AlienVault Labs - Archive

Yara rules and network detection for Operation Hangover

Last week, our friends from Norman published a great report on a cyber espionage campaign named Operation Hangover.

We have released some Yara rules to detect most of the payloads mentioned on the paper. You can download the rules from our Github space:

On the other hand the Hangover attackers have been using several payloads with network capabilities to steal data including documents, keystrokes and downloading other payloads. Following are some examples of network traffic performed by these payloads:

- Smackdown Minapro

- Hangover

- Several keyloggers and data harvesters

Some of the network requests made by these payloads were covered by Snort rules (Emerging Threats) months before the Operation Hangover was uncovered) so our product was alerting on these connections from at least several weeks.

AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post (and it’s available as a Free 30 day trial download).

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:

APT, hangover, malware

How cybercriminals are exploiting Bitcoin and other virtual currencies

- What is Bitcoin?

Bitcoin is an online descentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution.

If you haven’t heard about Bitcoin I recommend you watch the following video:

Both the Bitcoin creation and transfer is performed by computers called “miners” that confirm the bitcoin’s creation by adding the information to a descentralized database. Bitcoins get harder to generate all the time. There are more that 10 million bitcoins in circulation today. The Bitcoin design only lets the creation of 21 millions and that limit will be reached during the year 2140.

The Bitcoin wallet is what gives you ownership of one or more Bitcoin addresses. You can use those addresses to send and receive coins from other users.

Due to the complexity of mining bitcoins if you mine on your own it may be a long time until you can make some return. Bitcoin pools are places where multiple users can work together to make bitcoins and share benefits in a fair way.

Finally, you can buy and sell bitcoins using several real world currencies (EUR, USD ..) using several exchanges such as:

- MtGox

- BTC-E

- Virtex

Threat Landscape

Due to the growing popularity of the Bitcoin it has become an attractive and profitable target for cybercriminals. During the last few years we have seen an increase in the number of attacks and threats involving the virtual currency. The bad guys have adapted their tools to steal bitcoins from victims, use compromised systems to mine bitcoins and obtain benefit from it. On the other hand virtual exchanges are also victims and we have seen how the attackers have phished the users of those exchanges and how they have performed Denial of Service attacks to destabilize the exchange rate and profit.

Wallet stealing

During the last few years the capability of stealing the wallet.dat file has been added to several malware families. In addition, new malware families have appeared with the objective of stealing the wallet file from the infected machines.

For example, a version of the Khelios malware that has been used to send Spam and steal data from infected systems added the capability to steal the wallet.dat file some time ago:

As a result if a Bitcoin’s user gets infected, the file containing the keys to use your bitcoin addresses will be stolen. The wallet file can be protected by a password but most of the malwares we have found have keylogging capabilities that could steal the wallet password as well.

Another example are several IRC botnets that are running based on the “AthenaIRCBot” source code that has the capability of stealing the wallet file as well:

Example: 08a9b6a933c8eac7919355d47a811aa2752df74473b8789bcfd567fb779708cd

- Bitcoin mining

Apart from stealing the Bitcoin wallet the number of malware families that can use the victim’s computer power to mine Bitcoins is getting bigger and bigger.

We have found samples that install the Bitcoin daemon in the victim but the most frequently used technique is adding a piece of code that connects to a mining pool (public or private) to mine bitcoins.

You can find variants of very well known malware families such as Zeus/Zbot that added this capability. As an example, we found a Zeus variant more than a year ago that had intalled the Bitcoin daemon to mine bitcoins using the infected systems.

That specific variant was distributed using Fake e-mail messages containing a link to the malicious file.

Once the system got infected the Bitcoin client bitcoind was installed in the system. The Zeus variant was using the configuration file from:

http://www[.]anshaa[.]com/z/config.bin

In the last few months several Dorkbot variants including one that was using Skype to spread added the capability of mining bitcoins.

Once the system gets compromised, a version of the Ufasoft Bitcoin miner is started. In this case the attacker is running his own pooling server.

The Ufasoft software contacts the mining pool server via HTTP:

We have seen samples contacting the following servers that are owned by the same guys behind the botnet:

suppp[.]cantvenlinea[.]biz:1942

ahora[.]revisiondelpc[.]ru:2142

xhuehs[.]cantvenlinea[.]ru:1942

keep[.]hustling4life[.]biz:2142

That infrastructure has been running for at least 5 months.

