Category Archives: Trend Micro


The Week in Security Week

Category : Trend Micro

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Coupon Fraud Could be Costing Your Business Millions

There is a dark side to couponing: fraud. While seemingly a mild form of fraud, widespread coupon fraud can add up. PennLive put realistic estimates of coupon crime costs between $300 – 600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

Microsoft Just Fixed a 17 Year Old Security Flaw in Office

Since 2000, there’s been a vulnerable component in the equation editor, which allows you to insert complex mathematical expressions into your documents. It’s a feature most users never touch, but a well-executed attack could allow a hacker to launch malicious code on a vulnerable machine.

New Banking Malware Variant Wants to Scoop up Your Email and Social Media Accounts

A sophisticated form of malware based on the notorious Zeus trojan and originally designed to steal banking credentials has returned with new espionage capabilities which allow it to monitor and modify Facebook and Twitter posts, as well as the ability to eavesdrop on emails.

New EMOTET Hijacks Windows API

Trend Micro recently discovered that EMOTET has a new iteration with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis. Based on its findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer.

Cybercriminals Are Gaining Access to iCloud Accounts Through Phishing Emails

As Americans begin to worry more about cybercrime than the conventional kind, researchers warn users to remain cautious of both, as stolen iPhones are so valuable in criminal circles that they can go for as much as $2,100 in some countries.

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

Security researchers have demonstrated that, with a simple program run from any computer in Wi-Fi range, the internet-enabled Cloud Cam can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened.

IcedID Banking Trojan Targets US Financial Institutions

A new banking trojan called IcedID, spotted by researchers last September, has been wreaking havoc among financial institutions across the US, UK and Canada, including banks, payment card providers, mobile services providers, as well as e-commerce sites.

Trend Micro’s Capture the Flag Competition Provides Young Pros Real-World Experience

Young cybersecurity professionals need to overcome the gap between what is learned in a classroom and the practical experience required to protect real, critical business data. Trend Micro’s annual Capture the Flag (CTF) competition works to bridge this gap.

Budget for Cybersecurity in 2018

As Q4 begins in earnest, now is the time to start making considerations for next year’s budgets. This is especially true for the company’s IT and cyber security budgets – a difficult decision with so many robust technologies and new threats emerging. Check out top considerations for next year’s budget.

Pursue the Right to be Left Alone

Are you working for a US-based firm that holds personal information about European Union or Swiss citizens? If so, you should do three things. 1) Opt in to the Privacy Shield. 2) Put a Data Protection Officer in place. 3) Ensure your IAM solution is comprehensive and effective.

Hacker Hijacks North Korean Radio Station and Plays ‘The Final Countdown’

A North Korean radio station was reportedly hijacked by an unknown hacker to play the 1980s hit song “The Final Countdown”. The short-wave station, broadcasting on 6400 kHz, is allegedly run from the North Korean city of Kanggye and is known to be used by Pyongyang to transmit secret codes.

Source: http://blog.trendmicro.com/week-security-news-64/?linkId=44942751

Author: Jon Clay



Coupon fraud could be costing your business millions

Category : Trend Micro

Customers are always looking for good deals with their purchases and a coupon could be the defining factor for a buyer completing his or her transaction. In fact, a 2015 survey by CreditCards.com found that paper coupons were used by 63 percent of respondents. This is followed by discounts for online and mobile purchases. Distributed coupons are valued at billions of dollars every year and companies continue to use these techniques to attract consumers for their business. However, there is a darker side to couponing: fraud. The real-life costs of this crime go beyond the deals consumers get and could be costing your business millions.

While seemingly a mild form of fraud, widespread coupon fraud can add up.


What is coupon fraud?

Coupon fraud comes in a variety of flavors. Normally, coupon transactions are simply data changing hands between the consumer, coupon providers and an agent that sorts and audits the coupons. Because there are so many layers, only one needs to be vulnerable to affect the whole supply chain. The Balance noted that shoppers often participate in coupon fraud by making multiple copies of the coupon, using the discount for products that extend beyond those listed in the terms, stealing newspaper inserts and buying or selling coupons. When consumers don’t stick to the rules for printing out coupons or abiding by the usage agreements, this is considered illegal activity and leaves businesses covering the cost.

Coupon fraud is costing businesses millions.

Just how damaging is it?

When a business accepts a counterfeit coupon or scans and authorizes a deal for products that aren’t listed on the coupon, it might not be caught at first. It can even seem like a small occurrence compared to all of the other transactions that the business might see throughout the day. However, PennLive put realistic estimates of coupon crime costs between $300 million and $600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

With such a lucrative market, cyber criminals are taking advantage of coupon fraud for their own payday. In fact, Trend Micro stated that coupon fraud’s scalability results in business process compromise, which undermines business operations components and significantly impacts the bottom line. Fraudsters can generate purportedly valid coupon codes and distribute them to unknowing consumers. New customer promos are also sold in bulk in the underground, which allow buyers to take advantage of perks given upon account registration. These occurrences mount up, earning criminals money while costing your business.

Be aware of distribution channels

How coupons are sent to customers can be an important factor in coupon fraud cases. Social media in particular is being used more for delivering great deals and acting as a marketplace for potential transactions. Cyber criminals have identified this tactic and are devising their own legitimate looking coupons or discounts to scam social media users. According to Consumer Affairs, a recent online coupon scam promised deals on popular consumer products. The catch was that the buyer would need to provide their credit card information or personal identifying data in order to get the coupon. Fraudsters could then sell this data on the underground market and use it for identity theft.

If your business decides to market through social media, it’s important to show that your page is verified. This could help consumers better identify real deals while still attracting revenue opportunities through the social channels. As cyber criminals continue to create legitimate looking coupon codes and scams, it will be integral for organizations to direct customers to actual discount pages.

Spotting and stopping fake coupons

For businesses and consumers alike, coupon fraud is a major problem. Businesses increase the prices on products to make up for the losses, which then impacts consumers that seek to legitimately use coupons. This cyclical occurrence will continue as long as fake coupons are distributed. There are a few signs that organizations should be wary of:

  • Coupons without bar codes.
  • Discounts where a purchase isn’t required to redeem it.
  • Deals that are more than the actual price of the item.
  • Coupons that don’t have conditions of usage on them.

Cashiers themselves must be trained on how to use coupons properly and catch potential fraud cases.

Smart coupon creation can make a big difference in identifying legitimate ones over counterfeits. Trend Micro suggested putting safeguards in place like limiting the reuse, distribution and time limit for coupon codes. Businesses can also personalize coupons and use anti-counterfeit techniques like complex data codes, watermarks, code authentication and microprinting to deter scammers from duplicating codes and deals. Leaders must also work with distributors, stakeholders and law enforcement to establish stronger fraud resistance and risk management policies for coupon programs. All the while, organizations need to maintain the privacy, security and integrity of their infrastructure that manages critical processes.

Organizations must be prudent in their coupon strategies this holiday season.


Don’t be duped this holiday

As the holiday season approaches, more businesses will start coming out with sales and deals on their products and services. However, it’s also the perfect time for cyber criminals and coupon counterfeiters to make a quick payday off of unsuspecting victims. Consumers must take care to check over their coupons for terms of agreement and remain wary of deals that ask for personal information, particularly those distributed through social media sites.

Organizations must take action now to determine the best distribution strategy for their sales marketing strategy while also designing their coupons to limit fraud opportunities. Here, a time limit mark could be a great solution, along with design choices to reflect the holiday season. This makes it much harder for criminals to replicate and helps consumers identify which deals are legitimate. Retailers must be prudent to ensure buyers play by the rules to get freebies and discounts.

Safeguards will limit coupon fraud and prevent abusers from repeatedly cashing in on coupons this holiday season.

Source: http://blog.trendmicro.com/coupon-fraud-could-be-costing-your-business-millions/?linkId=44672645


Data Center Attack: The Game

Category : Trend Micro

Game Overview


In Data Center Attack: The Game, put yourself in the shoes of a CISO at a hospital to see if you can go back in time to prevent a data center attack from holding critical patient data hostage.

You’ll be prompted to make decisions that will impact your security posture. Wrong choices could result in ransomware hijacking your patient data and putting lives at risk. Right choices will show you what happens when DevOps and IT work together: doctors can see patient data, and the hospital runs as expected.

See if you have the knowledge it takes to stop a data center attack, and if not, learn what defenses you need to prevent one.

Play the game now.



Coin Miner Mobile Malware Returns, Hits Google Play

Category : Trend Micro

The efficacy of mobile devices to actually produce cryptocurrency in any meaningful amount is still doubtful. However, the effects on users of affected devices are clear: increased device wear and tear, reduced battery life, comparably slower performance.

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

This is not the first time we’ve found these types of apps on app stores. Several years ago, we found malicious apps on the Google Play store detected as ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.

ANDROIDOS_JSMINER: Mining via Coinhive

We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER. We found two such apps: one supposedly helps users pray the rosary, while the other provides discounts of various kinds.

Figures 1 and 2. JSMINER Malware on Google Play

Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key:

Figure 3. Code to start mining when the app starts

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default.

Figure 4. Webview is set to invisible mode

When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER.

One version of this malware is in Google Play and disguised as a wallpaper application:

Figure 5. Mining malware on Google Play store

The mining code appears to be a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1. The code is added to normal applications, as seen below:

Figure 6. Code added to normal apps by CPUMINER

Please note that the above code layout was taken from a sample that is not found on Google Play, but belongs to the same family.

Figure 7. Malware with modified code

The mining code fetches a configuration file from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.

Figure 8. Cryptocurrency mining profits

The figure above shows that the attacker is mining various cryptocurrencies, with varying amounts of currencies mined. It also shows that the value of the coins mined over an unknown period amounts to just over 170 US dollars; total profits aren’t known.

We have identified a total of 25 samples of ANDROIDOS_CPUMINER. Trend Micro Mobile Security already detects these variants, as well as the JSMINER variants mentioned earlier in this post.

These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.

We have reached out to Google, and the apps mentioned in this post are no longer on Google Play.

Indicators of Compromise

The following malicious apps were found on Google Play and are connected to this threat:

SHA256 hash App name Package name Detection name
22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0 Recitiamo Santo Rosario Free prsolutions.rosariofacileads ANDROIDOS_JSMINER
440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af SafetyNet Wireless App com.freemo.safetynet ANDROIDOS_JSMINER
d3c0bed627edab9ac1bbc2bcc6e8c3ff45b4708afa527790e42a4a6fe2c045f0 Car Wallpaper HD: mercedes, ferrari, bmw and audi com.yrchkor.newwallpapers ANDROIDOS_CPUMINER


Source: http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

Author: Jason Gu, Veo Zhang, Seven Shen


Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

Category : Trend Micro

An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro XGen™ security products with machine learning enabled can proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit Infection Chain


Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

 Figure 2: Code showing the injected script


Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system and display the ransom note shown above.

 Figure 3: Bad Rabbit ransom note showing the installation key


A third file, viserion_23.job, reboots the target system a second time. The screen is then locked, and the following note displayed:

 Figure 4: Bad Rabbit ransom note displayed after system reboot


Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials.

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

It is important to note that Bad Rabbit does not exploit any vulnerabilities, unlike Petya which used EternalBlue as part of its routine.

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Additional hashes related to this ransomware:

install_flash_player.exe:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

infpub.dat:

  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  • 141d45d650580ed4b0d0fc4b8fd5448da67b30afbe07781da02c39d345a8f4a0

dispci.exe:

  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Updated on October 24, 2017, 9:52 PM PDT to add more technical information 

Updated on October 24, 2017, 11:34 PM PDT to add the infection chain

Updated on October 25, 2017, 10:23 PM PDT to update the infection chain

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/bad-rabbit-ransomware-spreads-via-network-hits-ukraine-russia/?utm_source=trendlabs-social&utm_medium=smk&utm_campaign=10-2017-bad-rabbit


No More Limits

Category : Trend Micro

Watch Josh Atwell, Developer Advocate at NetApp, explain. For more information, please visit www.trendmicro.com/vmware



Maximize VMware on AWS

Category : Trend Micro

For far too long, customers have faced a binary choice between VMware and AWS.

For many years if you wanted to use both VMware and AWS, it required a lot of reprogramming and retraining of staff to get the two solutions to work in tandem. Now, that’s no longer the case. For more information, please visit: www.trendmicro.com/vmware



Threat Actors Target Government of Belarus Using CMSTAR Trojan

Category : Trend Micro

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus.

We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.

In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.


Figure 1 Diagram of the attack sequence

Phishing Emails

Between June and August of this year, we observed a total of 20 unique emails being sent to the following email addresses:

Email Address Description
press@mod.mil[.]by Press Service of the Ministry of Defense of the Republic of Belarus
baranovichi_eu@mod.mil[.]by Baranovichi Operational Management of the Armed Forces
modmail@mod.mil[.]by Ministry of Defense of the Republic of Belarus
admin@mod.mil[.]by Ministry of Defense of the Republic of Belarus
itsc@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
mineuvs@mod.mil[.]by Minsk Operational Administration of the Armed Forces
inform@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
uporov_milcoop@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
video@gpk.gov[.]by State Border Committee of the Republic of Belarus
armscontrol@mfa.gov[.]by International Security and Arms Control Department, Ministry of Foreign Affairs
ablameiko@mia[.]by Unknown. Likely used by the Ministry of Internal Affairs of the Republic of Belarus


These emails contained a series of subject lines, primarily revolving around the topic of Запад-2017 (‘West-2017’), also known in English as Zapad 2017. Zapad 2017 was a series of joint military exercises conducted by the Armed Forces of the Russian Federation and the Republic of Belarus, held from September 14th to 20th in 2017.

The full list of subject lines is as follows:

  • Fwd:Подготовка к Запад-2017 [Translation: Fwd:Preparing for the West-2017]
  • выпуск воспитанников [Translation: graduation]
  • К Запад-2017 [Translation: To West-2017]
  • Запад-2017 [Translation: West-2017]

An example of some of the previously mentioned emails may be seen below.


Figure 2 Phishing email sent to Belarus government (1/2)


Figure 3 Phishing email sent to Belarus government (2/2)

Decoy Documents

We observed that the attachments used in these emails contained a mixture of file types: RTF documents, Microsoft Word documents, and a RAR archive. The RAR archive contained a series of images, a decoy document, and a Microsoft Windows executable within it. The executable has a .scr file extension, and is designed to look like a Windows folder, as seen below:


Figure 4 Payload disguising itself as a Microsoft Windows folder

The rough translation of the folder and file names above are ‘Preparations for large-scale West-2017 exercises in this format are being held for the first time.’ Within the actual folder, there are a series of JPG images, as well as a decoy document with a title that is translated to ‘Thousands of Russian and Belarusian military are involved in the training of the rear services.’


Figure 5 Embedded images and decoy document within RAR

The decoy document contains the following content:


Figure 6 Decoy document within RAR

The other RTF and Word documents used additional decoy documents, which can be seen below.


Figure 7 Decoy document with translation (1/2)


Figure 8 Decoy document with translation (2/2)

While we observed different techniques being used for delivery, all attachments executed a variant of the CMSTAR malware family. We observed minor changes between variants, which we discuss in the CMSTAR Variations and Payloads section of the blog post.

The Word documents, which we track as Werow, employ malicious macros for their delivery. More information about these macros may be found in the Appendix of the blog post. Additionally, we have included a script that extracts these embedded payloads that can also be found in the Appendix.

The RTF documents made use of CVE-2015-1641. This vulnerability, patched in 2015, allows attackers to execute malicious code when these specially crafted documents are opened within vulnerable instances of Microsoft Word. The payload for these samples is embedded within them and obfuscated using a 4-byte XOR key of 0xCAFEBABE. We have included a script that can be used to extract the underlying payload of these RTFs statically that can be found in the Appendix.

The SCR file mentioned previously drops a CMSTAR DLL and runs it via an external call to rundll32.exe.

CMSTAR Variations and Payloads

In total, we observed three variations of CMSTAR in these recent attacks against Belarusian targets. The biggest change observed between them looks to be minor modifications made to the string obfuscation routine: only the digit used in the subtraction step was changed between the variants, as shown below:


Figure 9 String obfuscation modifications between CMSTAR variants

The older variation, named CMSTAR.A, was discussed in a previous blog post entitled, “Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government.”

The CMSTAR.B variant was witnessed using both a different mutex from CMSTAR.A, as well as a slightly modified string obfuscation routine. The mutexes used by CMSTAR ensure that only one instance of the malware runs at a time. The CMSTAR.C variant used the same mutex as CMSTAR.B; however, it again used another slightly modified string obfuscation routine. We found all CMSTAR variants using the same obfuscation routine when a payload was downloaded from a remote server. We have included a tool to extract mutex and C2 information from all three CMSTAR variants, as well as a tool to decode the downloaded payload: both may be found in the Scripts section.

An example of CMSTAR downloading its payload may be found below:


Figure 10 Example HTTP download by CMSTAR

When expanding the research to identify additional CMSTAR.B and CMSTAR.C variants, we identified a total of 31 samples. Of these 31 samples, we found two unique payloads served from three of the C2 URLs, one of which was downloaded from a sample found in the phishing attacks previously described. Both payloads contained previously unknown malware families. We have named the payload found in the email campaign PYLOT, and the malware downloaded from the additional CMSTAR samples BYEBY.

Both malware families acted as backdoors, allowing the attackers to execute commands on the victim machine, as well as a series of other functions. More information about these individual malware families may be found in the appendix.

Conclusion

During the course of this research, we identified a phishing campaign consisting of 20 unique emails targeting the government of Belarus. The ploys used in these email and decoy documents revolved around a joint strategic military exercise of the Armed Forces of the Russian Federation and the Republic of Belarus, which took place between September 14th and September 20th of this year. While looking at the emails in question, we observed two new variants of the CMSTAR malware family. Between the samples identified and others we found while expanding our research scope, we identified two previously unknown malware families.

Palo Alto customers are protected from this threat in the following ways:

  • Tags have been created in AutoFocus to track CMSTAR, BYEBY, and PYLOT
  • All observed samples are identified as malicious in WildFire
  • Domains observed to act as C2s have been flagged as malicious
  • Traps 4.1 identifies and blocks the CVE-2015-1641 exploit used in these documents
  • Traps 4.1 blocks the macros used in the malicious Word documents

A special thanks to Tom Lancaster for his assistance on this research.

Appendix

Werow Macro Analysis

The attacker used the same macro dropper in all of the observed Microsoft Word documents we analyzed for this campaign. It begins by building the following path strings:

  • %APPDATA%\d.doc
  • %APPDATA%\Microsoft\Office\WinCred.acl

The ‘d.doc’ path will be used to store a copy of the Word document, while the ‘WinCred.acl’ will contain the dropped payload, which is expected to be a DLL.


Figure 11 Macro used to drop CMSTAR

Werow uses rudimentary obfuscation to hide and re-assemble the following strings:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinCred
  • rundll32 %APPDATA%\Microsof\Office\WinCred.acl ,WinCred

These strings will be used at the end of the macro’s execution to ensure persistence via the Run registry key.

The malware proceeds to read an included overlay within the original Word document from a given offset. This data is decoded using an XOR operation, as well as an addition operation. It can be represented in Python as follows:

Once this overlay is decoded, it is written to the ‘WinCred.acl’ file and loaded with the ‘WinCred’ export. A script has been provided in the Scripts section that, in conjunction with oletools, can statically extract the embedded DLL payload from these documents.

RTF Shellcode Analysis

The RTF documents delivered in this attack campaign appear to be created by the same builder. All of the RTF files attempt to exploit CVE-2015-1641 to execute shellcode on the targeted system. Please reference https://technet.microsoft.com/en-us/library/security/ms15-033.aspx for more information.

The shellcode executed after successful exploitation begins by resolving the API functions it requires by enumerating the API functions within loaded modules in the current process. It then builds the following list of values:

[Figure: the list of hash values built by the shellcode]

The shellcode then enumerates the API functions, subjects each name to a ROR7 hashing routine and XORs the resulting hash with 0x10ADBEEF. It compares the result against the list of values above to find the API functions it requires to carry out its functionality.

ROR7       ROR7 ^ 0x10ADBEEF   API Function
01a22f51   110f91be            WinExec
741f8dc4   64b2332b            WriteFile
94e43293   84498c7c            CreateFileA
daa7fe52   ca0a40bd            UnmapViewOfFile
dbacbe43   cb0100ac            SetFilePointer
ec496a9e   fce4d471            GetEnvironmentVariableA
ff0d6657   efa0d8b8            CloseHandle
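The hashing scheme described above, as an added example for analysts rather than code from the Unit 42 research: it re-implements the ROR7 name hash and the 0x10ADBEEF XOR so that hash constants pulled from a shellcode sample can be resolved back to API names against a candidate list of exports. The exact rotate-then-add form is an assumption, but it reproduces the WinExec row of the table; the candidate export list and the trailing unknown value 0xDEADBEEF are constructed for the demonstration.

```python
# Added example (not part of the Unit 42 write-up): re-implement the shellcode's
# API-name hashing so the hash constants in the table above can be resolved to
# Windows API names. Assumes the common "rotate right by 7, then add the next
# byte" form with no terminating NUL; the WinExec row confirms that form.

MASK32 = 0xFFFFFFFF
XOR_KEY = 0x10ADBEEF  # constant the shellcode XORs into each hash (from the write-up)


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror7_hash(name):
    """ROR7 hash of an ASCII API name: h = ror32(h, 7) + byte for each byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 7) + byte) & MASK32
    return h


def obfuscated_hash(name):
    """The value the shellcode actually compares against: ROR7 hash XOR 0x10ADBEEF."""
    return ror7_hash(name) ^ XOR_KEY


def build_lookup(api_names):
    """Map obfuscated hash -> API name for a candidate list of export names."""
    return {obfuscated_hash(n): n for n in api_names}


def resolve(hashes, api_names):
    """Resolve hash constants carved from shellcode to API names.
    Unknown values resolve to None so the analyst knows to widen the candidate list."""
    table = build_lookup(api_names)
    return [(h, table.get(h)) for h in hashes]


# Candidate export names: the seven from the write-up plus a few common kernel32
# exports (constructed), to show that only genuine matches resolve.
CANDIDATES = [
    "WinExec", "WriteFile", "CreateFileA", "UnmapViewOfFile",
    "SetFilePointer", "GetEnvironmentVariableA", "CloseHandle",
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
]

# Hash constants as they appear in the table (already XORed with 0x10ADBEEF);
# the last value is a constructed unknown to show the miss path.
SHELLCODE_HASHES = [0x110F91BE, 0x64B2332B, 0x84498C7C, 0xCA0A40BD,
                    0xCB0100AC, 0xFCE4D471, 0xEFA0D8B8, 0xDEADBEEF]

if __name__ == "__main__":
    for h, name in resolve(SHELLCODE_HASHES, CANDIDATES):
        print(f"{h:08x} -> {name}")
```

In practice the candidate list is generated from the export tables of the DLLs the shellcode walks (kernel32.dll and friends), which is why a miss is reported rather than silently dropped.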

After resolving the API functions, the shellcode then begins searching for the embedded payload and decoy within the initial RTF file. It does so by searching the RTF file for three delimiters, specifically 0xBABABABABABA, 0xBBBBBBBB and 0xBCBCBCBC, which the shellcode uses to find the encrypted payload and decoy. The shellcode then decrypts the payload by XOR’ing four bytes at a time with the key 0xCAFEBABE, and decrypts the decoy by XOR’ing four bytes at a time using the key 0xBAADF00D. Here is a visual representation of the delimiters and embedded files:

[Figure: layout of the delimiters and embedded files within the RTF]

After decrypting the payload, it saves the file to the following location:

%APPDATA%\Microsoft\Office\OutL12.pip

The shellcode then creates the following registry key to automatically run the payload each time the system starts:

Software\Microsoft\Windows\CurrentVersion\Run : Microsoft

The shellcode saves the following command to this autorun key, which will execute the OutL12.pip payload, specifically calling its ‘WinCred’ exported function:

rundll32.exe "%APPDATA\Roaming\Microsoft\Office\OutL12.pip",WinCred
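A triage check for the two Run-key entries described in this appendix (the Werow ‘WinCred’ value and the shellcode’s ‘Microsoft’ value), as an added example that is not part of the Unit 42 research. It parses rundll32-style autorun commands and flags the traits both droppers share: a module with a non-DLL extension, a path under the user’s AppData, and the ‘WinCred’ export. The Run-key entries are constructed from the commands quoted on this page plus two benign stand-ins; on a live Windows host the same function would be fed the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

```python
# Added example (not from the Unit 42 post): triage Run-key values for the
# rundll32-based persistence described above. The entries below are constructed
# from the commands quoted in the write-up plus two benign stand-ins.
import re

# Extensions that are not normal DLL names but are loaded via rundll32 by the
# two droppers described above. Extend for your environment.
SUSPICIOUS_EXTENSIONS = {".acl", ".pip"}

RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'   # rundll32 or a full path to it
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                     # module path, optionally quoted, then comma
    r'(?P<export>[^\s,]+)',                            # export name (or ordinal) to call
    re.IGNORECASE,
)


def parse_rundll32(command):
    """Return (module_path, export) for a rundll32 command, or None for anything else.
    Accepts both forms seen in the write-up, including the stray space before the
    comma in the Werow variant."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def assess_run_entry(name, command):
    """Return the list of reasons a Run value looks suspicious (empty list = nothing found)."""
    reasons = []
    parsed = parse_rundll32(command)
    if parsed is None:
        return reasons
    dll, export = parsed
    ext = ("." + dll.rsplit(".", 1)[-1].lower()) if "." in dll else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"rundll32 loads a module with non-DLL extension {ext}")
    if "appdata" in dll.lower():
        reasons.append("module lives under the user's AppData rather than a system directory")
    if export.lower() == "wincred":
        reasons.append("export name 'WinCred' matches the CMSTAR droppers")
    if reasons and name.lower() in ("microsoft", "wincred"):
        reasons.append(f"value name '{name}' mimics a vendor or system component")
    return reasons


def triage(entries):
    """Run assess_run_entry over {value_name: command}; return only the flagged entries."""
    flagged = {}
    for name, command in entries.items():
        reasons = assess_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed Run-key snapshot: the two values from the write-up plus benign stand-ins.
SAMPLE_RUN_ENTRIES = {
    "WinCred": r"rundll32 %APPDATA%\Microsof\Office\WinCred.acl ,WinCred",
    "Microsoft": r'rundll32.exe "%APPDATA\Roaming\Microsoft\Office\OutL12.pip",WinCred',
    "ExampleSync": r'"C:\Program Files\Example\sync.exe" /background',        # constructed, benign
    "Shell": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # constructed, benign
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The regex deliberately tolerates the quoting differences between the two commands; a stricter parser that expected `"path",Export` would miss the Werow form with its space before the comma.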

The shellcode will then overwrite the original delivery document with the decrypted decoy contents and open the new document.

PYLOT Analysis

This malware family was named via a combination of the DLL’s original name, ‘pilot.dll’, and the fact that it downloads files with a Python (.py) file extension.

PYLOT begins by being loaded as a DLL with the ServiceMain export. It proceeds to create the following two folders within the %TEMP% path:

  • KB287640
  • KB887209

PYLOT continues to load and decode an embedded resource file. This file contains configuration information that is used by the malware throughout its execution. The following script, written in Python, may be used to decode this embedded resource object:

Looking at the decoded data, we see the following:

Figure 12 Decoded embedded configuration information

The malware continues to collect the following information from the victim computer:

  • Computer name
  • IP addresses present on the machine
  • MAC addresses
  • Microsoft Windows version information
  • Windows code page identifier information

This information is used to generate a unique hash for the victim machine. PYLOT then begins entering its C2 handler routine, where it will use HTTP for communication with the remote host.

Data sent to the remote C2 server is encrypted using RC4 with the previously shown key of ‘BBidRotnqQpHfpRTi8cR.’ It is then further obfuscated by base64-encoding this encrypted string. An example of this HTTP request containing this data can be seen below.

Figure 13 HTTP request made by PYLOT to remote server

The decrypted data sent in the request above is as follows. Note that this custom data format has not been fully identified; however, we are able to see various strings, including the embedded configuration string ‘fGAka0001’, as well as the victim hash ‘100048048’.

Figure 14 Decrypted data sent by PYLOT to remote server

The base64-encoded string at the end of the data contains the collected victim machine information from earlier, separated by a ‘|’ delimiter.
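The RC4-then-Base64 encoding described above, as an added example for decoding captured PYLOT request bodies; it is not the Unit 42 script. The RC4 key is the one quoted in the text. Because the full data format was not identified, the request body below is constructed: the configuration string and victim hash from Figure 14 followed by a ‘|’-delimited, Base64-encoded block of made-up host details.

```python
# Added example (not the Unit 42 script): RC4 + Base64 wrapper matching the
# description of PYLOT's C2 encoding, so a captured request body can be decoded
# for analysis. The key is quoted in the write-up; the body layout is constructed.
import base64

PYLOT_KEY = b"BBidRotnqQpHfpRTi8cR"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_request(plaintext, key=PYLOT_KEY):
    """What the implant sends: Base64(RC4(key, data))."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_request(body, key=PYLOT_KEY):
    """Analyst side: strip the Base64 layer, then undo RC4."""
    return rc4(key, base64.b64decode(body))


def victim_info_field(fields):
    """Inner '|'-delimited, Base64-encoded block of host details, as described above."""
    return base64.b64encode("|".join(fields).encode("utf-8")).decode("ascii")


def split_victim_info(field):
    """Reverse victim_info_field: Base64-decode and split on '|'."""
    return base64.b64decode(field).decode("utf-8").split("|")


# Constructed stand-in for a request body (the real layout is only partially known).
CONSTRUCTED_FIELDS = ["WIN-EXAMPLE", "10.0.0.5", "00:11:22:33:44:55", "6.1", "1252"]
CONSTRUCTED_BODY = b"fGAka0001|100048048|" + victim_info_field(CONSTRUCTED_FIELDS).encode("ascii")

if __name__ == "__main__":
    wire = encode_request(CONSTRUCTED_BODY)
    print(wire)
    print(decode_request(wire))
```

Feeding the Base64 blob from a captured request into decode_request with this key is enough to recover the cleartext seen in Figure 14; the inner victim-information field then needs the second Base64 decode and the ‘|’ split.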

The remote C2 server responds using the same data format. An example response can be seen below.

Figure 15 Response from remote C2 server

The decoded data at the end of the response contains various URIs to be used by the malware to receive commands, as well as other information that has yet to be fully researched.

A number of commands have been identified within PYLOT, including the following:

  • Download batch script
  • Run batch script
  • Delete file
  • Rename file
  • Execute file
  • Download file
  • Upload file

BYEBY Analysis

BYEBY was named based on a string within the malware itself. Most strings found within this malware are truncated to 6 characters. One such example was a debug string containing ‘BYE BY’, which was likely a truncated form of the phrase ‘BYE BYE’.

This malware is loaded as a DLL, with an export name of ServiceMain. When the malware is initially loaded, it begins by checking to see if it is running within either of the following paths:

  • [SYSTEM32]\svchost.exe
  • [SYSTEM32]\rundll32.exe

If it finds itself running in neither location, it will immediately exit. This is likely a technique used to bypass various sandboxing systems. Should it find itself running as svchost.exe, it will write the current timestamp and a value of ‘V09SS010’ (Base64 decoded: ‘WORKMN’) to a file named ‘vmunisvc.cab’ within the user’s local %TEMP% folder. This file acts as a log file and is written to frequently throughout the malware’s execution.

When the malware runs within the context of svchost.exe, it bypasses the installation routines and immediately enters the C2 handler.

When BYEBY is run within the context of rundll32.exe, it expects to be running for the first time. As such, it will register itself as a service with the name ‘VideoSrv’. After this service is created, BYEBY proceeds to enter its C2 handler function in a new thread.

BYEBY uses TLS for network communication, connecting to the following host on port 443:

  • oeiowidfla22[.]com

After the initial connection is established, BYEBY will collect the following system information and upload it to the remote C2:

  • Hostname
  • IP Address
  • Embedded String of ‘WinVideo’
  • Major Windows Version
  • Minor Windows Version
  • Embedded String of ‘6.1.7603.16000’

The malware is configured to accept a number of commands. These appear to be Base64-encoded strings that, when decoded, reveal their true meaning. Only the beginning of each command is checked. The Base64-decoded strings have been included for the benefit of the reader.

  • aGVsbG8h [Decoded: hello!]
  • R09PREJZ [Decoded: GOODBY]
  • TElTVCBE [Decoded: LIST D]
  • U1RBUlRD [Decoded: STARTC]
  • Q09NTUFO [Decoded: COMMAN]
  • VFJBTlNG [Decoded: TRANSF]
  • RVhFQ1VU [Decoded: EXECUT]

A mapping of commands and their descriptions has been provided:

Command    Description
aGVsbG8h   Authenticate with the remote C2 server.
R09PREJZ   Close the socket connection with the remote server.
TElTVCBE   List drives on the victim machine.
U1RBUlRD   Start an interactive shell on the victim machine.
Q09NTUFO   Execute a command in the interactive shell.
VFJBTlNG   Upload or download files to the victim machine.
RVhFQ1VU   Execute a command in a new process.

Scripts

We created multiple scripts during the course of our research. We are sharing them here to assist other researchers or defenders that encounter this malware.

extract_cmstar_doc.py – Script to extract the embedded CMSTAR payload from Word documents.

extract_cmstar_rtf.py – Script to extract the embedded CMSTAR payload from RTFs.

extract_cmstar_strings.py – Script to identify possible mutex and C2 strings from CMSTAR variants.

decode_cmstar_payload.py – Script to decode a payload downloaded by CMSTAR.

Indicators of Compromise

CMSTAR Variants Identified in Phishing Campaign

65d5ef9aa617e7060779bc217a42372e99d59dc88f8ea2f3b9f45aacf3ba7209

2a0169c72c84e6d3fa49af701fd46ee7aaf1d1d9e107798d93a6ca8df5d25957

4da6ce5921b0dfff9045ada7e775c1755e6ea44eab55da7ccc362f2a70ce26a6

2008ec82cec0b62bdb4d2cea64ff5a159a4327a058dfd867f877536389a72fb6

cecd72851c265f885ff02c60cbc3e6cbf1a40b298274761f623dfa44782a01f8

d8c0f8ecdeceba83396c98370f8f458ea7f7a935aabbcc3d41b80d4e85746357

2c8267192b196bf8a92c8b72d52096e46e307fa4d4dafdc030d3e0f5b4145e9e

2debf12b1cb1291cbd096b24897856948734fa62fd61a1f24d379b4224bda212

79b30634075896084135b9891c42fca8a59db1c0c731e445940671efab9a0b61

b0065fc16ae785834908f024fb3ddd4d9d62b29675859a8e737e3b949e85327a

16697c95db5add6c1c23b2591b9d8eec5ed96074d057b9411f0b57a54af298d5

6843d183b41b6b22976fc8d85e448dcc4d2e0bd2c159e6d966bfd4afa1cd9221

3c3efa89d1dd39e1112558af38ba656e048be842a3bedb7933cdd4210025f791

b2bebb381bc3722304ab1a21a21e082583bf6b88b84e7f65c4fdda48971c20a2

09890dc8898b99647cdc1cceb97e764b6a88d55b5a520c8d0ea3bfd8f75ed83b

fd22973451b88a4d10d9f485baef7f5e7a6f2cb9ce0826953571bd8f5d866c2a

CMSTAR Download Locations in Phishing Campaign

http://45.77.60[.]138/YXza9HkKWzqtXlt.dat
http://45.77.60[.]138/mePVDjnAZsYCw5j.dat
http://45.77.60[.]138/UScHrzGWbXb01gv.dat
http://45.76.80[.]32/tYD7jzfVNZqMfye.dat
http://45.77.60[.]138/liW0ecpxEWCfIgU.dat
http://45.77.60[.]138/ezD19AweVIj5NaH.dat
http://45.77.60[.]138/jVJlw3wp379neaJ.dat
http://108.61.175[.]110/tlhXVFeBvT64LC9.dat
http://45.77.60[.]138/HJDBvnJ7wc4S5qZ.dat
http://45.77.60[.]138/JUmoT4Pbw6U2xcj.dat
http://108.61.175[.]110/oiUfxZfej29MAbF.dat
http://45.77.60[.]138/cw1PlY308OpfVeZ.dat
http://45.77.60[.]138/VFdSKlgCAZD7mmp.dat
http://45.77.60[.]138/c2KoCT5OHcVwGi7.dat
http://45.77.60[.]138/3kK24dXFYRgM6Ac.dat
http://45.77.60[.]138/WsEeRyHEhLO1kUm.dat

PYLOT SHA256

7e2c9e4acd05bc8ca45263b196e80e919ff60890a872bdc0576735a566369c46

PYLOT C2

wait.waisttoomuchmind[.]com

BYEBY SHA256

383a2d8f421ad2f243cbc142e9715c78f867a114b037626c2097cb3e070f67d6

BYEBY C2

oeiowidfla22[.]com

CMSTAR.B SHA256

8609360b43498e296e14237d318c96c58dce3e91b7a1c608cd146496703a7fac

f0f2215457200bb3003eecb277bf7e3888d16edcf132d88203b27966407c7dc3

aecf53a3a52662b441703e56555d06c9d3c61bddf4d3b23d9da02abbe390c609

960a17797738dc0bc5623c74b6f8a5d74375f6d18d20ba18775f26a43898bae6

e37c045418259ecdc07874b85e7b688ba53f5a7dc989db19d7e8c440300bd574

75ea6e8dfaf56fb35f35cb043bd77aef9e2c7d46f3e2a0454dff0952a09c134f

a65e01412610e5ed8fde12cb78e6265a18ef78d2fd3c8c14ed8a3d1cef17c91d

7170b104367530ae837daed466035a8be719fdb17423fc01da9c0ded74ca6ad1

13acddf9b7c2daafd815cbfa75fbb778a7074a6f90277e858040275ae61a252b

625ed818a25c63d8b2c264d0f5bd96ba5ad1c702702d8ffaa4e0e93e5f411fac

a56cd758608034c90e81e4d4f1fe383982247d6aeffd74a1dd98d84e9b56afdf

a4b969b93f7882ed2d15fd10970c4720961e42f3ae3fced501c0a1ffa3896ff5

e833bbb79ca8ea1dbeb408520b97fb5a1b691d5a5f9c4f9deabecb3787b47f73

8e9136d6dc7419469c959241bc8745af7ba51c7b02a12d04fec0bc4d3f7dcdf0

CMSTAR.B Download Locations

http://108.61.175[.]110/tlhXVFeBvT64LC9.dat
http://104.238.188[.]211/gl7xljvn3fqGt3u.dat
http://45.77.60[.]138/c2KoCT5OHcVwGi7.dat
http://108.61.175[.]110/gkMmqVvZ7gGGxpY.dat
http://108.61.175[.]110/z_gaDZyeZXvScQ6.dat
http://108.61.175[.]110/bDtzGVtqgiJU9PI.dat
http://45.77.60[.]138/liW0ecpxEWCfIgU.dat
http://45.77.60[.]138/JUmoT4Pbw6U2xcj.dat
http://108.61.175[.]110/oiUfxZfej29MAbF.dat
http://108.61.103[.]123/jvZfZ0gdTWtr46y.dat
http://108.61.103[.]123/06JcD5jz5dSHVAy.dat
http://108.61.103[.]123/nj3dsMMpyQQDBF3.dat
http://108.61.103[.]123/fHZvWtBGlFvs2Nr.dat
http://45.77.60[.]138/w57E8dktKb9UQyV.dat

CMSTAR.C SHA256

85e06a2beaa4469f13ca58d5d09fec672d3d8962a7adad3c3cb74f3f9ef1fed4

b8ef93227b59e6c8d3a1494b4860d15be819fae17b57fd56bfff9a51b7972ff0

9e6fdbbc2371ac8bc6db3b878475ed0b0af8950d50a4652df688e778beb87397

4e38e627ae21f1a85aa963ca990a66cf75789b450605fdca2f31ee6f0f8ab8f2

f4ff0ca7f2ea2a011a2a4615d9b488b7806ff5dd61577a9e3a9860f2980e7fc0

8de3fa2614b1767cfd12936c5adf4423ef25ea60800fa170752266e0ca063274

38197abde967326568e101b65203c2efa75500e5f3c084b6dd08fd1ba1430726

726df91a395827d11dc433854b3f19b3e28eac4feff329e0bdad93890b03af84

5703565ec64d72eb693b9fafcba5951e937c8ee38829948e9518b7d226f81c10

d0544a3e6d1b34b8b4e976c7fc62d4500f28f617e2f549d9a3e590b71b1f9cc5

2a8e5551b9905e907da7268aba50fcbc526cfd0549ff2e352f9f4d1d71bf32a7

d7cd6f367a84f6d5cf5ffb3c2537dd3f48297bd45a8f5a4c50190f683b7c9e90

8f7294072a470b886791a7a32eedf0f0505aaecec154626c6334d986957086e4

6419255d017b217fe984d3439694eb96806d06c7ea41a422298650969028c08c

CMSTAR.C Download Locations

http://45.77.58[.]49/54xfapkezW64xDE.dat
http://45.77.62[.]181/naIXl13kqeV7Y2j.dat
http://45.77.58[.]160/9EkCWYA3OtDbz1l.dat
http://45.77.58[.]160/8h5NPYB5fAn301E.dat
http://45.77.60[.]138/3kK24dXFYRgM6Ac.dat
http://45.77.60[.]138/ezD19AweVIj5NaH.dat
http://45.77.60[.]138/VFdSKlgCAZD7mmp.dat
http://45.77.60[.]138/HJDBvnJ7wc4S5qZ.dat
http://45.77.60[.]138/jVJlw3wp379neaJ.dat
http://45.77.60[.]138/YXza9HkKWzqtXlt.dat
http://45.77.60[.]138/UScHrzGWbXb01gv.dat
http://45.77.60[.]138/WsEeRyHEhLO1kUm.dat

Source: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/


Machine Learning for Threat Detection, Hype vs. Reality

Category : Trend Micro

Thursday, October 5, 2017, 1:00 p.m. EDT
Machine learning is an important technique being leveraged to improve ransomware detection rates. Register to join us for this live webinar.
You’ll hear from Eric Skinner, VP of Market Strategy, as he outlines why machine learning is effective relative to other techniques, but also how to mitigate its main weakness, false positives. You’ll also learn how malware authors are reacting to the rise of machine learning and how defenses will evolve next.


Hybrid Cloud Security, powered by XGen™

Category : Trend Micro

Optimized for leading environments

Hybrid Cloud Security, powered by XGen™, delivers multiple cross-generational threat defense techniques for protecting physical, virtual, and cloud workloads. Optimized for leading environments like AWS, Microsoft® Azure™, and VMware, you get full visibility and control of your workloads across all environments.

Protects against known and unknown threats

A connected threat defense provides increased visibility and speed of response to sophisticated attacks, allowing for a coordinated enterprise response that protects against known and unknown threats, while keeping skilled resources focused on your business goals.

Cross-generational blend of threat defense techniques


Get expert insight. For free.

Don’t just take our word for it. See what industry experts have to say.


Named a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms since 2002


Market share leader every year since 2009


Named a Leader in Forrester Wave™: Endpoint Security Suites, Q4 2016
