Custom Macro Delivers Locky

The new Locky ransomware has been making big headlines recently due to its reported links to the Dridex botnet. This week, the team at Wapack Labs took a closer look at a unique malicious macro that has been downloading Locky payloads for the past couple days.

Similar to Dridex, the macro is delivered via large scale phishing attacks and it is embedded in Microsoft Excel documents. The good news is the macro will not be launched upon rendering the host document, it requires user interaction in order to enable it.

All macro malware will either launch embedded files or download remote files. Variants that download malware have become increasingly popular as they trigger less static detections. Typically the download URLs that are embedded in these macros are obfuscated so as to make detection and analysis more difficult. Fortunately, these URL obfuscation tactics are often rudimentary and they also present unique artifacts for malware identification.

The Locky macro is no different. Close to 300 specimens were identified and every one makes use of the same simple URL obfuscation. This method is characterized by ASCII character codes which are delimited with |1. The following is an example observed in strings:

After removing the |1 delimiter and converting the remaining ASCII codes, we are left with the download URL which consists of a compromised website.  Despite identifying hundreds of recent specimens in the past two days, only 17 distinct URL download sites were identified – all delivering the same payload.

meow://organichorsesupplements.co.uk/system/logs/7647gd7b43f43[.]exe

meow://vipkalyan.com.ua/system/logs/7647gd7b43f43[.]exe

meow://sekiedge.co.uk/system/logs/7647gd7b43f43[.]exe

meow://tramviet.vn/system/logs/7647gd7b43f43[.]exe

meow://jurisdocs.3forcom.net/system/logs/7647gd7b43f43[.]exe

meow://shop.zoomyoo.com/image/templates/7647gd7b43f43[.]exe

meow://kaminus.com.ua/admin/view/7647gd7b43f43[.]exe

meow://cms.insviluppo.net/images/slides/7647gd7b43f43[.]exe

meow://sugarhouse928.com.my/system/logs/7647gd7b43f43[.]exe

meow://ramevent.ru/system/logs/7647gd7b43f43[.]exe

meow://merichome.com/system/logs/7647gd7b43f43[.]exe

meow://alkofuror.com/system/engine/7647gd7b43f43[.]exe

meow://tutikutyu.hu/system/logs/7647gd7b43f43[.]exe

meow://mppl.ca/system/logs/7647gd7b43f43[.]exe

meow://remont-krovlia.ru/system/cache/7647gd7b43f43[.]exe

meow://neways-eurasia.com.ua/system/logs/7647gd7b43f43[.]exe

meow://acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43[.]exe

All observed file names use the same naming convention which contains the prefix “Rechnung”, German for bill, followed by randomized hex ascii. Examples:

Rechnung-FF8-16909.xls

Rechnung-649-748599.xls

Rechnung-784-074688.xls

Rechnung-56BE-68985.xls

Rechnung-AA-62891.xls

Rechnung-674-80222.xls

Among all of these Locky macros, there was no consistent AV detection ratio. Some had zero detection while others had over 20. Nevertheless, a large amount had poor detection with more than 40% detected by less than 10 AV vendors. Unfortunately, this poor AV detection exemplifies macro malware as a whole and explains the popularity of this tactic.

We suspect that we haven’t seen the last of Locky and that more of these will be popping up in the near future. Happy hunting and stay vigilant!

Analyst Resources:

The following python code may be used to de-obfuscate the Locky macro URLs:

url = '1104|1116|1116|1112|1058|1047|1047|1110|1101|1119|1097|1121|1115|1045|1101|1117|1114| 1097|1115|1105|1097|1046|1099|1111|1109|1046|1117|1097|1047|1115|1121|1115|1116|1101| 1109|1047|1108|1111|1103|1115|1047|1055|1054|1052|1055|1103|1100|1055|1098|1052|1051|1102| 1052|1051|1046|1101|1120|1101' url = url[1:] url = url.split('|1') url_int = [] for u in url:     url_int.append(int(u)) decoded_url = ''.join(chr(i) for i in url_int) print decoded_url

The following yara rule will detect files that leverage the URL obfuscation observed in the Locky macro downloaders:

rule Locky_URL_Encoding { meta: description = "Detects unique URL obfuscation seen in Locky macro downloaders" author = "Chris Hall (chall@wapacklabs.com)" strings: $http = "1104|1116|1116|1112" $exe = "|1046|1101|1120|1101" condition: all of them }

Russian hackers tested manipulation of exchange rates by hacking into bank trading system

The markets are in danger. We’ve seen market manipulation in cyber activities ranging from mining

operations to ships being held at sea.  As well, I proofed, last night a report suggesting direct access to an overseas stock exchange. Fraud is rampant, but now, attackers are testing direct market manipulation. It was only a matter of time.  

Group-IB reported recently on what it claims is the first documented case of hackers directly attacking trading system to change prices and increase volatility. Over $400M in sales executed on that day in 2015 resulted in $3.2M direct losses to the affected bank. While primary targeting by Corkow/Metel trojan being Russia infections in US were growing fast too.

Damages?

·       Direct losses due to malicious trades ($3.2M)

·       Initial investigation by the country authorities who thought the bank is manipulating the market

·       Loss of the trust from partners who thought bank is covering it's own technical trading mistakes. Information about the breach may cause some reputation cost as well.