Another gang has been running several Bitcoin mining servers for more than a year now. They have used Dorkbot as well as other malicious software to infect systems and use their computer power to mine bitcoins. Following is the list of malicious servers they have been using:

m1[.]m94vo3[.]com
xxa[.]m94vo3[.]com
pool[.]dload[.]asia
abcpool[.]dload[.]asia
thehood[.]k4912m[.]com
abc[.]dload[.]asia
paljacinke[.]aquarium-stakany[.]org
entropy[.]k4912m[.]com
xxx[.]z0k3[.]org
xdx[.]8xx5[.]org
xd[.]x1x9[.]asia
xD[.]x3x9[.]asia
www[.]ewgtr[.]us
www[.]btcminers[.]biz
sfx[.]dload[.]asia
thehood[.]k4912m[.]com

We have found instances where the malicious actors are also mining Litecoins that is another virtual currency similar to Bitcoin.

During the analysis of one of the malicious servers that was used to compromise users we found a GUI application that the attackers are using to build “Silent Miners” that are basically processes that run on the background, connect to the server pool that you configure and mine Litecoins/Bitcoins for you:

The program will generate an executable file prepared to run in the background. It makes it very easy for the attackers to include or distribute the executable in the botnets they are already running.

Apart from the infrastructure we have unveiled, we have found many different malwares with Bitcoin mining capabilities in the last few weeks. Some of them are distributed as fake software in P2P networks, using malicious web redirects (Blackhole Exploit Kit), Fake AV’s, etc.

A lot of them also use public mining pools that are also used by regular users to mine bitcoins. Following is a list of malicious binaries we have found as well as the pool server and username they use:

