313ef5a2d	pool.50btc.com:8332	titorjohn@rocketmail.com
3d31545f1889fa7593defb5f8bbc915a	pool.50btc.com:8332	TOGRI2012@hotmail.com
43cc15d6178c0fa7845fe257a58f5e0b	notroll.in:6332	tophosts.1
9425c6b7654e8e9ceba5894862e28970	notroll.in:6332	tromm.14
865341e5ae9e6fd01eca8e6bb31b4e5d	us2.eclipsemc.com:8337	vapor_worker
ce38c3479d126c80298e0fe76e73e8e5	pool.50btc.com:8332	victory2egy@yahoo.com
d20be24e318844a56d3f38f2d1061dde	pool.50btc.com:8332	victory2egy@yahoo.com
c24700038e25f4ed1aea01bc374ed5a1	pool.50btc.com:8332	victory2egy@yahoo.com_v
d11b21251ef6f8f84efc7130525a4785	pool.50btc.com:8332	vincentbaty87@outlook.com

Show me the money

As you can see in the previous table some of the bad guys were using Bitcoin addresses instead of usernames to connect to the pool servers.

Due to the openness of the Bitcoin’s protocol we can access the information and the transactions done by those accounts.

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi, 91.39938806 BTC ,$ 8,317.34

17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST, 20.89356766 BTC , $ 1,901.31

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX, 420.81569559 BTC, $ 38,294.23

1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fAm 52.33521919 BTC , $ 4,762.50

1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW, 31.00274179 BTC , $ 2,821.25

1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH, 88.99839055 BTC , $ 8,098.85

1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM, 77.55520657 BTC , $ 7,057.52

1Q3TM64corp7BCYY98pa88w9RoZSfxrH8, 48.69058357 BTC , $ 4,430.84

For instance we can see these two Bitcoin addresses probably belong to the same bad actors:

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX

Those two accounts sent most of the money to the following account:

1827x95K36G3NFxDqiNwo6aE1rH55Ua3p5

That Bitcoin address received a total amount of 1050.21 BTC in the last few months. If the bad guys sold that amount of bitcoins some days ago when a single Bitcoin was worth $265 they could have made $278k. Not bad for a small Botnet!

MtGox Fake sites

Mtgox is the largest Bitcoin exchange where you can trade Bitcoins for EUR/US, etc. In the last few weeks the increased popularity of both Bitcoin and Mtgox has made it an attractive target for attackers.

Last week, we detected several websites that were attempting to target Mtgox users. An attacker set up the fake website www[.]mtgox-chat[.]info:

The malicious server looks like an official Mtgox website with a chat on it. Once the user enters the site it will try to load a malicious Java applet:

The Java applet will download and execute a binary file from a remote site.

Once the file is executed the victim gets infected and the system will contact the C&C server on:

tamere123[.]no-ip[.]org

Having access to the victim’s system the attacker can now get the Mtgox’s credentials and steal the money/bitcoins from the victim.

Impact on the enterprise

The detection of mining software in your network could indicate either a misuse of resources by your employees or an infection that could lead to financial losses.

The following best practices will help you prevent these threats:

- Keep software up to date

- Update your Antivirus signatures

- Run a Vulnerability Assessment Program

- Monitor your networks to detect suspicious network behaviors.

AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post (and it’s available as a Free 30 day trial download):

If you want to increase your network visibility you can try our Unified Security Management solution or download the Open Source version.

jaime.blasco

More Posts - Website

Follow Me:

bitcoin, Botnet, darkomet, ddos, dorkbot, khelios, litecoin, mtgox, wallet, Zeus

New Sykipot developments

Summary

During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations:

- Another Sykipot sample likely targeting US federal agencies

- Are the Sykipot’s authors obsessed with next generation US drones?

