ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time of this writing, it is actively being developed and has implemented some interesting features such as a custom virtual machine and basic steganography. In addition, due to a recent leak of a builder program, the ability to create new ZeusVM campaigns is now in the hands of many more miscreants.
To foster a better understanding of ZeusVM, the attached paper examines some of the internals of the malware from a reverse engineer’s perspective. While it doesn’t cover every component, the visibility provided can help organizations better detect and protect from this threat.
ZeusVM: Bits and Pieces (PDF)
Click here to download the full report that includes attack details, TTPs and indicators of compromise.
Myanmar is a country currently engaged in an important political process. A pro-democracy reform took place in 2011 which has helped the government create an atmopshere conducive to investor interest. The country is resource rich, with a variety of natural resources and a steady labor supply. Despite recent progress, the country is subject to ongoing conflict with ethnic rebels and an ongoing civil war. Analysts suggest that both China and the United States are vying for greater influence in Myanmar, with China in particular having geopolitical interest due to sea passages, port deals, and fuel pipelines that are important to its goals. Geopolitical analysts have suggested that the United States may have its own interests that involve thwarting Chinese ambitions in the region.
APT groups from multiple countries – including China – have been known to target organizations of strategic interest with aggressive malware-based espionage campaigns. One of the malware families used in such a scenario is the well-known Remote Access Trojan PlugX, also known as Korplug, that enables full access to the victim’s machine and network.
Multiple instances of PlugX and related downloader Continue reading
ASERT provides a weekly threat bulletin for Arbor customers that highlights and analyzes the week’s top security events and provides other pertinent infosec material. Recently, we covered the public notification of a United Airlines breach by possible Chinese state-sponsored threat actors. In this blog, we offer an alternative hypothesis to the conclusions many have drawn regarding the motivation behind this and other recent attacks.
The Compromises
For those keeping score, the United States Office of Personnel Management (OPM), Anthem, Premera, and Carefirst Blue Cross all reported large data breaches, seemingly perpetrated by the same possible Chinese state-sponsored threat actors [1]. Research into the OPM breach provided information leading investigators to believe the same group of threat actors also compromised additional companies [2]. These investigators released IOC’s that United Airlines used to detect their own data breach in late May/early June of 2015. The data stolen reportedly included passenger manifests containing travel information and basic demographics about travelers. Additionally, according to Bloomberg, one of the individuals familiar with the case indicated information regarding United’s corporate merger and acquisition strategy was also possibly compromised.
Considering the context discussed so far, let’s highlight the current train of thought amongst many in the security Continue reading
One of the hardest things to do when you are receiving malware that have “anonymized” (e.g. name-is-hash) names or general samples that lack any indication of the infection vector is to determine the origin of the file and its intended target. Even harder is when you do not receive telemetry data from products that contains information about infected machines. To that end, I have been working on automating ways to help ASERT better understand the context around samples so we can answer question about what may have been targeted, why it was targeted and when it was targeted. This post will use the PlugX malware as an example (PlugX is well known and has had its various iterations analyzed many times), due in part to its ongoing activity and will focus on leveraging metadata from VirusTotal due to it being publicly accessible.
Automation is king when processing malware and getting the configuration out of samples without analyst intervention is always ideal and we prefer to treat our various sandbox platforms as black boxes and extract what we can from them before doing our own normalization and post-processing tasks to collate all the information into our internal malware analysis system and Continue reading
UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009 [1] [2], 2012 [3], and 2013 [4]. Despite having a reputation of evolution, there doesn’t seem to be very many recent updates on this malware family though. Is UrlZone still a threat and if so, how has it changed?
To explore that, this post takes a look at a recent UrlZone malware sample to see if it is still an active threat. It then gives an update on the command and control (C2) communications as they have changed since being previously documented. These are then put together in some proof of concept code that downloads and decrypts the webinject configuration file (the bread and butter of any banker malware) to see what financial institutions are being targeted.
Sample
The sample analyzed for this post has an MD5 of:
01fd0f1ad59ad5403c9507bfb625fe0c
For the “stop using md5 now” converts, it has the following SHA256:
39bbde33922cd6366d7c2a252c4aadd4dfd7405d5271e3652940a7494b885e88
The sample’s compilation date is 2015-06-12 12:01:03. This date seems legit as Continue reading
The H1N1 Loader appears to be a relatively new downloader family that, to the best of our knowledge, was initially discovered and analyzed by the security community in May 2015. We have seen several samples show up in our malware zoo this Spring and have documented our preliminary findings from a network communications perspective in a short summary report.
One of the truisms of comic books and graphic novels is that nothing is immutable – both heroes and villains are rebooted, retconned, featured as radically (or subtly) different versions in alternate timelines, etc. The Marvel Cinematic Universe, which so far includes the Captain America, Thor, Hulk, Iron Man, and Avengers films, is a good example. DC are doing the same with The Flash and Green Arrow, and the latest cinematic incarnations of Batman and Superman are set to do battle with one another in a projected summer blockbuster movie next year.