Hash	Server	Username
b21183ebee87ea86acd11e25a3a3b0d1	notroll.in:6332	tromm.5
7fdf03f888932a384b0089d391f01b2e	mining.eligius.st:8337	1663o1jPydX5fgTNsAW33owbsyC1gpwbvn
544b1a3b310ebb9dc9a9d3858c8c7fe4	pool.50btc.com:8332	169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
9b7a5ab5e06c46b88e3182457b1e9a0f	pool.50btc.com:8332	17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST
6ba659c9f3de5b5d45a77b12c5ca1e7b	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
e26686c56297f259e936454e4ea3f7ae	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
ae1350e85fb01777d6b5f93384f23bdc	mining.eligius.st: 8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d770554455a70f3a3ad8e3326ddca765	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d911d82dc184bbfc952b77cb4cb1b743	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
2f0312e6c46cd6e045f3be88e16ecb74	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
e64d98da86cf03ff6088b48612870f83	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
20d5c788a075113145261ee5dfab0fa0	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
500d53fbf363ce31d75447a7ac335516	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
e61b38b75d1cfefe9f631231666a9211	mining.eligius.st:8337	1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW
1a155713d6ff01a3e949730d6fe868d9	mining.eligius.st:8337	1HH1Geovwhxq2UnNt6tiscF2kMsxYEVCRM
d726542997e8aaca1c8c2809cc859f04	pool.50btc.com:8332	1Hy8HbYrLPrXhGko2SmkUtMjBvBpVDEeMh
974b155cef5cb549dcd81b62d26a7d7e	mining.eligius.st:8337	1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH
9384cb2d2b69d4023dbe2260b789c509	mining.eligius.st:8337	1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM
9f878f2f555e690d447060bff7856dac	mining.eligius.st:8337	1NqV1Dy7jH4SLXgbihQDRYA9qKgqnSfaVJ
bfe45e910c94c49e63e969cc2dd8c806	mining.eligius.st:8337	1PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL:x
bb0449dcb53723f6cb58d7024c16f887	mining.eligius.st:8337	1Q3TM64corp7BCYY98pa88w9RoZSfxrH8
9a48fe740b8feff35b1dbc07ab99d949	pool.50btc.com:8332	1qGYbXUe48RjdAoHuRhs4vvm118XMY6e3
35c3c3506064dbad08ba3a8a1ccd742b	eiswoj.uktop40chart.co.uk:80	2thread
e32caa62ef6e67e82c2b95c3b2b66db4	litecoinpool.org:3333	8r9di23217.97123y92
13052239a6a852a4eee3febe10268e25	notroll.in:6332	appap.6
6111ebdfcf7c58c953271dcbd594a417	litecoinpool.org:9332	aspen.4
1c5458ed87729b711310b6f0baf270bf	pool.50btc.com:8332	blackweader@hotmail.com_dodi
5271a38bd18c8ad51d5e3b158db11b38	eu.triplemining.com:8344	Bool_Bool
49d8ce6f361cc87f85fe12f4df73bda5	us2.eclipsemc.com:8337	cartoon1996_hm9gjp
815ccc9f6a48cab368e41647c8f81722	us2.eclipsemc.com:8337	cartoon1996_server
2a79e90f44bd136b3a977fe9fc93c1e0	pool.50btc.com:8332	cbargas3443@outlook.com
0eece32d0d55449366eae4462a4781c7	eu.triplemining.com:8344	comp_pony
cc3dc3b176bbc34444117057659e9e14	de.btcguild.com:8332	cviper_1
75bd6e532370c06c567718d68e551647	pool.50btc.com:8332	edwardpafford220@outlook.com
20c05310dc8bb6dd2cf0e4c642e475a1	uscentral.btcguild.com:8332	epix6_datacenter1
4decdf42f9eaf230768220edb361a0e0	uscentral.btcguild.com:8332	epix6_datacenter1
8c5fd67f62fbccf02f8e0e306341713d	uscentral.btcguild.com:8332	epix6_datacenter1
38831b2e4e6ead08c23f7387919999af	pool.50btc.com:8332	franklinandrus99@outlook.com
44ab7103e31a41b53401cedcabf9de6f	us2.eclipsemc.com:8337	happyworld_3
b08ef6df987e03e86cc9af30942e8fd2	us2.eclipsemc.com:8337	happyworld_3
2d150ca060ed2d89ff031c0060275c99	notroll.in:6332	happyworld3000.1
d1cc70aa60e76879da80303f0f79a894	dns.domain-crawlers.com:8332	haqidodges@gmail.com
135cbc204145e63f7af441fff85f4ec7	pool.50btc.com:8332	i0nn@mail.ru_4
854387049a16de49fc6a02655c38c4eb	eu.triplemining.com:8344	IamX_Worker1
a401a4a5051feb11fe594aad9b4bdf95	pool.50btc.com:8332	Jasoncharles848@outlook.com
4b8ad799881c4a79a32ea2a6576a8037	mine3.btcguild.com:8332	JennyEsta_666fuckerhead
ff925fbce01271e6a033febc27703762	gief3.25u.com:8332	jowsie_cheap2
3e4ef7f6727217b01c38ffcab91ef3c9	pool.50btc.com:8332	jrodriguez442@outlook.com
add443fe32e35fb4a46e35ed2052b6f6	miningpool.com:9350	koji35.3
4d4fa3c12eb5f77529e08bb9873e54e1	eu.triplemining.com:8344	lezoum2010_pocket
3f5589b0c8fc9b049e5fde81a642db6c	eu.triplemining.com:8344	loadrs2009_1
1fc06c8cdcbcff1fd5ecf07ded4bed93	us2.eclipsemc.com:8337	m1nd_jorgee
ae08c3c4ab1e43ce8201b572b0b45115	eu.triplemining.com:8344	madhav007_pudge007
47d21779b4e1d7195ae3eceafa1b163d	ltcmine.ru:3333	MinerG_0
ae03b006bb3eb6dcb2a64e3533862367	ltcmine.ru:3333	MinerG_17
c3f67b7b4d3d5152757fd71bca6fbbfe	ltcmine.ru:3333	MinerG_18
202dfdf0ced47d213e833d8a92012d90	ltcmine.ru:3333	MinerG_26
0ed23a28270a27e5a4332ae521ee70b8	ltcmine.ru:3333	MinerG_34
3e348e07f5d98929baa0cb88f00cd8cf	ltcmine.ru:3333	MinerG_7
eb375ba9447d20401ee17192c2f9010d	ltcmine.ru:3333	MinerG_8
c1d4410b41ed7f534457f077370067a6	us2.eclipsemc.com:8337	moi_worker
20c258e021449365a42f9b2fc7d0d4c8	us2.eclipsemc.com:8337	Mystical_pike
2164bd712071628549a25f5eb97a5f35	us2.eclipsemc.com:8337	N785O1c_3cxQO9S
2bab5ce7b48baea90b11244278bd6d57	mine2.btcguild.com:8332	o2521666_1
92b4c95a10d12132138ef15f44c9b9fc	pool.50btc.com:8332	pinkywesen@secure-mail.biz
86ac869662e4b8f0422fb9cbca77d72e	pool.50btc.com:8332	popa_zade@yahoo.com
c6cf7161100ff107b59b7b07db6	pool.50btc.com:8332	popa_zade@yahoo.com
b7752d762c5a9ac883caaefd1cc19c1b	eu.triplemining.com:8344	pr3m1era_Bossnigger
67e591f09ae0cea47f920878f100baa8	pool.50btc.com:8332	rainbow101@outlook.com
3b6c8728ac3ee82a06bca7096265d666	pool.50btc.com:8332	rthrockmorton212@outlook.com
3eb76d2427c283d2c4b9b396bef275a2	pool.50btc.com:8332	ryancaswell772@outlook.com
8f4ad4c95adef240f8edb5f3da09f164	us2.eclipsemc.com:8337	shrooms_mining
da99275413845905166e8470980a155f	eu.triplemining.com:8344	Sisocviper_siso
7f1ef23a0076cedaeec0b7bb55b9702d	eu.triplemining.com:8344	smackos_aliens
1f85e27b2bd33c4d0ca377ad696fa563	us2.eclipsemc.com:8337	SSnack_worker
bbfe230a8471e2b5d807df3368836bce	eu.triplemining.com:8344	Strick3n_stricken
0b04c1538e5f3a37a81ec2086810b8e1	pool.50btc.com:8332	svintaz@mail.ru_7
b51128a0d8626a9b36f25679854d137e	uswest.btcguild.com:8332	tester20122_3
ccf5f50c9f919dbd9c0cc9a313ef5a2d	pool.50btc.com:8332	titorjohn@rocketmail.com
3d31545f1889fa7593defb5f8bbc915a	pool.50btc.com:8332	TOGRI2012@hotmail.com
43cc15d6178c0fa7845fe257a58f5e0b	notroll.in:6332	tophosts.1
9425c6b7654e8e9ceba5894862e28970	notroll.in:6332	tromm.14
865341e5ae9e6fd01eca8e6bb31b4e5d	us2.eclipsemc.com:8337	vapor_worker
ce38c3479d126c80298e0fe76e73e8e5	pool.50btc.com:8332	victory2egy@yahoo.com
d20be24e318844a56d3f38f2d1061dde	pool.50btc.com:8332	victory2egy@yahoo.com
c24700038e25f4ed1aea01bc374ed5a1	pool.50btc.com:8332	victory2egy@yahoo.com_v
d11b21251ef6f8f84efc7130525a4785	pool.50btc.com:8332	vincentbaty87@outlook.com

