Thursday, October 19, 2017

TrickBot's New Magic Trick: Sending Spam

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing: “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash - ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.

When analyzing it, we found that it launches several “svchost.exe” instances; the count varies from 4 to 7 depending upon the time of your run.


Fig. 1: TrickBot binary with "svchost.exe"

Each of the svchost instances has its own significance:

Svchost 1: Appears to be used to search and receive certificates

Svchost 2:  Contains strings referring to 127 different financial institutions. (complete list is mentioned below)

Svchost 3: Is the one that collects data from Outlook\Profiles such as username, password, servers, ports

Fig. 2: Outlook exfiltration

Svchost 4: Scans the internet history to search for stored credentials

Svchost 5: Contains a list of random email addresses; research is ongoing to understand the use of those emails.

Confirmation of Svchost being launched by TrickBot binary

In order to confirm our hypothesis that the various svchost instances are launched by a single process rather than by more than one, we tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of "Svchost.exe" by the same process.

Fig. 3: Svchost Create Process


Config File : Svchost 2


The Svchost 2 configuration holds the comprehensive list of all the unique financial institutions it references. It is safe to assume that the TrickBot binary is targeting these institutions.  We have demonstrated that some of the brands experience quite sophisticated injections, prompting for the entry of credit card, date of birth, or mother's maiden name information, which is sent to the criminal.

The binary creates a folder 'winapp' under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.

As an update to the MalwareBytes blog: the binary also downloads an executable named "Setup.exe" under WinApp. The interesting thing about this executable is that it is downloaded as a PNG and then converted into an EXE. The URLs the executable is downloaded from are:

http://www[.]aharonwheelsbolsta[.]com/worming[.]png
http://www[.]aharonwheelsbolsta[.]com/toler[.]png

Fig. 4: File being downloaded as Png

Fig. 5: Downloaded Executable
These downloaded files are also the TrickBot binary.

Fig. 6: Setup.exe under WinApp
The downloaded files are converted into "Setup.exe" and can be found under the Roaming/WinApp directory.

Second Stage - Spam aka 'Pill Spam'

After the completion of the initial analysis, we observed a strange pattern when analyzing the Wireshark traffic with the 'IMF' filter. Our machine (10.0.2.15) was acting as a mail server as well as a proxy: it relayed messages coming from 208.84.244.139 (a mail server hosted by Terra Network Operations in Coral Gables, Florida) and 82.208.6.144 (a mail server in Prague, Czech Republic). Our machine was also sending outbound spam.
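A defender-side way to surface the same two behaviours from a connection log, as an added example that is not part of the original post: the host opening SMTP sessions to many external mail servers (outbound spam) and external mail servers opening SMTP sessions to the host that are followed by outbound ones (mail being proxied through it). The flow records are constructed; the 10.0.2.0/24 lab network, the 5-second pairing window and the three-destination threshold are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The sandbox VM address comes from the capture in the post; the lab network,
# the pairing window and the destination threshold are assumptions.
ANALYSIS_HOST = "10.0.2.15"
LAB_NET = ip_network("10.0.2.0/24")
SMTP_PORTS = {25, 465, 587}
RELAY_WINDOW = 5.0        # seconds between an inbound and a matching outbound SMTP session
SPAM_DEST_THRESHOLD = 3   # distinct external mail servers contacted before we call it a spam bot


@dataclass
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'ts src sport dst dport' records (constructed format), oldest first."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def is_external(addr):
    """Anything outside the lab network counts as the Internet."""
    return ip_address(addr) not in LAB_NET


def classify_smtp(flows, host=ANALYSIS_HOST):
    """Outbound: the host opens SMTP sessions to external servers (it is sending mail).
    Inbound: external servers open SMTP sessions to the host (it is accepting mail),
    something a workstation should never do."""
    outbound = [f for f in flows
                if f.src == host and f.dport in SMTP_PORTS and is_external(f.dst)]
    inbound = [f for f in flows
               if f.dst == host and f.dport in SMTP_PORTS and is_external(f.src)]
    return outbound, inbound


def find_relay_pairs(outbound, inbound, window=RELAY_WINDOW):
    """Pair each inbound session with the first unused outbound session that starts
    within `window` seconds after it: mail arriving and leaving again is the
    signature of the host being used as a proxy rather than originating the mail."""
    pairs, used = [], set()
    for inc in inbound:
        for i, out in enumerate(outbound):
            if i in used:
                continue
            delay = out.ts - inc.ts
            if 0 <= delay <= window:
                pairs.append((inc.src, out.dst, round(delay, 2)))
                used.add(i)
                break
    return pairs


def verdict(lines, host=ANALYSIS_HOST):
    """Summarise what the connection log says about the host's mail behaviour."""
    outbound, inbound = classify_smtp(parse_flows(lines), host)
    pairs = find_relay_pairs(outbound, inbound)
    mail_servers = {f.dst for f in outbound}
    return {
        "outbound_mail_servers": len(mail_servers),
        "inbound_sources": sorted({f.src for f in inbound}),
        "relay_pairs": pairs,
        "sends_spam": len(mail_servers) >= SPAM_DEST_THRESHOLD,
        "acts_as_proxy": bool(pairs),
    }


# Constructed connection records modelled on the capture: the two inbound
# sources are the mail servers named in the post; the outbound destinations
# are TEST-NET addresses, not real mail servers.
SAMPLE_FLOWS = """
# ts     src             sport  dst            dport
100.0    10.0.2.15       49152  203.0.113.10   25
100.4    10.0.2.15       49153  203.0.113.22   25
101.1    10.0.2.15       49154  198.51.100.7   25
105.0    208.84.244.139  33001  10.0.2.15      25
106.2    10.0.2.15       49155  203.0.113.40   25
110.0    82.208.6.144    41210  10.0.2.15      25
111.5    10.0.2.15       49156  198.51.100.9   25
120.0    10.0.2.15       49157  203.0.113.80   443
""".splitlines()

if __name__ == "__main__":
    for key, value in verdict(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On a real capture the same records can be produced from a Zeek conn.log or from tshark's conversation statistics; the logic is unchanged.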

Fig. 7: Wireshark capture with IMF filter


Outbound Spam

As can be seen in Figure 7, the top 3 spam messages are outbound and are being sent from our network. There were a total of 6 different spam messages with different subject lines and links. One of the emails is shown below:

Fig. 8: Email message

The following are some of the subjects and URLs that were spammed.

Subject                                  URL
Affordable-priced Brand Pilules          http://martinagebhardt[.]hu/w/1gox[.]php
Blue Pills easy-ordering                 http://host[.]teignmouthfolk[.]co[.]uk/w/zxaj[.]php
Eromedications Wholesale                 http://martinagebhardt[.]hu/w/1pyo[.]php
Great offers on Male Pills               http://host[.]bhannu[.]com/w/w10x[.]php
Here we sell Branded tablets             http://host[.]selfcateringintenerife[.]co[.]uk/w/l5fz[.]php
Online offers Branded pharmacueticals    http://host[.]iceskatemag[.]co[.]uk/w/lztg[.]php

When we visited these links, they redirected to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more.  A depiction of the pill website with the affiliate id is shown below.


Fig. 9: Redirect to a pill website with aff id

When we analyzed these web links individually, each contained a list of PHP files under the 'w' directory. Finally, when we walked up the tree to the bare domain, it led to a dating/porn website.

Inbound Spam

As can be seen in Figure 3, there is a significant amount of inbound traffic that appears to be different spam messages redirected through our machine. It can be inferred that our machine is used as a proxy to avoid back-tracking and detection. A bunch of different domains were used in the "From" addresses of these messages. An example of one such message is:

From: Walmart
Reply-To: newsletters@walmart.com
To: Grazielle
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=
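The header triage below is an added example, not part of the original post: it decodes the RFC 2047 encoded-word Subject shown above (Q-encoding with `_` for space and `=XX` hex bytes, plus B/base64), inventories the From/Reply-To domains the way the post does, and flags the display-name-only `From: Walmart` pattern seen in the capture. The sample messages are constructed and example.net is a placeholder domain.

```python
import base64
import re
from collections import Counter

# One RFC 2047 encoded word: =?charset?encoding?text?=  (encoding is B or Q)
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")
ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def decode_encoded_word(charset, encoding, text):
    """Decode one encoded word. Q-encoding is quoted-printable where '_' stands
    for a space and '=XX' is a byte in hex; B-encoding is plain base64."""
    if encoding.upper() == "Q":
        out, i = bytearray(), 0
        while i < len(text):
            if text[i] == "_":
                out.append(0x20)
                i += 1
            elif text[i] == "=" and HEX_PAIR.fullmatch(text[i + 1:i + 3]):
                out.append(int(text[i + 1:i + 3], 16))
                i += 3
            else:
                out.extend(text[i].encode("latin-1", "replace"))
                i += 1
        raw = bytes(out)
    else:
        raw = base64.b64decode(text)
    # RFC 2231 allows a "*language" suffix on the charset; strip it before decoding.
    return raw.decode(charset.split("*")[0], errors="replace")


def decode_header_value(value):
    """Replace every encoded word in a header value with its decoded text.
    Whitespace between two adjacent encoded words is dropped, as RFC 2047 requires."""
    value = re.sub(r"\?=\s+=\?", "?==?", value)
    return ENCODED_WORD.sub(
        lambda m: decode_encoded_word(m.group(1), m.group(2), m.group(3)), value)


def parse_headers(raw_message):
    """Split an Internet Message Format header block into (name, value) pairs,
    unfolding continuation lines (those starting with whitespace)."""
    headers = []
    for line in raw_message.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break                              # blank line ends the headers
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def sender_domains(raw_message):
    """Domain carried by From, Reply-To and Return-Path (None when the header
    holds only a display name, like the bare 'From: Walmart' in the capture)."""
    result = {}
    for name, value in parse_headers(raw_message):
        if name in ("from", "reply-to", "return-path"):
            m = ADDR_DOMAIN.search(value)
            result[name] = m.group(1).lower() if m else None
    return result


def triage(messages):
    """Decode subjects, tally sender domains and flag messages whose From has no
    address at all or whose Reply-To points at a different domain than From."""
    report = {"subjects": [], "domains": Counter(), "flagged": []}
    for idx, raw in enumerate(messages):
        headers = dict(parse_headers(raw))
        report["subjects"].append(decode_header_value(headers.get("subject", "")))
        doms = sender_domains(raw)
        report["domains"].update(d for d in doms.values() if d)
        if doms.get("from") is None:
            report["flagged"].append((idx, "From carries a display name only"))
        elif doms.get("reply-to") and doms["reply-to"] != doms["from"]:
            report["flagged"].append((idx, "Reply-To domain differs from From"))
    return report


# Constructed messages modelled on the headers in the capture (the first one is
# the Walmart example from the post); example.net is a placeholder domain.
SAMPLE_MESSAGES = [
    "From: Walmart\r\nReply-To: newsletters@walmart.com\r\nTo: Grazielle\r\n"
    "Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=\r\n\r\nbody",
    "From: \"Twitter\" <info@twitter.com>\r\nTo: Grazielle\r\n"
    "Subject: =?UTF-8?B?Vm9jw6o=?=\r\n =?UTF-8?Q?_foi_marcado?=\r\n\r\nbody",
    "From: \"Domino's\" <promo@offers.dominos.com>\r\nReply-To: <deals@example.net>\r\n"
    "Subject: Tonight only\r\n\r\nbody",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```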

The capture contained messages from all of the following domains:


Credential Exchange

TrickBot displays a characteristic similar to the Kelihos botnet, in that it logs in to the mail server with the stolen credentials before it starts to send spam. A massive number of stolen credentials were visible in plain text being distributed by the botnet.

Fig. 10: Stolen Credentials reconstructed in Network Miner


With this analysis, it is safe to assume that TrickBot is extremely tricky!! Researchers at UAB are focused on trying to uncover more secrets of this malware. We will keep everyone posted with our new findings!!

To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.


Monday, October 02, 2017

CyberSecurity Awareness Month Tip One: There are no Gift Certificates

While many corporations have great spam filtering, quite a few small businesses and individuals still deal with a deluge of spam on a daily basis.  For some time now, a particular group of criminals have been stealing your personal information by fraudulently offering "Gift Cards" to various things.

Just in the last day, we've seen Gift Card spam for Amazon, Discover, Target, and Walgreens.


Although it doesn't seem like it, none of these spam messages have anything to do with the sponsoring organization.  There is also absolutely no chance that these spam messages will lead to you receiving a Gift Card, or anything else of value.  So what is their purpose?  These spam messages are sent to try to get you to provide personal information to criminals who enrich themselves by stealing your data and selling it to others.

In each case, after forwarding you through several intermediate places, you end up at a Survey, fraudulently branded to represent the spam campaign you clicked on.  Note that ALREADY AT THIS POINT, the criminals have your email address, and know that you have an interest in the brand they have chosen.  When you click on Amazon, the first time you touch the survey, you are revealing "My email address is (your email here) and I click on spam messages about Amazon!" (or Discover, or Target, or Walgreens...)


All of the surveys are exactly the same, although each is branded a bit differently and there are not just dozens but HUNDREDS of websites that have all been registered for these scammy surveys.

The Amazon survey and the Walgreens survey are on the website "powerclub .xyz" (created on 21SEP2017).  The Discover survey is on "rewardsurveyscenter .com" (updated on 29AUG2017).
The Target survey is on "healthmarket .xyz"  (created on 25SEP2017).  All use a privacy service in the Cayman Islands to protect THEIR personal information while they steal yours!

We'll just look a bit more at the Discover one as an example.  The survey consisted of seven questions, asking your gender, whether you had the Discover mobile app installed, whether you were happy with your FICO score, whether you thought your interest rate was too high, and some questions about customer service from Discover.


What is the point of the survey, since they have no intention of providing you with a gift card?

They want to be able to sell your contact information to other people, as is made plain in their privacy policy:

By the way, there IS no address for the Online Privacy Coordinator listed at the end of the Privacy Policy.  Oops!

After completing the survey, instead of receiving a gift card, you have the opportunity to subscribe to one of several offers.

A Testosterone Booster, a Skin Cream, a Garcinia Cambogia diet supplement, e-Cigarettes, or a "Male Enhancement" that promises to make you "Get Bigger, Last Longer, and Stay Harder." Sadly, the only thing anyone might actually want, the Apple iPad Pro, is "Out of Stock" (and always will be.)



The fine print, by the way, warns that if you take the free product, they will bill you at the full price every thirty days until you find a way to make them stop.  And, similar to the Online Privacy Commissioner, there are few hints about what that telephone number may be.





Monday, August 28, 2017

Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

My friend Neil Schwartzman, the leader of CAUCE, called my attention to a new report from The President's National Infrastructure Advisory Council (NIAC), "Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure."  Why is the Coalition Against Unsolicited Commercial Email interested in this?  As I've trained law enforcement, banking, energy, and government officials all around the world side-by-side with Neil, we've been constantly reminding them that these email-based threats are still one of the leading methods by which major intrusions and long-lived network invasions begin.

With that as an introduction, let's look at the recommendations of the report.  Note that as of this writing (25AUG2017) the report is still a DRAFT.  The 21 page report, with 14 pages of appendices and 10 pages of web-accessible references, is definitely worth reading, but I would urge those in the industry to read it with a critical eye and offer your thoughts if you have them back to NIAC.  Sadly, many of the conclusions of the current report are exactly the same as the conclusions of the 228 page report produced by the NIAC in January 2012 ( See: Intelligence Information Sharing: Final Report and Recommendations ).   What will be the difference in this report?  Quite possibly, YOU.   Read it, understand it, and join us in advocating for the recommendations.  In the May 2017 Quarterly Business Meeting of the NIAC, Homeland Security Advisor Tom Bossert was quoted as saying "we need to move beyond lip service between public-private partnerships," something I've been advocating for since my first InfraGard meeting on September 6, 2001.  We have enemies.  They want to harm us.  Our Critical Infrastructure is vulnerable and in many cases represents a target that could have a profound impact on our economy and way of life if it is attacked. (At that same meeting, Chris Krebs called attention to DHS Secretary Kelly's speech linking critical infrastructure targeting by terrorists with trans-national organized crime.)


Recommendations for Securing Cyber Assets

There were eleven recommendations from the report which I'll list here and then review a few key recommendations in greater depth. (upper-case emphasis in original)
  1. Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including "dark fiber" networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
  2. FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
  3. Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
  4. Strengthen the capabilities of TODAY'S CYBER WORKFORCE by sponsoring a public-private expert exchange program.
  5. Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
  6. Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation's most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
  7. Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation's front line of defense against major cyber attacks.
  8. PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES -- led by the executives who can direct priorities and marshal resources -- to take decisive action on the nation's top cyber needs with the speed and agility required by escalating cyber threats.
  9. USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (November 2017) TO TEST the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government's unclear response actions.
  10. Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
  11. Task the National Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate steps to move forward.

The time to act is now.  As a Nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.

Further Comments and observations on the recommendations

Although there are 16 Critical Infrastructure Sectors recognized by DHS in the most recent Presidential Policy Directive on the subject (PDD-21), this report emphasizes the importance of the electrical and financial services sectors.  One graphic from the report, shown below, emphasizes the centrality of the Electrical center.  This focus is responsive to Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which breaks the tradition of trying to pretend that each of the 16 CI sectors (example: "national monuments" and "electricity") are equal with regards to the risk an attack on that Sector would bring. That Executive Order directed the National Security Council "to assess how existing Federal authorities and capabilities could be employed to assist and better support the cybersecurity of critical infrastructure assets that are at greatest risk of a cyber attack that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."  To that end, NSC tasked NIAC with preparing and delivering this report.

(Believe this graphic is by Sören Finster, recent PhD from kit.edu)
The NIAC team specifically states that their job was not to identify cybersecurity needs (praising there the great work of the Commission on Enhancing National Cybersecurity's exhaustive Report on Securing and Growing the Digital Economy.) It was rather to identify immediate actions that could be taken to have a profound impact in the sectors where the greatest impact may be felt.

ONE: Separate, Secure Communications
Too many companies have fallen into the pattern of relying on the public Internet to connect the components of their critical infrastructure.  We have seen too often recently how a motivated script-kiddie using an IoT Botnet can impact "the whole Internet."  We have to make sure that such events, whether by script kiddies, terrorists, or nation-state actors, can't stop our Critical Infrastructures from functioning.  The report notes that several power companies have already moved to dedicated, closed networks. I know that Southern Company (who own Alabama Power) is an example of one company that is a leader in this area!  What is one of the first things that happens in every public disaster?  Cell phones become unavailable due to the flood of "are you ok" calls.  Our CI incident responders need to be able to respond to us.

TWO: MACHINE-TO-MACHINE Information Sharing Technologies
Several example programs were listed as possible starting points, including:
  • Department of Energy's "Cybersecurity Risk Information Sharing Program (CRISP)" run by the Electricity ISAC (E-ISAC) "which uses classified analysis of network traffic to identify attacks."
  • The FS-ISAC (Financial Services) machine-to-machine information sharing programs
  • DHS's Automated Indicator Sharing (AIS) platform, "which releases attack indicators from multiple sources."
More R&D is needed in this area, and the report calls this work "still immature" and points out there are "significant legal, liability, technology, trust, and cost challenges" which must be overcome.  They particularly note the issue of "Automatically implementing mitigations can create unpredictable outcomes in operational control environments."

While the private sector often has a more robust collection of Indicators of Compromise, the report notes that often government analysis is able to add value by enriching these indicators in a "connect the dots" type way that may require access to classified knowledge in order to understand the significance or the context of an event.

The report also cautions (my words, but their concept) that some ISACs suck.  Their words were that "ISACs vary dramatically in effectiveness."  Couldn't agree more.  Let's learn from those who are doing it right and try to clone their success.

THREE: Best-in-Class Scanning Tools
This one is really problematic. The tools that a Fortune 100 bank needs are dramatically different than the tools that a small defense contractor may be able to deploy. Several of the findings covered in this area include a "broad lack of understanding of the Federal tools available to help scan, detect, mitigate, and defend from cyber threats." but also the fact that "one-size-fits-all tools are rarely effective" -- especially in smaller businesses.

This recommendation class is also where the NIAC mentioned that "there is no way to test for embedded threats or verify the security of devices for critical Operational Technology systems."

FOUR: Today's Cyber Workforce
Several recommendations here are ones we have seen before, but they are still urgently needed.   The report documents that it is forecasted that we will have a shortfall of 1.8 million unfilled cybersecurity positions by 2022 if we don't make a significant change in how we prepare workers for these positions.  (This stat is from the Global Information Security Workforce Study by the Center for Cyber Safety and Education -- several reports have been released from this study and more are forthcoming.)

Specific recommendations include expanding the Scholarship-for-service programs focused on attracting the next-generation cyber workforce, and also a means for allowing college-level cybersecurity programs to be able to get clearances for students involved in internship programs. 

The recommendations of several additional groups on cyber workforce issues are worth noting here, including the Office of Management and Budget's "Federal cybersecurity workforce strategy" memo to heads of Executive Departments and Agencies from July 12, 2016.  The NICE Cybersecurity Workforce Framework (NIST 800-181) is a 144-page guide to the Knowledge, Skills, and Abilities that the wide range of cybersecurity jobs need and that our educators must address (released August 2017).


FIVE: Market Incentives
Suggested incentives included grants for security upgrades and investments, tax credits to incentivize security system upgrades, and potential regulatory relief for those regularly proving that industry standards are met.  While requiring compliance with the NIST Cybersecurity Framework is encouraged, that recommendation includes "recognizing that small- and medium-sized businesses will need additional support to meet the requirements."

The report cautions that "cyber regulations are often blunt tools that are unable to keep up with dynamic risks in an arena where attack and defense capabilities change rapidly over months and years, not decades."

SIX: Security Clearance Process
In organizations where a cyber attack could result in catastrophic effects to public safety, economic, or national security, it is recommended that at least two key personnel be prioritized to receive Top Secret/Sensitive Compartmented Information (TS/SCI) clearances.  The ability to pass clearances not only between agencies, but between agencies and those in the private sector, is encouraged.  Increasing the number of SCIFs nationwide, and the ability for SCIFs to be accessed by appropriately cleared private sector individuals, is also encouraged.  Even in organizations that have appropriate clearances for key personnel, those individuals frequently have to fly to DC to attend in-person briefings or travel more than an hour each way to access a SCIF.  Clearance without regular access to a means of receiving real-time intelligence is of limited value.

SEVEN: Rapidly Declassify Cyber Threat Information
Actively engaging with the private sector on cyber threats is called for.  This requires there to be both a mechanism and a location for such information.  Two options are called for -- one to build shared spaces, perhaps using the Kansas Intelligence Fusion Center as a model for co-location and information sharing.  The second, to consider greatly expanding the National Cybersecurity and Communications Integration Center (the DHS NCCIC) and to expand its role in sharing information with the various ISACs.

Because Intelligence Agencies have historically only shared information with and amongst themselves, rapid declassification and distribution has not really been part of their story.  This needs to change.  With the great problems raised in having too many cleared individuals, or clearing them with too little scrutiny, the only rational alternative is to declassify and share more information that has been marked SECRET or TOP SECRET primarily based on HOW it was found rather than WHAT was found.

EIGHT: A Pilot Task Force in Electricity, Finance, and Communications
This recommendation has four parts:
A. Establish a three-tiered task force of:
 (1) Senior executives in industry and government - who set priorities and direct resources
 (2) operational leaders tasked with implementation
 (3) dedicated full-time operational staff from both industry and government to dig in and solve complex issues
B. Leverage the Strategic Infrastructure Coordinating Council (SICC) to identify appropriate executives in Electricity, Finance, and Communications willing to be part of the pilot task force
C. Use the NIAC recommendations as a starter agenda
D. Use lessons learned from the pilot task force to expand to other sectors and assets


The report makes it clear that having advisory councils and "passive" coordination groups is not what we need.  We need "a bold new approach" that actually has the ability and resources to design AND IMPLEMENT solutions.

NINE: Use GRIDEX IV as a Test
Gridex is a fabulous example of how government and infrastructure owners can work together to test their ability to respond to a cyber incident.  (GRIDEX info page here.) This recommendation calls for the expansion of the participants to include Financial Services and Communication sector executives.  PRIOR TO the test, require key government agencies to document their response abilities in extreme situations.  Use the National Cyber Incident Response Plan as a guide, and use GRIDEX as a means of identifying gaps in processes and protocols as documented in these agency responses and in the NCIRP.  For GRIDEX to be most impactful, we need to learn from it and GO FIX THINGS!   Specifically, Gridex must feed back into the portion of Executive Order 13800 which calls for the Departments of Energy and DHS to "work on an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the U.S. electricity subsector."  (A status report on the implementation of EO 13800 is available.)

TEN: Optimum Cybersecurity Guidance
There are two parts to this recommendation:
A. "Use the cyber task force (recommendation #8) to evaluate effective cyber governance models from other nations and recommend the best approach to centralize and elevate cyber governance and enable national-level coordination for public-private cyber defense."
B. The NIAC pessimistically calls for establishing "a senior-level position or unit to coordinate and exercise operational control over individual Federal organizations."  They go on to note that "experience shows this may not come until after a catastrophic cyber incident occurs."

This recommendation is based partly on the greatly fragmented, isolated, and duplicative nature of the Federal government's cyber capabilities.  The report notes that there are "6 federal cybersecurity centers, 140 cyber authorities and capabilities across 20 agencies, 4 tools, and 8 assessment programs."  This division means there are "dozens of Congressional committees with cybersecurity oversight" but no one is in charge of the national-level consensus that will lead to focused action.

Two potential models for national improvement, drawn from Israel and the United Kingdom, are further described in Appendix D of the report.

In the UK plan, a single National Cyber Security Centre was created, replacing the Centre for Cyber Assessment, the Computer Emergency Response Team UK, and CESG (part of GCHQ), as well as taking cyber responsibilities away from the Centre for the Protection of National Infrastructure.

https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national_cyber_security_strategy_2016.pdf

Similarly, in Israel, a National Cyber Bureau was created in response to Government Resolution No 3611 of 2011.  In 2015, Israel went on to create a National Cyber Defense Authority.  While the NCB focused on strategy, the NCDA was tasked with operational objectives.  Elena Chachko has a good blog post at LawFare ( Cyber Reform in Israel at an Impasse: A Primer ) that explains the attempted design and some of the problems that go along with it.


ELEVEN: Convene a Meeting of Senior Government officials
Before the NIAC report's ink is even dry, the members of the NIAC have voted with their feet on the likelihood of their findings creating significant change.  Eight of the members resigned, in part stating that their "experience to date has not demonstrated that the Administration is adequately attentive to the pressing national security matters within the NIAC's purview, or responsive to sound advice received from experts and advisors on these matters."  While this is concerning, and the resigning members are certainly experts in their respective fields, the resignations were largely by President Obama-appointed officials and could be read as being politically charged and speaking more about events around Charlottesville and the Paris Climate Accords than cybersecurity matters.

Resigning from the NIAC were:
- Cristin Dorgelo (Chief of Staff to the President's Science Advisor in the White House Office of Science and Technology Policy, and the US Chief Technology Officer from July 2014 to January 2017. Dorgelo was the assistant director of the OSTP's Grand Challenge program)

- Christy Goldfuss (As the managing director of the White House Council on Environmental Quality (CEQ) Goldfuss helped oversee President Obama's Climate Action Plan.)

- David Grain (Former president of Global Signal, one of the largest independent wireless communication tower companies in North America, with a dominant presence in the Southeast, and a former SVP of AT&T Broadband. Grain also has experience working in financial services at Morgan Stanley.)

- DJ Patil (Former Deputy CTO for Data Policy and Chief Data Scientist in the OSTP, with experience at Skype, LinkedIn, PayPal, eBay, and the Department of Defense, where he worked on bridging computational and social sciences, focusing on social network analysis to help anticipate emerging national security threats.)

- Amy Pope (Former Deputy Homeland Security Advisor, and Deputy Assistant to the President on the National Security Council, helping to shape policy by leading a team of subject matter experts on supply chain security, countering violent extremism, border management, migration, biometrics, transnational organized crime and more.)

- Charles Ramsey (Former Police Commissioner, Philadelphia Police Department, and former chief of Washington DC's Metropolitan Police Department. Author of Policing for Prevention and Partnerships for Problem Solving.)

- Dan Tangherlini (with experience as the Administrator of the US General Services Administration, an executive in the Department of the Treasury, and a fellow of the Office of Management and Budget, with additional experience working for the Secretary of Transportation on Infrastructure Financing issues.)

- Dan Utech (former Deputy Assistant to the President for Energy and Climate Change.)

Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF).  When EAST holds their Financial Crime & Security Forum next month, members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals have identified access points in the physical architecture of the ATM that would grant them access to cables or ports allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!   

The technique of causing an ATM to dump all of its cash is called "Jackpotting."  Most of us first heard about jackpotting as a result of the Barnaby Jack presentation at BlackHat 2010, repeated on two models of ATMs for DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18
Last September, Kaspersky demonstrated an ATM Black Box; however, in their proof-of-concept approach, the criminals physically open the computer using a maintenance worker's key and flip a physical switch in the ATM to cause it to enter Supervisor mode.  The Black Box is connected to the ATM through a simple USB port that was at that time available in most ATMs.

Black box demo video from Kaspersky


The new Europol arrest report shows that the current evolution of ATM Black Box attacks is to physically cut into the ATM with drills, saws, or acetylene torches, and gain physical access to cables to which the laptop or black box will be attached.  In the current round of Black Box attacks, the target is not the ATM computer, but rather the cables that connect the ATM computer to the banknote dispenser.  By connecting directly to the dispenser, the connected laptop's malware simply issues the commands to the dispenser that would normally come from the ATM computer and gives the order to dispense bills.
Image from Europol


Image from Europol

Information shared in the EAST working groups has produced some uncharacteristically good news in this space!  Although the number of ATM Black Box attacks went up considerably, from 15 attacks in 2015 to 58 attacks in 2016, many of these attacks were unsuccessful.  In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

and illustrated this information with the following chart:

from EAST Report on ATM Fraud
The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as regional ATM crime trend reports from Europol, Russia, the US Secret Service, Latin America, and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen.  Traditional skimming and white-carding is still stealing over 300 million Euros per year, while physical attacks of other sorts claimed nearly 50 million Euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine giving the criminals access to the full contents of the dispenser.   The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013
This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in Southern Spain.  In the first half of 2016, 492 ATM Explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack!  For the full year-over-year comparison, in 2015 there were 673 ATM Explosive attacks in Europe, and in 2016 there were 988 such attacks.  This accounts for roughly one third of the physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, several major ATM attacking gangs have been previously arrested and disclosed. While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards based on the results.

One rare Jackpotting arrest was in January 2016 when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania.  In that case, the Tyupkin trojan, targeting a particular model of NCR ATMs, was inserted by gaining physical access to the ATM and booting a malicious CD in the ATM computer.  (See www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-police-swoops/ ).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring that stole at least €1.2 million.

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine for running an ATM Skimming Ring that stole more than 500,000 Euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.

Wednesday, February 01, 2017

Kelihos infection spreading by Thumb Drive and continues geo-targeting

I've mentioned before how proud I am that my students are extremely passionate about CyberCrime. My guest blogger 'Arsh Arora' is on a visit to his hometown New Delhi, India to attend a wedding. Instead of having fun, he is monitoring Kelihos botnet from a different geographical location than US to determine if the behavior is any different. Seems fairly consistent, but Arsh explains more in this next edition of his Kelihos guest-blogging:

Kelihos botnet geo-targeting Canada and Kazakhstan 

After laying low for a while, the Kelihos botnet is back to its business of providing "spam as a service". The Kelihos botnet continues "geo-targeting" based on the ccTLD portion of email addresses. Today, recipients whose email address ends in ".ca" are receiving links to Tangerine Bank phish web pages, while recipients whose email address ends in ".kz" are receiving a link to the Ecstasy website.

Tangerine Bank Phish geo-targeted to Canadians

The spam body is an HTML webpage that is rendered to the recipient, urging the user to click a button; the subject line is "TANGERINE online account has been suspended". Tangerine is an internet/telephone-based bank formerly known as ING Direct (Tangerine).

Fig. 1 Raw Text of  Spam message

The HTML version is what the victim sees, and it urges the victim to click the "Learn More" button (link: "hxxp://tangeerine[dot]com/InitialTangerine/index.php"). Once clicked, the victim is redirected to a phishing site that asks them to "Enter your Client Number, Card Number or Username".


Fig. 2 Html version of the Phish
Fig. 3 Redirected link seeking user to enter details

A second version of the similarly themed message carried the subject line "Your account is disabled. Please verify your information is correct", and the corresponding redirect link once you hit the Start button was "hxxp://sec-tangrene[dot]online/".


Fig. 4 Raw Text of second spam message

Fig. 5 Html version of Tangerine Phish
Unfortunately, that link was down and not accessible.

Canadian banks take great pride in their infrastructure and preventive measures, which gives attackers the extra challenge of trying to penetrate these banks. They are nevertheless targeted, as in previous instances such as the Desjardins phish.

Fcuk Spam geo-targeted to Kazakhstan 

This behavior had not been observed before: the Kelihos botnet was geo-targeting email addresses ending in ".kz". The spam message contained a link (www[dot]almatinki[dot]com) to a Fcuk website, with the Russian subject line "Глубокий м", which translates as "Deep m". Screenshots of the email message and the website are attached.

Fig. 6 Email message of the spam
Fig. 7 Website

Kelihos spreading via executables copied to flash drives

There is a saying that when an academic has an accident we call it "research!"  After a successful Kelihos infection, a thumb drive was accidentally connected to the virtual machine instead of the host machine. Upon inspection, the thumb drive appeared to have acquired a new hidden executable named "porn.exe", as well as a few shortcuts that were not there before. Further analysis of "porn.exe" revealed that it was a copy of the original Kelihos binary.

Fig. 8 VT analysis of porn.exe

By repeating the process with ProcMon running, we found the CreateFile call for E:\porn.exe. In the moments leading up to it, several other file names are tried with CreateFile in an attempt to open them. It appears that if none of these files can be opened, the malware defaults to creating a porn.exe file and then writing the binary to it. After the binary is created, the shortcuts for the hidden directories and executables are created.

Fig. 9 Create File of porn.exe
Fig. 10 Various instances of trying to Create File

No Autorun.inf is created to run this file; however, a shortcut to the file with the command C:\WINDOWS\system32\cmd.exe F/c "start %cd%\porn.exe" can be found on the drive, as well as shortcuts to several other hidden directories on the drive (not malicious).
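As an added example, not code from the post or from the Kelihos analysis itself, here is a small Python parser for a ProcMon CSV export that pulls out exactly the pattern described above: a process probing a removable drive with CreateFile calls that fail, then creating a hidden executable and a shortcut there. The CSV rows are constructed to mimic that sequence (not a real capture), and the process name "kelihos_sample.exe" and the drive letter E: are assumptions.

```python
import csv
import io
import re

# Constructed ProcMon CSV export (the column layout ProcMon writes with
# File > Save as CSV), NOT a real capture from the post. It mimics the
# sequence described above: CreateFile probes on the drive that fail, then
# porn.exe created with the hidden attribute, then the shortcut. The process
# name "kelihos_sample.exe" and the drive letter E: are assumptions.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:41:02.1234567 PM","kelihos_sample.exe","2312","CreateFile","E:\autorun.inf","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
"10:41:02.1240000 PM","kelihos_sample.exe","2312","CreateFile","E:\setup.exe","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
"10:41:02.1250000 PM","kelihos_sample.exe","2312","CreateFile","E:\porn.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert, Attributes: HSA, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:41:02.1260000 PM","kelihos_sample.exe","2312","WriteFile","E:\porn.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:41:02.1270000 PM","kelihos_sample.exe","2312","CreateFile","E:\porn.lnk","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:41:03.0000000 PM","explorer.exe","1104","CreateFile","C:\Users\lab\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
'''

REMOVABLE_ROOTS = ("E:\\",)   # assumption: the lab VM sees the thumb drive as E:
WATCHED_EXT = (".exe", ".lnk", ".scr", ".com", ".inf")


def parse_procmon_csv(text):
    """Rows of a ProcMon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def on_removable(path, roots=REMOVABLE_ROOTS):
    return path.upper().startswith(tuple(r.upper() for r in roots))


def removable_drops(rows, roots=REMOVABLE_ROOTS):
    """(process, path, hidden) for every executable or shortcut a process
    newly created on a removable root. 'hidden' is read from the ProcMon
    attribute letters (H = hidden) in the Detail column."""
    drops = []
    for r in rows:
        if r["Operation"] != "CreateFile" or r["Result"] != "SUCCESS":
            continue
        path = r["Path"]
        if not on_removable(path, roots) or not path.lower().endswith(WATCHED_EXT):
            continue
        if "OpenResult: Created" not in r["Detail"]:
            continue  # an Open of an existing file, not a new drop
        m = re.search(r"Attributes: ([A-Za-z/]+)", r["Detail"])
        hidden = bool(m and "H" in m.group(1))
        drops.append((r["Process Name"], path, hidden))
    return drops


def probes_before_drop(rows, process, roots=REMOVABLE_ROOTS):
    """Paths the process tried to open on the drive and did not find, i.e.
    the 'several other file names tried with CreateFile' from the post."""
    return [
        r["Path"] for r in rows
        if r["Process Name"] == process and r["Operation"] == "CreateFile"
        and r["Result"] == "NAME NOT FOUND" and on_removable(r["Path"], roots)
    ]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for proc, path, hidden in removable_drops(rows):
        print(f"{proc} created {path} (hidden={hidden})")
        print("  probed first:", probes_before_drop(rows, proc))
```

Exported CSV from a real run is read the same way; the only adjustment needed is the drive letter in REMOVABLE_ROOTS.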

Fig. 11 Executable and shortcut placed on thumb drive
Running porn.exe works like a normal Kelihos run, however, we were unable to infect a thumb drive with this binary. Further analysis is required to determine the mechanism by which thumb drive infection occurs, as this executable appears to be identical to the original binary.

Thanks a lot to Eli Brown for sharing great insights on the infection behavior of Kelihos.

We continue our research on the Kelihos botnet and will try to provide as many insights about the botnet as we can.

Monday, January 16, 2017

"Microsoft notification" leads to Pharma Redirector on Steroids

Today while investigating spam in the PhishMe spam collection, I started looking at a spam campaign that used two distinct subject lines:

Subject: Microsoft notification
Subject: Windows notification

The body of the email looked like this:

NOT Your Friend!

In true botnet style, every single email had a different "friend name."  The three links at the bottom all go to "real" Microsoft locations, but the "View invitation" button is the place we need to be concerned about today.  While this delivery mechanism certainly COULD be used to deliver malware, right now all we knew was that it was certainly not from Microsoft and was potentially dangerous.  With at least 310 different sending IP addresses sending us the spam, it seemed a deeper investigation was called for.

Since the spam did not have an attachment, the normal method to determine whether the URL may be malicious is to fetch the URL, but first we ran some statistics.  In this case, across the 410 "Microsoft" and the 377 "Windows" versions of the spam there were 773 different redirection destinations, each a hacked website where the criminals had placed a small .php program.

Here are just a few examples of the many hundred redirection URLs:
  • lsa48.ru / populace.php
  • longevidadeativa1.hospedagemdesites.ws / valences.php
  • regionp.primor.biz / trowels.php
  • vesinhxanh.net / wp-content / gillian.php
  • nord-okna.pl / timeout.php
  • serax.es / bustles.php
  • nethraprophoto.com / i/wp-content/plugins / contour.php
  • hassanstudio.com / muttons.php
Each PHP file is a program that will cause the visitor to be automagically redirected to an additional website! To determine what redirections will occur, and what we might encounter at the ultimate "landing site", we visit the redirection pages to see where they send our web browser.
Here's a sample redirection script from pro-kisti.ru / irving.php, which caused us to visit an illicit pharmaceutical sales website:


<meta name="keywords" content="crowds, nothing, mountains, fulfilld">
<title>ice32044 Pain. Era - ran earth heaven. Nigh spotted relief, found.</title>

function palee() {
    palea = 61;   // the "shifter" subtracted from every value below
    paleb = [180,166,171,161,172,180,107,177,172,173,107,169,172,160,158,177,166,172,171,107,165,
             175,162,163,122,100,165,177,177,173,119,108,108,173,175,166,179,158,177,162,173,166,
             169,169,179,158,169,178,162,107,175,178,100,120];
    palec = "";
    for (paled = 0; paled < paleb.length; paled++) {
        palec += String.fromCharCode(paleb[paled] - palea);   // shift each value down and append the character
    }
    return palec;
}
// the timer and the window.top.location.href assignment that consume this string are not reproduced here

++++++++++++++++++
This code will subtract the number 61 from each value in the row of integers that begins with 180,166, treat each result as a character code, and append the characters into a string.  Then it will wait 1.295 seconds, and forward the visitor to the website by using the document property "window.top.location.href".

We'll decode a bit of this one by hand:
180 - 61 =  119 which is 77 hex which is an ASCII "w"
166 - 61 = 105 which is 69 hex which is an ASCII "i"
171 - 61 = 110 which is 6E hex which is an ASCII "n"

Rather than do this by hand, I told Excel to separate values by the "," into columns and made a simple spreadsheet.  Update the "Shifter" value (in this case the "palea=61") and then paste the comma separated list into the "Values" portion of the spreadsheet.

the "pro-kisti.ru" redirector (Click for full-size)

Row one is the original values
Row two contains the same values, decremented by "Shifter"
Row three contains the same values, displayed in Hex
Row four contains the values decoded to English, in this case reading:

"window.top.location.href = http : // privatepillvalue dot ru" (altered for safety)

The next URL we tried, zacpower dot com slash destined.php, had used  "unripea=78" for the Shifter value.  We cut and pasted the comma separated values in and see that it redirects to "healingdrugdeal dot ru".

the "zacpower.com" redirector (click for full-size)

The question, though, was how many different sites these 770 redirectors sent us to.  Were they all illicit pharmaceutical websites, or was it possible that some would redirect us to malware?  The only solution seemed to be to fetch and decode all of them!

A simple wget script took care of the fetching, and we soon had 559 unique .txt files, each containing the redirection program from one of the "still live" redirection sites. (As soon as a webmaster finds such a program, they hopefully delete it!  We were glad to see more than 100 of the websites, mostly ones from over the weekend, were not available any longer!)

Now for a small shell script to yank out the Shifter value and the comma separated integers for each.  There are certainly better shell scripters than me, but here was my quick-and-dirty script:

cat filelist | while read -r a; do printf '\n'; printf '%s' "$a"; printf ' Shifter: '; grep -o '=[0-9][0-9]' "$a" | tr -d '\n'; printf ' values: '; grep -o '[0-9]*,[ ]*[1-9][0-9]*' "$a" | tr -d '\n'; done

After asking for a new line, I print the filename, which in this case was "domain.tld.txt", then I look for a two-digit integer preceded by an equals sign and declare it to be the "Shifter".  Then I search for a list of comma-delimited integers, listing only the matches using "grep -o".  Because "grep -o" puts each hit on a new line, I pipe through tr -d '\n' to remove the newline characters and put them all back on one line as a long comma-separated list.  Here are a few example results:

gameguideaz.com.txt Shifter:77 values: 196,182,187,177,188,196,123,193,188,189,
123,185,188,176,174,193,182,188,187,123,181,191,178,179,138,116,181,193,193,189,
135,124,124,185,194,176,184,198,175,178,192,193,192,178,191,195,182,176,178,123,
191,194,116,136

gavez.info.txt Shifter: 49 values: 168,154,159,149,160,168,95,165,160,161,95,157,
160,148,146,165,154,160,159,95,153,163,150,151,110,88,153,165,165,161,107,96,96,153,
150,146,157,154,159,152,149,163,166,152,149,150,146,157,95,163,166,88,108

gelecekdiyarbakirsigorta.com.txt Shifter: 22 values:
141,127,132,122,133,141,68,138,133,134,68,130,133,121,119,138,127,133,132,68,126,
136,123,124,83,61,126,138,138,134,80,69,69,130,139,121,129,143,120,123,137,138
137,123,136,140,127,121,123,68,136,139,61,81

genelev.net.txt Shifter: 23 values:
142,128,133,123,134,142,69,139,134,135,69,131,134,
122,120,139,128,134,133,69,127,137,124,125,84,62,127,139,139,135,81,70,70,131,140,122,
130,144,121,124,138,139,138,124,137,141,128,122,124,69,137,140,62,82

geniusetech.com.txt Shifter: 15 values:
134,120,125,115,126,134,61,131,126,127,61,123,126,114,112,131,120,126,125,61,119,129,
116,117,76,54,119,131,131,127,73,62,62,127,129,120,133,112,131,116,127,120,123,123,
133,112,123,132,116,61,129,132,54,74


Now that each file's key values are separated out, it was simple to automate the decoding and learn which URL each of the websites found in the "View Invitation" links within our spam messages redirected to.
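To automate that decoding in something more reusable than a spreadsheet, here is an added Python example (not code from the post): it extracts the shifter and the integer array from a fetched redirector page, decodes them exactly as the page's own palee() function does (subtract the shifter, map each result to a character), parses the "Shifter: N values:" lines produced by the shell script above, and tallies the destination hosts the way the counts in the next section do. The sample inputs are the pro-kisti.ru snippet and three of the extracted lines quoted in this post, rejoined onto single lines; only the regular expressions and function names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Shape of the obfuscation described in the post: an integer "shifter"
# assignment immediately followed by an array of integers, e.g.
#   palea=61; paleb=[180,166,...];   or   unripea=78; unripeb=[...];
# Variable names differ per site, so only the shape is matched.
SHIFT_AND_ARRAY_RE = re.compile(r"(\w+)\s*=\s*(\d{1,3})\s*;\s*(\w+)\s*=\s*\[([\d,\s]+)\]")

# One output line of the post's shell script, e.g.
#   gameguideaz.com.txt Shifter:77 values: 196,182,...
EXTRACTED_LINE_RE = re.compile(r"^\s*(\S+)\s+Shifter:\s*(\d+)\s+values:\s*([\d,\s]+)$")

URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# The pro-kisti.ru redirector quoted in the post, with its syntax restored.
PRO_KISTI_JS = """
function palee() { palea=61; paleb=[180,166,171,161,172,180,107,177,172,173,107,169,172,160,158,177,166,172,171,107,165,
175,162,163,122,100,165,177,177,173,119,108,108,173,175,166,179,158,177,162,173,166,
169,169,179,158,169,178,162,107,175,178,100,120]; palec=""; for(paled=0;paled<paleb.length;paled++){palec+=String.fromCharCode(paleb[paled]-palea);} return palec; }
"""

# Three lines from the post's shell-script output, rejoined onto one line each.
SAMPLE_EXTRACTED_LINES = [
    "gameguideaz.com.txt Shifter:77 values: 196,182,187,177,188,196,123,193,188,189,123,185,188,176,174,193,182,188,187,123,181,191,178,179,138,116,181,193,193,189,135,124,124,185,194,176,184,198,175,178,192,193,192,178,191,195,182,176,178,123,191,194,116,136",
    "gavez.info.txt Shifter: 49 values: 168,154,159,149,160,168,95,165,160,161,95,157,160,148,146,165,154,160,159,95,153,163,150,151,110,88,153,165,165,161,107,96,96,153,150,146,157,154,159,152,149,163,166,152,149,150,146,157,95,163,166,88,108",
    "geniusetech.com.txt Shifter: 15 values: 134,120,125,115,126,134,61,131,126,127,61,123,126,114,112,131,120,126,125,61,119,129,116,117,76,54,119,131,131,127,73,62,62,127,129,120,133,112,131,116,127,120,123,123,133,112,123,132,116,61,129,132,54,74",
]


def _ints(csv_text):
    """Turn a comma/whitespace separated run of integers into a list."""
    return [int(v) for v in re.split(r"[,\s]+", csv_text.strip()) if v]


def extract_from_js(js_text):
    """Return (shifter, values) from a fetched redirector page."""
    m = SHIFT_AND_ARRAY_RE.search(js_text)
    if m is None:
        raise ValueError("no shifter/array pair found")
    return int(m.group(2)), _ints(m.group(4))


def decode(shifter, values):
    """Same operation the redirector performs: subtract the shifter from
    every integer and treat the result as a character code."""
    return "".join(chr(v - shifter) for v in values)


def target_host(decoded):
    """Hostname of the URL inside the decoded assignment, or None."""
    m = URL_RE.search(decoded)
    return urlparse(m.group(0)).hostname if m else None


def parse_extracted_line(line):
    """Decode one 'name Shifter:N values: ...' line; returns (name, decoded)."""
    m = EXTRACTED_LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m.group(1), decode(int(m.group(2)), _ints(m.group(3)))


def tally_targets(lines):
    """Count how many redirectors point at each destination host."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts[target_host(parse_extracted_line(line)[1])] += 1
    return dict(counts)


if __name__ == "__main__":
    shifter, values = extract_from_js(PRO_KISTI_JS)
    decoded = decode(shifter, values)
    print(f"shifter={shifter} -> {decoded} (host: {target_host(decoded)})")
    for host, n in tally_targets(SAMPLE_EXTRACTED_LINES).items():
        print(f"{n} redirector(s) went to {host}")
```

Feeding the whole shell-script output file to tally_targets() reproduces the per-destination counts without ever visiting a redirector in a browser, which matters given the caution about redirectors at the end of this post.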

So How Many Redirectors were there?

It APPEARS that there are four redirection destinations for this spam campaign.
By processing the results from all of the redirectors we visited, we found:

131 redirectors went to "privatepillvalue dot ru"
138 redirectors went to "luckybestservice dot ru"
165 redirectors went to "healingdrugdeal dot ru"
125 redirectors went to "bestgenericstore dot ru"

bestgenericstore dot ru

Caution with Redirectors!!
The problem with redirection sites such as those used in this spam campaign is that we can't be certain that other visitors would be redirected in the same way.  Because we did not OBTAIN the redirection program itself (the .php file on the hacked server), but merely observed the HTML it returned when our automated script visited the page, we can't say at this time whether other visitors would be redirected in the same way.

For example, the script may have said "If you seem to be using automation, redirect to a pharma website, but if you seem to be on a regular PC on a regular browser, redirect to an Exploit Kit!" or the script may have said "Send every 50th visitor to be infected with Malware at this exploit kit, but send everyone else to a pharma website."  It is also possible for the script to say "If your IP address is from one of THESE countries, send to a pharma website, but if your IP address is from one of the OTHER countries, infect with malware!"  Until we get a copy of the script from one of the websites, it will be hard to say whether such a trap was present here.