And these new variants on old stories proliferate throughout the various versions of each character arc – variations on the same themes, but instantly recognizable to long-time fans and easily remembered by new ones. Tony Stark’s updated Iron Man origin story in the first Iron Man movie is one such example; the supervillain Mystique’s origin in the X-Men series of films (not part of the MCU) is another.
That isn’t to say that there’s no innovation taking place – Frank Miller’s The Dark Knight Returns radically migrated the general public perception of Batman away from the 1960s comedy paradigm Continue reading
As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad / click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got some more attention when it was being observed as the malware payload for some instances of the Angler exploit kit, leveraging the Adobe Flash Player exploit (CVE-2015-0311) which at the time was a 0day. It was also observed that this newer version was using a domain generation algorithm (DGA) to generate its command and control (C2) domain names.
This post provides some additional notes on the DGA including a proof of concept Python implementation, a look at the two most recent sets of DGA generated domains, and concludes with some sinkhole data.
Samples
The following Bedep samples were used for this research:
The former was originally sourced from KernelMode.
Algorithm
I’ve posted a proof of concept (read: works for me) Python implementation of the DGA to ASERT’s Github.
At the time of Continue reading
By: ASERT Research Team
On March 31st, Arbor’s Security Engineering & Response Team (ASERT) published a detailed threat brief on the Neverquest malware for Arbor customers. Along with thousands of IOC’s (indicators of compromise), the brief details Neverquest’s current inner workings and describes some reversing techniques ASERT uses to unravel and monitor this stealthy and quickly evolving malware. Applying this research at scale to malware and data acquired by our global ATLAS initiative allows us to develop targeted defenses and security context that enables customers to mitigate advanced threats and enhance their security posture over time [1].
This blog post provides excerpts from the Neverquest threat brief along with some new data that was not available at the time the brief was released to customers. In doing so, it also highlights the results of ASERT research activities that feed Arbor products.
Historical Threat Context and Prior Research
Originally, a malware family known as Ursniff was used to build newer malware called Gozi. After some success and a time of inactivity, Gozi was revitalized as Gozi Prinimalka, which has evolved into the modern Vawtrak/Neverquest (referred to as ‘Neverquest’ herein). Foundational threat analysis work has been performed for years on Continue reading
On January 15th, France’s chief information systems defense official, Adm. Arnaud Coustilliere, announced a sharp rise in online attacks against French web sites:
“Calling it an unprecedented surge, Adm. Arnaud Coustilliere, head of cyberdefense for the French military, said about 19,000 French websites had faced cyberattacks in recent days, …” [1].
As we’ve done in the recent past for North Korea [2], Hong-Kong [3], and Israel [4], we can leverage Arbor’s ATLAS initiative to observe how real world conflict is reflected in the digital realm. ATLAS receives anonymized Internet traffic and DDoS event data from over 330 participating Internet Service Providers worldwide. In particular, we are interested in DDoS attacks before and after Sunday, January 11th. As reported in [1],
“Coustilliere called the attacks a response to the massive demonstrations against terrorism that drew 3.7 million people into the streets Sunday across France.”
In order to gauge this response, we compare the DDoS attacks that took place between January 3rd and January 10th to the DDoS attacks that took place between January 11th and January 18th inclusive.
Between January 3rd and January 18th, a total of 11,342 Continue reading
It was reported earlier today that North Korea was having Internet connectivity issues.
Now obviously given recent events with Sony, this sort of report is far more fascinating than it normally would be. The first question when you see this type of report is whether it’s purely a connectivity issue or whether an attack is behind it. While visibility into North Korean Internet is quite difficult, we are able to see quite a few attacks over the last few days.
1.) All targets are in this netblock:
inetnum: 175.45.176.0 – 175.45.179.255
netname: STAR-KP
descr: Ryugyong-dong
descr: Potong-gang District
country: KP
admin-c: SJVC1-AP
tech-c: SJVC1-AP
status: ALLOCATED PORTABLE
2.) pDNS Data on the specific targets
175.45.176.8 – This appears to be primary DNS
175.45.176.9 – This appears to be secondary DNS
175.45.176.10 – smtp.star-co.net.kp
175.45.176.67 – naenara.com.kp
175.45.176.77 – Unknown
175.45.176.79 – www.ryongnamsan.edu.kp
3.) Port Analysis
– All attacks on the 18th, 19th and 20th target port 80
– All attacks (except for one) on the 21st Continue reading
In early August, we examined data demonstrating a striking correlation between real-world and online conflict [1], which ASERT tracks on a continual basis [2-7]. Recent political unrest provides another situation in which strong correlative indicators emerge when conducting time-series analysis of DDoS attack data.