Show me the money

As you can see in the previous table some of the bad guys were using Bitcoin addresses instead of usernames to connect to the pool servers.

Due to the openness of the Bitcoin’s protocol we can access the information and the transactions done by those accounts.

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi, 91.39938806 BTC ,$ 8,317.34

17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST, 20.89356766 BTC , $ 1,901.31

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX, 420.81569559 BTC, $ 38,294.23

1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fAm 52.33521919 BTC , $ 4,762.50

1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW, 31.00274179 BTC , $ 2,821.25

1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH, 88.99839055 BTC , $ 8,098.85

1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM, 77.55520657 BTC , $ 7,057.52

1Q3TM64corp7BCYY98pa88w9RoZSfxrH8, 48.69058357 BTC , $ 4,430.84

For instance we can see these two Bitcoin addresses probably belong to the same bad actors:

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX

Those two accounts sent most of the money to the following account:

1827x95K36G3NFxDqiNwo6aE1rH55Ua3p5

That Bitcoin address received a total amount of 1050.21 BTC in the last few months. If the bad guys sold that amount of bitcoins some days ago when a single Bitcoin was worth $265 they could have made $278k. Not bad for a small Botnet!

MtGox Fake sites

Mtgox is the largest Bitcoin exchange where you can trade Bitcoins for EUR/US, etc. In the last few weeks the increased popularity of both Bitcoin and Mtgox has made it an attractive target for attackers.

Last week, we detected several websites that were attempting to target Mtgox users. An attacker set up the fake website www[.]mtgox-chat[.]info:

The malicious server looks like an official Mtgox website with a chat on it. Once the user enters the site it will try to load a malicious Java applet:

The Java applet will download and execute a binary file from a remote site.