Possible benefit scenarios for hackers:

·       Direct purchases/sales on their own capital (according to Group-IB it was not the case this time)

·       Direct connections with traders who executed trades after hackers changed prices (according to Group-IB it was not the case this time)

·       Indirect and difficult to detect game on futures market which allows to multiply capital in this case up to 20-fold

·       Executing an order of competitors or having self-interest to hurt the affected financial institution

·       As a step in an extortion scheme

Details:

“In February 2015 the first major successful attack on a Russian trading system took place, when hackers gained unsanctioned access to trading system terminals using a Corkow Trojan resulting in trades of more than $400 million. The criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program on behalf of a bank using malware. The attack itself lasted only 14 minutes, however, it managed to cause a high volatility in the exchange rate of between 55 - 62 (Buy/Sell) rubles per 1 dollar instead of the 60 - 62 stable range. Losses to financial institution were estimated in the millions. To conduct the attack criminals used the Corkow malware, also known as Metel, containing specific modules designed to conduct thefts from trading systems, such as QUIK operated by ARQA Technologies and TRANSAQ from ZAO “Screen market systems”. Corkow provided remote access to the ITS - Broker system terminal by «Platforma soft» Ltd., which enabled the fraud to be committed.

Timeline of the attack

In August 2015 a new incident related to the Corkow (Metel) Trojan was detected. An attack on a bank card systems , which included about 250 banks which used the bank card system to service cash withdrawals from Visa and MasterCard cards under a special tariff. This attack resulted in the hundreds of millions of rubles being stolen via ATMs of the systems members.

According to Group-IB statistics, as of the beginning of 2015 this botnet encompassed over 250,000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list. Hackers target primarily companies in Russia and CIS countries, though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011. Antiviruses are not capable of effectively preventing these threats. The majority of computers infected by this malware have antivirus installed and active. The Trojan can stay undetected in the system for more than 6 months.

In 2014 Corkow had a QUIK v.1.0. module for collecting data from the Quik trading software developed by ARQA Technologies. In 2015 Corkow’s developers updated the QUIK module to v.1.1. and released another module TRZQ v.1.0. to copy information from the trading system’s application TRQNSAQ developed by ZAO «Screen market systems». The re-development of the old QUIK module and development of the new TRANSAQ module show the Corkow group’s continued interest in targeting trading system.

The attack itself lasted only 14 minutes, during which all losses were sustained, however, the preparations for this intrusion took a much longer time. Hackers gained access to a computer in the trading system in September 2014. From this time the Trojan was functional and constantly updated itself to avoid detection by antivirus software installed at the bank which was in functioning order. As of the Group-IB investigation of this malware program in March 2015, Corkow v.7.118.1.1 had not been detected by a single antivirus program Starting in December 2014, the criminal group began running keyloggers in the infected system. On the 27th of February, 2015 Corkow provided remote access to the trading system which enabled the hackers to launch programs and enter data at the same time as the system operator did.”

  

Previosly hackers from Ukraine gained access to unpublished stock reports used that information in cooperation with some brokers.

Ivan Turchynov and Oleksandr Ieremenko, two Ukrainian hackers, were indicted on 10 August 2015, for the $100 million insider trading scheme that relied on stealing unpublished press releases. These hackers likely penetrated financial and media databases for years and are likely sophisticated programmers who were very active in the Russian and Ukrainian hacker communities prior to the 2010 breach. Wapack Labs analysts were able to identify these individuals on the Ukrainian Internet as well as connections and possible co-conspirators who may have researched the targets.

One of the companies named in the SEC complaint concerning Ukrainian hackers DSU and Lamarez sharing stolen unpublished press-releases with traders is Exante LTD. This company was registered in Malta by three Russians, Knyazev, Maslyakov and Kirienko, with backgrounds in markets and IT. One of the most unusual of Exante's projects was Bitcoin Fund – ability to invest in Bitcoins. On the peak Bitcoin Fund had up to $100M (92,000 Btc). And coincidently(?) they sold their Bitcoin investments and recommended the same to their clients on the very peak of the Bitcoin price.

One of those attackers, Oleksandr Ieremenko (Alexander Eryomenko, AKA “Lamarez”, “Zl0m”, “Ded.Mcz” and “Sh..)”, is the domain registrant for a Black Energy malware command and control domain.

---

[1] www.group-ib[.]ru/brochures/Group-IB-Corkow-Report-EN.pdf

Brazilian Trojan Targets Banks

A Trojan that’s been going after banks since late October appears to be part of a family of malware born in Brazil, and since mid-December a new variation named “Kaicone” has been on the prowl, stealing funds from online customers of the country’s largest banks.

The Kaicone Trojan, believed to be part of the Kaiser Malware family, infects computers after the victim opens an email alleging to be from a trusted source. Using a keylogger, the malware records all of the characters typed into the computer by the user, including usernames and passwords. The malware reports this information back to the hacker, who then takes over the computer, accesses the victim’s bank accounts, and starts transferring funds to his own account.

The Kaiser Family is believed to have originated in Brazil, which is where its primary targets are. The new version identified by was discovered by TELUS Security Labs, and the victims of the attacks have been online banking customers of Brazilian banking entities, primarily Banco de Brazilia, one of the country’s largest financial institutions.

Trojan attacks on banks are not uncommon in Brazil. According to a 2014 report by Kapersky Labs, the country had the second highest number of banking attacks, accounting for 6.55 percent of all attacks worldwide (Russia topped the charts with 29.97 percent while the US saw 5.33 percent).

But in terms of the total percentage of users victimized by financial malware, Brazil held the record, according to Kapersky. More than 20 percent of online banking customers in Brazil had their accounts compromised by hackers in 2014.