Friday, February 19, 2016

Custom Macro Delivers Locky

The new Locky ransomware has been making big headlines recently due to its reported links to the Dridex botnet. This week, the team at Wapack Labs took a closer look at a unique malicious macro that has been downloading Locky payloads for the past couple of days.


Similar to Dridex, the macro is delivered via large-scale phishing attacks and is embedded in Microsoft Excel documents. The good news is that the macro will not be launched upon rendering the host document; it requires user interaction in order to enable it.



All macro malware will either launch embedded files or download remote files. Variants that download malware have become increasingly popular as they trigger fewer static detections. Typically the download URLs embedded in these macros are obfuscated so as to make detection and analysis more difficult. Fortunately, these URL obfuscation tactics are often rudimentary, and they also present unique artifacts for malware identification.

The Locky macro is no different. Close to 300 specimens were identified and every one makes use of the same simple URL obfuscation. This method is characterized by ASCII character codes which are delimited with |1. The following is an example observed in strings:



After removing the |1 delimiter and converting the remaining ASCII codes, we are left with the download URL, which points at a compromised website. Despite identifying hundreds of recent specimens in the past two days, only 17 distinct URL download sites were identified – all delivering the same payload.


All observed file names use the same naming convention, which consists of the prefix “Rechnung”, German for bill, followed by randomized hexadecimal characters. Examples:

Rechnung-FF8-16909.xls
Rechnung-649-748599.xls
Rechnung-784-074688.xls
Rechnung-56BE-68985.xls
Rechnung-AA-62891.xls
Rechnung-674-80222.xls

Among all of these Locky macros, there was no consistent AV detection ratio. Some had zero detections while others had over 20. Nevertheless, a large number had poor detection: more than 40% were detected by fewer than 10 AV vendors. Unfortunately, this poor AV detection is typical of macro malware as a whole and explains the popularity of this tactic.

We suspect that we haven’t seen the last of Locky and that more of these will be popping up in the near future. Happy hunting and stay vigilant!

Analyst Resources:

The following Python code may be used to de-obfuscate the Locky macro URLs (the sample string is the encoded form of one of the observed download URLs):

url = ('1104|1116|1116|1112|1058|1047|1047|1110|1101|1119|1097|1121|1115|1045|1101|1117|1114|'
       '1097|1115|1105|1097|1046|1099|1111|1109|1046|1117|1097|1047|1115|1121|1115|1116|1101|'
       '1109|1047|1108|1111|1103|1115|1047|1055|1054|1052|1055|1103|1100|1055|1098|1052|1051|1102|'
       '1052|1051|1046|1101|1120|1101')
url = url[1:]            # drop the leading "1" so every remaining token is "|1<code>"
url = url.split('|1')    # split on the "|1" delimiter, leaving the decimal ASCII codes
url_int = []

for u in url:
    url_int.append(int(u))

decoded_url = ''.join(chr(i) for i in url_int)
print(decoded_url)

The following YARA rule will detect files that leverage the URL obfuscation observed in the Locky macro downloaders (the two strings are the encoded forms of "http" and ".exe"):


rule Locky_URL_Encoding
{
    meta:
        description = "Detects unique URL obfuscation seen in Locky macro downloaders"
        author = "Chris Hall (chall@wapacklabs.com)"

    strings:
        $http = "1104|1116|1116|1112"
        $exe = "|1046|1101|1120|1101"

    condition:
        all of them
}
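The decoder above handles one hard-coded string. As an added example (not code from the original post), the following script generalizes it: it scans dumped strings for any "|1"-delimited run of ASCII codes, rejects runs that do not decode to printable ASCII, keeps the ones that decode to a URL, and applies the same two markers the YARA rule uses. The VBA-like sample strings and the encoded URL in them are constructed for illustration.

```python
import re
from typing import List, Optional

# One obfuscated token is "1" followed by the decimal ASCII code of a character
# (2-3 digits). A run of such tokens joined by "|" is what the macro assembles
# the download URL from; the scheme described above strips the "|1" delimiters.
TOKEN_RUN = re.compile(r"(?<!\d)1\d{2,3}(?:\|1\d{2,3})+(?!\d)")

# Same two markers as the Locky_URL_Encoding YARA rule: encoded "http" and ".exe".
MARKER_HTTP = "1104|1116|1116|1112"
MARKER_EXE = "|1046|1101|1120|1101"


def decode_run(run: str) -> Optional[str]:
    """Decode one '|'-joined run of '1<code>' tokens.

    Returns None when any code falls outside printable ASCII, which filters out
    ordinary numeric data (version strings, sizes) that happens to look similar.
    """
    chars = []
    for token in run.split("|"):
        code = int(token[1:])  # drop the leading "1" that belongs to the delimiter scheme
        if not 32 <= code <= 126:
            return None
        chars.append(chr(code))
    return "".join(chars)


def extract_urls(strings_output: str) -> List[str]:
    """Return every decoded run in dumped strings that looks like a download URL."""
    found = []
    for match in TOKEN_RUN.finditer(strings_output):
        decoded = decode_run(match.group(0))
        if decoded and decoded.lower().startswith(("http://", "https://")):
            found.append(decoded)
    return found


def looks_like_locky_encoding(strings_output: str) -> bool:
    """Mirror the YARA rule: both the encoded 'http' and '.exe' markers must be present."""
    return MARKER_HTTP in strings_output and MARKER_EXE in strings_output


# Constructed sample of what `strings` output from a macro module might contain.
# The first run encodes "http://example.invalid/a.exe" (a placeholder, not a real site),
# the second is plain numeric data, and the third decodes to a non-URL word.
SAMPLE_STRINGS = """\
Attribute VB_Name = "Module1"
Sub Auto_Open()
  a = "1104|1116|1116|1112|1058|1047|1047|1101|1120|1097|1109|1112|1108|1101|1046|1105|1110|1118|1097|1108|1105|1100|1047|1097|1046|1101|1120|1101"
  b = "1234|5678"
  c = "1072|1101|1108|1108|1111"
End Sub
"""

if __name__ == "__main__":
    print("YARA-style markers present:", looks_like_locky_encoding(SAMPLE_STRINGS))
    for url in extract_urls(SAMPLE_STRINGS):
        print("decoded download URL:", url)
```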







Saturday, February 13, 2016

Russian hackers tested manipulation of exchange rates by hacking into bank trading system

The markets are in danger. We’ve seen market manipulation in cyber activities ranging from mining operations to ships being held at sea. As well, last night I proofed a report suggesting direct access to an overseas stock exchange. Fraud is rampant, but now attackers are testing direct market manipulation. It was only a matter of time.

Group-IB reported recently on what it claims is the first documented case of hackers directly attacking a trading system to change prices and increase volatility. Over $400M in sales executed on that day in 2015 resulted in $3.2M in direct losses to the affected bank. While the primary targets of the Corkow/Metel trojan are in Russia, infections in the US were growing fast too.

Damages?

·       Direct losses due to malicious trades ($3.2M)
·       Initial investigation by the country's authorities, who thought the bank was manipulating the market
·       Loss of trust from partners, who thought the bank was covering its own technical trading mistakes. Information about the breach may carry some reputational cost as well.

Possible benefit scenarios for hackers:

·       Direct purchases/sales on their own capital (according to Group-IB this was not the case this time)
·       Direct connections with traders who executed trades after the hackers changed prices (according to Group-IB this was not the case this time)
·       An indirect and difficult-to-detect game on the futures market, which allows capital to be multiplied, in this case up to 20-fold
·       Executing an order from competitors, or a self-interest in hurting the affected financial institution
·       As a step in an extortion scheme

Details:

In February 2015 the first major successful attack on a Russian trading system took place, when hackers gained unsanctioned access to trading system terminals using the Corkow Trojan, resulting in trades of more than $400 million. The criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program on behalf of a bank using malware. The attack itself lasted only 14 minutes; however, it managed to cause high volatility in the exchange rate, of between 55 - 62 (Buy/Sell) rubles per 1 dollar instead of the stable 60 - 62 range. Losses to the financial institution were estimated in the millions. To conduct the attack the criminals used the Corkow malware, also known as Metel, containing specific modules designed to conduct thefts from trading systems, such as QUIK operated by ARQA Technologies and TRANSAQ from ZAO “Screen market systems”. Corkow provided remote access to the ITS - Broker system terminal by «Platforma soft» Ltd., which enabled the fraud to be committed.


Timeline of the attack
In August 2015 a new incident related to the Corkow (Metel) Trojan was detected: an attack on a bank card system, which included about 250 banks that used it to service cash withdrawals from Visa and MasterCard cards under a special tariff. This attack resulted in hundreds of millions of rubles being stolen via the ATMs of the system's members.

According to Group-IB statistics, as of the beginning of 2015 this botnet encompassed over 250,000 infected devices worldwide, including more than 100 infected financial institutions, 80% of them from the top 20 list. The hackers target primarily companies in Russia and CIS countries, though the number of attacks targeting the USA has increased 5 times since 2011. Antivirus products are not capable of effectively preventing these threats: the majority of computers infected by this malware have antivirus installed and active, and the Trojan can stay undetected in the system for more than 6 months.

In 2014 Corkow had a QUIK v.1.0. module for collecting data from the QUIK trading software developed by ARQA Technologies. In 2015 Corkow’s developers updated the QUIK module to v.1.1. and released another module, TRZQ v.1.0., to copy information from the trading system application TRANSAQ developed by ZAO «Screen market systems». The re-development of the old QUIK module and the development of the new TRANSAQ module show the Corkow group’s continued interest in targeting trading systems.

The attack itself lasted only 14 minutes, during which all losses were sustained; however, the preparations for this intrusion took much longer. The hackers gained access to a computer in the trading system in September 2014. From this time the Trojan was functional and constantly updated itself to avoid detection by the antivirus software installed at the bank, which was in functioning order. As of the Group-IB investigation of this malware program in March 2015, Corkow v.7.118.1.1 had not been detected by a single antivirus program. Starting in December 2014, the criminal group began running keyloggers in the infected system. On the 27th of February, 2015 Corkow provided remote access to the trading system, which enabled the hackers to launch programs and enter data at the same time as the system operator did.
  
Previously, hackers from Ukraine gained access to unpublished stock reports and used that information in cooperation with some brokers.

Ivan Turchynov and Oleksandr Ieremenko, two Ukrainian hackers, were indicted on 10 August 2015, for the $100 million insider trading scheme that relied on stealing unpublished press releases. These hackers likely penetrated financial and media databases for years and are likely sophisticated programmers who were very active in the Russian and Ukrainian hacker communities prior to the 2010 breach. Wapack Labs analysts were able to identify these individuals on the Ukrainian Internet as well as connections and possible co-conspirators who may have researched the targets.

One of the companies named in the SEC complaint concerning the Ukrainian hackers DSU and Lamarez sharing stolen unpublished press releases with traders is Exante LTD. This company was registered in Malta by three Russians, Knyazev, Maslyakov and Kirienko, with backgrounds in markets and IT. One of the most unusual of Exante's projects was Bitcoin Fund, which offered the ability to invest in Bitcoins. At its peak Bitcoin Fund held up to $100M (92,000 BTC). And coincidentally(?) they sold their Bitcoin investments, and recommended the same to their clients, at the very peak of the Bitcoin price.

One of those attackers, Oleksandr Ieremenko (Alexander Eryomenko, AKA “Lamarez”, “Zl0m”, “Ded.Mcz” and “Sh..)”, is the domain registrant for a Black Energy malware command and control domain.






[1] www.group-ib[.]ru/brochures/Group-IB-Corkow-Report-EN.pdf

Friday, February 5, 2016

Brazilian Trojan Targets Banks

A Trojan that’s been going after banks since late October appears to be part of a family of malware born in Brazil, and since mid-December a new variation named “Kaicone” has been on the prowl, stealing funds from online customers of the country’s largest banks.
The Kaicone Trojan, believed to be part of the Kaiser Malware family, infects computers after the victim opens an email alleging to be from a trusted source. Using a keylogger, the malware records all of the characters typed into the computer by the user, including usernames and passwords. The malware reports this information back to the hacker, who then takes over the computer, accesses the victim’s bank accounts, and starts transferring funds to his own account.
The Kaiser family is believed to have originated in Brazil, which is where its primary targets are. The new version was discovered by TELUS Security Labs, and the victims of the attacks have been online banking customers of Brazilian banking entities, primarily Banco de Brazilia, one of the country’s largest financial institutions.
Trojan attacks on banks are not uncommon in Brazil. According to a 2014 report by Kaspersky Labs, the country had the second highest number of banking attacks, accounting for 6.55 percent of all attacks worldwide (Russia topped the charts with 29.97 percent while the US saw 5.33 percent).
But in terms of the total percentage of users victimized by financial malware, Brazil held the record, according to Kaspersky. More than 20 percent of online banking customers in Brazil had their accounts compromised by hackers in 2014.

Saturday, January 30, 2016

10 Things you probably didn’t know about Cyber Attacks on the Energy Sector

On 26 January, Ars Technica reported that the Israeli Electric Authority had reported a power outage, and also claimed it to be the result of hackers.

For the past four years Wapack Labs has been digging deep into the targeting of the energy sector. Once relegated to nation-state warfare (think STUXNET), it soon became clear that the shift to renewable energy and the development of geostrategic reserves put a bull’s eye on critical infrastructure in the energy sector, and that those cyber operations clearly have operational and physical effects.

These are ten things that Wapack Labs knows about attacks on critical infrastructure in the energy sector that you most likely have never heard before, including the most recent attacks on Ukraine’s power stations. These ten things are just a peek at what we know about the threats to the energy sector and are meant to provoke questions and conversation from the reader.

#1 Telephone Distributed Denial of Service (TDoS) attacks accompanied attacks on Ukrainian critical infrastructure
On 28 December 2015, five days after the blackout in the western Ukraine, Security Service of Ukraine (SBU) reported it suspected Russian hackers of conducting a “telephone flood” to regional energy companies’ technical support departments. According to SBU, this telephone flood was accompanying a “computer virus attack” on these companies.  

#2 What researchers are calling the new BlackEnergy was in fact first seen by Wapack Labs in October of 2014, over a year before the 2015 attacks on Ukraine’s power grid. 
The Russian APT group, the Sandworm Team, suspected in this attack and a BlackEnergy user, also previously targeted the Human-Machine interface (HMI) of General Electric’s (GE) CIMPLICITY SCADA systems in mid-2014.

#3 Malicious software used in cyber-attacks on energy-sector critical infrastructure, believed to originate in China, was written in a computer language popular with Russian hackers.
The Zwshell Trojan used in the Night Dragon campaign in 2011 was written in Delphi, a popular programming language among Russian programmers. Despite the fact that Chinese hackers are not known to use Delphi, a connection between Night Dragon and Russian hackers remains an intelligence gap.

#4 Striking INTESA workers in Venezuela disrupted two-thirds of the country’s oil production.
The attackers were unsophisticated, but reportedly managed to delete data from the programmable logic controllers (PLC) controlling tanker loading at a marine terminal in eastern Venezuela. Backups were unaffected and PDVSA was able to restore operations, but the attackers succeeded in disrupting two-thirds of Venezuela’s 3.0 million bbl/d of production. Ultimately, a strategic joint venture between SAIC and INTESA collapsed and all remote systems were ordered to be disabled.

#5 Venezuela has partnered with Cuba to replace its commercial PLC and SCADA infrastructure.
Venezuela’s SCADA software management system, known as GALBA, was developed by the PDVSA and Havana’s University of Information Science “to preserve our sovereignty and oil independence.”  It is unlikely this new infrastructure is being tested for vulnerabilities and is likely compromised.

#6 Within a year of changing its PLC and SCADA infrastructure, the country was heavily targeted by the Liberpy keylogger malware.
Liberpy is a malware threat that undermines the security of a system by reporting all keyboard events (keys the user presses). Liberpy is spread via USB devices, reminiscent of STUXNET, and compromised more than 2000 systems in only a few months. By 2015, over 98% of global Liberpy infections were in Venezuela. It is likely that Venezuela’s critical infrastructure has been infected with this malware.

#7 Global energy supply chains are being compromised by the least sophisticated malware.
Wapack Labs has discovered nearly 12,000 individual organizations that have been compromised by inexpensive commercial administration tools. So-called Nigerian 419 scammers target the energy sector through social engineering and computer intrusion schemes, fooling employees into wiring money. The FBI estimates the losses at near US$800 million.

#8 Once compromised by Nigerian 419 scammers, all of your infrastructure is compromised.
Through keyloggers, Nigerian 419 scammers are saving the unencrypted credentials of their victims on public web servers. Simple techniques allow others to aggregate those credentials, including administration passwords, which are then sold on the black market to fraudsters and others conducting industrial espionage, including access to PLC and SCADA systems.

#9 If your business is located at a supply chain choke point, you’re more likely to be a target of attack
There is no doubt that energy choke points are highly valued targets for industrial espionage. Wapack Labs has geo-located thousands of compromised credentials of energy sector employees that fall near, or at, supply chain choke points including the Danish Straits, the Suez Canal, the Panama Canal and the Strait of Malacca. These compromised systems give extraordinary access to global energy supply chains.

#10 Critical infrastructure vital to the free movement of the world’s energy supply has been compromised.

Wapack Labs has identified that pilot services responsible for the movement of oil and LNG ships, including post-Panamax ships, have been compromised, giving hackers access to pilot operations. In the same location, suppliers of harbor monitoring systems such as data buoys and meteorological measurement have also been compromised, giving unauthorized access to systems critical to the safety of persons and property at sea.

BT

This was an introductory piece written by one of our analysts this week as a primer on work we've tracked and analyzed as a result of our GEOPOLITICAL risk monitoring in current world hot spots. We've partnered with some really smart folks who know the industrial control space, but by simply monitoring risk in the world, pieces like these become possible. When corroborated with sources on the ground and the cyber work we do on a regular basis, the stories move from risk, to threat, to real.

For more information, please feel free to contact me. 

jstutzman@wapacklabs.com
844-4-WAPACK (ext 700)

Thursday, July 23, 2015

Analysts Say Hacking Team Breach Creates ‘One-Stop Shop for Badness’

July 21, 2015

An attack on an Italian cyber-security firm is having far-reaching implications and Microsoft is now finding itself on the defensive trying to patch holes that are letting in the worst kind of malware.
On July 6, a company called Hacking Team, which provides spyware and other surveillance technology to government agencies and law enforcement around the world, ironically could not prevent a team of hackers from invading their own databases. The attackers stole massive amounts of sensitive information, including documents identifying weaknesses in software programs like Internet Explorer, and made all of this information public.
“You could say that they got hacked and now the bad guys know how to get the good guys,” said a Wapack Labs analyst who is currently monitoring the situation.
These weaknesses in software, called zero-day vulnerabilities, allow hackers (including Hacking Team) to use exploit software to find their way into computers and access private information such as user names and passwords. From there, the hackers can let themselves into the victim’s personal cyberspace, accessing everything from contact lists to credentials for financial accounts to Facebook profiles.
While developing technology to allow their clients in the US, Egypt, Iran and other countries to spy on criminals, political opponents, and ordinary citizens, Hacking Team identified a “zero day” vulnerability (one not previously known) in Internet Explorer 11 that opened a door into computers running Windows. When cyber-rogues turned the tables on Hacking Team and slipped into the company’s seemingly secure network, the Internet Explorer vulnerability that Microsoft was apparently unaware of was up for grabs to hackers around the globe.
“It’s one thing for a company to work with governments to help track bad actors through cyberspace,” said a Wapack Lab analyst, “it’s another for one to collect these exploits and become a one-stop shop for badness.”

The IE11 vulnerability has resulted in a particularly insidious type of invasion of Windows computers using remote code execution malware. Once inside a system, remote code execution gives hackers access to the computer and lets them make changes within the system, no matter where the owner is located in the world.
Remote code execution malware is difficult for users to detect because it circumvents normal security settings, anti-virus and anti-malware programs, and memory protection technologies. 
On June 9, Vectra Threat Labs notified Microsoft that the zero-day vulnerability in Internet Explorer was being exploited by hackers using remote code execution malware to victimize Windows users. Five days later, Microsoft presented an update to patch the weak spot, named MS15-065 CVE-2015-2419. But if users aren’t downloading the patch, they face continued threats from hackers taking over their computers.
This recent attack on Microsoft using information stolen from Hacking Team is just the tip of the iceberg. More than 450GB of data was stolen from the firm, and hackers from every corner of the world are currently sifting through the bounty, looking for vulnerabilities like the one used to attack Internet Explorer. Though Hacking Team purports to be finding holes in software to benefit law enforcement and government agencies, from an economic standpoint the company could profit exponentially if it were to sell its information to both sides of a conflict.
As Wapack Labs analysts continue to monitor the global implications of Hacking Team’s security weaknesses as they unfold, they will be working to determine just whose side Hacking Team is really on. Is the firm selling information about software vulnerabilities to a government, and then offering a heads-up about those vulnerabilities to the parties the government intends to target?
If so, Hacking Team certainly would not be the first high tech company to engage in profiteering by selling technology to both sides of a conflict. In 2001, journalist and historian Edwin Black reported that IBM’s German-based subsidiary profited wildly by selling its punch card data collection and processing equipment – the precursor to the modern computer – to the Nazis in the years leading up to the war. IBM continued to provide technology to the Nazis even after the US joined the Allies to oust the Third Reich. At the same time, IBM was selling the same equipment to Allied governments. However, while the Allies were using the equipment to track the movement of troops, supplies and equipment, the Nazis were using it to record and improve the deadly efficiency of the concentration camp system.
Technology has come a long way since the punch card, but turning a profit by selling technological weapons to oppressive governments, and their foes, may have been brought into the modern era by companies like Hacking Team.
Regardless of their intent, which Wapack Labs analysts will continue to try to determine, Hacking Team has aided and abetted the enemies of their clients by failing to protect their own data.

About Wapack Labs
Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or feedback@wapacklabs.com.

Wednesday, March 18, 2015

Manchester, NH - Cyber Intelligence Hub??

I've been thinking about how this might sound if posted, but for the last 24 hours, it's stuck with me. I can't seem to make it go out of my head --kinda like that music that my kids sing over and over.

We posted a piece on the Wapack Labs CMS site today that talked, at a high level, about a slug of data that we happened upon during our routine daily tasks. That slug of data was roughly 3.5Gb (and still growing) of user names and passwords (plus financials, plans, and a lot more) from over 100 transportation and shipping companies in dozens of countries around the world. This was a GREAT piece of work by our analytic team. And we do this on a daily basis. Some of the stories we tell, well, truth is stranger than fiction, and here in our office, we can tell you some stories that if you saw them on television, you probably wouldn't believe it.

One such story came out two days ago. I'm not going to take credit because we didn't write it. This kind of work is clearly not even in our ballpark. It's a different kind of intelligence called a new name.. "Internet Intelligence". It means, identifying how things are routed on the internet. We (the lab) focus more on the who and why, where this report focused on how the internet moved data. I'm referring to a report put out by Dyn describing nuclear data in the UK being routed to Russia. To us, this comes as no surprise, but to the lay reader, you might wonder why? Great question!

So here's the deal... I realized yesterday as I walked up to Elm Street from our little nondescript office in the mills, that we live in a town that literally possesses an amazing skillset in cyber. I know of one small company here that does penetration testing work... for those not in the know, these guys are GOOD. They work for DC organizations. Dyn showed that they have an amazing capacity for internet intelligence, and us? Well, we do cyber intel for thousands of banks, a big telecom provider, some Managed Security Companies, and a whole bunch of Global 2000 sized organizations.

Manchester has become home to an amazing, highly specialized talent pool in cyber intelligence. I realize many of you have absolutely no idea what that means. Maybe one day we can show you. For now, just know, when retailers lose credit cards, or your health insurer gets whacked for all of that patient data, there are companies (right here in Manchester) who're chasing those bad guys.. heck, stop by my office, I'll show you pictures of some of them. Or stop by Dyn.. they'll show you how the data gets moved. Or stop by... well, I'll leave the others out of this for now.