Once the file is executed the victim gets infected and the system will contact the C&C server on:

tamere123[.]no-ip[.]org

Having access to the victim’s system the attacker can now get the Mtgox’s credentials and steal the money/bitcoins from the victim.

Impact on the enterprise

The detection of mining software in your network could indicate either a misuse of resources by your employees or an infection that could lead to financial losses.

The following best practices will help you prevent these threats:

- Keep software up to date

- Update your Antivirus signatures

- Run a Vulnerability Assessment Program

- Monitor your networks to detect suspicious network behaviors.

AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post (and it’s available as a Free 30 day trial download):

If you want to increase your network visibility you can try our Unified Security Management solution or download the Open Source version.

jaime.blasco

More Posts - Website

Follow Me:

bitcoin, Botnet, darkomet, ddos, dorkbot, khelios, litecoin, mtgox, wallet, Zeus

New Sykipot developments

Summary

During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations:

- Another Sykipot sample likely targeting US federal agencies

- Are the Sykipot’s authors obsessed with next generation US drones?

- Sykipot variant hijacks DOD and Windows smart cards

- Sykipot is back

Sykipot are a highly skilled group of individuals who have exploited a wide range of zeroday vulnerabilities in the last few years including:

CVE	Date	Product
CVE-2007-0671	2007-02-02	Microsoft Excel
CVE-2009-3957	2010-12-01	Adobe Reader
CVE-2010-0806	2010-05-04	Internet Explorer
CVE-2010-2883	2010-09-08	Adobe Reader
CVE-2010-3654	2010-10-28	Adobe Flash Player
CVE-2011-2462	2011-12-06	Adobe Reader

In this blog post we will unveil the new vulnerabilities that this group have used using during the last 8 months and we will publish the new infrastructure they have used. We will expose several examples of the campaigns they have launched and new versions of the Sykipot backdoor they have used to access the compromised systems. We have found evidences that show they have exploited at least the following vulnerabilities during the last few months:

CVE	Date	Product
CVE-2012-1889	06/13/2012	MSXML/Internet Explorer
CVE-2012-1723	06/12/2012	Java 7
CVE-2012-4969	09/16/2012	Microsoft Internet Explorer
CVE-2013-0640	02/12/2012	Adobe Acrobat Reader

Several times the date of the exploit was a few days after the vulnerability had been disclosed and there wasn’t a patch released by the vendor.

Campaigns

In the past most of the campaigns which we found related to the Sykipot actors were based on SpearPhishing mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and some times Internet Explorer. During the last 8-10 months we have seen a change and the number of SpearPhishing campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.

Some examples of the campaigns they have launched are detailed below.

gsasmartpay.org – 2012-06-20

The last summer, we found a malicious site that the Sykipot actors set up to try and phish government employees. When the victim visited the link the following page appeared:

As we can see it shows the information present in https://smartpay.gsa.gov/cardholders.

“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”

“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”

If we take a look at the malicious files we will find that it was exploiting CVE-2012-1889 in the background:

During the exploitation it will load the following files as well:

www[.]gsasmartpay[.]org/cardholders/login/movie[.]swf?apple=AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2
www[.]gsasmartpay[.]org/cardholders/login/deployJava[.]js
www[.]gsasmartpay[.]org/cardholders/login/faq[.]htm

We are not going to show how this vulnerability is exploited since we have showed it in previous blog posts, you can find a good description here.

searching-job.net is another domain registered by the Sykipot actors (registered by thomas7610@yahoo.com on 06-20-2012) that was also serving the same exploit at that time:

www[.]searching-job[.]net/list/verification/deployJava[.]js
www[.]searching-job[.]net/list/verification/faq[.]htm
www[.]searching-job[.]net/list/verification/index[.]htm
www[.]searching-job[.]net/list/verification/movie[.]swf?apple=AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2
www[.]searching-job[.]net/account_list/verification/index[.]htm

Apart from gsasmartpay.org we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:

- dfasonline.com registered by alcott.churchill@yahoo.com on 06-19-2012

Probably related to Defense Finance and Accounting Service – DFAS - http://www.dfas.mil/

- aafbonus.com registered by janagreen2000@yahoo.com on 06-19-2012

Probably related to American Advertising Federation – http://www.aaf.org/

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

Probably related to U.S. BANKRUPTCY ADMINISTRATOR - http://www.nceba.uscourts.gov/

- pdi2012.org registered by alcott.churchill@yahoo.com on 08-18-2011

Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers

- hudsoninst.com registered by alcott.churchill@yahoo.com on 11-26-2012

Probably related to the Hudson Institute – http://www.hudson.org/

Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.