The latest round of pro-democracy protests in Hong Kong began on September 22nd when “. . . Students from 25 schools and universities go ahead with a week-long boycott to protest Beijing’s decision to proceed with indirect elections for Hong Kong’s Chief Executive position.” [8]. The protests ramped up on September 28th when a larger pro-democracy group, Occupy Central with Love and Peace, combined forces with the student demonstrators [8-9]. On October 1st, protesters vowed to increased the level of civil disobedience if Hong Kong’s Chief Executive, Leung Chun-Ying, did not step down [10]. Since that time, tensions have increased, with police crackdowns, tear gas, barricades, skirmishes, shutdowns of government buildings and infrastructure, and heavy use of social media to promote both pro-and anti-protest sentiment. By examining Arbor ATLAS Internet-wide attack visibility data we have identified DDoS attack activity in the APAC region which correlates strongly with the ebb and flow Continue reading
It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don’t have the time / sandbox bandwidth to manually run and extract the information from network indicators.
To find C2 info, one could always just extract all hostname-/IP-/URI-/URL-like elements via string regex matching, but it’s entirely possible to end up false positives or in some cases multiple hostname and URI combinations and potentially mismatch the information. In addition to that issue, there are known families of malware that will include benign or junk hostnames in their disassembly that may never get referenced or only referenced to make false phone-homes. Manually locating references and then disassembling using a disassembler (in my case, Capstone Engine) can help Continue reading
Yesterday, the Communications Security, Reliability and Interoperability Council (CSRIC), a federal advisory committee to the Federal Communications Commission (FCC), submitted its final report on Remediation of Server-based DDoS Attacks.
The CSRIC’s Working Group 5 was tasked with developing recommendations for communications providers to enable them to mitigate the impact of high volume DDoS attacks launched from large data center and hosting environments.
The final report includes a comprehensive look at the DDoS threat landscape, covering everything from the massive size of today’s attacks, to the potential for collateral damage. The report describes how DDoS attacks are becoming increasingly complex, how they are being used as a diversion “to distract security resources while other attacks are being attempted, e.g., fraudulent transactions.” The report also discusses how botnet architectures are becoming more sophisticated and difficult to trace.
Given this complex and challenging threat landscape, we were grateful for the opportunity to contribute. The CSRIC has adapted Arbor Networks best practices for DDoS incident response as the Six Phases for DDoS Attack Preparation & Response.
Roland Dobbins, senior analyst with Arbor’s Security Engineering & Response Team (ASERT), served as the Internet sub-group chairman of CSRIC IV WG5 – Server-Based Continue reading
by Dennis Schwarz and Dave Loftus
NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across any public details of this family, we’re releasing our malware analysis for posterity and to get ahead of the threat.
The analyzed sample has an MD5 of 4196c67648003a18f61573a77b6d3be6.
Naming
Its name comes from an embedded PDB pathname string from the analyzed sample:
C:UsersTomdocumentsvisual studio 2012ProjectsNewPosThingsReleaseNewPosThings.pdb
Initialization
The malware initializes itself as follows:
Last week in Chicago, at the annual SIGCOMM flagship research conference on networking, Arbor collaborators presented some exciting developments in the ongoing story of IPv6 roll out. This joint work (full paper here) between Arbor Networks, the University of Michigan, the International Computer Science Institute, Verisign Labs, and the University of Illinois highlighted how both the pace and nature of IPv6 adoption has made a pretty dramatic shift in just the last couple of years. This study is a thorough, well-researched, effective analysis and discussion of numerous published and previously unpublished measurements focused on the state of IPv6 deployment.
The study examined a decade of data reporting twelve measures drawn from ten global-scale Internet datasets, including several years of Arbor data that represents a third to a half of all interdomain traffic. This constitutes one of the longest and broadest published measurement of IPv6 adoption to date. Using this long and wide perspective, the University of Michigan, Arbor Networks, and their collaborators found that IPv6 adoption, relative to IPv4, varies by two orders of magnitude (100x!) depending on the measure one looks at and, because of this, care must really be taken when looking at individual measurements of IPv6. For example, examining only the fraction of IPv6 to IPv4 Continue reading
By Dennis Schwarz and Dave Loftus
It has been a few weeks since news broke of the Zeus Gameover variant known as newGOZ. As has been reported, the major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA).
The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated. We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used (0×35190501 and 0x52e645).
Date based domain generation algorithms make for excellent sinkholing targets due to their predictability, and provides security researchers the ability to estimate the size of botnets that use them. With this in mind, we have gathered five days worth of newGOZ sinkhole data. Our domains are based on the first configuration, since this configuration seems to be used the most in the wild.
As with all sinkhole data, many variables can affect the accuracy of victims such as network topology (NAT and DHCP), timing, Continue reading