Sunday, February 02, 2014

GameOver Zeus now uses Encryption to bypass Perimeter Security

The criminals behind the malware delivery system for GameOver Zeus have a new trick: encrypting their EXE file so that, as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you may have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time.

On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just to the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal which is a great way to let "the industry" know about new malware.

To review the process: Cutwail is a spamming botnet that, since early fall 2013, has been primarily distributing UPATRE malware via social engineering. The spam message is designed to convince the recipient that it would be appropriate to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but which, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation.

As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people. With the change last week, the new detection rate for the Zeus downloads has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal -- al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically it isn't malware. It doesn't actually execute! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are.

In the new delivery model, the .zip file attached to the email carries a NEW version of UPATRE that first downloads the .enc file from the Internet, then DECRYPTS it, writes the result to a new location under a new filename, and finally causes it both to execute immediately and to be scheduled to execute again in the future.

I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell SecureWorks, and Boldizsár Bencsáth of CrySyS Lab in Hungary, three researchers who jumped in to help us look at this. Hopefully others will share insights as well, so this will be an on-going conversation. (UPDATE: Boldizsár has published details of how the encoding works -- the file is first compressed and then XOR'ed with a 32-bit key. Upatre reverses the process to create the .exe file.)
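Two checks follow from the paragraphs above: the log review suggested at the top of the post (how many .enc files did workstations fetch?) and the header test that explains the 0/50 VirusTotal score (legitimate Windows executables begin with "MZ"; these payloads begin with "ZZP"). The script below is an added example written for this page, not Malcovery's tooling or anything from the Upatre authors. It assumes a constructed proxy-log layout (timestamp, client IP, method, URL, HTTP status, bytes, whitespace-separated); the hostnames in the sample lines are placeholders, not the compromised sites listed later in the post. The `.jpg`/`.rar`/`.zip` variants mentioned in the comments are deliberately left out of the extension filter because those extensions are too common to flag by name alone.

```python
"""Log triage and file-header checks for the ".enc" delivery pattern.

Example code added for this post (not Malcovery tooling).  The log format is
a constructed one: timestamp, client IP, method, URL, HTTP status, bytes,
separated by whitespace.  Adapt LOG_RE to your own proxy or web filter.
"""
import re
from collections import defaultdict

# Extensions to flag.  ".enc" is the one the post describes.
SUSPECT_EXTENSIONS = (".enc",)

# Size window (bytes) spanned by the .enc files listed in the post; used only
# to annotate hits, never to drop them.
TYPICAL_ENC_SIZE = (280_000, 450_000)

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\d+)\s*$")

# Constructed sample log.  Hostnames are placeholders, not real sites.
SAMPLE_LOG = """\
2014-01-31T09:12:03Z 10.0.5.21 GET http://compromised-site.example/images/al3101.enc 200 329132
2014-01-31T09:12:40Z 10.0.5.21 GET http://cdn.example/css/site.css 200 4120
2014-01-31T09:13:11Z 10.0.7.88 GET http://other-site.example/scripts/wav.enc 200 282491
2014-01-31T09:13:30Z 10.0.7.88 GET http://other-site.example/scripts/wav.enc?x=1 404 512
2014-01-31T09:14:02Z 10.0.5.21 GET http://compromised-site.example/images/al3101.enc 200 329132
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "size": int(size)}


def is_suspect_download(rec):
    """True for a completed (2xx) fetch whose URL path ends in a flagged extension."""
    path = rec["url"].split("?", 1)[0].split("#", 1)[0].lower()
    return 200 <= rec["status"] < 300 and path.endswith(SUSPECT_EXTENSIONS)


def find_enc_downloads(log_text):
    """Return the suspect download records, each annotated with a size note."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspect_download(rec):
            continue
        lo, hi = TYPICAL_ENC_SIZE
        rec["size_in_window"] = lo <= rec["size"] <= hi
        hits.append(rec)
    return hits


def by_client(hits):
    """Map each client IP to the sorted list of distinct .enc URLs it fetched."""
    out = defaultdict(set)
    for h in hits:
        out[h["client"]].add(h["url"])
    return {client: sorted(urls) for client, urls in out.items()}


def classify_header(data):
    """Classify a file by its leading bytes: 'pe' (MZ), 'upatre-encoded' (ZZP), or 'other'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:3] == b"ZZP":
        return "upatre-encoded"
    return "other"


if __name__ == "__main__":
    hits = find_enc_downloads(SAMPLE_LOG)
    for client, urls in by_client(hits).items():
        print(client, "->", ", ".join(urls))
    # The sample header below is constructed, not bytes from a real payload.
    print(classify_header(b"ZZP\x01\x02\x03"))
```

The per-client grouping matters more than the raw hit count: a single workstation that fetched the same .enc twice is one infection to triage, and `classify_header` is the quick test to run on anything that grouping turns up in a proxy cache or quarantine.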

UPATRE campaigns that use Encryption to Bypass Security

Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe file that came from that file. For each campaign, you will see some information about the spam message, including the .zip file that was attached and its size and hash, and the .exe file that was unpacked from that .zip file. Then you will see a screenshot of the email message, followed by the URL that the Encrypted GameOver Zeus file was downloaded from, and some statistics about the file AFTER it was decrypted.

ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.

Campaign: 2014-01-27.ADP
Messages Seen: 2606
Subject: Invoice #(RND)
From: ADP - Payroll Services <payroll.invoices@adp.com>
Attachment: Invoice.zip, 9767 bytes, hash b624601794380b2bee0769e09056769c
Unpacked EXE: Invoice.PDF.exe, 18944 bytes, hash 8d3bf40cfbcf03ed13f0a900726170b3

Encrypted payload URL: dcmsservices.com/images/stories/slides/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a
Encrypted payload URL: electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc
  .enc file: 287920 bytes, hash 09ced08856101f86c02890f4373623a4
  decrypted .exe: 338432 bytes, hash b63415efcc70974269bd9d8da10b3ac1


Campaign: 2014-01-27.BBB
Messages Seen: 776
Subject: FW: Complaint Case (RND)
From: Better Business Bureau <(Random)@newyork.bbb.org>
Attachment: Case 463252349343.zip, 9762 bytes, hash 1ed259d9e7474cfe56df485be479ea97
Unpacked EXE: Case 463252349343.exe, 18944 bytes, hash 809ae1af04ab921aa60efeb7083d21d7

Encrypted payload URL: sigmau.co.uk/templates/hot_spicy/images/glass/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a
Encrypted payload URL: skipbagsdublin.com/wp-content/uploads/2014/01/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: 2014-01-27.HMRC
Messages Seen: 302
Subject: Important Information for Employers
From: HMRC Employer Alerts & Registrations <employers@alerts.hmrc.gov.uk>
Attachment: Employer_Bulletin_Issue_46_79520EEE31.zip, 7218 bytes, hash 413cda07e774a5ed7f98279dd9e8a087
Unpacked EXE: Employer_Bulletin_Issue_46_79520EEE31.exe, 17920 bytes, hash 2616babcdf0c5b9086ff63fa6682fe07

Encrypted payload URL: all-monitor.com/images/pdf.enc
  .enc file: 282449 bytes, hash 9d1b8f296b5bfb0f4817c2aacb8815a3
  decrypted .exe: 289280 bytes, hash fa4d35b63a8485bc7c0b167ca9358b76


Campaign: 2014-01-27.HSBC
Messages Seen: 404
Subject: FW: Payment Advice - Advice Ref:[GB(RND)] / ACH credits / Customer Ref:[pay run 14/11/13]
From: HSBC Advising Service <advising.service.(RND).(RND).RND)@mail.hsbcnet.hsbc.com>
Attachment: PaymentAdvice.zip, 7162 bytes, hash c17396cddadf201f83074615824240c0
Unpacked EXE: PaymentAdvice.exe, 17920 bytes, hash e0595c4f17056e5599b89f1f9cf52d83

Encrypted payload URL: afrolatinotala.com/images/pdf.enc
  .enc file: 282448 bytes, hash 414755f65ebbaf52669aaab649b3f274
  decrypted .exe: 289280 bytes, hash 5a393b283f42edd17c7da2625b8e1045


Campaign: 2014-01-27.Skype
Messages Seen: 275
Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Attachment: Skype-message.zip, 10147 bytes, hash 79fb2e523fe515a6dac229b236f796ff
Unpacked EXE: Voice_Mail_Message.exe, 18944 bytes, hash 6e4857c995699c58d9e7b97bff6e3ee6

Encrypted payload URL: rockthecasbah.eu/templates/beez/css/wav.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: 2014-01-27.VoiceMessage
Messages Seen: 271
Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
Attachment: VoiceMessage.zip, 7273 bytes, hash d2070f6a15312dec7882ca0d9ec7f431
Unpacked EXE: VoiceMessage.exe, 17920 bytes, hash 8a739776cf8316eba1bfae50e020c8f1

Encrypted payload URL: akhrisawal.com/images/marquee/wav.enc
  .enc file: 282448 bytes, hash 73c811d0794de15906225d7d936fc6b7
  decrypted .exe: 289280 bytes, hash 2b0db77ac980be10b9ef4562269d8db4
Encrypted payload URL: ayeshaomar.com/images/host/wav.enc
  .enc file: 282446 bytes, hash 1d30d5fe55585d24cd15ef97afb7322c
  decrypted .exe: 289280 bytes, hash b993b4cb332b979d6f8509f5765abfd4


Campaign: 2014-01-28 DeptTreasury
Messages Seen: 223
Subject: Department of Treasury Notice of Outstanding Obligation - Case (RND)
From: support@salesforce.com
Attachment: FMS-Case-(RND).zip, 9462 bytes, hash 067617d990a861f87304bb08b6628524
Unpacked EXE: FMS-.exe, 18944 bytes, hash 40afe219c14a0a5f3a4ddd6c8e39bc23

Encrypted payload URL: almotawer.biz/img/pdf.enc
  .enc file: 328025 bytes, hash 41d57ca4b8705247186e2f30d911d811
  decrypted .exe: 387584 bytes, hash 7178a455ee9a0d6e42465ad9967a177a
Encrypted payload URL: imagevillage.co.uk/images/pdf.enc
  .enc file: 328025 bytes, hash 41d57ca4b8705247186e2f30d911d811
  decrypted .exe: 387584 bytes, hash 7178a455ee9a0d6e42465ad9967a177a


Campaign: 2014-01-28.IRS
Messages Seen: 192
Subject: Complaint Case (RND)
From: IRS.gov <fraud.dep@irs.gov>
Attachment: Complaint_RND.zip, 7240 bytes, hash f20768ed9f771a92950a5f5ab14bf57f
Unpacked EXE: Complaint_.exe, 17408 bytes, hash 8163d272c4975b1d7ed578b4d24b3d2a

Encrypted payload URL: farmyarddog.co.uk/images/pdf.enc
  .enc file: 282486 bytes, hash 97b200826b7a526d91fda4c56dc438ae
  decrypted .exe: 289276 bytes, hash 542a5a6f04ddcad3effc72121c59e332
Encrypted payload URL: hamdanicoffee.com/up/pdf.enc
  .enc file: 282486 bytes, hash 97b200826b7a526d91fda4c56dc438ae
  decrypted .exe: 289276 bytes, hash 542a5a6f04ddcad3effc72121c59e332


Campaign: 2014-01-28.NewVoiceMessage
Messages Seen: 165
Subject: New Voice Message
From: Voice Mail <(RND)@(reflective)>
Attachment: VoiceMail.zip, 6502 bytes, hash 2a048dfb3429155d552cb0c37b499b51
Unpacked EXE: VoiceMail.exe, 17920 bytes, hash dc2e2f04a01009f3193b0df4ba0f6e81

Encrypted payload URL: hailantrdg.com/scripts/wav.enc
  .enc file: 282489 bytes, hash 11a55dd1a756dbba6e7d404a7c22544a
  decrypted .exe: 289280 bytes, hash cae9c9614affac694320215228efcf27
Encrypted payload URL: morethanshelters.co.uk/images/banners/wav.enc
  .enc file: 282489 bytes, hash 11a55dd1a756dbba6e7d404a7c22544a
  decrypted .exe: 289280 bytes, hash cae9c9614affac694320215228efcf27


Campaign: 2014-01-28.RingCentral
Messages Seen: 7720
Subject: New Fax Message on 1/22/2013
From: RND <RND@RND>
Attachment: fax.zip, 9929 bytes, hash afa90762f6412173cf6e0e6d1d57531d
Unpacked EXE: fax.doc.exe, 18944 bytes, hash 81e425646f68d3adaddca0cf398f595f

Encrypted payload URL: ren7oaks.co.uk/images/al2701.enc
  .enc file: 441073 bytes, hash f626ad2af056644ff4717e1cd80c6da3
  decrypted .exe: 484352 bytes, hash c7c4a875b90c86136e497af8ffc9a9e0
Encrypted payload URL: salahicorp.com/up/al2701.enc
  .enc file: 441073 bytes, hash f626ad2af056644ff4717e1cd80c6da3
  decrypted .exe: 484352 bytes, hash c7c4a875b90c86136e497af8ffc9a9e0


Campaign: 2014-01-28.WhatsApp
Messages Seen: 767
Subject: Missed voice message, "(timestamp)"
From: WhatsApp Messenger <ctaylor@magma.net>
Attachment: Missed-message.zip, 6492 bytes, hash 494d6095b540dbc9f570e22b717a32df
Unpacked EXE: Missed-message.exe, 17920 bytes, hash a4c01917b7d48aa7c1c9a2619acb5453

Encrypted payload URL: inspireplus.org.uk/images/banners/wav.enc
  .enc file: 282491 bytes, hash 33070eda34ccea632c3b4007a1e2beee
  decrypted .exe: 289268 bytes, hash dc5b998fd7a6f29ebac6365654d57609
Encrypted payload URL: zubayen.com/up/wav.enc
  .enc file: 282491 bytes, hash 33070eda34ccea632c3b4007a1e2beee
  decrypted .exe: 289268 bytes, hash dc5b998fd7a6f29ebac6365654d57609


Campaign: 2014-01-28.Skype
Messages Seen: 574
Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Attachment: Skype-message.zip, 9163 bytes, hash dfa3db3c14ae1e369a4a9df6cb82832f
Unpacked EXE: Skype-message.exe, 18944 bytes, hash ab703881cb4b3fbd5ee13df30b7bb8d7


Campaign: 2014-01-29.RingCentral1 (three variants seen)
Variant 1
  Messages Seen: 3811
  Subject: New Fax Message on 1/29/2013
  From: RND <RND@*.ru>
  Attachment: fax.zip, 9473 bytes, hash 0842e4bcc8af1f0d54519a99834be218
  Unpacked EXE: fax.pdf.exe, 18432 bytes, hash d309df26dd91294dc4acd5fb78aa98f5
Variant 2
  Messages Seen: 2887
  Subject: New Fax Message on 1/22/2013
  From: RND <RND@RND>
  Attachment: fax.zip, 9929 bytes, hash afa90762f6412173cf6e0e6d1d57531d
  Unpacked EXE: fax.pdf.exe, 19968 bytes, hash 5db38bd493ef2f9b35bb0015822b493d
Variant 3
  Messages Seen: 2353
  Subject: New Fax Message on 1/29/2013
  From: RND <RND@*.ru>
  Attachment: fax.zip, 9994 bytes, hash 2d65747503e7b251ad597a650f352f4e
  Unpacked EXE: fax.doc.exe, 18944 bytes, hash 81e425646f68d3adaddca0cf398f595f

Encrypted payload URL: internetauctions.ca/img/apps/al2901.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: 2014-01-29.eFax
Messages Seen: 1016
Subject: Fax transmission: (RND-RND-RND-RND).zip
From: eFax Corporate <message@inbound.efax.com>
Attachment: (RND-RND-RND-RND.zip), 9628 bytes, hash 9f2613dabe2a89ac21e9b55b6df51ebc
Unpacked EXE: {fax num123}.exe, 17920 bytes, hash 89f45f68a0568996a6a109a1d04b6670

Encrypted payload URL: amy-escort.com/amy/pdf.enc
  .enc file: 281970 bytes, hash 42dda6f13b2c8df96321570e1fa84fe8
  decrypted .exe: 289785 bytes, hash ee038bdd137f518614599275add5b9bb
Encrypted payload URL: pakmailbarrie.com/images/banners/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: 2014-01-29.LloydsTSB
Messages Seen: 551
Subject: January Spending
From: RND <RND@lloydstsb.com>
Attachment: January.zip, 9586 bytes, hash ea42b883dab711810243e8f138438733
Unpacked EXE: January.exe, 17920 bytes, hash c28d9a0b3b2643a01fd3f3250a39a511

Encrypted payload URL: airconexpress.com.au/images/deac/pdf.enc
  .enc file: 281971 bytes, hash 9c790bfd6def569362483192d6e1b9ba
  decrypted .exe: 289800 bytes, hash 82dd0f87007fc0149183e1de8f0913f2
Encrypted payload URL: numantis.com/images/banners/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: (name not recorded)
Messages Seen: 166
Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
Attachment: Message.zip, 8748 bytes, hash ff2c3e6b875803945b320e438304f506
Unpacked EXE: VoiceMessage.exe, 17920 bytes, hash 13d6046c575abe9c3072067135a57996


Campaign: 2014-01-30.BanquePopulaire
Messages Seen: 259
Subject: Numero de cas: RND
From: Banquepopulaire.fr <response-automatique@banquepopulaire.fr>
Attachment: Cas_RND.zip, 9476 bytes, hash a21cd2697687ae6eb1b15175a8fb0ae2
Unpacked EXE: Cas_01302014.exe, 17920 bytes, hash 968779b34f063af0492c50dd4b6c8f30

Encrypted payload URL: doradoresources.com/images/ie6/pdf.enc
  .enc file: 282033 bytes, hash 8cce7406f943daa81ef31411247491d3
  decrypted .exe: 300544 bytes, hash 092eb58dce516414908ecf6f3156372a
Encrypted payload URL: sportsstoreonline.in/wp-content/uploads/2013/03/pdf.enc
  .enc file: OFFLINE
  decrypted .exe: n/a


Campaign: 2014-01-30.Remit
Messages Seen: 206
Subject: FW: Last Month Remit
From: Administrator <docs(#)@reflective>
Attachment: Remit.(domain).zip, 9465 bytes, hash 145d3da149cc8fa3bef38af648713fb6
Unpacked EXE: Remit.exe, 17920 bytes, hash 84a6030c8265b33c3c4e68d29975bd76

Encrypted payload URL: excelbizsolutions.com/templates/pdf.enc
  .enc file: 282036 bytes, hash 5c7d5797e1f46c29dd9c7a9976d9d359
  decrypted .exe: 299008 bytes, hash aaf1097da1e50b7fd8d8c5e1a95acd80
Encrypted payload URL: poragdas.com/images/Porag/pdf.enc
  .enc file: 282036 bytes, hash 5c7d5797e1f46c29dd9c7a9976d9d359
  decrypted .exe: 299008 bytes, hash aaf1097da1e50b7fd8d8c5e1a95acd80


Campaign: 2014-01-30.Skype
Messages Seen: 42
Subject: Skype Missed voice message
From: Administrator <docs(#)@reflective>
Attachment: Missed voice message.zip, 9336 bytes, hash 40453639a6fbd58b1d30099666ad32a (as published; one hex digit short)
Unpacked EXE: Missed voice message.exe, 18944 bytes, hash 30e5d9d4d7da572fdef6f7253950a53c

Encrypted payload URL: aatextiles.com/images/gallery/wav.enc
  .enc file: 328784 bytes, hash 75a9d6fd9fe34a4ff737c987938a8f6c
  decrypted .exe: 386048 bytes, hash f2bef403482c4dd70bd4e1be1fd4af8f
Encrypted payload URL: profitera.com/img/newsletter/auto/wav.enc
  .enc file: 328784 bytes, hash 75a9d6fd9fe34a4ff737c987938a8f6c
  decrypted .exe: 386048 bytes, hash f2bef403482c4dd70bd4e1be1fd4af8f


Campaign: 2014-01-30.AssortedFax
Messages Seen: 2410
Subjects: Corporate eFax message from (RND)
          jConnect fax from (RND) - (RND) pages, Caller_ID (RND)
From (display names): eFax Corporate; jConnect; Dun & Bradstreet
From (addresses / domains): message / case.alert@inbound.j2.com; dnb.com; inbound.efax.com
Attachment: FAX_001_RND.zip, 10293 bytes, hash 18b72825aecde011bdc92c1526491571
Unpacked EXE: FAX_001_20143001_814.exe, 18944 bytes, hash 915fdc8403b26bac79801fa1a341495d

(These three all use the same binaries)


Campaign: (name not recorded)
Messages Seen: 1627
Subject: New Fax Message on 01/29/2013
From: RND <RND@*.ru>
Attachment: fax.zip, 10095 bytes, hash 8627ce01daaebc35610d05cdbdbde612
Unpacked EXE: fax.pdf.exe, 18432 bytes, hash 465c2656c07ab05e9349920f53dd0deb


Campaign: 2014-01-30.LaPoste
Messages Seen: 101
Subject: Scan de (RND)
From: LaPoste <reponse-automatique@laposte.net>
Attachment: Scan_RND_RND_RND.zip, 9494 bytes, hash daaf11e91c3cc3506042d633373aabd3
Unpacked EXE: Scan_301_30012014_001.exe, 17920 bytes, hash 968779b34f063af0492c50dd4b6c8f30


Campaign: 2014-01-30.Staples
Messages Seen: 245
Subject: Your order is awaiting verification!
From: Staples Advantage Orders <Order@staplesadvantage.com>
Attachment: Order_RND.zip, 9465 bytes, hash e669d0ff0238ed2f3601c01f1a532728
Unpacked EXE: Order.exe, 17920 bytes, hash 84a6030c8265b33c3c4e68d29975bd76


Campaign: 2014-01-31.RingCentral1
Messages Seen: 3488
Subject: New Fax Message on 01/29/2014
From: RND <RND@*.ru>
Attachment: fax.zip, 9815 bytes, hash d373a3e96519612896facb6f18e89785
Unpacked EXE: fax.pdf.exe, 19968 bytes, hash 9a836550c9e74a46076a7292fb0d4ab1

Encrypted payload URL: aim2go.com/WEB-INF/al3101.enc
  .enc file: 329132 bytes, hash ded1b7f7ea934faf84a8dcc5011316cd
  decrypted .exe: 390144 bytes, hash f07d3afab1eb150e8a315596b5fb23f9
Encrypted payload URL: bandwagondesign.com/scripts/al3101.enc
  .enc file: 329132 bytes, hash ded1b7f7ea934faf84a8dcc5011316cd
  decrypted .exe: 390144 bytes, hash f07d3afab1eb150e8a315596b5fb23f9


6 comments:

  1. I would say the only GOOD news in this is that it is still social engineering attacks. Non-corporate end-users will still have some protection from the dictum "Never open attachments or click on email links that are in ANY way suspicious".

  2. This comment has been removed by the author.

  3. This comment has been removed by the author.

  4. Anonymous, 3:00 PM

    Good summary. Thanks for sharing. One friendly note: you have a broken image link for the analysis of From: "RND RND@*.ru". Not a big deal. Just helping. Good work.

  5. Thanks for the catch! Image fixed...

  6. Whatup Gary. You are a madman, you know that right?

    Lately I'm seeing .zip, .jpg, and .rar files that are the same kind of binary string-less files of the same size range instead of .enc


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.