CVE-2012-4969 – Internet Explorer

In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).

- resume4jobs.net registered by james.wade1@yahoo.com on 03-08-2012

URL’s involved:

http://www[.]resume4jobs[.]net/account/1024486[.]html

http://www[.]resume4jobs[.]net/account/embed[.]htm

http://www[.]resume4jobs[.]net/jobs[.]exe Sykipot malware that uses info[.]resume4jobs[.]net as the C&C

- paypal1.dns1.us – Dynamic DNS provider

URL’s involved:

http://paypal1[.]dns1[.]us/account/1024486[.]html

http://paypal1[.]dns1[.]us/account/embed[.]htm

- pollingvoter.org registered by jimgreen200088@yahoo.com on 06-11-2012

URL’s involved:

http://www[.]pollingvoter[.]org/ne2012/vote/embed[.]htm

http://www[.]pollingvoter[.]org/life[.]exe Sykipot malware that uses www[.]betterslife[.]com as the C&C

- skyruss.net registered by joneluxara@yahoo.com on 04-17-2012

URL’s involved:

http://social[.]sns[.]skyruss[.]net/variety/index[.]html

http://forum[.]skyruss[.]net/articles/embed[.]htm

CVE-2012-1723 – Java 7

In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victim’s systems. It seems they were using the Metasploit version of the exploit.

Some examples are:

- slashdoc.org registered by jessantt@gmail.com on 05-21-2012

URL’s involved:

http://www[.]slashdoc[.]org/default[.]jar

http://www[.]slashdoc[.]org/index[.]html

The index.html page loads the malicious Java applet and it passes the payload they want to execute using the data parameter (the value is hex encoded):

In this case the host www[.]photosmagnum[.]com was used as the C&C server.

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

URL’s involved:

http://www[.]nceba[.]org/newsroom/article/news201207240251[.]html

http://www[.]nceba[.]org/newsroom/article/default[.]jar

Using www[.]betterslife[.]com as the C&C server.

- milstars.org registered by slyan8024@gmail.com on 06-20-2012

URL’s involved:

http://milstars[.]org/view/default[.]jar

CVE-2013-0640 – PDF Exploit targeting Japanese victims

We found the Sykipot actors using the latest Adobe Acrobat exploit (CVE-2013-0640) a few weeks ago.

The version of the exploit is the same that we found in our latest blog post:

- Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

The Javascript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one.

Once the PDF is opened the following lure file is displayed to the victim:

Based on the content of the lure document the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare

Once the infection takes place the following fiels are created on the system:

\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfilede.dat 5ED3A94354F27BC7AF0FEF04F89D8EB8
\DOCUME~1\ADMINI~1\LOCALS~1\mpr.dll 84EFAFF343CF7A34D2A0D847A1E5FD50
\DOCUME~1\ADMINI~1\LOCALS~1\setm.ini 00051F392350128BA4DD4CA10F44DDEF
\DOCUME~1\ADMINI~1\LOCALS~1\temp.dll BEA84BE4BFE236652F6A4E382B21A96F

The file setm.ini contains the configuration of Sykipot in this case:

[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com (C&C server)
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh

The following actions take place in the system:

cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)

Several functions are called within the Sykipot’s DLL:

[sykipot_payload_file].exe -startupEx
[sykipot_payload_file].exe -startup1
cmd /c [sykipot_payload_file].exe -startup

Then the malicious payload will be injected into Internet Explorer.

The malware will communicate with the C&C server once in a while using SSL and the well known communication paths of previous Sykipot payloads:

/kys_allow_put.asp?type=
/kys_allow_get.asp?name=

As we showed in the past most of the Sykipot samples used the key “19990817″ for encryption.In this sample we have found a new key “20120709″ that is also a date.

Infrastructure

Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:

Unique malicious domains:

peocity.com
rusview.net
skyruss.net
commanal.net
natareport.com
photogellrey.com
photogalaxyzone.com
insdet.com
creditrept.com
pollingvoter.org
dfasonline.com
hudsoninst.com
wsurveymaster.com
nhrasurvey.org
pdi2012.org
nceba.org
linkedin-blog.com
aafbonus.com
milstars.org
vatdex.com
insightpublicaffairs.org
applesea.net
appledmg.net
appleintouch.net
seyuieyahooapis.com
appledns.net
emailserverctr.com
dailynewsjustin.com
hi-tecsolutions.org
slashdoc.org
photosmagnum.com
resume4jobs.net
searching-job.net
servagency.com
gsasmartpay.org
tech-att.com

We are releasing Snort rules to detect queries to the malicious domains in your network:

Thanks to EmergingThreats for the help. You will find the rules in its ruleset update today as well.

