Awareness isn’t the goal, it’s just the beginning

When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons.  The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized.  (Try to visualize how far in the back of my head my eyes are rolling…)

PhishMe Celebrates National Cyber Security Awareness Month 2015 and UK Based Security Serious Week

It’s that time of year again. No, it’s not the arrival of the pumpkin spiced latte at your local coffee shop. It’s National Cyber Security Awareness month (NCSAM) as proclaimed by President Barack Obama last year. “National Cyber Security Awareness Month — celebrated every October — was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online,” as stated by the National Cyber Security Alliance located on their StaySafeOnline.org website. At PhishMe, we are proud to once again play a lead role in the cyber security community as a 2015 NCSAM “Champion” sponsor.

Upatre Malware Anti-Sandboxing Mechanism Uncovered

Researchers have been studying the Upatre malware anti-sandboxing mechanism over the course of the past few days, after capturing a number of samples of the malware.

The Upatre malware anti-sandboxing mechanism is an uptime check rather than a sleep: the sample will not download its payload until the system has been running for roughly twelve minutes. The intent is to avoid executing inside a sandbox, where a freshly started virtual machine is handed the sample moments after boot and its actions can be recorded and studied by security researchers. An early example of this technique can be found in any of the binaries delivered by the spam messages profiled in the PhishMe Intelligence database (Threat 4301), using spam email content like that shown in the image below:

Sandbox and analysis evasion is not a new technique for malware. Many of the mechanisms utilized by malware to detect that they are under analysis are exceedingly complex. Those anti-sandboxing mechanisms look for evidence of a sandbox hidden deep in the environment.

This often takes two forms: searching for traces that indicate the malware is running on a virtual machine, or searching for tools that malware researchers use to analyze a sample. Both require comparing registry entries, device names, and running processes against known values that betray an environment that is not a real computer. As a result of the ongoing arms race between researchers and threat actors, analysis techniques have been developed that allow researchers to avoid giving away their presence to the malware at runtime. Many of these techniques have been implemented in automated and inline sandboxing tools, where hardened virtual machines are used to screen content for malware.

The Upatre malware anti-sandboxing mechanism, however, differs from these highly technical anti-sandboxing and analysis techniques. Instead, Upatre exploits characteristics of how researchers create and use analysis environments. The Dyre Trojan employs a similar tactic: it interrogates the number of cores in the computer’s processor and refuses to execute when there is only one. Dyre assumes that many analysis sandboxes will be given a virtual processor with a single core, while nearly all real, consumer-grade computers have at least two.

A similar line of thinking is employed in the Upatre malware anti-sandboxing mechanism. The assumption made by the threat actor is that no real computer in use by a human being will be booted immediately before executing the malware binary. Instead, this behavior would be characteristic of a sandbox being started immediately before the introduction and execution of a malware binary.

Upatre calls the Windows GetTickCount function, which returns the number of milliseconds that have elapsed since the system was started, giving the binary a cheap measure of uptime. The anti-sandboxing mechanism is a single branch in the malware’s execution logic. If GetTickCount returns a value that is too small, less than approximately 720,000 milliseconds (twelve minutes), the malware takes a branch that leads directly to process exit. If the value is above the twelve-minute mark, the malware proceeds to download and deobfuscate its Dyre payload. Two practical caveats follow from the choice of API: GetTickCount is a 32-bit counter that wraps to zero roughly every 49.7 days, so a long-running real host can occasionally fail the check, and a sandbox can pass it simply by hooking the function to return an inflated value or by snapshotting the virtual machine only after it has been up for longer than the threshold.

Figure 2 shows the disassembly of an Upatre sample applying this uptime constraint. The red-highlighted breakpoint marks the beginning of the code section where the value returned by GetTickCount is handled, while the black-highlighted line shows that value held in the eax register as the hexadecimal value 0x1EA5E. That is 125,534 in decimal, roughly 125 seconds of uptime on the analysis system, well short of the threshold. Immediately below the black-highlighted entry, after the return, the malware branches either to terminate the process or to continue with the download and execution of a Dyre sample.
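To make the branch concrete, here is a small Python model of the uptime gate, written for this page rather than taken from the PhishMe analysis or from the Upatre sample itself. The 720,000 ms threshold and the figure’s 0x1EA5E value come from the text above; the 32-bit wraparound is a documented property of GetTickCount; the 30-minute hook offset is an illustrative assumption.

```python
# Added example (not from the PhishMe post): a model of the Upatre uptime gate.
# Threshold and the figure's value come from the text above; the hook offset is
# an assumption; GetTickCount's 32-bit wraparound is a documented property of the API.

UPTIME_THRESHOLD_MS = 12 * 60 * 1000  # ~720,000 ms, the branch threshold from the sample
TICK_WRAP = 2 ** 32                    # GetTickCount is a 32-bit millisecond counter


def upatre_uptime_gate(tick_count_ms: int) -> bool:
    """True when the sample would continue on to download its payload.

    Mirrors the branch described above: a tick count below ~12 minutes is
    treated as a freshly booted sandbox and the process exits.
    """
    return (tick_count_ms & 0xFFFFFFFF) >= UPTIME_THRESHOLD_MS


def tick_count_after(uptime_ms: int) -> int:
    """The value GetTickCount reports for a host that has been up `uptime_ms`.

    The counter wraps every 2**32 ms (about 49.7 days), so a long-lived real
    host periodically looks 'freshly booted' to this check and the malware
    would exit on it.
    """
    return uptime_ms % TICK_WRAP


def sandbox_tick_hook(real_tick_ms: int, offset_minutes: int = 30) -> int:
    """Hypothetical analyst-side hook for GetTickCount.

    A sandbox can satisfy the gate without waiting by returning the real value
    plus a fixed offset (or by snapshotting the VM after it has aged past the
    threshold). The 30-minute offset is an arbitrary choice for this example.
    """
    return (real_tick_ms + offset_minutes * 60 * 1000) % TICK_WRAP


def classify(tick_count_ms: int) -> str:
    """Label the branch the sample would take for a given GetTickCount result."""
    if upatre_uptime_gate(tick_count_ms):
        return "proceed: download and deobfuscate the Dyre payload"
    return "exit: uptime below the twelve-minute threshold"


if __name__ == "__main__":
    figure_value = 0x1EA5E  # eax in the disassembly figure: 125,534 ms of uptime
    print(f"{figure_value} ms -> {classify(figure_value)}")
    print(f"hooked -> {classify(sandbox_tick_hook(figure_value))}")
    just_wrapped = tick_count_after(TICK_WRAP + 30_000)  # host up 49.7 days + 30 s
    print(f"{just_wrapped} ms after wraparound -> {classify(just_wrapped)}")
```

The wraparound case is the one worth remembering when tuning a sandbox: aging the snapshot past the threshold is enough for this family, but a hook that adds an offset must still mask to 32 bits or the value it returns will not look like anything a real GetTickCount could produce.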

By denying researchers or sandboxing tools the ability to observe the malware’s runtime behavior, except under certain specific circumstances, the threat actor preserves an element of secrecy for his or her operations. The indicators by which an Upatre sample can be identified are not revealed, thereby preventing those resources from being shared widely among researchers. Furthermore, since the malware’s hostile behavior lies beyond the crucial uptime-dependent branch, many sandbox tools would not provide visibility into the malware’s fully completed runtime, thereby missing crucial intelligence on this rapidly evolving threat.

PhishMe customers have access to the special report on this topic in their documents folder on PhishMe Intelligence. If you are not currently a PhishMe Intelligence customer and would like further information, please contact the PhishMe team today.

Updated Dyre, Dropped by Office Macros

Whenever attackers make a shift in tactics, techniques, and procedures (TTPs), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out looking like Dridex but quickly turned into a headache leading to Dyre, with some notable differences from past Dyre samples. One PhishMe user was targeted at their personal account; here’s a copy of the phishing email:

Figure 1 -- Phishing email


Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give a few more instructions to the user, saying that the data is “encoded” and macros need to be enabled to read the text.

Detecting a Dridex Variant that Evades Anti-virus

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies.

How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.

Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

Post Updated on March 25

The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.

Decoding ZeuS Disguised as an .RTF File

While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.

Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to brute force the password outright, but unless the attackers use something like 1q2w3e4r, we’re up a creek without a paddle. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially wipe out the password and set our own. In a recent wave of Dridex phishing emails, this is what we saw. Here’s the phishing email sent to one PhishMe employee:

Dyre Trojan Expands to Career Website Targets

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will already have received our report on the Dyre Trojan; even before the report was issued, their SIEMs and scripts will have been able to retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their networks and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different from many of the previous Dyre campaigns, which used a spam lure built on a range of British brand names, with financial services companies extensively spoofed. This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The actual messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all have the “Subject: Thank you for your payment” and the sender appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

The PDF file is the Upatre executable, the TXT file is the Upatre-encoded version of the binary, while the “cube icon” file is the Dyre Trojan.

Career Sites Now Targeted

The Dyre Trojan uses a special configuration file to prioritize the credentials that it desires to steal.  PhishMe Intelligence subscribers will be familiar with several previous Dyre reports on how these configuration files work.  The current version is the first time that we have seen “Career Sites” targeted by Dyre.  The criminals have posed as employers on the following sites:

SimplyHired, Indeed.com, Monster.com, GlassDoor, CareerBuilder.

The URL substrings that will trigger Dyre’s special actions are listed below:
ads.simplyhired.com/simplypost/sign-in/*
ads.simplyhired.com/v/favicon.ico[?]*

secure.indeed.com/account/login*
employers.indeed.com/jobs?ts=*
employers.indeed.com/candidates?ts=*
*.indeed.com/v/favicon.ico[?]*

hiring.monster.com/Login.aspx*
hiring.monster.com/Challenge.aspx*
hiring.monster.com/jpw/Services/Secure/JCMIIWebServices/Jobs.asmx/GetJobs*
hiring.monster.com/v/favicon.ico[?]*

www.glassdoor.com/partners/login_input.htm*
www.glassdoor.com/v/favicon.ico[?]*

www.careerbuilder.com/share/verifyidentity.aspx*
www.careerbuilder.com/share/setchallengequestions.aspx*
www.careerbuilder.com/share/login.aspx*
www.careerbuilder.com/share/favicon.ico[?]*
www.careerbuilder.com/AJAX/GetProductsByUserGroup.aspx*
www.careerbuilder.com/jobposter/mycb/loadaccountwidgetdata.aspx*
www.careerbuilder.com/jobposter/ajax/myjobs/loadmyjobs.aspx*

Non-Career Sites Also Added Today

We’re not sure why the following were also added. Perhaps the Newegg entries indicate a desire to do a little shopping, or perhaps something more sinister is going on.

secure.newegg.com/NewMyAccount/AccountLogin.aspx*
secure.newegg.com/Shopping/ShoppingLogin.aspx*
secure.newegg.com/*/CheckoutStep1.aspx*
secure.newegg.com/*/CheckoutStep2.aspx*
sellerportal.newegg.com/Pages/Account/LandingPage.aspx*
*.newegg.com/v/favicon.ico[?]*

The criminals also are targeting the administrators of mailing lists hosted by MailChimp, which could allow them to deliver malicious emails on behalf of a “trusted” source, helping the criminals to bypass spam filtering controls.

  • mailchimp.com
  • *.admin.mailchimp.com/campaigns*
  • *.admin.mailchimp.com/lists*
  • *.admin.mailchimp.com/account/domains*
  • *.admin.mailchimp.com/reports*
  • mailchimp.com/v/favicon.ico[?]*

GoDaddy accounts would allow creation of domains and also modification of existing domains for malicious purposes.

*.godaddy.com*
*.godaddy.com/v/favicon.ico[?]*

Lastly, Accurint refers to the LexisNexis Accurint database.  This is a very rich collection of Public Records with more than 37 billion entries that can be used for verifying identities.

  • accurint.com/app/bps/main
  • accurint.com/1/favicon.ico[?]*
  • accurint.com
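As an added example that is not part of the PhishMe post, the following Python matcher shows how a trigger list like the one above can be applied to observed URLs, for instance when reviewing proxy logs for visits to the pages Dyre is configured to hijack. The post does not document Dyre’s matching rules, so the semantics here are assumptions: ‘*’ matches any run of characters, ‘[?]’ is a literal question mark, the URL scheme is ignored, and comparison is case-insensitive. The TRIGGERS list is a constructed subset of the patterns above.

```python
# Added example (not from the PhishMe post): glob-style matcher for Dyre trigger
# patterns. Matching semantics ('*' = any run, '[?]' = literal '?', scheme dropped,
# case-insensitive) are assumptions; the post lists the patterns, not the engine.
import re
from typing import List, Pattern, Tuple
from urllib.parse import urlsplit

# Constructed subset of the trigger list shown above.
TRIGGERS = [
    "secure.indeed.com/account/login*",
    "*.indeed.com/v/favicon.ico[?]*",
    "hiring.monster.com/Login.aspx*",
    "secure.newegg.com/*/CheckoutStep1.aspx*",
    "*.admin.mailchimp.com/campaigns*",
    "*.godaddy.com*",
    "accurint.com/app/bps/main",
]


def pattern_to_regex(pattern: str) -> Pattern:
    """Translate one trigger pattern into an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("[?]", i):   # literal '?' marks the start of a query string
            parts.append(r"\?")
            i += 3
        elif pattern[i] == "*":            # wildcard: any run of characters, including none
            parts.append(".*")
            i += 1
        else:                              # everything else is literal
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED: List[Tuple[str, Pattern]] = [(p, pattern_to_regex(p)) for p in TRIGGERS]


def normalise(url: str) -> str:
    """Reduce a URL to the 'host/path?query' form the patterns are written in."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    out = parts.netloc + parts.path
    if parts.query:
        out += "?" + parts.query
    return out


def matching_triggers(url: str) -> List[str]:
    """Return every trigger pattern the URL satisfies (empty list if none)."""
    target = normalise(url)
    return [p for p, rx in COMPILED if rx.match(target)]


if __name__ == "__main__":
    for u in ("https://secure.indeed.com/account/login?hl=en",
              "https://secure.indeed.com/v/favicon.ico",
              "https://www.example.com/login"):
        print(u, "->", matching_triggers(u) or "no trigger")
```

Note the favicon patterns: with ‘[?]’ read as a literal question mark, a plain request for /v/favicon.ico does not match, only one that carries a query string, which is consistent with the ‘[?]*’ suffix being written on every favicon entry above.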

CTB-Locker: The Latest Crypto Malware Coming to you Via Email Spam

The latest crypto malware threat – CTB-Locker – promises to be one of the most serious security threats seen in recent years. The latest crypto malware is one of many of its ilk that have emerged in the past two years. This form of malware encrypts files on victims’ computers and will not unlock them until a ransom is paid. Only then will the key to decrypt data be provided.

Crypto malware has been around for some time, although its popularity has been increasing over the past couple of years. One of the first major crypto malware variants was CryptoLocker, which first emerged in late 2013 and was particularly active throughout the first half of 2014.

CryptoLocker was a major concern for many businesses and individuals. In June 2014 the FBI was able to disrupt CryptoLocker, along with GameOver Zeus, but according to the figures in its legal complaint against Evgeniy Bogachev, not before his malware had infected more than 230,000 computers, 120,000 of which were in the United States.

The second major crypto malware variant was CryptoWall. PhishMe documented 24 separate spam campaigns in Q3 that pushed CryptoWall.  But that number declined sharply in quarter 4, with only 10 CryptoWall spam campaigns seen in October, only 4 in November, and none at all in December.

The latest crypto malware threat emerged today. This new wave of crypto malware is being distributed via spam email.

PhishMe detected this new threat today when spam messages were intercepted containing an attachment that appeared to be some form of faxed document.  There were many variants of the spam messages including the one below:

  • Fax from RAMP Industries Ltd
  • [Fax server]= +07955-168045
  • [Fax server] : LPY.5705BBC7.1118
  • Incoming fax, NB-112420319-8448
  • New incoming fax message from +07829 062999
  • [Operational Support Ltd] Fax transmission=U2W9MABD921532EC5

The messages themselves contained very simple text explaining that your inbound fax was attached:

    No.: +07434 20 65 74
    Date: 2015/01/18 14:56:54 CST
    Pages: 5
    ID: TVZ.79483B95A.8086
    Filename: headband.zip

    Peter Brett Associates
    Eun Gransberry

The attached file was named with a seemingly random dictionary word (headband.zip in the message above); each of the .zip files observed by PhishMe followed the same pattern.

Many anti-spam tools now unzip .zip attachments to check for an .exe inside the compressed file. This spam attempts to avoid tripping such filters by nesting: the attached .zip contains another .zip, which in turn contains an .scr file (a Windows screensaver, which is an ordinary PE executable under a different extension).
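Added example, not from the PhishMe post: a recursive inspection routine that catches the .zip inside .zip inside .scr layering described above, which a scanner that unzips only one level would miss. The sample archive is constructed in memory (the .scr body is a dummy stub, not the Dalexis binary), and the executable-extension list and depth limit are choices made for this example.

```python
# Added example (not from the PhishMe post): recursive zip inspection for
# executable members hidden inside nested archives. The sample archive is
# constructed here; the extension list and depth limit are example choices.
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute directly; .scr is a PE with a screensaver suffix.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 5  # stop descending at some point so a zip-bomb cannot recurse forever


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def find_executables(data: bytes, prefix: str = "", depth: int = 0) -> List[Tuple[str, int]]:
    """Return (path, depth) for every executable member, descending into nested zips."""
    hits: List[Tuple[str, int]] = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = _ext(info.filename)
            if ext in EXECUTABLE_EXT:
                hits.append((path, depth))
            elif ext == ".zip":
                # A one-level scanner stops here; we keep going.
                hits.extend(find_executables(zf.read(info), path + "/", depth + 1))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for the spam attachment: headband.zip containing
    headband.zip containing headband.scr (the .scr body is a dummy MZ stub)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("headband.scr", b"MZ" + b"\x00" * 62)  # not a real binary
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("headband.zip", inner.getvalue())
    return outer.getvalue()


def verdict(data: bytes) -> str:
    """Summarise what a mail gateway should do with the attachment."""
    hits = find_executables(data)
    if not hits:
        return "clean: no executable members"
    deepest = max(d for _, d in hits)
    return f"block: executable at nesting depth {deepest}: " + ", ".join(p for p, _ in hits)


if __name__ == "__main__":
    print(verdict(build_sample()))
```

A scanner that only unpacks the outer archive sees a single entry named headband.zip and passes it; descending one more level is what exposes headband.scr.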

No two files that we reviewed had the same malware hash.  One of the many ways the anti-virus industry inflates their numbers is to count each unique hash as a separate file.  PhishMe prefers to refer to the malware by the campaign name.  Since every .scr file was unique, we could claim that each was a new malware variant; however, that would have no meaningful value since each of these samples performs the same action and is structurally identical, if not actually identical. The only thing different in each is the hash.

The “.scr” file, which will be named with the same dictionary word as the .zip file from which it was extracted, is a downloader known as Dalexis.

Dalexis performs a similar role to the more common Upatre malware. Its job is to covertly download additional malware, unpack it, and execute it. In this case it does so by retrieving a file named “pack.tar.gz” from a variety of websites, such as:

  • breteau-photographe.com / tmp / pack.tar.gz
  • com / assets / pack.tar.gz
  • asso.fr / piwigotest / pack.tar.gz
  • org / histoiredesarts / pack.tar.gz
  • voigt-its.de / fit / pack.tar.gz

These files are not actually .tar.gz archives; they are copies of the latest crypto malware, CTB-Locker, that have been XOR’ed in a scheme Dalexis knows how to reverse. Because the download crosses the network perimeter in this encoded form, it carries neither an executable header nor any recognizable file signature, so perimeter scanners that key on file type let it through unexamined.
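Added example, not from the PhishMe post: the first thing an analyst tries on an encoded download like pack.tar.gz is to recover the XOR key by looking for the PE signatures that the decoded file must contain. The post says only that the bodies are XOR’ed “in a special way” and does not document the scheme, so the single-byte repeating key here is an assumption that demonstrates the general approach; once the real routine is pulled from the Dalexis binary the decode function is swapped for it. The sample “PE” is a constructed header stub, not malware.

```python
# Added example (not from the PhishMe post): recovering a single-byte XOR key
# from an encoded PE by checking for 'MZ' at offset 0 and 'PE\0\0' at e_lfanew.
# The single-byte-key scheme is an assumption; the stub PE is constructed.
import struct
from typing import Optional

PE_OFFSET_FIELD = 0x3C  # e_lfanew: where the DOS header stores the PE signature offset


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ at 0 and PE\\0\\0 at e_lfanew."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, PE_OFFSET_FIELD)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the first that yields a PE-shaped buffer.

    Checking the PE signature as well as 'MZ' matters: with only two bytes of
    signature a random key can look right by chance on a large enough blob.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def make_stub_pe() -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header with e_lfanew=0x80,
    then the PE signature. Not loadable; just enough header for the checks."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, PE_OFFSET_FIELD, 0x80)
    return bytes(dos) + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + b"\x00" * 20


def decode_download(blob: bytes) -> Optional[bytes]:
    """What a Dalexis-style stage does with the fetched 'pack.tar.gz' body,
    under the single-byte-key assumption: find the key, strip the encoding."""
    key = recover_single_byte_key(blob)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    encoded = xor_bytes(make_stub_pe(), 0x5A)  # constructed stand-in for pack.tar.gz
    key = recover_single_byte_key(encoded)
    print("recovered key:", hex(key) if key is not None else "none")
```

If the search returns no key, the encoding is not a single repeating byte, which is the point at which to stop guessing and read the decode loop in the downloader itself.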

At that point, CTB-Locker takes over. CTB stands for Curve, Tor, Bitcoin. Curve refers to the malware’s use of elliptic curve cryptography, which its author claims is equivalent to RSA with a 3072-bit key. The first description of CTB we saw was by the malware researcher Kafeine back in July 2014; at that time, CTB was primarily associated with the Angler Exploit Kit.

The author of the malware announced CTB to the criminal underworld in June, with a couple interesting points.

The criminal, who uses the handle Tapkin, offered the malware for $3,000, with a 50% discount to the first purchaser. He also advertised plans to offer it under an affiliate model. Under such a scheme, Tapkin or another criminal hosts CTB while affiliates earn commission by infecting people: when a ransom is paid, the affiliate gets a cut and so does Tapkin. It is the same affiliate-marketing tactic retailers use online: others do the hard work of generating sales, the retailer takes a smaller cut, and since those are sales it would likely not otherwise have made, everyone is a winner.

We are not yet sure whether today’s spam will turn out to be part of such an affiliate program or is simply one of Tapkin’s customers at work. We believe the Angler Exploit Kit will continue to deliver some forms of CTB-Locker, but expect this to be the beginning of a long series of similar spam messages. One obstacle the criminals face is that the Tor requirement may prove a barrier to victims actually paying.

Regardless of how it is distributed, the sequence of infection with this latest crypto malware is as follows:

  1. After CTB has been downloaded, it encrypts files on the local machine. Many file types not encrypted by previous crypto malware have been added in this version; most interestingly, several extensions related to computer source code, the kind of files likely to be found on a programmer’s computer.

  2. Once the encryption process is complete, the countdown begins. There is a payment window for sending the ransom; failure to pay on time will see the files encrypted forever.

  2a. Choosing the “View” screen displays a list of the victim’s encrypted files.

  3. When the victim is ready to decrypt their files, clicking NEXT results in a request for the Private Decryption Key.

  4. But of course they aren’t going to give that away for FREE!

  5. The only payment type accepted is Bitcoin, but several helpful links are included to educate the victim on how to buy it. The ransom demanded is substantial, the highest price we’ve seen in crypto malware to date: this version asks for EIGHT Bitcoin, currently worth around $1,520 USD.

  6. The addresses offered for contacting the criminals’ website require the Tor network. If you have Tor installed, you can use the “.onion.cab” address; if you don’t, you can use a “tor2web.org” gateway.

A more detailed analysis of this report has been provided PhishMe Intelligence subscribers. The campaign ID is #2644.