- Sykipot variant hijacks DOD and Windows smart cards

- Sykipot is back

Sykipot are a highly skilled group of individuals who have exploited a wide range of zeroday vulnerabilities in the last few years including:

CVE	Date	Product
CVE-2007-0671	2007-02-02	Microsoft Excel
CVE-2009-3957	2010-12-01	Adobe Reader
CVE-2010-0806	2010-05-04	Internet Explorer
CVE-2010-2883	2010-09-08	Adobe Reader
CVE-2010-3654	2010-10-28	Adobe Flash Player
CVE-2011-2462	2011-12-06	Adobe Reader

In this blog post we will unveil the new vulnerabilities that this group have used using during the last 8 months and we will publish the new infrastructure they have used. We will expose several examples of the campaigns they have launched and new versions of the Sykipot backdoor they have used to access the compromised systems. We have found evidences that show they have exploited at least the following vulnerabilities during the last few months:

CVE	Date	Product
CVE-2012-1889	06/13/2012	MSXML/Internet Explorer
CVE-2012-1723	06/12/2012	Java 7
CVE-2012-4969	09/16/2012	Microsoft Internet Explorer
CVE-2013-0640	02/12/2012	Adobe Acrobat Reader

Several times the date of the exploit was a few days after the vulnerability had been disclosed and there wasn’t a patch released by the vendor.

Campaigns

In the past most of the campaigns which we found related to the Sykipot actors were based on SpearPhishing mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and some times Internet Explorer. During the last 8-10 months we have seen a change and the number of SpearPhishing campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.

Some examples of the campaigns they have launched are detailed below.

gsasmartpay.org – 2012-06-20

The last summer, we found a malicious site that the Sykipot actors set up to try and phish government employees. When the victim visited the link the following page appeared:

As we can see it shows the information present in https://smartpay.gsa.gov/cardholders.

“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”

“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”

If we take a look at the malicious files we will find that it was exploiting CVE-2012-1889 in the background:

During the exploitation it will load the following files as well:

www[.]gsasmartpay[.]org/cardholders/login/movie[.]swf?apple=AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2
www[.]gsasmartpay[.]org/cardholders/login/deployJava[.]js
www[.]gsasmartpay[.]org/cardholders/login/faq[.]htm

We are not going to show how this vulnerability is exploited since we have showed it in previous blog posts, you can find a good description here.

searching-job.net is another domain registered by the Sykipot actors (registered by thomas7610@yahoo.com on 06-20-2012) that was also serving the same exploit at that time:

www[.]searching-job[.]net/list/verification/deployJava[.]js
www[.]searching-job[.]net/list/verification/faq[.]htm
www[.]searching-job[.]net/list/verification/index[.]htm
www[.]searching-job[.]net/list/verification/movie[.]swf?apple=AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2
www[.]searching-job[.]net/account_list/verification/index[.]htm

Apart from gsasmartpay.org we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:

- dfasonline.com registered by alcott.churchill@yahoo.com on 06-19-2012

Probably related to Defense Finance and Accounting Service – DFAS - http://www.dfas.mil/

- aafbonus.com registered by janagreen2000@yahoo.com on 06-19-2012

Probably related to American Advertising Federation – http://www.aaf.org/

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

Probably related to U.S. BANKRUPTCY ADMINISTRATOR - http://www.nceba.uscourts.gov/

- pdi2012.org registered by alcott.churchill@yahoo.com on 08-18-2011

Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers

- hudsoninst.com registered by alcott.churchill@yahoo.com on 11-26-2012

Probably related to the Hudson Institute – http://www.hudson.org/

Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.

CVE-2012-4969 – Internet Explorer

In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).

- resume4jobs.net registered by james.wade1@yahoo.com on 03-08-2012

URL’s involved:

http://www[.]resume4jobs[.]net/account/1024486[.]html

http://www[.]resume4jobs[.]net/account/embed[.]htm

http://www[.]resume4jobs[.]net/jobs[.]exe Sykipot malware that uses info[.]resume4jobs[.]net as the C&C

- paypal1.dns1.us – Dynamic DNS provider

URL’s involved:

http://paypal1[.]dns1[.]us/account/1024486[.]html

http://paypal1[.]dns1[.]us/account/embed[.]htm

- pollingvoter.org registered by jimgreen200088@yahoo.com on 06-11-2012

URL’s involved:

http://www[.]pollingvoter[.]org/ne2012/vote/embed[.]htm

http://www[.]pollingvoter[.]org/life[.]exe Sykipot malware that uses www[.]betterslife[.]com as the C&C

- skyruss.net registered by joneluxara@yahoo.com on 04-17-2012

URL’s involved:

http://social[.]sns[.]skyruss[.]net/variety/index[.]html

http://forum[.]skyruss[.]net/articles/embed[.]htm

CVE-2012-1723 – Java 7

In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victim’s systems. It seems they were using the Metasploit version of the exploit.