Based in our research, below is the list of unique e-mail addreses used to registered malicious domains:

233@lao.com
Joneluxara@yahoo.com
alcott.churchill@yahoo.com
b@bvc.com
calvin.kliff@yahoo.com
carrier.fisher@hotmail.com
conan0557@126.com
james.wade1@yahoo.com
janagreen2000@yahoo.com
jessantt@gmail.com
jimgreen200088@yahoo.com
jimgreen20008@yahoo.com
marialreyna11211919@yahoo.com
morgan.wale1@yahoo.com
mskinner62@yahoo.com
myhog@hotmail.com
parviz7415@yahoo.com
slyan8024@gmail.com
thomas7610@yahoo.com

Apart from the list of new domains you should check out the domains mentioned in the following articles that all related to previous Sykipot’s activity but some of them are still being used in Sykipot’s operations:

- Sykipot is back - Alienvault Labs

- The Sykipot Attacks - Symantec

- The Sykipot Campaign – TrendMicro

- Hurricane Sandy serves as lure to deliver Sykipot - Verizon

- Insight into Sykipot Operations - Symantec

- Medical Industry A CYBER VICTIM: BILLIONS STOLEN AND LIVES AT RISK - Cyber Squared

jaime.blasco

More Posts - Website

Follow Me:

CVE-2012-1723, CVE-2012-1889, CVE-2012-4969, CVE-2013-0640, Sykipot

Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisthicated group to target different governments using a malware called MiniDuke.

Alienvault Labs have detected that a different group of attackers have been using this vulnerability to target non-governmental and human rights organizations.

Together with our partner Kaspersky Labs we are releasing an analysis of this campaign. You can read his report here.

Based on the samples we found we believe this group has been running a SpearPhishing campaign from the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:

Some of the exploit filenames:

2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
联名信.pdf
arp.pdf

Based on the lures we found it seems the same group is targeting both Tibet and Uyghur activists in the same campaign.

The Javascript code inside the PDF files is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one.

The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.

The malicious payload will perform the following operations:

- Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe
- Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll
- Execute %APPDATA%\wuauclt\wuauclt.exe

Note that wuauclt.exe is a benign system executable. Once the system file is executed, the malicious DLL will be loaded. This technique is known as DLL search order hijacking.

The malicious DLL will be loaded when wuauclt.exe is executed. It is important to show that clbcatq.dll is not exporting all the methods that the original clbcatq.dll has. It only implements the ones that are required to run the malicious code:

Original DLL Malicious DLL

Once the malicious DLL is loaded, the malicious code will generate the following HTTP request:

The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:

GetWorkType
InfectFile

The payload will drop the following files:

\WINDOWS\system32\wbem\4BA5E980.PBK
\WINDOWS\system32\wbem\mstd32.dll

The InfectFile function will modify some code in the system library WINDOWS\system32\mswsock.dll. If we take a look at the patched DLL:

Original version

Modified version:

If we take a look at WSPStartup_0:

We can see how the malicious DLL mstd32.dll will be loaded everytime the system library mswsock.dll is loaded by a program.

The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc. We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.

Then the malicious code will perform the following HTTP request every few seconds:

The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.

We have identified the following C&C servers for both payloads:

ly.micorsofts.net
ip.micrsofts.com
xdx.hotmal1.com
hy.micrsofts.com

All the DNS names are pointing to 60.211.253.28 at this time.

Both domains have been registered using the same mail address:

micorsofts.net

Created: 2008-05-12 01:51:10
Expires: 2013-05-12 01:51:10
Last Modified: 2012-05-02 13:26:38

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000

hotmal1.com

Created: 2008-12-30 03:53:18
Expires: 2013-12-30 03:53:18
Last Modified: 2012-12-26 15:32:15

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601

Profile of the user on 20cn.net

We – Alienvault Labs- have written some Snort rules to match the network behavior:

You can use the following Yara rule to match the malicious binaries:

And this one to detect the malicious PDF files:

Finally, we are releasing some OpenIOC indicators as well:

You can find all the content in our GitHub repository.

