Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF).  When EAST holds their Financial Crime & Security Forum next month members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals have identified access points in the physical architecture of the ATM that would grant them access to cables or ports allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!   

The technique of causing an ATM machine to dump all of its cash is called "Jackpotting."  Most of us first heard about jackpotting as a result of the Barnaby Jack presentation at BlackHat 2010 and repeated on two models of ATMs for DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18
Last September, Kaspersky demonstrated an ATM Black Box, however in their proof of concept approach, the criminals physically open the computer using a maintenance workers key, and flip a physical switch in the ATM to cause it to enter Supervisor mode.   The Black Box is connected to the ATM through a simple USB port that was at that time available in most ATM machines.

Black box demo video from Kaspersky

The new Europol arrest report shows that the current evolution on ATM Black Box attacks is to physically cut in to the ATM with drills, saws, or acetylene torches, and gain physical access to cables to which the laptop or black box will be attached.  In the current round of Black Box attacks, the target is not the ATM Computer, but rather the cables that connect the ATM computer to the Banknote Dispenser.  By directly connecting to the Dispenser, the connected laptop's malware simply issues commands to the Dispenser that normally would come from the ATM Computer and gives the order to dispense bills.
Image from Europol

Image from Europol

Information shared in the EAST working groups has produced some uncharacteristic good news in this space!  Although the number of ATM Black Box attacks went up considerably, with 15 attacks in 2015 and 58 attacks in 2016, many of these attacks were unsuccessful.  In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

 and illustrated this information with the following chart:

from EAST Report on ATM Fraud

The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as Regional ATM Crime trend reports from Europol, Russia, the US Secret Service, Latin America,and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen.  Traditional skimming and white-carding is still stealing over 300 Million Euros per year, while physical attacks of other sorts are claimed nearly 50 Million Euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine giving the criminals access to the full contents of the dispenser.   The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013
This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in Southern Spain.  In the first half of 2016, 492 ATM Explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack!  For the full year-over-year comparison, in 2015 there were 673 ATM Explosive attacks in Europe, and in 2016 there were 988 such attacks.  This accounts for roughly 1/3rd of the Physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, several major ATM attacking gangs have been previously arrested and disclosed. While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards based on the results.

One rare Jackpotting arrest was in January 2016 when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania.  In that case, the Tyupkin trojan, targeting a particular model of NCR ATMs, was inserted by gaining physical access to the ATM and booting a malicious CD in the ATM computer.  (See ).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring who stole at least €1.2 million. 

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine for running an ATM Skimming Ring that stole more than 500,000 Euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.

Wednesday, February 01, 2017

Kelihos infection spreading by Thumb Drive and continues geo-targeting

I've mentioned before how proud I am that my students are extremely passionate about CyberCrime. My guest blogger 'Arsh Arora' is on a visit to his hometown New Delhi, India to attend a wedding. Instead of having fun, he is monitoring Kelihos botnet from a different geographical location than US to determine if the behavior is any different. Seems fairly consistent, but Arsh explains more in this next edition of his Kelihos guest-blogging:

Kelihos botnet geo-targeting Canada and Kazakhstan 

After laying low for a while, the Kelihos botnet is back to its business of providing 'spam as a service'. The Kelihos botnet continues "geo-targeting" based on the ccTLD portion of email addresses. Today, those recipients whose email address ends in ".ca" are receiving links to web pages of Tangerine Bank Phish websites. While recipients whose email address ends in ".kz" are receiving a link to the Ecstasy website.

Tangerine Bank Phish geo-targeted to Canadians

The spam body consists of a webpage that will be displayed as a webpage, seeking the user to click a button with the subject line of "TANGERINE online account has been suspended". Tangerine is internet/telephone base bank formerly known as ING Direct (Tangerine).

Fig. 1 Raw Text of  Spam message

The html version is displayed to the victim receiving the email. Thus, instigating the victim to click on the "Learn More" Button (link is "hxxp://tangeerine[dot]com/InitialTangerine/index.php"). Once clicked the victim is redirected to a phishing site, seeking the user to enter  "Enter your Client Number, Card Number or Username".

Fig. 2 Html version of the Phish
Fig. 3 Redirected link seeking user to enter details

Second version of the similar-themed message was with the subject line of "Your account is disabled. Please verify your information is correct" and the corresponding redirect link once you hit the start button was "hxxp://sec-tangrene[dot]online/". 

