Category Archives: FireEye

Security Predictions 2018

Category : FireEye

Cyber crime is a business that threat actors take very seriously. Cyber security is its opposing force. To be effective in the battle against cyber attacks, trusted security partners such as FireEye must hold their secrets close.

But to equip the world-at-large against an ever-expanding and continually diversifying collection of threats, some information must be shared freely.

The Security Predictions for 2018 paper offers unique insights into what we can expect from attackers, victim organizations, security vendors and nation-states in the coming year.

  • Who is likely to instigate cyber attacks, and who are their targets
  • What cyber attack techniques are likely to be most popular, and under what conditions
  • Which nation-states are likely to engage in cyber warfare and cyber crime, and their reasons for doing so
  • What options are available to deal with cyber attacks, and which activities will be most effective

Take notes. Take guidance. Take the edge away from the criminals working against you in the coming year.

Download the paper today.


The Underground Uber Networks Driven by Russian Hackers

Uber’s ride-sharing service has given birth to some of the most creative criminal scams to date, including using a GPS-spoofing app to rip off riders in Nigeria, and even ginning up fake drivers by using stolen identities. Add to those this nefariously genius operation: Cybercriminals, many working in Russia, have created their own illegitimate taxi services for other crooks by piggybacking off Uber’s ride-sharing platform, sometimes working in collaboration with corrupt drivers.

Based on several Russian-language posts across a number of criminal-world sites, this is how the scam works: The scammer needs an emulator, a piece of software which allows them to run a virtual Android phone on their laptop with the Uber app, as well as a virtual private network (VPN), which routes their computer’s traffic through a server in the same city as the rider. The scammer acts, in essence, as a middleman between an Uber driver and the passenger—ordering trips through the Uber app, but relaying messages outside of it. Typically, this fraudulent dispatcher uses the messaging app Telegram to chat with the passenger, who provides pickup and destination addresses. The scammer orders the trip, and then provides the car brand, driver name, and license plate details back to the passenger through Telegram.

In one Russian-language crime-forum post, a scammer says their service runs in some 20 cities, including Moscow and St. Petersburg, as well as Kiev in Ukraine and Minsk in Belarus; another thread suggests the service has been used in New York and Portugal as well. In some cases, the scam middleman will use an Uber promotional code or voucher for a free or discounted ride—meaning they’d just pocket whatever fee charged to the passenger. In another variation of the scheme, some scammers are working with drivers to split profits—one post explicitly says the scammer cooperates with drivers.

“Presumably, this service would operate similarly to other money laundering schemes, in which the service provider would use compromised payment credentials to cover the cost of the Uber ride for a customer, who would pay him/her the discounted rate,” David S. Mainor, who manages financial-crime analysis at cybersecurity firm FireEye, told The Daily Beast.

Regardless, the passenger pays the scammer through the Russian service Qiwi, according to two posts on Russian-language crime forums, although other schemes may use Yandex.Money or Sberbank, judging by another post. If the payment is late, one scammer writes they will cancel the trip, “usually in the middle of the ring road =).”

And the prices are cheap. One scammer is offering four hours of UberX for 600 rubles, or just over $10, and the same amount of time in an UberBlack for 1,000 rubles, or $17. On another Russian crime site, a different fraudster offers more short-time rides, with up to 40 minutes costing 200 rubles—just $3. That scammer will also redirect the driver’s call to the passenger’s own phone for an extra 80 cents.

Obviously, this is not the most profitable scam in the world. But it still shows the ingenuity of fraudsters determined to squeeze whatever profit they can out of tech services, and the idea is seemingly to build a business, albeit an illegitimate one, over time, rather than pulling a quick, one-off scam. One guide suggests marketing the scheme to students, or people who don’t want to wait for the subway, and posting adverts on VK, Russia’s version of Facebook. It also recommends giving away the first trip for free, so as to build a loyal customer base.

Customers don’t necessarily have to ride in the Ubers either; one apparently satisfied user says they like to use Ubers as “couriers,” although it’s not clear what exactly the person may have been transporting. Some scammers have even tried to automate much of the process, by setting up a bot to handle messages instead of having a human relay them through Telegram.

“Everything is easy and accessible at any time of the day,” writes that fraudster, whose avatar includes a cartoon of a taxi. The bot has not always worked as intended though, judging by some responses to the post. Earlier this year, the scammer offered a promotional code that when typed into the bot would offer a free ride, and another of their posts says this service uses Yandex.Taxi, a kind of Russian Uber alternative.

“Currently, actors tend to focus on Uber more than other ride-sharing services, likely due to the prevalence of Uber in the global ride-sharing market; however, other such comparable services, such as Lyft, share similar risk profiles,” Mainor from FireEye added.

Uber spokesperson Melanie Ensign told The Daily Beast, after being shown a screenshot for one of the illegitimate Uber services, “We have multiple detection and prevention measures in place for this type of fraud, including multi-factor authentication for suspicious logins either at the time of login or at the time a trip is requested. Our anti-fraud team also uses machine-learning models and pattern detection to identify fake accounts created with stolen credit cards and routinely deactivate fraudulent actors. In some cases, we’re able to proactively refund riders when we detect fraudulent activity, but they can also report issues to our team inside the Uber app for investigation. Additionally, we have a specialized team of fraud investigators who actively monitor online forums where these services are advertised,” she added.

Not everything has been smooth sailing for these scammers. A number of customers have complained of sloppy service, and, particularly at the start of the year, multiple users said Uber had somehow clamped down on the practice. But an apparently happy customer left a positive review on one related thread just last month.

At the end of one of the online advertisements, the scammer writes, “Enjoy your trips!”

Source: The Daily Beast

Author: JOSEPH COX


FireEye Autumn Demo Series

Innovative FireEye technologies continue to set the standard for cyber security. Now you can see how simple and effective these solutions are.

The FireEye Autumn Demo Series provides a firsthand experience of our new security operations platform and recent major enhancements to both endpoint and email solutions.

These 15-minute live demos, followed by Q&A sessions, are delivered by seasoned FireEye engineers.

Solution           Demo Date        Time
Email Security     Every Tuesday    12 p.m. ET / 9 a.m. PT
Endpoint Security  Every Wednesday  12 p.m. ET / 9 a.m. PT
FireEye Helix      Every Thursday   12 p.m. ET / 9 a.m. PT

Reserve a spot for your preferred demo today.


Tomorrow’s Endpoint Protection Platforms

Why common endpoint security can’t beat modern threats

Although endpoint protection platforms (EPP) continue to rely on the decades-old technology that was part of their original design, cyber threats are forcing a change. You cannot afford to settle for standard endpoint security products.

As attack methodologies have evolved, endpoint security has continued to adapt based on several insights:

  • The static, reactive approach of signature-based security and machine learning programming are no longer sufficient.
  • Encryption, vulnerability assessment and data loss prevention (DLP) capabilities add value, but don’t close the security gap.
  • Comprehensive visibility, intelligence, behavior analysis and automation are critical to the future of endpoint security.

The FireEye whitepaper, “Tomorrow’s Endpoint Protection Platforms,” discusses how EPPs are changing, and explains what EPP capabilities might be best for your needs.


The Devious Netflix Phish That Just Won’t Die

The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn’t just its convincing look—it’s that whoever’s behind it has found new ways to bypass spam filters over and over again.

While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.

Deep Deception

As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.

Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. “They’re not even varying their tactics all that much,” he says. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”

While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot of the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim’s name at the beginning.

The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can’t inspect the code for malicious components. The phishing pages also have a defense in place where they won’t load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn’t been flagged on security and spam blacklists.

Most importantly, the Netflix phishers use a well-known technique of compromising legitimate web accounts or web servers, and hosting their phishing pages off of those services. By hosting the pages on sites that have been around for a while and weren’t previously malicious, the attackers buy time on URLs that have credibility (known online as a good reputation score) and won’t be flagged by security scanners. Analysts at the email scanning and security group MailGuard found that in this go-around the Netflix phishers have been using compromised WordPress blogs to host their malicious pages.

This type of approach can be used to launch phishing attacks based off of all different brands and services. Aaron Higbee, CTO of the phishing defense firm PhishMe, says the company has tracked the same types of phishing campaign infrastructure to impersonate brands like Chase, Comcast, TD Bank, and Wells Fargo. And he notes that the system can perpetuate itself. Some of the stolen credentials attackers get out of the scam may include reused credentials for accounts and web servers that the phishers can then compromise and use to launch more attacks.

Safety Steps

The good news is that users can protect themselves by following the standard advice about phishing. To confirm who really sent an email, click on the downward arrow next to the sender’s name in Gmail. It’ll expand to show the full info. Hover over any links to confirm that they lead to the URLs they claim. Make account changes by navigating, on your own, to a site itself, and log in there instead of going through an email link. Don’t reuse passwords. And view any emails that push you to act right away with suspicion.
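The “hover over any links” advice above can be automated for an inbound mail stream. The following is an added example, not code from the WIRED article or from any vendor named in it: it parses the HTML body of a message and flags every anchor whose visible text names one host while its href actually points at another, which is exactly the shape of the Netflix lure hosted on a compromised blog. The sample message and the `compromised-example.invalid` domain are constructed for illustration.

```python
"""Flag e-mail links whose visible text claims one destination but whose
href points somewhere else.  Added example; not code from the original
article.  The sample message below is constructed for illustration and the
domains in it are placeholders, not real infrastructure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that "looks like" a URL or bare host name, e.g. "netflix.com"
# or "https://www.netflix.com/YourAccount".
_URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def _host(value):
    """Return the lower-cased host of a URL, adding a scheme if absent."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(claimed, actual):
    """True if `actual` is `claimed` itself or a subdomain of it."""
    return actual == claimed or actual.endswith("." + claimed)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return [(visible_text, href)] for links whose text names a host that
    the href does not actually go to.  Links whose text is not URL-like
    ("Update now") cannot be judged this way and are skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if not _URLISH.match(text):
            continue
        claimed, actual = _host(text), _host(href)
        if claimed and actual and not _same_site(claimed, actual):
            deceptive.append((text, href))
    return deceptive


# Constructed sample: the visible text claims netflix.com, the href does not.
SAMPLE_EMAIL = """
<p>Dear Customer, your account has been suspended.</p>
<p>Please update your billing information at
<a href="http://blog.compromised-example.invalid/wp-content/nf/">https://www.netflix.com/YourAccount</a>
or <a href="https://help.netflix.com/">help.netflix.com</a>.</p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text says {text!r} but link goes to {href!r}")
```

The subdomain test matters: `help.netflix.com` under a `netflix.com` label is legitimate, but `netflix.com.evil.invalid` is not, so the check compares the claimed host against the end of the real host rather than doing a substring search.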

“Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information,” Netflix said in a statement to WIRED.

There’s a lot at stake. Researchers say that the Netflix phishers also likely sell the victim data they collect to dark-web processors looking for bulk data, credit card numbers, and even just active Netflix accounts that they can resell for a few dollars.

“There are a number of motives here,” Higbee says. “And I know I’m going to sound like a broken record, but if your email address password is the same as your entertainment passwords you’re really setting yourself up for disaster. Your email address password needs to be different even if you don’t vary all your passwords. That alone will prevent a lot of damage.”

You might as well commit those tips to memory—especially with an attack like the Netflix phish that’s been around for months, and isn’t slowing down.

Source: https://www.wired.com/story/netflix-phishing-scam/

Author: Lily Hay Newman


2017 – An active year for APT groups

From cyber criminals who seek personal financial information and intellectual property to state-sponsored cyber attacks designed to steal data and compromise infrastructure, today’s advanced persistent threats (APTs) can sidestep cyber security efforts and cause serious damage to your organization.
2017 is already one of the most prolific years in terms of APT activity. Indeed, since the beginning of the year, there have been several examples of major cyber attacks.

Join us for a live webinar as we discuss:
– The most severe cybercriminal activities of 2017
– The motivations, approaches and TTPs of the threat groups behind these attacks
– Insights into APT10, APT32 & APT33

Register for free


BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING. We’ve identified 51 sites hosting BACKSWING and four confirmed to drop BADRABBIT. Throughout 2017, we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites. The pattern of deployment raises the possibility of a strategic sponsor with specific regional interests and suggests a motivation other than financial gain. Given that many domains are still compromised with BACKSWING, we anticipate that there is a risk that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware. Users were redirected to the infected site from multiple legitimate sites (e.g. http://www.mediaport[.]ua/sites/default/files/page-main.js) simultaneously, indicating a coordinated and widespread strategic web compromise campaign.

FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany, Japan, and the U.S. until Oct. 24 at 15:00 UTC, when the infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com and the legitimate websites containing the rogue code – was taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of collateral targeting. It is common for threat actors to pair a strategic web compromise with profiling malware to target systems with specific application versions or victims. FireEye observed that BACKSWING, a malicious JavaScript profiling framework, was deployed to at least 54 legitimate sites starting as early as September 2016. A handful of these sites were later used to redirect to BADRABBIT distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING that contain the same functionality but differ in their code styles. We consider BACKSWING a generic container used to select attributes of the current browsing session (User-Agent, HTTP Referrer, Cookies, and the current domain). This information is then relayed to a “C2,” sometimes referred to as a “receiver.” If the receiver is online, the server returns a unique JSON blob to the caller, which is then parsed by the BACKSWING code (Figure 1).


Figure 1: BACKSWING Reply

BACKSWING expects the JSON blob to have two fields, “InjectionType” (expected to be an integer) and “InjectionString” (expected to be a string containing HTML content). BACKSWING version 1 (Figure 2) explicitly handles the value of “InjectionType” in two code paths:

  • If InjectionType == 1 (Redirect browser to URL)
  • If InjectionType != 1 (render HTML into the DOM)


Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic, but generalizes the InjectionString to be handled strictly to render the reply into the DOM.


Figure 3: BACKSWING Version 2

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro. Turkish-tourism websites were also injected with this profiler.
  • BACKSWING v1 was commonly injected in cleartext to affected websites, but over time, actors began to obfuscate the code using the open-source Dean-Edwards Packer and injected it into legitimate JavaScript resources on affected websites. Figure 4 shows the injection content.
  • Beginning in May 2017, FireEye observed a number of Ukrainian websites compromised with BACKSWING v1, and in June 2017, began to see content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element with two distinct identifiers. When decoded, BACKSWING v1 embedded two div elements within the DOM with values of 07a06a96-3345-43f2-afe1-2a70d951f50a and 9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was observed in these replies.


Figure 4: BACKSWING Injection Content
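An analyst who has captured a receiver reply from a proxy log or a sandbox run wants to know what the injected profiler would have done with it. The following is an added example, not FireEye’s code and not the actor’s: it validates the two-field JSON shape described above, applies the version 1 redirect-versus-render rule (and the version 2 render-only rule), and pulls any div ids out of the HTML so they can be compared with the two identifiers FireEye reported. The sample replies are constructed; the div ids are the ones from the text, and the redirect URL is a placeholder.

```python
"""Decode a captured BACKSWING receiver reply and report what the injected
profiler would have done with it, following the InjectionType semantics
described in the post.  Added analyst-side example, not FireEye's or the
actor's code.  The sample replies are constructed except for the two div
ids, which are the ones FireEye reported."""
import json
from html.parser import HTMLParser

# Identifiers FireEye saw BACKSWING v1 embed in late June 2017.
KNOWN_DIV_IDS = {
    "07a06a96-3345-43f2-afe1-2a70d951f50a",
    "9b142ec2-1fdb-4790-b48c-ffdf22911104",
}


class _IdCollector(HTMLParser):
    """Collect the id attribute of every div element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            for name, value in attrs:
                if name == "id" and value:
                    self.ids.append(value)


def div_ids(fragment):
    """Return the div ids in `fragment`, in document order."""
    parser = _IdCollector()
    parser.feed(fragment)
    return parser.ids


def decode_reply(raw, version=1):
    """Describe the action a BACKSWING client of the given version would take
    for this reply, or {'action': 'invalid'} when the blob does not have the
    expected shape (two fields, integer type, string content)."""
    try:
        blob = json.loads(raw)
    except ValueError:
        return {"action": "invalid", "reason": "not JSON"}
    if not isinstance(blob, dict):
        return {"action": "invalid", "reason": "not a JSON object"}
    itype, istring = blob.get("InjectionType"), blob.get("InjectionString")
    if not isinstance(itype, int) or not isinstance(istring, str):
        return {"action": "invalid", "reason": "missing or mistyped fields"}
    # v1: InjectionType == 1 redirects the browser; anything else is rendered
    # into the DOM.  v2: the reply is always rendered into the DOM.
    if version == 1 and itype == 1:
        return {"action": "redirect", "target": istring.strip()}
    ids = div_ids(istring)
    return {
        "action": "inject_html",
        "div_ids": ids,
        "known_backswing_ids": sorted(set(ids) & KNOWN_DIV_IDS),
    }


# Constructed replies; the redirect target is a placeholder, not an observed URL.
REDIRECT_REPLY = json.dumps({"InjectionType": 1,
                             "InjectionString": "http://redirect.example.invalid/"})
DIV_REPLY = json.dumps({
    "InjectionType": 2,
    "InjectionString": '<div id="07a06a96-3345-43f2-afe1-2a70d951f50a"></div>'
                       '<div id="9b142ec2-1fdb-4790-b48c-ffdf22911104"></div>',
})

if __name__ == "__main__":
    print(decode_reply(REDIRECT_REPLY))
    print(decode_reply(DIV_REPLY))
```

Running the same reply through both version rules is deliberate: a type 1 reply that a v1 client would follow as a redirect is simply rendered by a v2 client, so the version of the injected script on the compromised site determines what the victim’s browser did.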

Version 2:

  • The earliest that FireEye observed BACKSWING v2 was Oct. 5, 2017, across multiple websites that previously hosted BACKSWING v1.
  • BACKSWING v2 was predominantly injected into legitimate JavaScript resources hosted on affected websites; however, some instances were injected into the sites’ main pages.
  • FireEye observed that a limited number of websites hosting this version were also implicated in suspected BADRABBIT infection chains (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT “flash update” dropper). While FireEye has not directly observed BACKSWING delivering BADRABBIT, BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol[.]com, which hosted the BADRABBIT dropper.

Table 1 highlights the legitimate sites hosting BACKSWING that were also used as HTTP referrers for BADRABBIT payload distribution.

Compromised Website BACKSWING Receiver BACKSWING Version Observed BADRABBIT Redirect
blog.fontanka[.]ru Not Available Not Available 1dnscontrol[.]com
www.aica.co[.]jp http://185.149.120[.]3/scholargoogle/ v2 1dnscontrol[.]com
www.fontanka[.]ru http://185.149.120[.]3/scholargoogle/ v2 1dnscontrol[.]com
www.mediaport[.]ua http://172.97.69[.]79/i/ v1 1dnscontrol[.]com
www.mediaport[.]ua http://185.149.120[.]3/scholargoogle/ v2 1dnscontrol[.]com
www.smetkoplan[.]com http://172.97.69[.]79/i/ v1 1dnscontrol[.]com
www.smetkoplan[.]com http://38.84.134[.]15/Core/Engine/Index/default v1 1dnscontrol[.]com
www.smetkoplan[.]com http://185.149.120[.]3/scholargoogle/ v2 1dnscontrol[.]com

Table 1: Sites hosting BACKSWING profilers and redirected users to a BADRABBIT download site

The compromised websites listed in Table 1 demonstrate one of the first times that we have observed the potential weaponization of BACKSWING. FireEye is tracking a growing number of legitimate websites that also host BACKSWING, underscoring a considerable footprint the actors could leverage in future attacks. Table 2 provides a list of sites also compromised with BACKSWING.

Compromised Website BACKSWING Receiver BACKSWING Version
akvadom.kiev[.]ua http://172.97.69[.]79/i/ v1
bahmut.com[.]ua http://dfkiueswbgfreiwfsd[.]tk/i/ v1
bitte.net[.]ua http://172.97.69[.]79/i/ v1
bon-vivasan.com[.]ua http://172.97.69[.]79/i/ v1
bonitka.com[.]ua http://172.97.69[.]79/i/ v1
camp.mrt.gov[.]me http://38.84.134[.]15/Core/Engine/Index/two v1
Evrosmazki[.]ua http://172.97.69[.]79/i/ v1
forum.andronova[.]net http://172.97.69[.]79/i/ v1
forum.andronova[.]net http://91.236.116[.]50/Core/Engine/Index/two v1
grandua[.]ua http://172.97.69[.]79/i/ v1
grupovo[.]bg http://185.149.120[.]3/scholargoogle/ v2
hr.pensionhotel[.]com http://38.84.134[.]15/Core/Engine/Index/default v1
i24.com[.]ua http://172.97.69[.]79/i/ v1
i24.com[.]ua http://185.149.120[.]3/scholargoogle/ v2
icase.lg[.]ua http://172.97.69[.]79/i/ v1
montenegro-today[.]com http://38.84.134[.]15/Core/Engine/Index/two v1
montenegro-today[.]ru http://172.97.69[.]79/i/ v1
most-dnepr[.]info http://172.97.69[.]79/i/ v1
most-dnepr[.]info http://185.149.120[.]3/scholargoogle/ v2
obereg-t[.]com http://172.97.69[.]79/i/ v1
sarktur[.]com http://104.244.159[.]23:8080/i v1
sarktur[.]com http://38.84.134[.]15/Core/Engine/Index/default v1
school12.cn[.]ua http://172.97.69[.]79/i/ v1
sinematurk[.]com http://91.236.116[.]50/Core/Engine/Index/two v1
vgoru[.]org http://172.97.69[.]79/i/ v1
www.2000[.]ua http://172.97.69[.]79/i/ v1
www.444android[.]com http://172.97.69[.]79/i/ v1
www.444android[.]com http://91.236.116[.]50/Core/Engine/Index/two v1
www.aica.co[.]jp http://38.84.134[.]15/Core/Engine/Index/default v1
www.alapli.bel[.]tr http://91.236.116[.]50/Core/Engine/Index/two v1
www.ambilet[.]ro http://185.149.120[.]3/scholargoogle/ v2
www.andronova[.]net http://91.236.116[.]50/Core/Engine/Index/two v1
www.chnu.edu[.]ua http://172.97.69[.]79/i/ v1
www.dermavieskin[.]com https://bodum-online[.]gq/Core/Engine/Index/three v1
www.evrosmazki[.]ua http://172.97.69[.]79/i/ v1
www.hercegnovi[.]me http://38.84.134[.]15/Core/Engine/Index/two v1
www.len[.]ru http://185.149.120[.]3/scholasgoogle/ v2
www.montenegro-today[.]com http://38.84.134[.]15/Core/Engine/Index/two v1
www.montenegro-today[.]com http://91.236.116[.]50/Core/Engine/Index/two v1
www.otbrana[.]com http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]be http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]cz http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]de http://172.97.69[.]79/i/ v1
www.pensionhotel[.]de http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]dk http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]nl http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]pl http://38.84.134[.]15/Core/Engine/Index/default v1
www.pensionhotel[.]ro http://46.20.1[.]98/scholargoogle/ v1
www.pensionhotel[.]sk http://38.84.134[.]15/Core/Engine/Index/default v1
www.sinematurk[.]com http://91.236.116[.]50/Core/Engine/Index/two v1
www.t.ks[.]ua http://172.97.69[.]79/i/ v1
www.teknolojihaber[.]net http://91.236.116[.]50/Core/Engine/Index/two v1
www.uscc[.]ua http://172.97.69[.]79/i/ v1
www.vertizontal[.]ro http://91.236.116[.]50/Core/Engine/Index/three v1
www.visa3777[.]com http://172.97.69[.]79/i/ v1
www.www.pensionhotel[.]de http://38.84.134[.]15/Core/Engine/Index/default v1

Table 2: Additional sites hosting BACKSWING profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of BACKSWING instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting BACKSWING do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests.
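Tables 1 and 2 are most useful when turned into a retrospective hunt over web-proxy logs. The following is an added example, not FireEye’s code: it refangs the receiver URLs and the 1dnscontrol[.]com host exactly as they appear in the tables, then classifies each proxy record as a BACKSWING receiver contact or a request to the BADRABBIT distribution host, noting when the referrer was one of the compromised sites from Table 1. The log layout (`<timestamp> <client> <METHOD> <url> <referrer or ->`) and the log lines are constructed for this example; the dropper path on 1dnscontrol.com is a placeholder based on the file name reported in the text.

```python
"""Hunt web-proxy logs for the BACKSWING receivers and the BADRABBIT
distribution host listed in Tables 1 and 2.  Added example, not FireEye's
code.  The indicators are copied from the tables in their defanged form; the
log lines and the log layout "<ts> <client> <METHOD> <url> <referrer|->"
are constructed for this example."""
import re
from urllib.parse import urlparse

BACKSWING_RECEIVERS = [
    "http://172.97.69[.]79/i/",
    "http://185.149.120[.]3/scholargoogle/",
    "http://38.84.134[.]15/Core/Engine/Index/default",
    "http://38.84.134[.]15/Core/Engine/Index/two",
    "http://91.236.116[.]50/Core/Engine/Index/two",
    "http://104.244.159[.]23:8080/i",
    "http://dfkiueswbgfreiwfsd[.]tk/i/",
]
BADRABBIT_HOSTS = ["1dnscontrol[.]com"]
# Legitimate sites that Table 1 lists as referrers into the BADRABBIT chain.
REDIRECT_REFERRERS = ["blog.fontanka[.]ru", "www.aica.co[.]jp", "www.fontanka[.]ru",
                      "www.mediaport[.]ua", "www.smetkoplan[.]com"]


def refang(indicator):
    """Turn the publication-safe '[.]' form back into a matchable string."""
    return indicator.replace("[.]", ".")


def host_and_path(url):
    """(netloc, path) of a URL: netloc lower-cased, query string dropped."""
    parsed = urlparse(url)
    return parsed.netloc.lower(), (parsed.path or "/")


RECEIVER_KEYS = {host_and_path(refang(u)) for u in BACKSWING_RECEIVERS}
BADRABBIT_SET = {refang(h) for h in BADRABBIT_HOSTS}
REFERRER_SET = {refang(h) for h in REDIRECT_REFERRERS}

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def classify(line):
    """Return a finding for one proxy log line, or None when nothing matches."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    ts, client, _method, url, referrer = match.groups()
    netloc, path = host_and_path(url)
    # Receiver beacon: exact host(:port) and path; the query string is ignored.
    if (netloc, path) in RECEIVER_KEYS:
        return f"{ts} {client} BACKSWING receiver contact: {url}"
    # Any request to the dropper host, with the referrer called out when it is
    # one of the compromised sites from Table 1.
    if netloc.split(":")[0] in BADRABBIT_SET:
        ref_host = urlparse(referrer).netloc.lower() if referrer != "-" else ""
        via = f" via compromised referrer {ref_host}" if ref_host in REFERRER_SET else ""
        return f"{ts} {client} BADRABBIT distribution host: {url}{via}"
    return None


def hunt(lines):
    """Findings for every matching line, in log order."""
    return [finding for finding in map(classify, lines) if finding]


# Constructed log lines.  The dropper path on 1dnscontrol.com is a placeholder
# based on the file name the text reports (install_flash_player.exe).
SAMPLE_LOG = [
    "2017-10-24T08:02:11Z 10.0.0.12 GET http://www.mediaport.ua/sites/default/files/page-main.js http://www.mediaport.ua/",
    "2017-10-24T08:02:12Z 10.0.0.12 POST http://185.149.120.3/scholargoogle/?r=www.mediaport.ua http://www.mediaport.ua/",
    "2017-10-24T08:02:14Z 10.0.0.12 GET http://1dnscontrol.com/install_flash_player.exe http://www.mediaport.ua/",
    "2017-10-24T08:05:40Z 10.0.0.31 GET https://www.example.com/ -",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Matching the receivers on host and path rather than on the bare IP keeps the hunt precise: 185.149.120[.]3 and 38.84.134[.]15 appear with several distinct paths in the tables, and a plain IP match would also fire on unrelated traffic to a shared host.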

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.


Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5: C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and executes it using rundll32.exe with the argument C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component responsible for dropping and executing the additional components shown in the BADRABBIT Components section. An embedded RSA-2048 key facilitates the encryption process, which uses an AES-128 key to encrypt files. The extensions listed below are targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

The following directories are ignored during the encryption process:

  • \Windows
  • \Program Files
  • \ProgramData
  • \AppData

The malware writes its ransom message to the root of each affected drive with the filename Readme.txt.

The infpub.dat binary is capable of performing lateral movement via WMI or SMB. Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network. The malware contains lists of common usernames, passwords, and named pipes that it can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system, file encryption is not performed. If the malware is executed with the “-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader. If one of three McAfee antivirus processes is running on the system, dispci.exe is written to the %ALLUSERSPROFILE% directory; otherwise, it is written to C:\Windows. The sample is executed on system start using a scheduled task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32 or 64-bit DiskCryptor driver named cscc.dat facilitates disk encryption. It is installed in the C:\Windows directory as a kernel driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32 or 64-bit Mimikatz variant is written to a temporary file (e.g., 651D.tmp) in the C:\Windows directory and executed by passing a named pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as an argument. Harvested credentials are passed back to infpub.dat via the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

The infpub.dat contains a checksum algorithm like the one used in EternalPetya. However, the initial checksum value differs slightly: 0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also supports the same command line arguments as EternalPetya with the addition of the “-f” argument, which bypasses the malware’s credential theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists on the system and will exit if found. The file in this case is cscc.dat. infpub.dat contains a wmic.exe lateral movement capability, but unlike EternalPetya, does not contain a PSEXEC binary used to perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%

FireEye Detections

Product Detection Names
NX,EX,AX,FX,ETP malware.binary.exe, Trojan.Ransomware.MVX, Exploit.PossibleWaterhole.BACKSWING
HX BADRABBIT RANSOMWARE (FAMILY), Gen:Heur.Ransom.BadRabbit.1, Gen:Variant.Ransom.BadRabbit.1
TAP WINDOWS METHODOLOGY [Scheduled Task Created], WINDOWS METHODOLOGY [Service Installation], WINDOWS METHODOLOGY [Audit Log Cleared], WINDOWS METHODOLOGY [Rundll32 Ordinal Arg], WINDOWS METHODOLOGY [Wevtutil Clear-log], WINDOWS METHODOLOGY [Fsutil USN Deletejournal], WINDOWS METHODOLOGY [Multiple Admin Share Failures]
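The TAP methodology names above map onto command lines that an endpoint agent records at process creation. The following is an added example, not a FireEye detection: it matches process-creation records against the BADRABBIT behaviours described in this post (the rundll32 ordinal launch of infpub.dat, the rhaegal and drogon scheduled tasks, the forced reboot, and the wevtutil/fsutil anti-forensics) and groups hits per host, because several distinct behaviours on one machine are a far stronger signal than any single one. The record layout (`<host>|<parent image>|<command line>`) and the sample records are constructed from the indicators on this page.

```python
"""Match endpoint process-creation records against the BADRABBIT behaviours
described in the post.  Added example, not a FireEye detection.  The record
layout "<host>|<parent image>|<command line>" and the sample records are
constructed from the indicators published on this page."""
import re

# Rule names follow the TAP methodology names in the detection table where one
# exists; the patterns themselves are this example's own.
RULES = [
    ("Rundll32 Ordinal Arg", re.compile(r"rundll32(?:\.exe)?\s+\S+,#\d+", re.I)),
    ("infpub.dat load", re.compile(r"\binfpub\.dat\b", re.I)),
    ("Scheduled Task Created", re.compile(r"schtasks(?:\.exe)?\s+/Create\b", re.I)),
    ("BADRABBIT task name", re.compile(r"/TN\s+(?:rhaegal|drogon)\b", re.I)),
    ("Forced reboot", re.compile(r"shutdown(?:\.exe)?\s+/r\s+/t\s+0\s+/f\b", re.I)),
    ("Wevtutil Clear-log",
     re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(?:Setup|System|Security|Application)\b", re.I)),
    ("Fsutil USN Deletejournal", re.compile(r"fsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
]


def match_command(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def triage(records):
    """Group rule hits by host: {host: sorted list of distinct rule names}."""
    hits = {}
    for record in records:
        host, _parent, cmdline = record.split("|", 2)
        for name in match_command(cmdline):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def badrabbit_likely(rule_names, threshold=3):
    """Several distinct behaviours on one host are a far stronger signal than
    any one of them: schtasks or wevtutil alone have legitimate uses."""
    return len(set(rule_names)) >= threshold


# Constructed records.  WS01 reproduces the chain described in the post;
# WS02 shows ordinary activity, including a legitimate scheduled task.
SAMPLE_EVENTS = [
    'WS01|install_flash_player.exe|C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15',
    'WS01|rundll32.exe|C:\\Windows\\system32\\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\\Windows\\system32\\cmd.exe /C Start \\"\\" \\"C:\\Windows\\dispci.exe\\" -id 4242 && exit"',
    'WS01|rundll32.exe|C:\\Windows\\system32\\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\\system32\\shutdown.exe /r /t 0 /f" /ST 11:15:00',
    'WS01|rundll32.exe|C:\\Windows\\system32\\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    'WS02|explorer.exe|C:\\Windows\\system32\\notepad.exe C:\\Users\\alice\\notes.txt',
    'WS02|svchost.exe|schtasks /Create /SC DAILY /TN BackupNightly /TR C:\\Tools\\backup.exe',
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        verdict = "LIKELY BADRABBIT" if badrabbit_likely(names) else "review"
        print(f"{host}: {verdict} {names}")
```

The per-host aggregation is the point: WS02’s single scheduled-task creation stays below the threshold, while WS01 trips seven distinct rules within seconds, which is the combination the detection table lists under TAP.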

We would like to thank Edward Fjellskål for his assistance with research for this blog.

Indicators

File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: install_flashplayer.exe drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32 or 64-bit DiskCryptor driver

File: <rand_4_hex>.tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32 or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: \system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note that “15” is the default value present in the malware and may be altered by specifying a different value on command line when executing install_flash_player.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start \"\" \"<dispci_exe_path>\" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR “%WINDIR%\system32\shutdown.exe /r /t 0 /f” /ST <HH:MM:00>
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D <current_drive_letter>:
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: “<%COMSPEC%> /C Start \”\” \”<dispci_exe_path>\” -id <rand_task_id> && exit”
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: “%WINDIR%\system32\shutdown.exe /r /t 0 /f”
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side Caching DDriver
Service Binary Path: cscc.dat
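As an added defender-side example (not FireEye's code), the following Python correlates process-creation command lines against the TAP methodology behaviours named in the detections table above, using the command lines from these indicators as constructed sample events. The regular expressions, the ten-minute window and the three-behaviour threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command-line patterns for the methodology behaviours named in the detections table.
# The regexes, window and threshold are assumptions made for this example.
TECHNIQUES = [
    (re.compile(r"rundll32(\.exe)?\s+\S+,#\d+", re.I), "Rundll32 Ordinal Arg"),
    (re.compile(r"\bschtasks\s+/Create\b", re.I), "Scheduled Task Created"),
    (re.compile(r"\bwevtutil\s+cl\b", re.I), "Wevtutil Clear-log"),      # wevtutil.exe clears event logs
    (re.compile(r"\bfsutil\s+usn\s+deletejournal\b", re.I), "Fsutil USN Deletejournal"),
    (re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b.*\s/f\b", re.I), "Forced reboot"),
]
WINDOW = timedelta(minutes=10)  # the drogon task forces a reboot shortly after infection
MIN_TECHNIQUES = 3              # distinct behaviours on one host needed to raise an alert

def classify(cmdline):
    """Return the set of behaviour labels whose pattern matches one command line."""
    return {label for rx, label in TECHNIQUES if rx.search(cmdline)}

def correlate(events):
    """events: iterable of (timestamp, host, command_line). Returns {host: sorted labels}
    for hosts where MIN_TECHNIQUES distinct behaviours occurred inside one WINDOW."""
    per_host = defaultdict(list)
    for ts, host, cmd in sorted(events):
        per_host[host].extend((ts, label) for label in classify(cmd))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):       # slide the window from each hit
            seen = {label for ts, label in hits[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_TECHNIQUES:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed process-creation events modelled on the command lines in the indicators above.
T = datetime(2017, 10, 24, 12, 0, 0)
SAMPLE_EVENTS = [
    (T, "WS01", r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    (T + timedelta(seconds=5), "WS01",
     r'cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234 && exit"'),
    (T + timedelta(seconds=6), "WS01",
     r'cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:20:00'),
    (T + timedelta(seconds=40), "WS01",
     r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"),
    (T + timedelta(hours=2), "FS02", r"cmd.exe /c schtasks /Create /SC DAILY /TN NightlyBackup /TR backup.cmd"),  # benign, isolated
]
if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: BADRABBIT-like chain: {', '.join(labels)}")
```

The isolated benign schtasks on FS02 never reaches the threshold, which is the point of correlating behaviours rather than alerting on any single one.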

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex

Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
administrator
Guest
guest
User
user
Admin
admin
Test
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123
Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
atsvc
browser
eventlog
lsarpc
netlogon
ntsvcs
spoolss
samr
srvsvc
scerpc
svcctl
wkssvc

Yara Rules

rule FE_Hunting_BADRABBIT
{
    meta:
        version = ".2"
        filetype = "PE"
        author = "ian.ahl @TekDefense & nicholas.carr @itsreallynick"
        date = "2017-10-24"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
    strings:
        // Messages
        $msg1 = "Incorrect password" nocase ascii wide
        $msg2 = "Oops! Your files have been encrypted." ascii wide
        $msg3 = "If you see this text, your files are no longer accessible." ascii wide
        $msg4 = "You might have been looking for a way to recover your files." ascii wide
        $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
        $msg6 = "Visit our web service at" ascii wide
        $msg7 = "Your personal installation key#1:" ascii wide
        $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
        $msg9 = "Password#1" nocase ascii wide
        $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
        $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

        // File references
        $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
        $fref2 = "\\\\.\\dcrypt" nocase ascii wide
        $fref3 = "Readme.txt" ascii wide
        $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
        $fref5 = "dispci.exe" nocase ascii wide
        $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

        // META
        $meta1 = "http://diskcryptor.net/" nocase ascii wide
        $meta2 = "dispci.exe" nocase ascii wide
        $meta3 = "GrayWorm" ascii wide
        $meta4 = "viserion" nocase ascii wide

        // commands
        $com1 = "ComSpec" ascii wide
        $com2 = "\\cmd.exe" nocase ascii wide
        $com3 = "schtasks /Create" nocase ascii wide
        $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
    condition:
        // "and" binds tighter than "or", so the MZ header check applies only to the first branch
        (uint16(0) == 0x5A4D and (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*)))
        or (all of ($meta*) and 8 of ($msg*))
}

rule FE_Trojan_BADRABBIT_DROPPER
{
    meta:
        author = "muhammad.umair"
        md5 = "fbbdc39af1139aebba4da004475e8839"
        rev = 1
    strings:
        $api1 = "GetSystemDirectoryW" fullword
        $api2 = "GetModuleFileNameW" fullword
        $dropped_dll = "infpub.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Worm_BADRABBIT
{
    meta:
        author = "muhammad.umair"
        md5 = "1d724f95c61f1055f0d02c2154bbccd3"
        rev = 1
    strings:
        $api1 = "WNetAddConnection2W" fullword
        $api2 = "CredEnumerateW" fullword
        $api3 = "DuplicateTokenEx" fullword
        $api4 = "GetIpNetTable"
        $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
        $dropped_driver = "cscc.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
        $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Trojan_BADRABBIT_MIMIKATZ
{
    meta:
        author = "muhammad.umair"
        md5 = "37945c44a897aa42a66adcab68f560e0"
        rev = 1
    strings:
        $api1 = "WriteProcessMemory" fullword
        $api2 = "SetSecurityDescriptorDacl" fullword
        $api_str1 = "BCryptDecrypt" ascii fullword wide
        $mimi_str = "CredentialKeys" ascii fullword wide
        $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
{
    meta:
        author = "muhammad.umair"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
        rev = 1
    strings:
        $api1 = "CryptAcquireContextW" fullword
        $api2 = "CryptEncrypt" fullword
        $api3 = "NetWkstaGetInfo" fullword
        $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
        $msg1 = "Disk decryption progress..." ascii fullword wide
        $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
        $tok1 = "\\\\.\\dcrypt" ascii fullword wide
        $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}

Source: https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html

Author: Barry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr



Breach Resilience

Category : FireEye

Join Jeff Berg, Sr. Manager of Cyber Threat Intelligence, and Brad Bell, Mandiant Principal Consultant, as they share the role of cyber threat intelligence in strategic security consulting services and why services based on compliance-based best practices and industry standards may not be an effective way to protect your organization against a rapidly evolving threat landscape.

Key takeaways:

• The role cyber threat intelligence plays in strategic security consulting services
• Why services rooted in compliance-based best practices and industry standards aren’t effective
• Case studies where different types of intelligence added value to service portfolio




Devising a Suitable End State of Your CTI Program

Category : FireEye

The shift to an intelligence-led security program can seem daunting. When implementing Cyber Threat Intelligence (CTI) capabilities, there may be a degree of uncertainty across the organization. We’ve seen this happen many times with client teams who initially were not cyber security savvy; however, after the adjustment period, once CTI is fully integrated into their technology and business processes, we consistently see that customers are satisfied with the results.

While managing this shift is challenging, it is not insurmountable. To be successful, it’s important to have a vision for the end state of your program. This vision will help to plot the planned shift, define its true value, and identify opportunities afforded by those who carry out implementation.

When defining a program’s vision, it is important to cover the following four high-level areas:

  • Mission & Strategy: Define a clear mission that enables communications and justifies go-forward action items. Ultimately, focusing on the enhanced ability to manage risk within the organization using a requirements-based intelligence approach is crucial. Establishing the expected resulting capabilities ensures the end-state business objectives, goals, and outcomes are clearly identified and agreed upon.
  • Implementation Roadmap: Employ a clear game plan that addresses the changes in people, processes, and technologies. A smart roadmap provides guidance on order of events and scale of effort required to execute properly. This roadmap will also enable communication of budgetary requirements to senior leadership over the course of the program’s buildout.
  • Conceptual Organizational Design: Construct an end-state organizational design aligned with the mission, approved by executives, and agreed to by peers. This will ease the creation and integration of new teams and transition of any existing ones. While the actual end state may play out differently, the buy-in achieved at the onset of your program evolution will keep your major players moving in the right direction.
  • Metrics: Define a key set of metrics that will be used to evaluate the success of your program. This will be critical when determining whether or not the end state is a success, and will also enable you to easily identify wins as the program begins to take shape. Metrics should evaluate the individuals responsible for carrying out the mission, the intelligence sources, the technology supporting the program, and the program’s overall health. The true value of intelligence can be complex to assess; however, the proper level of granularity can help show whether value is being delivered and where any breakdowns are occurring.

All said, the success of an operational transformation is truly grounded in the strategic legwork done before execution begins. Proper planning ensures that key stakeholders and senior leaders are in agreement with respect to the direction of the overall security operations, as well as the expected value provided. This in turn will motivate executives and other key stakeholders to help shepherd the program through its pending shifts, and into a position where everyone in the organization will see its true potential.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.

Source: https://www.fireeye.com/blog/products-and-services/2017/10/devising-a-suitable-end-state-of-your-cti-program.html

Author: Jeff Compton, Jeff Berg



Breach Resilience Technology. Intelligence. Expertise

Category : FireEye

We understand the challenges and complexities that you face as you try to protect your organization against ever-evolving threats. FireEye offers a three-pronged approach that combines innovative security technologies, world-renowned expertise, and deep threat intelligence capabilities to combat the shortage of security experts, inefficient processes, complex technologies and multiple siloed point products.

Attend ‘Breach Resilience: Technology. Intelligence. Expertise’ virtual summit to find out how to address the entire security operations lifecycle — every critical issue before, during and after an attack.

October 24, 2017 5:00am EDT

Join the discussion with experts, visionaries and leaders at one of the webinars below. Don’t miss your opportunity to have your questions answered in these live presentations!

Upcoming webinars

October 24, 2017 5:00am EDT

A session presented by: Stuart Davis, Director, Mandiant

October 24, 2017 7:00am EDT

A session presented by: Igors Konovalovs, Strategic Account Manager, GSI Sales

October 24, 2017 10:00am EDT

A session presented by: David Grout, Director, Southern Europe Systems Engineering, FireEye

October 24, 2017 11:00am EDT

A session presented by: Gareth Maclachlan, Vice President, Product and Market Strategy, Global Services and Intelligence

October 24, 2017 12:00pm EDT

A session presented by: Paul Nguyen, Vice President and General Manager of Helix and Orchestration