The rules have been included in the EmergingThreats ruleset as well as in our Open Source SIEM.

jaime.blasco

More Posts - Website

Follow Me:

APT, CVE-2013-0640, tibet, Uyghur, YNK JAPAN

Georbot Botnet – A cyber espionage campaign against Georgian Government

A few days ago, CERT-Georgia published a great report describing a cyber spionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian Governmental Agencies including ministries, parliament, banks, ngo’s. The report also says the purpose of the malware was “Collecting Sensitive, Confidential Information about Georgian and American Security Documents” and it establishes a connection with Russian Official Security Agencies.

In this blog post we will offer a brief about the infection vectors as well as the malware behavior and we will share some IOC’s and signatures to detect the presence of the malware in your systems.

Infection method

To compromise the victims, the attackers placed javascript code or iframes into websites leading to exploit code.

The compromised website includes Georgian Government servers like ema.gov.ge. Other examples are:

- ema.gov.ge

- 31.214.140.214

- 178.32.91.70

- georgiaonline.xp3.biz

- 31.31.75.63

- 173.212.192.83

An example of a malicious javascript is as follow:

The malicious javascript present in frame.js/frame.php includes code that exploits several vulnerabilities including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.

Examples of exploit codes found:

178.32.91.70 [/] modules[/]docs[/]newexp[.]jar https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/

178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar

https://www.virustotal.com/file/7a900cc7616cfbf2ca17350c436af2490621550ded3e29325dc31149db50c63d/analysis/

Once the exploit code is executed, the payload calc.exe that contains the malware is downloaded from the remote server.

The malware uses a custom packer to evade security security products. It also uses obfuscation to hide both the configuration values and the API calls.

The malware uses byte substraction operations to hide the strings including the configuration values:

After deobfuscation:

We can use the following Yara rule to detect the obfuscated binary:

rule GeorBotBinary
{
strings:
$a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}

condition:
all of them
}

Based on the deofuscated strings we can also write a Yara rule to detect the presence of the malware in memory:

rule GeorBotMemory
{
strings:
$a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
$b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
$c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
condition:
$a and ($b or $c)
}

We use both the registry key used to maintain persistence and the executable name that the malware creates on the system (in version >=5 of the malware those values are stored on wide strings).

If we have a memory image of a system we can use Volatility to look for processes matching our Yara rule:

$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha

Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system

Network traffic

The malware uses HTTP to communicate with the C&C server. It contains several commands to upload and retrieve information from the victim. It also looks for malware updates every once in a while. In early versions the update version was requested from /modules/docs/upload/calc.exe on the C&C server.

In newer versions the malware performs a request to /calc.php and the server sends base64 encode content (it can be done using content from different servers at the same time).

When the malware starts it sends the following request to the C&C:

Every minute it sends the following HTTP request to the C&C to ask for instructions:

In newer versions the parameter “cam” was also introduced that tells the C&C whether the infected system has a webcam.

/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00

You can use the following snort to detect the presence of this malware in your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot requesting update”; flow: to_server,established; content:”/modules/docs/upload/calc.exe”; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot initial checkin”; flow: to_server,established; content:”POST”; http_method; nocase; content:”.php?ver=”; http_uri; content:”&p=cert123″; fast_pattern; http_uri; content:”&id=”; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot checkin”; flow: to_server,established; content:”.php?ver=”; http_uri; content:”&p=bot123″; fast_pattern; http_uri; content:”&id=”; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)

Emerging Threats Pro has coverage for previous versions (see “ETPRO TROJAN TDSS.xcn”) but the rules I posted will work with newer versions of the malware as well.

Based on the behavior of the malware we wrote this OpenIOC rule:

You can download all the content from this blog post on the following url:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/malware_analysis/Georbot

Happy Halloween!

jaime.blasco

More Posts - Website

Follow Me:

Botnet, Georbot, georgia, malware, OpenIOC, snort, yara

Yara rules and network detection for Operation Hangover

jaime.blasco

How cybercriminals are exploiting Bitcoin and other virtual currencies

jaime.blasco

New Sykipot developments

jaime.blasco

Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

jaime.blasco

Georbot Botnet – A cyber espionage campaign against Georgian Government

jaime.blasco

Navigation

Search IP in reputation database

Labs on twitter

Tags

Recent Discussions

People Online