Fig. 4 Raw Text of second spam message

Fig. 5 Html version of Tangerine Phish
Unfortunately, the following link was down and not accessible.

Canadian Banks take great pride in their infrastructure and preventive measures. This gives the attackers an extra challenge of trying to penetrate inside these banks. Therefore, targeting them like in previous instances, one such case of Desjardins phish. 

Fcuk Spam geo-targeted to Kazakhstan 

This behavior is never observed before as Kelihos botnet was geo-targeting email addresses ending with ".kz". The spam message contained a link (www[dot]almatinki[dot]com) to a Fcuk website with the subject line in Russian "Глубокий м" when translated it is stated as"Deep m". Attached are the screenshot of email message and website.

Fig. 6 Email message of the spam
Fig. 7 Website

Kelihos spreading via executables copied to flash drives

There is a saying that when an Academic has an accident we call it "research!"  After completing a successful infection of Kelihos, a thumb drive was accidentally connected to the virtual machine instead of the host machine. Upon inspection, the thumb drive appeared to have acquired a new hidden executable name “porn.exe”, as well as a few shortcuts that were not there before. On further analysis of the file "porn.exe", it revealed that it was a copy of the original Kelihos binary. 

Fig. 8 VT analysis of porn.exe

By repeating the process with ProcMon running, we found the Create File function linked to the E:\porn.exe. In the moments leading up to this, several other file names are tried with CreateFile, in an attempt to open them. It appears that if none of these files are opened, then it defaults to creating a porn.exe file, and then writing the binary to this file. After binary creation, the shortcuts for the hidden directories, and executables are created.

Fig. 9 Create File of porn.exe
Fig. 10 Various instances of trying to Create File

An Autorun.inf is not created to run this file, however, a shortcut to the file with the command C:\WINDOWS\system32\cmd.exe F/c "start %cd%\porn.exe" can be found on the drive, as well as shortcut to several other hidden directories on the drive (not malicious).

Fig. 11 Executable and shortcut placed on thumb drive
Running porn.exe works like a normal Kelihos run, however, we were unable to infect a thumb drive with this binary. Further analysis is required to determine the mechanism by which thumb drive infection occurs, as this executable appears to be identical to the original binary.

Thanks a lot Eli Brown for sharing great insights on the infection behavior of Kelihos. 

We continue our research on the Kelihos botnet and try to provide as much insights about the botnet.

Monday, January 16, 2017

"Microsoft notification" leads to Pharma Redirector on Steroids

Today while investigating spam in the PhishMe spam collection, I started looking at a spam campaign that used two distinct subject lines:

Subject: Microsoft notification
Subject: Windows notification

The body of the email looked like this:

NOT Your Friend!

In true botnet style, every single email had a different "friend name."  The three links at the bottom, all go to "real" Microsoft locations, but the "View invitation" button is the place we need to be concerned about today.  While this delivery mechanism certainly COULD be used to deliver malware, right now, all we knew was that it was certainly not from Microsoft and was potentially dangerous.  With at least 310 different sending IP addresses sending us the spam, it seemed a deeper investigation was called for.

Since the spam did not have an attachment, the method to determine whether the URL may be malicious is normally to fetch the URL, but first we ran some statistics.  In this case of the 410 "Microsoft" and the 377 "Windows" versions of the spam there were 773 different redirection destinations, each a hacked website where the criminals placed a small .php program.

Here are just a few examples of the many hundred redirection URLs:
  • / populace.php
  • / valences.php
  • / trowels.php
  • / wp-content / gillian.php
  • / timeout.php
  • / bustles.php
  • / i/wp-content/plugins / contour.php
  • / muttons.php
Each PHP file is a program that will cause the visitor to be automagically redirected to an additional website! To determine what directions will occur, and what we might encounter at the ultimate "landing site" we visit the redirection pages to see where it sends our web browser.
Here's a sample redirection script from / irving.php, which caused us to visit an illicit pharmaceutical sales website:

(meta name="keywords" content="crowds, nothing, mountains, fulfilld")
(title) ice32044 Pain. Era - ran earth heaven. Nigh spotted relief, found.(/title)

function palee() { palea=61; paleb=[180,166,171,161,172,180,107,177,172,173,107,169,172,160,158,177,166,172,171,107,165,
169,169,179,158,169,178,162,107,175,178,100,120]; palec=""; for(paled=0;paled lessthan paleb.length; paled++) (palec+=String.fromCharCode(paleb[paled]-palea); return palec;

This code will subtract the number 61 from each value in the row of integers that begins with 180,166, and will then concatenate each character to the previous and convert it to a string.  Then it will wait 1.295 seconds, and forward the visitor to the website by using the document property "".