Some examples are:

- slashdoc.org registered by jessantt@gmail.com on 05-21-2012

URL’s involved:

http://www[.]slashdoc[.]org/default[.]jar

http://www[.]slashdoc[.]org/index[.]html

The index.html page loads the malicious Java applet and it passes the payload they want to execute using the data parameter (the value is hex encoded):

In this case the host www[.]photosmagnum[.]com was used as the C&C server.

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

URL’s involved:

http://www[.]nceba[.]org/newsroom/article/news201207240251[.]html

http://www[.]nceba[.]org/newsroom/article/default[.]jar

Using www[.]betterslife[.]com as the C&C server.

- milstars.org registered by slyan8024@gmail.com on 06-20-2012

URL’s involved:

http://milstars[.]org/view/default[.]jar

CVE-2013-0640 – PDF Exploit targeting Japanese victims

We found the Sykipot actors using the latest Adobe Acrobat exploit (CVE-2013-0640) a few weeks ago.

The version of the exploit is the same that we found in our latest blog post:

- Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

The Javascript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one.

Once the PDF is opened the following lure file is displayed to the victim:

Based on the content of the lure document the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare

Once the infection takes place the following fiels are created on the system:

\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfilede.dat 5ED3A94354F27BC7AF0FEF04F89D8EB8
\DOCUME~1\ADMINI~1\LOCALS~1\mpr.dll 84EFAFF343CF7A34D2A0D847A1E5FD50
\DOCUME~1\ADMINI~1\LOCALS~1\setm.ini 00051F392350128BA4DD4CA10F44DDEF
\DOCUME~1\ADMINI~1\LOCALS~1\temp.dll BEA84BE4BFE236652F6A4E382B21A96F

The file setm.ini contains the configuration of Sykipot in this case:

[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com (C&C server)
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh

The following actions take place in the system:

cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)

Several functions are called within the Sykipot’s DLL:

[sykipot_payload_file].exe -startupEx
[sykipot_payload_file].exe -startup1
cmd /c [sykipot_payload_file].exe -startup

Then the malicious payload will be injected into Internet Explorer.

The malware will communicate with the C&C server once in a while using SSL and the well known communication paths of previous Sykipot payloads:

/kys_allow_put.asp?type=
/kys_allow_get.asp?name=

As we showed in the past most of the Sykipot samples used the key “19990817″ for encryption.In this sample we have found a new key “20120709″ that is also a date.

Infrastructure

Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:

Unique malicious domains:

peocity.com
rusview.net
skyruss.net
commanal.net
natareport.com
photogellrey.com
photogalaxyzone.com
insdet.com
creditrept.com
pollingvoter.org
dfasonline.com
hudsoninst.com
wsurveymaster.com
nhrasurvey.org
pdi2012.org
nceba.org
linkedin-blog.com
aafbonus.com
milstars.org
vatdex.com
insightpublicaffairs.org
applesea.net
appledmg.net
appleintouch.net
seyuieyahooapis.com
appledns.net
emailserverctr.com
dailynewsjustin.com
hi-tecsolutions.org
slashdoc.org
photosmagnum.com
resume4jobs.net
searching-job.net
servagency.com
gsasmartpay.org
tech-att.com

We are releasing Snort rules to detect queries to the malicious domains in your network:

Thanks to EmergingThreats for the help. You will find the rules in its ruleset update today as well.

Based in our research, below is the list of unique e-mail addreses used to registered malicious domains:

233@lao.com
Joneluxara@yahoo.com
alcott.churchill@yahoo.com
b@bvc.com
calvin.kliff@yahoo.com
carrier.fisher@hotmail.com
conan0557@126.com
james.wade1@yahoo.com
janagreen2000@yahoo.com
jessantt@gmail.com
jimgreen200088@yahoo.com
jimgreen20008@yahoo.com
marialreyna11211919@yahoo.com
morgan.wale1@yahoo.com
mskinner62@yahoo.com
myhog@hotmail.com
parviz7415@yahoo.com
slyan8024@gmail.com
thomas7610@yahoo.com

Apart from the list of new domains you should check out the domains mentioned in the following articles that all related to previous Sykipot’s activity but some of them are still being used in Sykipot’s operations:

- Sykipot is back - Alienvault Labs

- The Sykipot Attacks - Symantec

- The Sykipot Campaign – TrendMicro

- Hurricane Sandy serves as lure to deliver Sykipot - Verizon

- Insight into Sykipot Operations - Symantec

- Medical Industry A CYBER VICTIM: BILLIONS STOLEN AND LIVES AT RISK - Cyber Squared