We'll decode a bit of this one by hand:
180 - 61 =  119 which is 77 hex which is an ASCII "w"
166 - 61 = 105 which is 69 hex which is an ASCII "i"
171 - 61 = 110 which is 6E hex which is an ASCII "n"

Rather than do this by hand, I told Excel to separate values by the "," into columns and made a simple spreadsheet.  Update the "Shifter" value (in this case the "palea=61") and then paste the comma separated list into the "Values" portion of the spreadsheet.

the "" redirector (Click for full-size)

Row one is the original values
Row two contains the same values, decremented by "Shifter"
Row three contains the same values, displayed in Hex
Row four contains the decoded to English values, in this case reading:

" = http : // privatepillvalue dot ru" (altered for safety)

The next URL we tried, zacpower dot com slash destined.php, had used  "unripea=78" for the Shifter value.  We cut and pasted the comma separated values in and see that it redirects to "healingdrugdeal dot ru".

the "" redirector (click for full-size)

The question though, was how many different sites did these 770 redirectors send us to? and were they all illicit pharmaceutical websites? or was it possible that some would redirect us to malware?  The only solution seemed to be to fetch and decode all of them!

A simple wget script took care of the fetching, and we soon had 559 unique .txt files, each containing the redirection program from one of the "still live" redirection sites. (As soon as a webmaster finds such a program, they hopefully delete it!  We were glad to see more than 100 of the websites, mostly ones from over the weekend, were not available any longer!)

Now for a small shell script to yank out the Shifter value and the comma separated integers for each.  There are certainly better shell scripters than me, but here was my quick-and-dirty script:

cat filelist |while read a; do printf '\n'; printf $a;printf ' Shifter:  '; grep -o '=[0-9][0-9]' $a|tr -d '\n'; printf ' values: '; grep -o '[0-9]*,[ ]*[1-9][0-9]*' $a |tr -d '\n'; done

After asking for a new line, I print the filename, which in this case was "domain.tld.txt", then I looked for a two-digit integer preceded by an equal sign, and declared it to be the "Shifter".  Then I searched for a list of comma delimited integers, and listed only the matches using "grep -o".  Because "grep -o" puts each hit on a new line, I piped the tr -d '\n' to remove the new line character and put them all back on one line as a long comma separated list.  Here are a few example results: Shifter:77 values: 196,182,187,177,188,196,123,193,188,189,
191,194,116,136 Shifter: 49 values: 168,154,159,149,160,168,95,165,160,161,95,157,
150,146,157,154,159,152,149,163,166,152,149,150,146,157,95,163,166,88,108 Shifter: 22 values:
137,123,136,140,127,121,123,68,136,139,61,81 Shifter: 23 values:
130,144,121,124,138,139,138,124,137,141,128,122,124,69,137,140,62,82 Shifter: 15 values:

Now that the files key values are separated out, it was simple to automate the decoding to learn which URL was recommended by each of the websites that were found in the  "View Invitation" links within our spam messages.

So How Many Redirectors were there?  

It APPEARS that there are four redirection destinations for this spam campaign.
By processing the results from all of the redirectors we visited, we found:

131 redirectors went to "privatepillvalue dot ru"
138 redirectors went to "luckybestservice dot ru"
165 redirectors went to "healingdrugdeal dot ru"
125 redirectors went to "bestgenericstore dot ru"

bestgenericstore dot ru

Caution with Redirectors!!

The problem with redirection sites such as were used in this spam campaign is that we can't be certain that others who visit the same results would be redirected in the same way.  Because we did not OBTAIN the redirection script, but merely observed the resulting html results when visiting the page from an automated script, we can't say at this time whether other visitors would be redirected in the same way.

For example, the script may have said "If you seem to be using automation, redirect to a pharma website, but if you seem to be on a regular PC on a regular browser, redirect to an Exploit Kit!" or the script may have said "Send every 50th visitor to be infected with Malware at this exploit kit, but send everyone else to a pharma website."  It is also possible for the script to say "If your IP address is from one of THESE countries, send to a pharma website, but if your IP address is from one of the OTHER countries, infect with malware!"  Until we get a copy of the script from one of the websites, it will be hard to say whether such a trap was present here.